GigaOm Radar for Threat Intelligence Platforms (TIPs)v2.01

1. Summary

Cyberthreat intelligence (CTI) is the collection, normalization, analysis, and sharing of information and data regarding vulnerabilities and breaches, leading to actionable recommendations. These recommendations help in understanding the motives, actions, and objectives of threat actors, thereby allowing businesses to shift from being defensively reactive to strategically proactive. In essence, CTI provides clarity on the cyber threat landscape, equipping firms to effectively tackle such threats. This intelligence serves as a compass for decision-makers, directing specific actions to forecast possible repercussions.

For effective CTI implementation, security organizations must define key intelligence requirements, understand stakeholder deliverables, and establish processes for dissemination and feedback. CTI programs with a clear grasp of their intelligence needs and operationalization mechanisms may already possess insights into the required CTI tools to enhance existing programs. This report aims to guide organizations that have struggled with the actionability of their threat intelligence. It helps delineate and clarify the roles of pure-play intelligence platforms, external threat intelligence providers, and threat intelligence management platforms, highlighting overlaps and assisting decision-makers in prioritizing solutions based on critical, recommended, and optional CTI tool capabilities.

• Pure-play platforms are traditionally known as threat intelligence platforms (TIPs). This generic name became problematic as the term platform was used by a variety of threat intelligence technologies. These tools work by ingesting threat intelligence from various sources to correlate events, logs, and telemetry data. Threat intelligence data is available out of the box, and TIPs focus on the actionability of this intelligence. To simplify it, a TIP is a connector between threat intelligence feeds and the end-user environment that supports the integration and automation of large datasets. Additionally, the TIP can support the mapping of threat intelligence to the intelligence requirements.
• External threat intelligence providers focus on the specific collection of threat intelligence and provide mechanisms to build real-time alerts or to query the database directly. Providers are no longer only acquiring data for intelligence; instead, vendors are building added capabilities to directly address the challenges end users are having.
• A threat intelligence management platform is a combination of the two. Depending on the specific requirements for the organization, it can be implemented without needing to deploy another tool or purchase another service before operationalizing and actioning their threat intel.

At this time, organizations with focused threat intelligence requirements can use any of the solutions on this list as a standalone one. For organizations that are building an expanded threat intelligence program that covers several stakeholders within the enterprise, any of the vendors on this list offer a foundation, but to fully cover the variety of intelligence requirements, a multiple-vendor architecture will be needed.

This is our second year evaluating the threat intelligence space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report highlights key vendors whose TIPs deal with CTI and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Threat Intelligence Platforms,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

• Data collection
• Data normalization
• Integration and connectors
• Alerting
• Industry standards alignment