Key Criteria for Evaluating Threat Intelligence Platforms (TIPs)v2.0

1. Summary

Cyber threat intelligence (CTI) encompasses the collection, processing, analysis, and distribution of threat data, culminating in actionable insights. These insights facilitate the comprehension of threat actors’ intentions, behaviors, and targets, enabling organizations to transition from reactive to proactive security strategies. Essentially, CTI aids in developing an understanding of the threat landscape, empowering organizations to effectively counteract these threats. Intelligence informs decision-making by guiding targeted actions to predict potential outcomes.

For technology leaders, it’s important to understand that CTI goes beyond just real-time alerts and indicators of compromise (IoCs). Its purpose is to provide a comprehensive look at emerging and potential threats; the tactics, techniques, and procedures (TTPs) used by cybercriminals, hacktivists, and nation-states; advanced persistent threats (APTs); and the risk of related impacts on an enterprise. This intelligence is essential for making informed decisions about cybersecurity investments, risk management, and overall security strategy. As cyberattacks become more sophisticated and targeted, CTI provides the necessary insights and context to stay one step ahead of the attackers, safeguarding the organization’s assets, reputation, and future.

The consumption of intelligence is at an all-time high, but operationalizing threat intelligence remains a challenging task for security operations and threat intelligence teams. The foundation for a successful CTI program is the requirements. Without intelligence requirements, teams can’t track whether or not they are receiving the necessary intelligence to support their stakeholders.

The majority of organizations just consume intelligence and have very limited interactions with the rest of the intelligence process. Many organizations lack the automation needed to take action on the large amounts of intelligence they receive either through existing commercial intelligence feeds or from open source feeds. Moreover, many teams have only limited technical expertise, making it difficult for them to successfully integrate CTI with existing tool stacks and workflows. Organizations should comprehensively evaluate their existing ability to use CTI, including the knowledge and skills of their analysts and engineers.

There are three main categories of threat intelligence platforms (TIPs): pure-play intelligence solutions, external threat intelligence providers, and threat intelligence management solutions.

• Pure-play solutions are what’s traditionally been known as “TIPs.” However, over time, the term has been extended to now refer to a variety of threat intelligence technologies. Pure-play TIPs ingest threat intelligence from various sources to correlate events, logs, and telemetry data. Threat intelligence data is available out of the box, and the solution focuses on the actionability of this intelligence. To simplify, a pure-play TIP is a connector between threat intelligence feeds and the organization’s environment that supports the integration and automation of large datasets. These tools also support the mapping of threat intelligence to intelligence requirements.
• External threat intelligence providers collect threat intelligence and provide mechanisms to build real-time alerts or to query databases directly. In the past, providers focused only on acquiring data for intelligence. Now, they’re building capabilities to directly address the challenges organizations are having.
• A threat intelligence management platform is the combination of the two. Depending on the specific requirements for the organization, it can be implemented without needing to deploy another tool or purchase another service before operationalizing and acting on threat intelligence.

When evaluating the collection of intelligence, focus on the timeliness and the quality, always aligning it to your requirements. Timeliness is critical in countering cyberattacks, which requires the prompt availability of data for prevention and mitigation. Vendor delays of weeks or even days in disseminating intelligence to clients can prove consequential, rendering the provided information useless. In addition, it’s vital to recognize that quantity and quality are distinct facets, and a surplus of information may lead to noise, hindering security analysts’ investigative efforts.

Ultimately, the objective is to streamline the full intelligence cycle—the acquisition, normalization, analysis, dissemination, and feedback of intelligence, and workflows for analysts and stakeholders–to aid in risk management decision-making across all enterprise domains.

This is the second year that GigaOm has reported on the TIP space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Key Criteria report highlights the capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting an effective TIP. The companion GigaOm Radar report identifies vendors and products that excel in those capabilities and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading TIPs, and help decision-makers evaluate these solutions so they can make a more informed investment decision.