For effective CTI implementation, security organizations must define key intelligence requirements, understand stakeholder deliverables, and establish processes for dissemination and feedback. CTI programs with a clear grasp of their intelligence needs and operationalization mechanisms may already possess insights into the required CTI tools to enhance existing programs. This report aims to guide organizations that have struggled with the actionability of their threat intelligence. It helps delineate and clarify the roles of pure-play intelligence platforms, external threat intelligence providers, and threat intelligence management platforms, highlighting overlaps and assisting decision-makers in prioritizing solutions based on critical, recommended, and optional CTI tool capabilities.

• Pure-play platforms are traditionally known as threat intelligence platforms (TIPs). This generic name became problematic as the term platform was used by a variety of threat intelligence technologies. These tools work by ingesting threat intelligence from various sources to correlate events, logs, and telemetry data. Threat intelligence data is available out of the box, and TIPs focus on the actionability of this intelligence. To simplify it, a TIP is a connector between threat intelligence feeds and the end-user environment that supports the integration and automation of large datasets. Additionally, the TIP can support the mapping of threat intelligence to the intelligence requirements.
• External threat intelligence providers focus on the specific collection of threat intelligence and provide mechanisms to build real-time alerts or to query the database directly. Providers are no longer only acquiring data for intelligence; instead, vendors are building added capabilities to directly address the challenges end users are having.
• A threat intelligence management platform is a combination of the two. Depending on the specific requirements for the organization, it can be implemented without needing to deploy another tool or purchase another service before operationalizing and actioning their threat intel.

At this time, organizations with focused threat intelligence requirements can use any of the solutions on this list as a standalone one. For organizations that are building an expanded threat intelligence program that covers several stakeholders within the enterprise, any of the vendors on this list offer a foundation, but to fully cover the variety of intelligence requirements, a multiple-vendor architecture will be needed.

This is our second year evaluating the threat intelligence space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report highlights key vendors whose TIPs deal with CTI and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Threat Intelligence Platforms,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

• Data collection
• Data normalization
• Integration and connectors
• Alerting
• Industry standards alignment

The post GigaOm Radar for Threat Intelligence Platforms (TIPs) appeared first on Gigaom.

For technology leaders, it’s important to understand that CTI goes beyond just real-time alerts and indicators of compromise (IoCs). Its purpose is to provide a comprehensive look at emerging and potential threats; the tactics, techniques, and procedures (TTPs) used by cybercriminals, hacktivists, and nation-states; advanced persistent threats (APTs); and the risk of related impacts on an enterprise. This intelligence is essential for making informed decisions about cybersecurity investments, risk management, and overall security strategy. As cyberattacks become more sophisticated and targeted, CTI provides the necessary insights and context to stay one step ahead of the attackers, safeguarding the organization’s assets, reputation, and future.

The consumption of intelligence is at an all-time high, but operationalizing threat intelligence remains a challenging task for security operations and threat intelligence teams. The foundation for a successful CTI program is the requirements. Without intelligence requirements, teams can’t track whether or not they are receiving the necessary intelligence to support their stakeholders.

The majority of organizations just consume intelligence and have very limited interactions with the rest of the intelligence process. Many organizations lack the automation needed to take action on the large amounts of intelligence they receive either through existing commercial intelligence feeds or from open source feeds. Moreover, many teams have only limited technical expertise, making it difficult for them to successfully integrate CTI with existing tool stacks and workflows. Organizations should comprehensively evaluate their existing ability to use CTI, including the knowledge and skills of their analysts and engineers.

There are three main categories of threat intelligence platforms (TIPs): pure-play intelligence solutions, external threat intelligence providers, and threat intelligence management solutions.

• Pure-play solutions are what’s traditionally been known as “TIPs.” However, over time, the term has been extended to now refer to a variety of threat intelligence technologies. Pure-play TIPs ingest threat intelligence from various sources to correlate events, logs, and telemetry data. Threat intelligence data is available out of the box, and the solution focuses on the actionability of this intelligence. To simplify, a pure-play TIP is a connector between threat intelligence feeds and the organization’s environment that supports the integration and automation of large datasets. These tools also support the mapping of threat intelligence to intelligence requirements.
• External threat intelligence providers collect threat intelligence and provide mechanisms to build real-time alerts or to query databases directly. In the past, providers focused only on acquiring data for intelligence. Now, they’re building capabilities to directly address the challenges organizations are having.
• A threat intelligence management platform is the combination of the two. Depending on the specific requirements for the organization, it can be implemented without needing to deploy another tool or purchase another service before operationalizing and acting on threat intelligence.

When evaluating the collection of intelligence, focus on the timeliness and the quality, always aligning it to your requirements. Timeliness is critical in countering cyberattacks, which requires the prompt availability of data for prevention and mitigation. Vendor delays of weeks or even days in disseminating intelligence to clients can prove consequential, rendering the provided information useless. In addition, it’s vital to recognize that quantity and quality are distinct facets, and a surplus of information may lead to noise, hindering security analysts’ investigative efforts.

Ultimately, the objective is to streamline the full intelligence cycle—the acquisition, normalization, analysis, dissemination, and feedback of intelligence, and workflows for analysts and stakeholders–to aid in risk management decision-making across all enterprise domains.

This is the second year that GigaOm has reported on the TIP space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Key Criteria report highlights the capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting an effective TIP. The companion GigaOm Radar report identifies vendors and products that excel in those capabilities and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading TIPs, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

The post Key Criteria for Evaluating Threat Intelligence Platforms (TIPs) appeared first on Gigaom.

In general, there are two approaches to threat intelligence solutioning, though both share the same goal: to help organizations protect their environments, endpoints, and assets from known or emerging cyber threats. TIPs will correlate logs and telemetry data against the database of threat data and information, while TI providers take a more focused approach by scoping the collection and correlation through queries or client-specific threat intelligence programs. The decision whether to implement a TIP or a TI provider will come down to the specific requirements and the use case of the organization. As an example, security operations and vulnerability management will see a short time to value from the broader collection and correlation of a TIP, and threat hunters will see immediate value from the reduced scope and the more precise querying ability delivered by Tl providers.

Threat intelligence is still an evolving space. While the belt that has historically restricted security organizations has loosened, many security teams remain overwhelmed and face burn out. This issue is exacerbated when their existing threat intelligence solution is inadequate—causing security teams to waste hours investigating unreliable data and noise.

Digital transformation and the increasing number of remote and hybrid workers have drastically changed the way security professionals work. To optimize their approach to detection and response, security professionals must implement proactive strategies in place of reactionary ones. Even the best reactionary strategies are inadequate when attempting to stop mid-level adversaries.

Knowing the tactics, techniques, or procedures (TTPs) of your organization’s threats can help you plan, test, and engineer effective detections and responses before an incident. Put more simply, proactive intelligence-based threat strategies accelerate the effectiveness and reactiveness of your threat defense and incident response organizations.

This GigaOm Radar report highlights key threat intelligence vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Threat Intelligence Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.

The post GigaOm Radar for Threat Intelligence Solutions appeared first on Gigaom.

There are two main groups of threat intelligence solutions, but they share the same objective: to help organizations protect their environments, endpoints, and assets from cyber threats.

• Threat intelligence platforms (TIPs) work by correlating events, logs, and telemetry data against the database of threat data intelligence.
• Threat intelligence providers take a more focused approach by scoping the collection and correlation of intelligence through queries or client-specific programs.

Whether to implement a TIP or a provider depends on the organization’s specific requirements and use case. Security operations and vulnerability management will see a boost from the broader collection and correlation of a TIP, and threat hunters will see immediate value from the preciseness of Tl providers. In some scenarios, an enterprise would need to use both to achieve its security objectives. Several of the TIPs in the corresponding Radar report have partnerships with TI providers and source some of their threat intelligence from those databases through their APIs.

An intelligence-based approach to security operations has steadily grown as the threat landscape, and the amount of data required to implement an intelligence-led cybersecurity framework, increased exponentially year over year. Modern threat intelligence is a big data problem. Moreover, there has been a shift away from vendor-created detection rules. Detection engineers need contextual threat intelligence to build effective detection controls. Threat intelligence solutions provide the information to accelerate the development of contextual detection controls based on real-world data. This approach is logical; enterprise detections will almost always be more effective if written by the enterprise’s internal engineering team, based on threat intelligence contextualized for their own systems, endpoints, and infrastructure.

Threat intelligence solutions are designed to be the single source of truth driving the priorities for risk management strategies. Many security organizations are not equipped to handle the volume of threat data they are currently receiving. Threat intelligence is still an evolving space, and security teams are often overwhelmed by threat data when using a poor threat intelligence solution, wasting time working through the noise as they search for actionable threat intelligence.

Threat intelligence has moved from “nice-to-have” to a requirement across every cybersecurity domain. Attentive vendors have taken notice and are actively developing more advanced solutions based on the changing needs of diverse enterprise threat landscapes. Every element of cybersecurity today—security policies, security frameworks, physical security decisions, alert triage processes, incident response processes, vulnerability management programs, patch prioritization strategies, threat hunting priorities, and network architectures—need reliable, timely threat intelligence.

The GigaOm Key Criteria and Radar reports provide an overview of the threat intelligence market, identify capabilities (table stakes, key criteria, and emerging technology) and evaluation metrics for selecting a threat intelligence platform, and detail vendors and products that excel. These reports give prospective buyers an overview of the top vendors in this sector and help decision makers evaluate solutions and decide where to invest.

The post Key Criteria for Evaluating Threat Intelligence Solutions appeared first on Gigaom.