Over the next five years, the threat intelligence market is predicted to grow more than 18% a year and reach nearly $9 billion by 2022. This growth is largely fueled by a fact we’ve all come to live with: we can’t block every attack. Threat intelligence allows us to accelerate detection and response to mitigate damage when attacks do happen, and it can also be used to proactively strengthen defenses and reduce risk in the future.
Another fact we live with is that the emergence of new, high-growth technologies is often accompanied by confusion. In the case of threat intelligence there’s a lot of confusion between the terms “threat intelligence feed” and “threat intelligence platform.” Various articles, blogs and reports have been written in an attempt to provide clarity. But I’ve found that framing the discussion around the various models of threat intelligence, and focusing on the relationship between intelligence and systems, is effective at cutting through the confusion. There are four primary threat intelligence models that businesses employ today, ranging from one-to-one to many-to-many. Let’s take a closer look at each.
One-to-one. In this model, you are connecting a single threat intelligence feed to a single system. This may mean updating an individual point product – one of the many layers in your defense-in-depth architecture – with the latest threat intelligence available from that vendor, for example adding signatures to your endpoint protection solution or rules to your intrusion prevention system. It could also mean connecting a single feed directly to a SIEM. A significant challenge here is that there is little overlap between threat feeds, as demonstrated by a Carnegie Mellon University study I’ve discussed before. With only one feed, you’re getting an incomplete picture of malicious activity.
One-to-many. Here, you’re taking a single feed and using it to update multiple systems or layers of defense. Clearly, you’re getting more leverage from that one threat feed, but the entire model tends to be vendor-specific. The vendor provides technology that funnels intelligence from its own threat feed to its own security systems, which may include a firewall, an intrusion detection and prevention system, endpoint protection, etc.
Many-to-one. This model recognizes the lack of overlap between threat feeds, so the aim here is to get better threat intelligence by using multiple data feeds – commercial, industry, government, open source, etc. – and funneling them all into a single tool. Some people try to implement this approach in a SIEM, building on the one-to-one model. However, they soon find that the maintenance burden created by multiple formats, duplicate indicators and repeated false positives drives up effort and cost.
In response, companies started to use a traditional threat intelligence platform to correlate, normalize and de-dup the threat data to apply to the SIEM. However, since the data from the multiple feeds is global and there is little, if any, ability to add context and prioritize for relevance, the potential for false positives persists and security teams end up chasing problems that may not exist or do not matter to their organization.
Many-to-many. Going further in both the amount and type of data it considers and in how and where it shares that data, this model is all about integration, orchestration, automation and synchronization of threat intelligence across all tools and teams. This is where an operations-focused threat intelligence platform comes into play. Here, you aggregate your many external threat data feeds into the threat intelligence platform, creating a central repository for all tools and systems to use. The threat intelligence platform not only normalizes the data for analysis and action, it also contextualizes and scores the data based on parameters you set to ensure relevance – instead of relying only on generic, global scores. By further augmenting and enriching the data with internal threat and event data from multiple sources and teams, you gain additional and critical context to understand what is high-priority to your specific organization.
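To make the many-to-one maintenance problem and the many-to-many remedy concrete, here is an added example (not code from this post or from any vendor's platform): it ingests two constructed feeds in different formats, de-duplicates overlapping indicators, and scores each one with organization-set parameters (sector, internal sightings) rather than the feeds' global scores alone. Feed names, field layouts and the scoring weights are assumptions chosen for illustration.

```python
# Added example (not from the post): toy many-to-many style feed aggregation, normalization,
# de-duplication and organization-specific relevance scoring. All data is constructed.
import csv, io, json
# Constructed sample feeds using documentation-reserved addresses; not real indicators.
FEED_CSV = """indicator,type,confidence
203.0.113.7,ip,80
example-bad.test,domain,60
"""
FEED_JSON = json.dumps([
    {"value": "203.0.113.7", "kind": "ipv4", "score": 0.9, "tags": ["finance"]},
    {"value": "198.51.100.9", "kind": "ipv4", "score": 0.4, "tags": ["retail"]},
])
INTERNAL_SIGHTINGS = {"203.0.113.7": 3}  # constructed internal context: SIEM/EDR hits
TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain"}  # normalize type names

def parse_csv_feed(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield {"value": row["indicator"].strip().lower(), "type": TYPE_MAP[row["type"]],
               "confidence": int(row["confidence"]) / 100, "source": source, "tags": set()}
def parse_json_feed(text, source):
    for rec in json.loads(text):
        yield {"value": rec["value"].strip().lower(), "type": TYPE_MAP[rec["kind"]],
               "confidence": float(rec["score"]), "source": source, "tags": set(rec.get("tags", []))}
def aggregate(records):
    # De-dup across feeds: one entry per (type, value); keep the highest confidence,
    # the union of tags and the list of feeds that reported it.
    merged = {}
    for r in records:
        m = merged.setdefault((r["type"], r["value"]), {"value": r["value"], "type": r["type"],
                              "confidence": 0.0, "sources": [], "tags": set()})
        m["confidence"] = max(m["confidence"], r["confidence"])
        m["sources"].append(r["source"])
        m["tags"] |= r["tags"]
    return list(merged.values())
def score(ind, org_sector, sightings):
    # Relevance score (0-100) from parameters the organization sets, not feed confidence alone.
    s = ind["confidence"] * 50                         # global feed confidence: 0-50
    s += 10 * (len(ind["sources"]) - 1)                # corroboration by additional feeds
    if org_sector in ind["tags"]:
        s += 15                                        # targets the organization's sector
    s += 10 * min(sightings.get(ind["value"], 0), 3)   # seen in internal telemetry
    return min(100, round(s))
def prioritize(org_sector="finance", sightings=INTERNAL_SIGHTINGS):
    records = list(parse_csv_feed(FEED_CSV, "feed-a")) + list(parse_json_feed(FEED_JSON, "feed-b"))
    inds = aggregate(records)
    for ind in inds:
        ind["score"] = score(ind, org_sector, sightings)
    return sorted(inds, key=lambda i: i["score"], reverse=True)
```

Changing `org_sector` or the sightings map reorders the output, which is the reprioritization-on-new-context behaviour the platform is meant to provide.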
A threat intelligence platform also allows you to utilize this curated threat intelligence across all relevant systems, regardless of the vendor. Automatically exporting and distributing key intelligence across the many different layers of your defense-in-depth architecture, it offers your different security teams access, as part of their workflow, to the threat intelligence they need to improve security posture and reduce the window of exposure and breach. For example, the IR team uses forensics and case management tools. The malware team uses sandboxes. The SOC uses the SIEM. The network team uses network monitoring tools and firewalls. The endpoint team uses endpoint detection and response tools.
In addition to sharing the intelligence directly in the systems your teams already know and use, a threat intelligence platform stores data for long periods of time and can foster much-needed collaboration. As the different teams use and update this repository, there is instantaneous sharing of information across other teams, resulting in faster, more informed decisions. And as new data and context become available, the platform automatically reprioritizes threat intelligence to ensure teams stay focused on what matters most and can even anticipate and prevent attacks in the future.
Confusion around terminology will continue to plague the technology industry – just ask the folks involved with blockchain and bitcoin! But when it comes to threat intelligence feeds and platforms, stepping through these models is an effective way to help cut through the confusion and understand the important differences.