A Threat Intelligence Platform (TIP) converts collected threat data into actionable intelligence. It empowers a team to defend their network proactively.
“It is only the enlightened ruler and the wise general who will use the highest intelligence of the army for the purposes of spying, and thereby they achieve great results.” – Sun Tzu, The Art of War.
Cyber-attacks are becoming so sophisticated and highly targeted that keeping up a network's defenses can be overwhelming for one or two security analysts.
To get ahead of attackers, security analysts need to understand how adversaries think, the techniques they use, and the intentions behind their attacks.
But understanding adversaries is easier said than done. First, not all companies can hire security analyst talent, and even if they do, no analyst can win a war without proper threat intelligence.
Threat intelligence is like a “spy on the enemy” strategy.
It means obtaining knowledge of the threat ecosystem around us from logs, website scans, attack signatures, the dark web, and even the criminal underground.
In this article we’ll take a look at the Best Threat Intelligence Platforms out on the market and how they'll help you defend your perimeter networks from active and passive threats.
What is a Threat Intelligence Platform?
Threat Intelligence Platforms (TIPs) are sophisticated content management systems that focus on threat intelligence.
They help security analysts aggregate intelligence data from different sources, normalize it, and arrange it in a single place.
Some TIPs can also help analyze this intelligence with AI/ML techniques and share it with peers.
One of the essential features of TIPs is that they let you set up alerts and notifications based on this data.
With proper alerting, security analysts can react quickly to any attack.
Two Ways to Generate Threat Intelligence:
- Machine-Generated Intelligence:
This can be knowledge gathered by scanning millions of websites, or by identifying new attack signatures. Such data can be generated through AI or ML techniques.
- Human Intelligence Providers:
Security analysts gather information from different sources and come up with reports and feeds related to ongoing and new cyber-threats.
Although some TIP vendors can generate their own threat intelligence internally, they can also receive it from a wide variety of external sources.
Some TIPs rely entirely on third-party providers for intelligence feeds, so they can focus on managing the data and generating insights.
TIPs can also be integrated with other security systems like SIEMs, WAFs (Web Application Firewalls), USM platforms, and more.
What are Threat Intelligence Feeds?
These are one of the most critical elements in TIPs.
They are streams of content that provide information on possible cyber threats.
Feeds are made up of indicators such as suspicious domains, file hashes, blacklisted IPs, etc.
There are multiple open-source and commercial feed providers that users can subscribe to.
Paid feeds can provide a higher level of threat details because they are usually gathered from closed sources, like the dark web.
Open-source feeds, on the other hand, are free but need to be manually selected and curated. Some well-known feed sources and formats are AlienVault, ThreatConnect, OSINT, STIX/TAXII, ISACs, etc.
TIPs centralize the threat intelligence feeds generated by different providers and organize them in a single platform.
TIPs present threat data in a digestible format, prioritize the sources, and remove any duplicate entries.
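As an added example (not code from the article or from any vendor listed here), this Python sketch shows the core of what a TIP does with feeds: it refangs and normalizes indicators from two constructed feeds in different formats, merges duplicates while recording which provider reported each one, and raises alerts when constructed log lines mention an indicator. All feed values, provider names and log lines are made up.

```python
import re
from collections import defaultdict

# Constructed feeds from two providers in different formats (not real data).
FEED_A = """# provider-a: plain text, one indicator per line, some defanged
203.0.113.45
Bad-Domain.example
hxxp://bad-domain[.]example/drop.exe
"""
FEED_B = """# provider-b: type,value,confidence
ipv4,203.0.113.45,80
domain,bad-domain.example,60
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,90
"""
LOGS = [  # constructed log lines to alert on
    "proxy 10.0.0.8 GET http://bad-domain.example/drop.exe 200",
    "dns query 10.0.0.9 -> mail.example.org",
    "fw DENY 203.0.113.45 -> 10.0.0.5:445"]
# Order matters: an IPv4 address would also satisfy the domain pattern.
PATTERNS = {"ipv4": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
            "sha256": re.compile(r"^[0-9a-f]{64}$"),
            "domain": re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")}

def refang(value):
    """Lowercase, undo hxxp / [.] defanging, and reduce a URL to its host."""
    v = value.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    return re.sub(r"^https?://", "", v).split("/")[0]

def classify(value):
    """Return the indicator type, or None if the value matches no known type."""
    return next((k for k, p in PATTERNS.items() if p.match(value)), None)

def ingest(feeds):
    """Normalize all feeds into {(type, value): set(sources)}; duplicates merge."""
    indicators = defaultdict(set)
    for source, text in feeds.items():
        for line in text.splitlines():
            if not line or line.startswith("#"):
                continue
            value = refang(line.split(",")[1] if "," in line else line)
            kind = classify(value)
            if kind:
                indicators[(kind, value)].add(source)
    return indicators

def match_logs(indicators, log_lines):
    """Alert on log lines containing any indicator; report which feeds saw it."""
    hits = []
    for line in log_lines:
        tokens = {refang(t) for t in line.split()}
        for (_, value), sources in indicators.items():
            if value in tokens:
                hits.append((line, value, sorted(sources)))
    return hits
```

The three raw entries for the domain (mixed case, defanged URL, and the CSV row) collapse into one indicator attributed to both providers, which is the deduplication and source prioritization the text describes.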
Here's a List of 10 Best Threat Intelligence Platforms of 2020:
SolarWinds MSP Threat Monitor
SolarWinds MSP (Managed Service Providers) is a set of scalable and comprehensive IT service management solutions.
Among them, SolarWinds MSP offers the Threat Monitor, which is an all-in-one platform for threat detection, response, and reporting.
The Threat Monitor is considered a TIP that helps users gain insights using the latest threat intelligence, updated from different sources.
It can help find and respond to threats in your on-premises environment and in public cloud providers like Amazon AWS and Microsoft Azure.
The SolarWinds Threat Monitor was designed with a centralized command interface to keep track of threats, act on them, and create reports.
The Threat Monitor collects intelligence data and logs from many different sources and consolidates them so that you can get quick insights into threats.
- SIEM Security and Monitoring.
- Log Correlation and Analysis.
- Network and Host Intrusion Detection Systems.
- Advanced Log Search.
- Streamlined Security Monitoring.
- Alarm System.
- Compliance Reports.
- Log-Event Archive.
Try SolarWinds Threat Monitor (Service Provider Edition) free for 14 days.
Anomali Threat Platform
Anomali Threat Platform is a TIP powered by Machine Learning (ML).
It is designed to detect active threats and prioritize them using ML algorithms.
The tool normalizes all feed sources into a single platform and enhances the data by adding threat context.
Anomali helps security managers identify new attacks and avoid false positives by combining threat intelligence with existing and historical events.
It collects intelligence feeds from premium providers like OSINT, STIX/TAXII, and ISACs.
Anomali also offers the Anomali Preferred Partner Store (APP Store), a one-of-a-kind cyber-security marketplace for threat intelligence and integrations.
Through this store, you can have access to a catalog of threat intelligence providers, evaluate them, and buy intelligence feeds.
Anomali also offers Limo, a free Threat Intelligence Feed that contributes to cyber-threat intelligence.
They also provide STAXX, the free STIX/TAXII Solution, to help you collect and analyze more threat intelligence.
Price: Get a quote.
LookingGlass Cyber Solutions
LookingGlass offers diverse cyber-security products and services for different stages of an attack life-cycle.
Their portfolio includes managed services, two threat intelligence platforms, data feeds, and automated threat response software.
Their two TIPs are ScoutTHREAT and ScoutPRIME.
ScoutTHREAT is an advanced proactive threat monitoring solution.
The tool allows security analysts to link atomic indicators, like IPs or file hashes, to the higher-level Tactics, Techniques, and Procedures (TTPs) frequently used by hackers.
- Threat Modeling
- Analyst Workbench
- Risk Scoring
- Data Consumption Model
- Threat Intelligence Investigation
- And more.
ScoutPRIME, on the other hand, is considered a cyber-situational awareness platform.
It helps you visualize the entire external threat landscape and all your IT assets.
It centralizes all the collected and normalized data feeds into one platform.
- Incident Management.
- TIC Scoring.
- Aggregated Threat Data.
- Automatic Notification.
- Graph Explorer.
Price: Contact sales.
Download: To try the platform for free, contact sales first.
FireEye Helix Security Platform
FireEye Helix is a cloud-based security platform that helps you detect, get alerts for, and resolve threats.
The solution is based on SIEM analytics and powered by FireEye's expert human analysts.
FireEye Helix also integrates different tools and threat intelligence capabilities to protect you from the latest threats.
With FireEye Threat Intelligence, FireEye Helix gains valuable context that helps it better understand attacks.
You can also take advantage of this intelligence by integrating alert and event data.
The software leverages ML and AI to analyze behavior and create alerts when there are anomalies.
With Threat Intelligence and advanced analytics, FireEye Helix can detect a wide range of multi-vector threats.
FireEye Helix detects security events by comparing and normalizing data from multiple integrated tools:
- Next-gen SIEM.
- Security Analytics.
- Threat Intelligence.
- Security Orchestration, Automation, and Response (SOAR).
- User and Entity Behavior Analytics (UEBA).
- Compliance Reporting.
Price and License:
You can obtain FireEye Helix when buying a FireEye subscription. For more information on pricing, contact sales.
There is no downloadable free trial. You can watch a demo to see how FireEye Helix works.
ThreatConnect
ThreatConnect is a SaaS-based security solutions provider.
Their Threat Intelligence Platform enables users to aggregate threat intelligence data and act on it.
ThreatConnect can take external or internal threat data and convert it into digestible, actionable intelligence that helps analysts make informed decisions.
ThreatConnect combines intelligence, automation, orchestration, and response in a single platform to help companies be more proactive in their security.
- Intelligence: Helps you prioritize threats and understand their impact. With ThreatConnect, you can operationalize and aggregate intelligence, convert artifacts into intelligence, correlate data, and more.
- Automation: The platform was designed to help users understand abnormal behaviors, automate workflows, and solve threats efficiently using intelligence data. With ThreatConnect, you can automate triage and phishing reporting to get a faster response.
- Orchestration: ThreatConnect allows you to orchestrate workflows so that you can respond faster to threats. For example, you can orchestrate processes at the time of an incident.
- Response: With ThreatConnect, you can manage team collaboration before, during, and after an incident to improve response times.
You can start using ThreatConnect for free by opening an account.
AT&T Cybersecurity AlienVault Unified Security Management
AlienVault, now part of AT&T Cybersecurity, provides Threat Intelligence updates that can be integrated with the AlienVault Unified Security Management (USM) platform. This software gives you a centralized platform to assess, detect, and respond to threats.
The USM is composed of:
- Asset Discovery.
- Threat Detection (NIDS and HIDS).
- Assessment and Analysis.
- Incident Response.
- Compliance Management.
AlienVault USM gives you quick and centralized visibility into the entire threat ecosystem.
The AlienVault USM receives Threat Intelligence updates every 30 minutes from the AlienVault Labs Security Research Team.
This lab is a human intelligence threat provider that analyzes the environment to find new threats, vulnerabilities, and exploits.
Price and License:
The AlienVault USM comes in three different editions with different pricing: Essentials ($1,075/mo), Standard ($1,695/mo), and Premium ($2,595/mo).
A fully functional AlienVault USM free trial is available for 14 days.
Recorded Future
Recorded Future is an all-in-one threat intelligence solution.
It collects and analyzes massive amounts of threat data in real time and converts it into valuable insights using NLP (Natural Language Processing) and ML technology.
Recorded Future makes integration with your current security platforms, such as SIEMs or firewalls, easy to implement.
It can aggregate internal intelligence data with external sources and contextualize it in a central platform.
Insikt Group is a human research and analysis team that works with Recorded Future to hunt down malware and look for emerging threats.
It provides the Recorded Future platform with new and unique intelligence.
The Recorded Future solution works as a Threat Intelligence Platform.
It has all the functionality of a TIP and even includes its own threat intelligence.
You can use it to analyze the collected data and get a holistic view of the entire threat landscape.
Threat Intelligence Platform Features:
- Centralize and contextualize any data feed.
- Collaborate with a team on threat analysis.
- Integrate with third-party solutions.
- Powerful alerting system.
Price and License:
Recorded Future comes in three different editions, Express, Core, and Advanced. To learn more about license and price, contact Recorded Future.
ManageEngine Event Log Analyzer
ManageEngine Event Log Analyzer is a comprehensive web-based log management, auditing, and compliance solution.
As the name implies, Event Log Analyzer is log analysis software that collects, analyzes, and creates reports from a wide range of event logs.
The tool is also widely used for auditing and report generation. With Event Log Analyzer, you can run network device, server, and application audits and create compliance audit reports.
The software also offers an integrated SIEM platform with threat intelligence capabilities.
You can view and share intelligence through popular feeds like STIX, TAXII, and AlienVault.
The tool also correlates with a global blacklist of IPs to protect you from potentially harmful sources.
Event Log Analyzer alerts you via email or SMS when malicious sources and threats attempt to attack your network.
Price and License:
Event Log Analyzer comes in three different editions, Free, Premium, and Distributed. For more information on price and licensing, get a quote.
IBM X-Force Exchange
IBM X-Force Exchange is a cloud-based collaborative Threat Intelligence Platform.
It helps security analysts research, aggregate sources of intelligence, and share data with their peers.
The platform is supported by machine-generated data and by the IBM X-Force Research team that provides human-generated intelligence.
The research team and the software monitor over 25 billion websites looking for threats.
The platform is also supported by a large database of more than 96,000 risks, including attacks, blacklisted IPs, etc.
- Access to human-generated threat intelligence data.
- Collaborate and share threat intelligence.
- Central platform for organizing data.
- Configure watchlists for continuous monitoring.
- Integrate third-party intelligence.
Price and license:
For more information on pricing and license, contact sales.
You can try IBM X-Force Exchange by signing up for a free guest account.
Splunk Enterprise Security
Splunk develops web-based software for searching, monitoring, and analyzing machine-generated data.
They provide security through SIEM, AIOps, machine learning, application and log management, and IT compliance software.
Splunk Enterprise Security is an analytics-driven SIEM solution that uses actionable intelligence to protect enterprises from threats.
The software can integrate with the Threat Intelligence Framework to receive and manage threat feeds and generate alerts.
This framework collects and normalizes all threat intelligence data. It also provides a searching and correlation mechanism to improve attack detections.
The Splunk Enterprise Security framework also comes with audit dashboards that help you retrieve, normalize, and analyze threat intelligence.
- Ingest threat data from the cloud or on-premises.
- A central dashboard to streamline threat analysis.
- Automated actions and workflows.
- Alert management.
- Risk scores.
Price and license:
Contact Splunk for pricing information.
Download: Get a free seven-day Splunk Enterprise Security sandbox environment so you can start testing the product.
Threat Intelligence Platforms (TIPs) depend on threat intelligence providers, whether commercial or open-source.
Some TIP vendors generate their own intelligence internally, through machine-generated data or human analysts, and ingest it into the platform.
These vendors also sell their intelligence feeds to other TIPs.
Although threat intelligence feeds are very useful, without context it is difficult to gain the real insights needed to hunt down threats proactively.
TIPs can aggregate, normalize, curate, and organize all this data, send alerts based on it, and even perform actions.
They give the context that the analyst needs to understand the threats at hand.
Some of the ten best Threat Intelligence Platforms shown above have free trials so that you can start protecting your networks.