Key features in a top threat intelligence platform include the consolidation of threat intelligence feeds from multiple sources, automated identification and containment of new attacks, security analytics, and integration with other security tools like SIEM, next-gen firewalls (NGFW) and EDR.
Top Threat Intelligence Platforms
A fully compliant XDR solution supported by a live team of experts. Heimdal’s XDR replaces fragmented, legacy tools and unresponsive data-gathering software for a consolidated approach, offering you a seamless experience. Data gathered from across your ecosystem is fed into Heimdal’s Intelligence Center for fewer false positives and rapid and accurate detection. The fully automatic functionality allows for greater incident response operations while keeping down the costs.
ThreatInsight: This security monitoring assessment tool collects logs and gives you insight into your organization’s threats. MSPs use it as a sales tool to demonstrate the value of SIEM & SOC and help them decide which security monitoring solution is right for them. With ThreatInsight MSPs can onboard all their clients and their devices unto Vijilan’s SIEM for $99/month. Spots available while seats last.
Log360 is a SIEM solution that helps combat threats on premises, in the cloud, or in a hybrid environment. It also helps organizations adhere to several compliance mandates. You can customize the solution to cater to your unique use cases.
It offers real-time log collection, analysis, correlation, alerting and archiving abilities. You can monitor activities that occur in your Active Directory, network devices, employee workstations, file servers, Microsoft 365 and more. Try free for 30 days!
IBM X-Force Exchange
IBM X-Force Exchange is a cloud-based, collaborative threat intelligence platform that helps security analysts focus on the most important threats and help speed up time to action. This TIP combines human-generated intelligence with a global security feed, offering a unique perspective on potential threats. Between the internal research team and the software behind its feed, IBM X-Force Exchange monitors over 25 billion websites around the world.
The X-Force Exchange dashboard is customizable, allowing users to prioritize relevant intelligence according to their needs, such as advisories and vulnerabilities. Analysts can also easily view the risk level assigned for potential threats, as well as how the risk level has changed over time using the Timeline view.
- Human-generated threat intelligence data
- Threat intelligence collaboration
- Centralized data platform
- Integration with third-party intelligence tools
- Early warning feed
For more, see our in-depth look at IBM X-Force Exchange.
Anomali ThreatStream aggregates millions of threat indicators to identify new attacks, discover existing breaches, and enable security teams to quickly understand and contain threats. In addition to the 140 open-source feeds included with the product, Anomali makes it easy to extend the information collected by the TIP through the Anomali App store. Here, users can evaluate and purchase additional intelligence feeds. This additional information contextualizes threats to greatly reduce the occurrence of false positives.
A key differentiator for Anomali is its highly accurate machine-learning algorithm that assigns scores to indicators of compromise (IoCs) so security teams can prioritize mitigation tasks. ThreatStream also allows for integration with many popular SIEMs and orchestration platforms in order to strengthen threat identification and remediation workflows.
- De-duplication of data
- Removal of false positives
- Integration with third-party intelligence tools
- Data extraction from suspected phishing emails
- Offers some free threat intelligence tools
For more, see our in-depth look at Anomali ThreatStream.
SolarWinds Security Event Manager
SolarWinds Security Event Manager (SEM) combines event tracking with a threat intelligence feed. It can identify both potential and active threats, and can also automatically deploy responses to remediate them. SEM is able to identify and respond to threats in on-premises data centers as well as in cloud environments.
SolarWinds SEM was designed with a clear, centralized dashboard and command interface that makes it easy to keep track of identified threats and quickly take action to resolve security issues. This dashboard can also be used to create intelligence reports.
- Log event Tracking
- Log correlation and analysis
- Centralized interface
- Alarm system
- Compliance reports
For more our in-depth look at SolarWinds Security Event Manager.
Palo Alto Networks Cortex XSOAR TIM
Palo Alto Networks has replaced its AutoFocus threat intelligence service with the new Cortex XSOAR Threat Intelligence Management (TIM) platform. The new platform aims to surface the most relevant threats with context, automation and threat data from Palo Alto’s Unit 42 threat intelligence group and the company’s massive footprint of network, endpoint, and cloud intel sources. Combining threat intelligence with the Cortex security orchestration, automation and response (SOAR) platform weaves threat intel into workflows by adding incident management, orchestration, and automation capabilities. The TIM platform doesn’t have much user feedback yet, but XSOAR users are generally pleased.
- Proactive defense against attacks
- Rich threat intelligence automatically embedded in an analyst’s existing tools for instant context and understanding of threats and events
- Automatic mapping to help you identify relevant threats, relationships between threat actors and attack techniques previously unknown in your environment
- Granular search with unlimited combinations
- Automated playbooks and 700+ third-party product integrations
LogRhythm Threat Lifecycle Management (TLM) Platform
LogRhythm Threat Lifecycle Management (TLM) Platform delivers a coordinated collection of data analysis and incident response capabilities to enable organizations around the globe to rapidly detect, neutralize and recover from security incidents. It can process 26 billion messages a day. The platform can also automate threat detection and prioritization with pattern matching and advanced correlation to machine learning and statistical analysis.
Using big data technology and machine learning, this robust platform can deliver SIEM, log management, endpoint monitoring, Network Behavior Analytics (NB), User and Entity Behavior Analytics (UEBA) and Security Automation Orchestration (SAO) capabilities. This combination of features culminates in a comprehensive, end-to-end threat management workflow.
- Automated threat detection
- Third-party integrations
- Reduced alarm fatigue
For more, see our in-depth look at LogRhythm Threat Lifecycle Management.
Mandiant Threat Intelligence Suite
The Mandiant Threat Intelligence Suite – soon to become part of Google – continues to provide top-notch intelligence for cybersecurity teams. Mandiant Threat Intelligence adds context and priority to global threats before, during and after an attack. Data is gleaned from the adversarial underground, virtual network detection sensors and Mandiant IR investigations from the world’s largest breaches. Mandiant has more than 1,000 experts responding to incidents and researching attacks.
What sets Mandiant apart from the competition is how its platform tailors strategic intelligence to an organization’s corporate risk management and business goals by providing highly-contextual data so users can align security strategies to respond to the most likely threats aimed at their organization.
- Strategic intelligence
- Dark Web monitoring
- Research tools and alerting
Read more about Mandiant Threat Intelligence.
LookingGlass Cyber Solutions
LookingGlass Cyber Solutions is an open source-based threat intelligence platform that delivers unified threat protection against sophisticated cyberattacks to global enterprises and government agencies by operationalizing threat intelligence. It’s augmented by a worldwide team of security analysts who enrich the data feeds.
LookingGlass aggregates structured and unstructured data from over 87 out-of-the-box feeds, as well as other commercial feeds purchased separately. It provides the most relevant data to a business by categorizing network elements into a repository called Collections. Its Threat Indicator Confidence scoring tool then uses this information to identify the highest priority risks facing an organization.
- Comes with a large collection of out-of-the-box feeds
- Threat Indicator Confidence scoring tool
- Collections repository
See our in-depth look at LookingGlass Cyber Solutions.
ThreatConnect’s platform enables automated data collection from all sources and presents it to users in context. Security teams can then analyze the information manually or with automation assistance to look for evidence of cybersecurity dangers. The platform shows associations in the data, helping specialists identify meaningful connections.
ThreatConnect’s platform also uses an intelligence-driven orchestration feature called Playbooks. Users can set it up to perform certain tasks after receiving specified triggers. For example, the tool could detect a new IP address on the network and automatically block it until cybersecurity teams take a closer look. That capability cuts down on manual labor and error potential, resulting in higher productivity.
- Tool and app integrations marketplace
- Threat report export capabilities
- Crowdsourced analytics show threat prevalence
IntSights Threat Intelligence Platform
IntSights – recently acquired by Rapid7 – combines threat intelligence, data and tools, helping cybersecurity professionals stop attacks faster and see a greater return on investment (ROI). The company’s graph database lets users visualize cyberattacks and learn all the associated details of emerging threats, giving them the knowledge they need to make the most informed decisions and respond to issues faster.
The platform also shows people the potential impacts of unaddressed threats, helping them decide which ones to address first. Since this tool includes native indicators of compromise (IOC) aggregation and management, users have a centralized place to track and fix vulnerabilities before cybercriminals exploit them. An extensive IntSights integration network allows automating instant threat responses across the whole cybersecurity stack, too.
- Plug-and-play functionality with existing security devices
- Real-time threat prioritization
- Dark web monitoring capability
CrowdStrike Falcon X
This threat intelligence platform comes in a choice of three tiers — Falcon X, Falcon X Premium and Falcon X Elite. All come with automated malware investigation features, reducing the time required to identify threats and determine the associated severity. The platform also provides user-friendly endpoint integration that does not require new installations or deployments for people who already use the company’s Falcon products.
People can also benefit from intelligence reports that give daily alerts and offer strategic insights. Tailored breakdowns allow monitoring for DDoS attacks and social media-based threats against an organization, too. The top tier of this service includes a cybersecurity expert researching specific threats and giving a customized report of the findings.
- Available APIs and integrations work with existing security tools
- Real-time indicators of compromise (IOC) feed
- More than 100 profiles of known threat actors
Kaspersky Threat Intelligence Portal
This subscription-based product combines everything a cybersecurity expert needs to analyze risk in a single tool. It lets people check that IP and web addresses, files and file hashes are safe.
The product also uses various metrics to determine whether a file may pose dangers. Analysis tools examine static and dynamic characteristics, as well as how it behaves. The interface allows submitting files to verify and prioritize threats based on risk levels shown in context. People can also sign up for premium services. They include intelligence reporting for financial threats, threat data feeds and a database of known security dangers.
- URL sandbox tool for safely checking suspicious sites
- API allows connecting applications to the service
- Private submission mode keeps files and associated analysis information confidential
The Intelligence Platform from Recorded Future provides actionable insights at a glance, and always at the right time. It does so through its Intelligence Graph, which the developers tout as the “world’s most comprehensive” collection of reference data. This repository calls on an accumulated decade’s worth of observations from billions of discrete entities and sees continuous additions and enhancement.
Intelligence Platform provides a modular experience to make integration with other Enterprise-level security suites convenient and seamless. The whole package is also capable of fine-tuning its delivered intelligence with specific personnel or roles within the company in mind. The result is a context-rich and always up-to-date risk platform that claims to ameliorate risks in supply chains and elsewhere up to 50% faster than other platforms.
- One of the world’s most comprehensive data sets to draw from
- A modular design makes adoption simple no matter the existing infrastructure
- Breaks down threat types into intuitive categories, including brand intelligence, SecOps intelligence, geopolitical intelligence and others
AT&T Cybersecurity – formerly AlienVault – Unified Security Management (USM) receives threat intelligence from AlienVault Labs and its massive Open Threat Exchange (OTX), the world’s largest crowd-sourced collaborative threat exchange. It provides centralized threat detection, incident response and compliance management for cloud and on-premises environments. With threat intelligence provided by AT&T Alien Labs, USM is updated automatically every 30 minutes, remaining at the forefront of evolving and emerging threats. This allows security teams to focus on responding to alerts rather than identifying them.
- Asset discovery
- Threat detection
- Incident response
- Compliance management
- Access to OTX
For more, see our in-depth look at AlienVault Unified Security Management.
Other threat intelligence market leaders
RSA NetWitness Platform is a threat detection and response platform that allows security teams to rapidly detect and understand the scope of a compromise by leveraging logs, packets, NetFlow, endpoints and threat intelligence.
Cisco Threat Intelligence Director (TID) is a feature in Cisco’s Firepower Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID serves Cisco’s Next-Generation Firewall (NGFW) product.
SonicWall Network Security services platform includes real-time threat intelligence from the aggregation, normalization, and contextualization of security data.
Symantec DeepSight Intelligence consists of visibility provided by the Symantec Global Intelligence Network, the largest civilian threat collection network and tracks over 700,000 global adversaries.
Accenture iDefense provides security intelligence through the IntelGraph platform that provides context, visualizations, advanced searching and alerting.
Proofpoint Emerging Threat (ET) Intelligence provides threat intelligence feeds to identify suspicious or malicious activity.
CenturyLink Adaptive Threat Intelligence gives users access to actionable, prioritized threat data that is correlated to customer IP addresses.
Imperva ThreatRadar combines threat research from Imperva security researchers, threat intelligence from a variety of partners, and live data crowdsourced.
Check Point ThreatCloud combines threat prevention technology with threat analysis to prevent attacks.
What are threat intelligence platforms?
Threat Intelligence Platforms (TIP) are critical security tools that use global security data to help proactively identify, mitigate and remediate security threats. New and continually evolving threats are surfacing every day. While security analysts know the key to staying ahead of these threats is to analyze data on them, the problem that arises is how to efficiently collect high volumes of data and consequently derive actionable insights to proactively thwart future attacks.
How threat intelligence platforms work
TIPs aggregate security intelligence from vendors, analysts and other reputable sources about threats and suspicious activity detected all around the world through a tool called threat intelligence feeds. This data can come in the form of malicious IP addresses, domains, file hashes and more. TIPs then convert these advanced analytics into actionable intelligence for detecting malicious activity inside your network. These feeds are often integrated into other security products, like EDR, SIEM and next-gen firewalls.
Threat intelligence platform features
The main key feature of any threat intelligence platform is the ability to analyze and share threat data. These tools can identify signatures of threats on a network and relay that information to other installations, as well as pull information about new dangers from threat feeds. This makes threat intelligence platforms integral to stopping zero-day threats.
Another key feature is the ability to triage data and alerts when threats are identified. They will only send out alerts when legitimate threats arise to avoid an unnecessary flood of notifications that can muddy the waters for remediation, although the platforms may require some fine-tuning. To further assist with remediation, they can also assign a risk score so security teams can prioritize which issues to act on first.
Vulnerability management rounds out threat intelligence platforms’ features. These solutions can contain threats when they’re identified, saving security teams precious time to resolve the issues. They can also offer remediation instructions on common and emerging threats to further speed up the process.
Threat intelligence vs. anti-virus software
There are two methods for generating threat intelligence: human intelligence providers or machine-generated intelligence. Human intelligence comes from security expert-operated research labs that identify attack trends and send out updates to security products, from enterprise security tools like EDR, SIEM and NGFWs, down to consumer products like antivirus software. These labs are often run by the vendor of the product.
Machine-generated intelligence comes from the security products themselves. As they identify attack signatures and anomalous behavior, they can transmit that data to all other security products from that vendor in real-time. This process also includes live threat feeds that can pull new attack signatures from multiple sources, including security expert research labs, to keep up with advanced and evolving threats.
Most traditional ant-virus solutions receive updates on new threats from a single source – the vendor’s research team. Relying solely on a team of researchers can be slow and limited with the flow of information. They may not be able to keep up with new threats as they arise.
Threat intelligence platforms that use machine-generated intelligence platforms have the upper hand when it comes to identifying new threats quickly. Each installed program acts as a composite detection, analysis and remediation bundle so they can do everything a research team can.
Devin Partida contributed research and writing to this report.