Threat Intelligence Platforms (TIP) are critical security tools that use global security data to help proactively identify, mitigate and remediate security threats. New and continually evolving threats are surfacing every day. While security analysts know the key to staying ahead of these threats is to analyze data on them, the problem that arises is how to efficiently collect high volumes of data and consequently derive actionable insights to proactively thwart future attacks.
How threat intelligence platforms work
TIPs aggregate security intelligence from vendors, analysts and other reputable sources about threats and suspicious activity detected all around the world, delivered through threat intelligence feeds. This data can come in the form of malicious IP addresses, domains, file hashes and more. TIPs then normalize, de-duplicate and correlate these indicators into actionable intelligence for detecting malicious activity inside your network.
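As an added illustration of the aggregation step just described (not code from any product in this article), the Python sketch below merges three constructed feeds, normalizes and de-duplicates their indicators, scores each indicator by how many independent feeds report it, and flags constructed log lines that reference a corroborated indicator. All feed entries and log lines are constructed for the example and use reserved documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample feeds (reserved documentation IP ranges and the .example TLD); not real indicators.
FEEDS = {
    "feed_a": ["198.51.100.23", "Evil-Domain.EXAMPLE", "d41d8cd98f00b204e9800998ecf8427e"],
    "feed_b": ["198.51.100.23", "evil-domain.example.", "203.0.113.7", "single-source.example"],
    "feed_c": ["D41D8CD98F00B204E9800998ECF8427E", "203.0.113.7", "198.51.100.23"],
}

# Constructed firewall, DNS and AV log lines to match against the aggregated feed.
LOGS = [
    "2024-01-01T00:00:01Z fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-01-01T00:00:02Z dns query evil-domain.example. from 10.0.0.9",
    "2024-01-01T00:00:03Z av sha1 hash=da39a3ee5e6b4b0d3255bfef95601890afd80709 blocked",
    "2024-01-01T00:00:04Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=80",
    "2024-01-01T00:00:05Z dns query single-source.example from 10.0.0.9",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")

def normalize(raw):
    """Map a raw indicator to a (type, canonical value) key so differently written copies de-duplicate."""
    value = raw.strip()
    if IPV4_RE.match(value):
        return ("ipv4", value)
    if HASH_RE.match(value):
        return ("hash", value.lower())           # hex digests are case-insensitive
    return ("domain", value.lower().rstrip("."))  # fold case, drop trailing root dot

def aggregate(feeds):
    """Merge feeds into {ioc_key: confidence}; confidence = number of independent feeds reporting it."""
    sources = defaultdict(set)
    for feed_name, entries in feeds.items():
        for raw in entries:
            sources[normalize(raw)].add(feed_name)
    return {ioc: len(names) for ioc, names in sources.items()}

def match_logs(iocs, log_lines, min_confidence=2):
    """Return (line, ioc_key, confidence) for lines mentioning an indicator seen in >= min_confidence feeds."""
    hits = []
    for line in log_lines:
        for token in re.split(r"[\s,;=\"']+", line):
            key = normalize(token)
            if iocs.get(key, 0) >= min_confidence:
                hits.append((line, key, iocs[key]))
                break  # one hit per line is enough to raise an alert
    return hits
```

With the default threshold of two corroborating feeds, the single-source domain and the unknown SHA-1 produce no alerts, which is the false-positive reduction the feature lists below refer to.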
Top threat intelligence platforms
Key features in a top threat intelligence platform include the consolidation of threat intelligence feeds from multiple sources, automated identification and containment of new attacks, security analytics and integration with other security tools like SIEM, next-gen firewalls (NGFW) and EDR.
- IBM X-Force Exchange
- Anomali ThreatStream
- Palo Alto Networks AutoFocus
- FireEye iSIGHT
- LookingGlass Cyber Solutions
- AlienVault USM
- Other leaders
IBM X-Force Exchange is a cloud-based, collaborative threat intelligence platform that helps security analysts research threat indicators so they can speed up time to action. This TIP combines human-generated intelligence with its global security feed, offering a unique perspective on potential threats. Between the internal research team and the software behind its feed, IBM X-Force Exchange monitors over 25 billion websites around the world.
The X-Force Exchange dashboard is customizable, allowing users to prioritize relevant intelligence according to their needs, such as advisories and vulnerabilities. Analysts can also easily view the risk level assigned for potential threats, as well as how the risk level has changed over time using the Timeline view.
- Human-generated threat intelligence data
- Threat intelligence collaboration
- Centralized data platform
- Integration with third-party intelligence tools
- Early warning feed
For more, see our in-depth look at IBM X-Force Exchange.
Anomali ThreatStream aggregates millions of threat indicators to identify new attacks, discover existing breaches, and enable security teams to quickly understand and contain threats. In addition to the 140 open-source feeds included with the product, Anomali makes it easy to extend the information collected by the TIP through the Anomali App store. Here, users can evaluate and purchase additional intelligence feeds. This additional information contextualizes threats to greatly reduce the occurrence of false positives.
A key differentiator for Anomali is its highly accurate machine-learning algorithm that assigns scores to indicators of compromise (IOCs) so security teams can prioritize mitigation tasks. ThreatStream also allows for integration with many popular SIEMs and orchestration platforms in order to strengthen threat identification and remediation workflows.
- De-duplication of data
- Removal of false positives
- Integration with third-party intelligence tools
- Data extraction from suspected phishing emails
- Offers some free threat intelligence tools
For more, see our in-depth look at Anomali ThreatStream.
SolarWinds Security Event Manager (SEM) is a powerful tool that combines event tracking with a threat intelligence feed. Not only is it able to identify both potential and active threats, but it can also automatically deploy responses to remediate them. SEM is able to identify and respond to threats in on-premises data centers as well as in cloud environments.
SolarWinds SEM was designed with a clear, centralized dashboard and command interface that makes it easy to keep track of identified threats and quickly take action to resolve security issues. This dashboard can also be used to create intelligence reports.
- Log event tracking
- Log correlation and analysis
- Centralized interface
- Alarm system
- Compliance reports
For more, see our in-depth look at SolarWinds Security Event Manager.
Palo Alto Networks' AutoFocus contextual threat intelligence service makes threat analytics, with full context, available to organizations of all sizes. This hosted service gives security operations teams the intelligence, correlation, context and automated prevention workflows they need to identify and respond to events in real time.
AutoFocus also includes access to a repository of actionable intelligence from Unit 42, Palo Alto Networks' internal threat research team. Unit 42 warns users of adversaries and campaigns that are targeting specific organizations so they can stop the threats.
- Researcher-curated context from Unit 42
- Integration with third-party systems
- Automated prevention workflows
For more, see our in-depth look at Palo Alto Networks AutoFocus.
LogRhythm Threat Lifecycle Management (TLM) Platform delivers a coordinated collection of data analysis and incident response capabilities to enable organizations around the globe to rapidly detect, neutralize and recover from security incidents. It can process 26 billion messages a day. The platform can also automate threat detection and prioritization using techniques ranging from pattern matching and advanced correlation to machine learning and statistical analysis.
Using big data technology and machine learning, this robust platform can deliver SIEM, log management, endpoint monitoring, Network Behavior Analytics (NB), User Entity Behavior Analytics (UEBA) and Security Automation Orchestration (SAO) capabilities. This combination of features culminates in a comprehensive, end-to-end threat management workflow.
- Automated threat detection
- Third-party integrations
- Reduced alarm fatigue
For more, see our in-depth look at LogRhythm Threat Lifecycle Management.
FireEye iSIGHT Threat Intelligence adds context and priority to global threats before, during and after an attack. Data is gleaned from the adversarial underground, virtual network detection sensors and Mandiant IR investigations from the world’s largest breaches. FireEye has more than 1,000 experts responding to incidents and researching attacks.
What sets FireEye apart from the competition is how its platform tailors strategic intelligence to an organization's corporate risk management and business goals. By providing highly contextual data, it lets users align their security strategies to the threats most likely to take aim at their organization.
- Strategic intelligence
- Dark Web monitoring
- Research tools and alerting
For more, see our in-depth look at FireEye iSIGHT Threat Intelligence.
LookingGlass Cyber Solutions is an open source-based threat intelligence platform that delivers unified threat protection against sophisticated cyberattacks to global enterprises and government agencies by operationalizing threat intelligence. It’s augmented by a worldwide team of security analysts who enrich the data feeds.
LookingGlass aggregates structured and unstructured data from over 87 out-of-the-box feeds, as well as other commercial feeds purchased separately. It provides the most relevant data to a business by categorizing network elements into a repository called Collections. Its Threat Indicator Confidence scoring tool then uses this information to identify the highest priority risks facing an organization.
- Comes with a large collection of out-of-the-box feeds
- Threat Indicator Confidence scoring tool
- Collections repository
For more, see our in-depth look at LookingGlass Cyber Solutions.
AlienVault Unified Security Management (USM), a product of AT&T CyberSecurity, receives threat intelligence from AlienVault Labs and its massive Open Threat Exchange (OTX), the world's largest crowd-sourced collaborative threat exchange. It provides centralized threat detection, incident response and compliance management for cloud and on-premises environments.
With threat intelligence provided by AT&T Alien Labs, USM is updated automatically every 30 minutes, remaining at the forefront of evolving and emerging threats. This allows security teams to focus on responding to alerts rather than identifying them.
- Asset discovery
- Threat detection
- Incident response
- Compliance management
- Access to OTX
For more, see our in-depth look at AlienVault Unified Security Management.
RSA NetWitness Suite is a threat detection and response platform that allows security teams to rapidly detect and understand the scope of a compromise by leveraging logs, packets, NetFlow, endpoints and threat intelligence.
Cisco Threat Intelligence Director (TID) is a feature in Cisco’s Firepower Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID serves Cisco’s Next-Generation Firewall (NGFW) product.
SonicWall Network Security services platform includes real-time threat intelligence from the aggregation, normalization, and contextualization of security data.
CrowdStrike Falcon integrates threat intelligence into endpoint protection, automating incident investigations and speeding breach response. It is supported by the CrowdStrike Falcon Intelligence team.
ThreatConnect provides intelligence, automation, analytics, and workflows in one platform.
Symantec DeepSight Intelligence draws on the visibility provided by the Symantec Global Intelligence Network, the largest civilian threat collection network, which tracks over 700,000 global adversaries.
LookingGlass Strategic Intelligence Subscription Service offers a digital library of actionable and relevant finished intelligence reports, augmented by analysts who enrich the data feeds and provide timely insights.
Accenture iDefense provides security intelligence through the IntelGraph platform that provides context, visualizations, advanced searching and alerting.
Proofpoint Emerging Threat (ET) Intelligence provides threat intelligence feeds to identify suspicious or malicious activity.
McAfee Advanced Threat Defense includes threat intelligence sharing to locate hidden threats.
CenturyLink Analytics and Threat Management gives users access to actionable, prioritized threat data that is correlated to customer IP addresses.
Imperva Threat Intelligence combines threat research from Imperva security researchers, threat intelligence from a variety of partners, and live crowdsourced data.
Check Point ThreatCloud combines threat prevention technology with threat analysis to prevent attacks.