Top Threat Intelligence Platforms for 2021

Top Threat Intelligence Platforms

1 IBM

IBM X-Force Exchange is a cloud-based, collaborative threat intelligence platform that helps security analysts research threat indicators and speed up time to action. This TIP combines human-generated intelligence with its global security feed, offering a unique perspective on potential threats. The X-Force Exchange dashboard is customizable, allowing users to prioritize relevant intelligence according to their needs, such as advisories and vulnerabilities.

2 Anomali

Anomali ThreatStream aggregates millions of threat indicators to identify new attacks, discover existing breaches, and enable security teams to quickly understand and contain threats. A key differentiator for Anomali is its highly accurate machine-learning algorithm that assigns scores to indicators of compromise (IOCs) so security teams can prioritize mitigation tasks. ThreatStream also allows for integration with many popular SIEMs and orchestration platforms.

3 SolarWinds

SolarWinds Security Event Manager (SEM) is a powerful tool that combines event tracking with a threat intelligence feed. Not only is it able to identify both potential and active threats, but it can also deploy responses to remediate them. SolarWinds SEM was designed with a clear, centralized dashboard and command interface that makes it easy to keep track of identified threats and quickly take action to resolve security issues. This dashboard can also be used to create intelligence reports.

4 Palo Alto Networks

Palo Alto Networks AutoFocus contextual threat intelligence service makes threat analytics, with full context, available to organizations of all sizes. This hosted service gives security operations teams the intelligence, correlation, context and automated prevention workflows they need to identify and respond to events in real time. AutoFocus also includes access to a repository of actionable intelligence from Unit 42, Palo Alto Networks’ internal threat research team.

5 LogRhythm

LogRhythm Threat Lifecycle Management (TLM) Platform delivers a coordinated collection of data analysis and incident response capabilities to enable organizations around the globe to rapidly detect, neutralize and recover from security incidents. It can process 26 billion messages a day. The platform can also automate threat detection and prioritization with techniques ranging from pattern matching and advanced correlation to machine learning and statistical analysis.

6 FireEye Mandiant Advantage

FireEye Mandiant Advantage adds context and priority to global threats before, during and after an attack. What sets FireEye apart from the competition is how its platform tailors strategic intelligence to an organization’s corporate risk management and business goals by providing highly contextual data, so users can align security strategies to respond to the most likely threats taking aim at their organization.

7 LookingGlass

LookingGlass Cyber Solutions is an open source-based threat intelligence platform that delivers unified threat protection against sophisticated cyberattacks to global enterprises and government agencies by operationalizing threat intelligence. It provides the most relevant data to a business by categorizing network elements into a repository called Collections. Its Threat Indicator Confidence scoring tool then uses this information to identify the highest priority risks facing an organization.

8 AT&T Cybersecurity

AlienVault Unified Security Management (USM), a product of AT&T Cybersecurity, receives threat intelligence from AlienVault Labs and its massive Open Threat Exchange (OTX), the world’s largest crowd-sourced collaborative threat exchange. It provides centralized threat detection, incident response and compliance management for cloud and on-premises environments. With threat intelligence provided by AT&T Alien Labs, USM is updated automatically every 30 minutes.

IBM X-Force Exchange

IBM X-Force Exchange is a cloud-based, collaborative threat intelligence platform that helps security analysts focus on the most important threats and speeds up time to action. This TIP combines human-generated intelligence with a global security feed, offering a unique perspective on potential threats. Between the internal research team and the software behind its feed, IBM X-Force Exchange monitors over 25 billion websites around the world.

The X-Force Exchange dashboard is customizable, allowing users to prioritize relevant intelligence according to their needs, such as advisories and vulnerabilities. Analysts can also easily view the risk level assigned for potential threats, as well as how the risk level has changed over time using the Timeline view.

It boasts unlimited scalability and queries and offers intelligence on IP and URL reputation, web applications, malware, vulnerabilities and spam.

Key features:

  • Human-generated threat intelligence data
  • Threat intelligence collaboration
  • Centralized data platform
  • Integration with third-party intelligence tools
  • Early warning feed

For more, see our in-depth look at IBM X-Force Exchange.

Anomali ThreatStream

Anomali ThreatStream aggregates millions of threat indicators to identify new attacks, discover existing breaches, and enable security teams to quickly understand and contain threats. In addition to the 140 open-source feeds included with the product, Anomali makes it easy to extend the information collected by the TIP through the Anomali App store. Here, users can evaluate and purchase additional intelligence feeds. This additional information contextualizes threats to greatly reduce the occurrence of false positives.

A key differentiator for Anomali is its highly accurate machine-learning algorithm that assigns scores to indicators of compromise (IoCs) so security teams can prioritize mitigation tasks. ThreatStream also allows for integration with many popular SIEMs and orchestration platforms in order to strengthen threat identification and remediation workflows.

Key features:

  • De-duplication of data
  • Removal of false positives
  • Integration with third-party intelligence tools
  • Data extraction from suspected phishing emails
  • Offers some free threat intelligence tools

For more, see our in-depth look at Anomali ThreatStream.

SolarWinds Security Event Manager

SolarWinds Security Event Manager (SEM) is a powerful tool that combines event tracking with a threat intelligence feed. Not only is it able to identify both potential and active threats, but it can also automatically deploy responses to remediate them. SEM is able to identify and respond to threats in on-premises data centers as well as in cloud environments.

SolarWinds SEM was designed with a clear, centralized dashboard and command interface that makes it easy to keep track of identified threats and quickly take action to resolve security issues. This dashboard can also be used to create intelligence reports.

Key features:

  • Log event tracking
  • Log correlation and analysis
  • Centralized interface
  • Alarm system
  • Compliance reports

For more, see our in-depth look at SolarWinds Security Event Manager.

Palo Alto Networks AutoFocus

Palo Alto Networks AutoFocus contextual threat intelligence service makes threat analytics, with full context, available to organizations of all sizes. This hosted service gives security operations teams the intelligence, correlation, context and automated prevention workflows they need to identify and respond to events in real time.

AutoFocus also includes access to a repository of actionable intelligence from Unit 42, Palo Alto Networks’ internal threat research team. Unit 42 warns users of adversaries and campaigns that are targeting specific organizations so they can stop the threats.

Key features:

  • Researcher-curated context from Unit 42
  • Integration with third-party systems
  • Automated prevention workflows

For more, see our in-depth look at Palo Alto Networks AutoFocus.

LogRhythm Threat Lifecycle Management (TLM) Platform

LogRhythm Threat Lifecycle Management (TLM) Platform delivers a coordinated collection of data analysis and incident response capabilities to enable organizations around the globe to rapidly detect, neutralize and recover from security incidents. It can process 26 billion messages a day. The platform can also automate threat detection and prioritization with techniques ranging from pattern matching and advanced correlation to machine learning and statistical analysis.

Using big data technology and machine learning, this robust platform can deliver SIEM, log management, endpoint monitoring, Network Behavior Analytics (NB), User Entity Behavior Analytics (UEBA) and Security Automation Orchestration (SAO) capabilities. This combination of features culminates in a comprehensive, end-to-end threat management workflow.

Key features:

  • Automated threat detection
  • Third-party integrations
  • Reduced alarm fatigue

For more, see our in-depth look at LogRhythm Threat Lifecycle Management.

FireEye Mandiant Threat Intelligence Suite

The FireEye Mandiant Threat Intelligence Suite adds context and priority to global threats before, during and after an attack. Data is gleaned from the adversarial underground, virtual network detection sensors and Mandiant IR investigations from the world’s largest breaches. FireEye has more than 1,000 experts responding to incidents and researching attacks.

What sets FireEye apart from the competition is how its platform tailors strategic intelligence to an organization’s corporate risk management and business goals by providing highly contextual data, so users can align security strategies to respond to the most likely threats aimed at their organization.

Key features:

  • Strategic intelligence
  • Dark Web monitoring
  • Research tools and alerting

For more, see our in-depth look at FireEye iSIGHT Threat Intelligence.

LookingGlass Cyber Solutions

LookingGlass Cyber Solutions is an open source-based threat intelligence platform that delivers unified threat protection against sophisticated cyberattacks to global enterprises and government agencies by operationalizing threat intelligence. It’s augmented by a worldwide team of security analysts who enrich the data feeds.

LookingGlass aggregates structured and unstructured data from over 87 out-of-the-box feeds, as well as other commercial feeds purchased separately. It provides the most relevant data to a business by categorizing network elements into a repository called Collections. Its Threat Indicator Confidence scoring tool then uses this information to identify the highest priority risks facing an organization.

Key features:

  • Comes with a large collection of out-of-the-box feeds
  • Threat Indicator Confidence scoring tool
  • Collections repository

See our in-depth look at LookingGlass Cyber Solutions.

AT&T Cybersecurity

AT&T Cybersecurity – formerly AlienVault – Unified Security Management (USM) receives threat intelligence from AlienVault Labs and its massive Open Threat Exchange (OTX), the world’s largest crowd-sourced collaborative threat exchange. It provides centralized threat detection, incident response and compliance management for cloud and on-premises environments. With threat intelligence provided by AT&T Alien Labs, USM is updated automatically every 30 minutes, remaining at the forefront of evolving and emerging threats. This allows security teams to focus on responding to alerts rather than identifying them.

Key features:

  • Asset discovery
  • Threat detection
  • Incident response
  • Compliance management
  • Access to OTX

For more, see our in-depth look at AlienVault Unified Security Management.

What are threat intelligence platforms?

Threat Intelligence Platforms (TIPs) are critical security tools that use global security data to help proactively identify, mitigate and remediate security threats. New and continually evolving threats surface every day. Security analysts know that the key to staying ahead of these threats is to analyze data on them; the problem is how to efficiently collect high volumes of that data and derive actionable insights from it to proactively thwart future attacks.

How threat intelligence platforms work

TIPs aggregate security intelligence from vendors, analysts and other reputable sources about threats and suspicious activity detected all around the world through a tool called threat intelligence feeds. This data can come in the form of malicious IP addresses, domains, file hashes and more. TIPs then convert these advanced analytics into actionable intelligence for detecting malicious activity inside your network.

Threat intelligence platform features

The key feature of any threat intelligence platform is the ability to analyze and share threat data. These tools can identify signatures of threats on a network and relay that information to other installations, as well as pull information about new dangers from threat feeds. This makes threat intelligence platforms integral to stopping zero-day threats.

Another key feature is the ability to triage data and alerts when threats are identified. They will only send out alerts when legitimate threats arise to avoid an unnecessary flood of notifications that can muddy the waters for remediation, although the platforms may require some fine-tuning. To further assist with remediation, they can also assign a risk score so security teams can prioritize which issues to act on first.

Vulnerability management rounds out threat intelligence platforms’ features. These solutions can contain threats when they’re identified, saving security teams precious time to resolve the issues. They can also offer remediation instructions on common and emerging threats to further speed up the process.
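The feed-aggregation and triage features described above, as an added example that is not the page's or any vendor's code: indicators from two constructed feeds are normalized, de-duplicated across sources, given a risk score (the scoring scheme is an assumption of this example), and matched against constructed log lines so that only indicators above a threshold raise an alert.

```python
"""Added example (not the page's or any vendor's code): the TIP pipeline the page describes,
ingesting indicators from feeds, de-duplicating and scoring them, then matching log lines."""
import ipaddress
import re
# Constructed feeds and logs: feed entries are (indicator type, raw value, confidence 0-100).
FEEDS = {
    "feed_a": [
        ("ip", "203.0.113.45", 90),
        ("domain", "Malicious-Example.test.", 60),   # mixed case, trailing dot
        ("sha256", "A" * 64, 80),
    ],
    "feed_b": [
        ("domain", "malicious-example.test", 70),    # same domain as feed_a
        ("ip", "203.0.113.45", 40),                   # same IP, lower confidence
        ("domain", "benign-lookalike.test", 20),
        ("ip", "not-an-ip", 99),                      # malformed, must be dropped
    ],
}
LOGS = [
    "2021-03-01T10:00:01Z proxy src=10.0.0.7 dst=203.0.113.45 host=malicious-example.test",
    "2021-03-01T10:00:02Z dns query=benign-lookalike.test rcode=NOERROR",
    "2021-03-01T10:00:03Z av file=report.pdf sha256=" + "a" * 64,
]

def normalize(kind, value):
    """Canonical form of an indicator, or None if it is malformed or of unknown kind."""
    value = value.strip().lower()
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if kind == "domain":
        value = value.rstrip(".")
        return value if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value) else None
    if kind == "sha256":
        return value if re.fullmatch(r"[0-9a-f]{64}", value) else None

def build_index(feeds):
    """De-duplicate across feeds: {(kind, value): {"sources": set, "confidence": max}}."""
    index = {}
    for source, entries in feeds.items():
        for kind, raw, confidence in entries:
            value = normalize(kind, raw)
            if value is None:
                continue  # drop malformed indicators rather than alert on them
            entry = index.setdefault((kind, value), {"sources": set(), "confidence": 0})
            entry["sources"].add(source)
            entry["confidence"] = max(entry["confidence"], confidence)
    return index
def risk_score(entry):
    """Assumed scheme: best confidence plus 10 per corroborating feed, capped at 100."""
    return min(100, entry["confidence"] + 10 * (len(entry["sources"]) - 1))
TOKEN = re.compile(r"[A-Za-z0-9.-]+")
def match_logs(index, lines, threshold=50):
    """Return (line_no, kind, value, score) for tokens hitting an indicator scored >= threshold."""
    lookup = {v: (k, risk_score(e)) for (k, v), e in index.items()}
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN.findall(line):
            tok = tok.lower().rstrip(".")
            if tok in lookup and lookup[tok][1] >= threshold:
                hits.append((n, lookup[tok][0], tok, lookup[tok][1]))
    return hits
```

With the constructed data, the corroborated IP and domain and the single-source hash are alerted on, while the low-confidence lookalike domain and the malformed entry never reach the alert stage.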

Threat intelligence vs. anti-virus software

There are two methods for generating threat intelligence: human intelligence providers or machine-generated intelligence. Human intelligence comes from security expert-operated research labs that identify attack trends and send out updates to security products. These labs are often run by the vendor of the product.

Machine-generated intelligence comes from the security products themselves. As they identify attack signatures and anomalous behavior, they can transmit that data to all other security products from that vendor in real-time. This process also includes live threat feeds that can pull new attack signatures from multiple sources, including security expert research labs, to keep up with advanced and evolving threats.

Most traditional anti-virus solutions receive updates on new threats from a single source – the vendor’s research team. Relying solely on a team of researchers can be slow and can limit the flow of information, and such a team may not be able to keep up with new threats as they arise.

Threat intelligence platforms that use machine-generated intelligence have the upper hand when it comes to identifying new threats quickly. Each installed program acts as a composite detection, analysis and remediation bundle, so together they can do everything a research team can.

Other threat intelligence market leaders

RSA NetWitness Suite is a threat detection and response platform that allows security teams to rapidly detect and understand the scope of a compromise by leveraging logs, packets, NetFlow, endpoints and threat intelligence.

Cisco Threat Intelligence Director (TID) is a feature in Cisco’s Firepower Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID serves Cisco’s Next-Generation Firewall (NGFW) product.

SonicWall Network Security services platform includes real-time threat intelligence from the aggregation, normalization, and contextualization of security data.

CrowdStrike Falcon integrates threat intelligence into endpoint protection, automating incident investigations and speeding breach response. It is supported by the CrowdStrike Falcon Intelligence team.

ThreatConnect provides intelligence, automation, analytics, and workflows in one platform.

Symantec DeepSight Intelligence draws its visibility from the Symantec Global Intelligence Network, the largest civilian threat collection network, which tracks over 700,000 global adversaries.

LookingGlass Strategic Intelligence Subscription Service offers a digital library of actionable and relevant finished intelligence reports, augmented by analysts who enrich the data feeds and provide timely insights.

Accenture iDefense provides security intelligence through the IntelGraph platform that provides context, visualizations, advanced searching and alerting.

Proofpoint Emerging Threat (ET) Intelligence provides threat intelligence feeds to identify suspicious or malicious activity.

McAfee Advanced Threat Defense includes threat intelligence sharing to locate hidden threats.

CenturyLink Analytics and Threat Management gives users access to actionable, prioritized threat data that is correlated to customer IP addresses.

Imperva Threat Intelligence combines threat research from Imperva security researchers, threat intelligence from a variety of partners, and crowdsourced live data.

Check Point ThreatCloud combines threat prevention technology with threat analysis to prevent attacks.

Kyle Guercio
Kyle Guercio has worked in content creation for six years contributing blog posts, featured news articles, press releases, white papers, and more for a wide variety of subjects in the technology space. He covers topics relating to servers and cybersecurity and has contributed to ServerWatch and Webopedia.com.
