Threat intelligence is a critical security tool that uses global security intelligence to detect malicious activity inside your network.
These solutions can take a number of different forms. Threat intelligence feeds take security data from vendors, analysts and other sources about threats and unusual activity happening all around the world. Malicious IP addresses, domains, file hashes and other data stream in constantly from external parties. This can help companies understand behaviors that might be affecting their own networks.
Threat intelligence platforms (TIPs) take this a step further. They incorporate one or many data feeds and subject the data to detailed analysis. Advanced analytics are used to isolate unusual patterns in systems and mine other valuable data.
At a minimum, a threat intelligence platform should have actionable indicators that can be used to identify potential threats to an organization (such as known bad IP addresses and URLs, and malware hashes), and support collaboration and investigation workflow for the security analyst and broader community.
Here are eight of the top threat intelligence platforms – some offer a free version for lower-volume users – and we also include a chart comparing the products' features at the bottom of this page. The vendors covered in this guide are those that most closely meet the criteria for threat intelligence platforms as laid out by Forrester Research in Rules Of Engagement: A Call To Action To Automate Breach Response and Vendor Landscape: External Threat Intelligence, 2017. Key features include the consolidation of threat intelligence feeds from multiple sources, automated identification and containment of new attacks, security analytics, and integration with other security tools.
- IBM X-Force Exchange
- Anomali ThreatStream
- Palo Alto Networks AutoFocus
- RSA NetWitness Suite
- LogRhythm Threat Lifecycle Management (TLM) Platform
- FireEye iSIGHT Threat Intelligence
- LookingGlass Cyber Solutions
- AlienVault Unified Security Management (USM)
- Honorable Mentions
IBM X-Force Exchange is a collaborative threat intelligence platform that helps security analysts research threat indicators to help speed time to action – and is free up to 5,000 records a month. It boasts unlimited scalability and queries, and offers intelligence on IP and URL reputation, web applications, malware, vulnerabilities and spam.
See our in-depth look at IBM X-Force Exchange.
Anomali ThreatStream aggregates millions of threat indicators to identify new attacks, discover existing breaches, and enable security teams to quickly understand and contain threats. Features include: de-duplication of data, removal of false positives; integration with other security tools and extracting data from suspected phishing emails for immediate blocking. The company also offers a couple of free threat intelligence tools.
See our in-depth look at Anomali ThreatStream.
Palo Alto Networks AutoFocus contextual threat intelligence service makes threat analytics, with full context, available to organizations of all sizes. This hosted security service arms security operations professionals with the intelligence, correlation, context and automated prevention workflows needed to identify and respond to events in real time.
See our in-depth look at Palo Alto Networks AutoFocus.
RSA NetWitness Suite is a threat detection and response platform that allows security teams to rapidly detect and understand the scope of a compromise by leveraging logs, packets, NetFlow, endpoints and threat intelligence. By aligning business context with security risks, it can analyze, prioritize and investigate threats. The threat intelligence product has no scalability limits.
See our in-depth look at RSA NetWitness Suite.
LogRhythm Threat Lifecycle Management (TLM) Platform delivers a coordinated collection of data analysis and incident response capabilities to enable organizations around the globe to rapidly detect, neutralize and recover from security incidents. It can process 26 billion messages a day.
See our in-depth look at LogRhythm Threat Lifecycle Management.
See LogRhythm Threat Lifecycle Management user reviews.
FireEye iSIGHT Threat Intelligence adds context and priority to global threats before, during and after an attack. Data is gleaned from the adversarial underground, virtual network detection sensors and Mandiant IR investigations from the world’s largest breaches. FireEye has more than 1,000 experts responding to incidents and researching attacks.
See our in-depth look at FireEye iSIGHT Threat Intelligence.
LookingGlass Cyber Solutions is an open source-based threat intelligence platform that delivers unified threat protection against sophisticated cyberattacks to global enterprises and government agencies by operationalizing threat intelligence. Augmenting it is a worldwide team of security analysts who enrich the data feeds.
See our in-depth look at LookingGlass Cyber Solutions.
AlienVault Unified Security Management (USM) receives threat intelligence from AlienVault Labs and its massive Open Threat Exchange (OTX) crowd-sourced collaborative threat exchange. It provides centralized threat detection, incident response and compliance management for cloud and on-premises environments. It scales from very small to large companies.
SolarWinds Threat Monitor offers threat intelligence, SIEM, log correlation and analysis, network intrusion and host intrusion detection systems.
Cisco Threat Intelligence Director (TID) is a feature in Cisco's Firepower Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID serves Cisco's Next Generation Firewall (NGFW) product.
SonicWall Network Security services platform includes real-time threat intelligence from the aggregation, normalization, and contextualization of security data.
Crowdstrike Falcon integrates threat intelligence into endpoint protection, automating incident investigations and speeding breach response. It is supported by the CrowdStrike Falcon Intelligence team.
ThreatConnect provides intelligence, automation, analytics, and workflows in one platform.
Symantec DeepSight Intelligence consists of visibility provided by the Symantec Global Intelligence Network, the largest civilian threat collection network and tracks over 700,000 global adversaries.
LookingGlass Strategic Intelligence Subscription Service offers a digital library of actionable and relevant finished intelligence reports, augmented by analysts who enrich the data feeds and provide timely insights.
Accenture iDefense provides security intelligence through the IntelGraph platform that provides context, visualizations, advanced searching and alerting.
Proofpoint Emerging Threat (ET) Intelligence provides threat intelligence feeds to identify suspicious or malicious activity.
McAfee Advanced Threat Defense includes threat intelligence sharing to locate hidden threats.
CenturyLink Analytics and Threat Management gives uses access to actionable, prioritized threat data that is correlated to customer IP addresses.
Imperva Threat Intelligence combines threat research from Imperva security researchers, threat intelligence from a variety of partners, and live data crowdsourced.
Check Point ThreatCloud combines threat prevention technology with threat analysis to prevent attacks.