Threat intelligence is evidence-based knowledge about attackers, their infrastructure and their tooling, gathered from sources around the world and used to detect and prioritize malicious activity inside your own network.
Threat intelligence solutions take several forms. Threat intelligence feeds deliver data from vendors, analysts and other sources about threats and unusual activity observed around the world: malicious IP addresses, domains, URLs, file hashes and similar indicators of compromise (IOCs) stream in continuously from external parties. Matched against a company's own logs and traffic, they help it recognize attacker infrastructure and tooling that may already be touching its network. Raw feeds have practical limits, though: indicators age quickly as attackers rotate infrastructure, different feeds overlap and sometimes contradict one another, and a feed that lists shared hosting or a content delivery network as malicious will generate false positives until it is filtered.
Threat intelligence platforms (TIPs) take this a step further. They ingest one or many feeds, normalize and de-duplicate the indicators, score them and enrich them with context (such as the threat actor, campaign or malware family they are tied to), and apply analytics to surface patterns across feeds and across the organization's own telemetry.
At a minimum, a threat intelligence platform should provide actionable indicators that can be used to identify potential threats to an organization (such as known bad IP addresses and URLs, and malware hashes), and support collaboration and investigation workflows for the security analyst and the broader community.
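The core of what a feed consumer or a TIP does, as an added example that is not code from the original page or from any vendor listed here: read indicators from two feeds in different formats, normalize and de-duplicate them, drop anything on an allow-list of known-good infrastructure (a common false-positive source), keep the strongest confidence score seen for each indicator while recording which feeds reported it, and then match the consolidated set against log lines. The two feeds, the allow-list, the log format and the log lines are all constructed sample data; real feeds would arrive over HTTP, STIX/TAXII or a vendor API.

```python
"""Consolidate indicator feeds and match them against logs (added example)."""
import csv
import io
import ipaddress
import json
import re
from dataclasses import dataclass, field

# Constructed sample feed 1: CSV with a duplicate row at a lower confidence.
FEED_CSV = """type,value,confidence
ip,203.0.113.45,80
domain,Malware-Update.Example.net,70
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,90
ip,203.0.113.45,60
"""

# Constructed sample feed 2: JSON; overlaps feed 1, lists a known-good CDN
# host by mistake, and contains one malformed IP entry.
FEED_JSON = json.dumps([
    {"type": "domain", "value": "malware-update.example.net", "confidence": 85},
    {"type": "ip", "value": "198.51.100.7", "confidence": 50},
    {"type": "domain", "value": "cdn.example.com", "confidence": 40},
    {"type": "ip", "value": "not-an-ip", "confidence": 90},
])

# Infrastructure we know is legitimate; feeds that list it are filtered here.
ALLOW_LIST = {"cdn.example.com"}


@dataclass
class Indicator:
    kind: str
    value: str
    confidence: int
    sources: set = field(default_factory=set)


def normalize(kind, value):
    """Return a canonical (kind, value) key, or None if the value is malformed."""
    value = value.strip()
    if kind == "ip":
        try:
            return kind, str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if kind == "domain":
        return kind, value.lower().rstrip(".")
    if kind == "sha256":
        return (kind, value.lower()) if re.fullmatch(r"[0-9a-fA-F]{64}", value) else None
    return None


def consolidate(feeds):
    """feeds: iterable of (source_name, list of {type, value, confidence}) pairs."""
    merged = {}
    for source, records in feeds:
        for rec in records:
            key = normalize(rec["type"], rec["value"])
            if key is None or key[1] in ALLOW_LIST:
                continue  # malformed or allow-listed: do not alert on it
            conf = int(rec.get("confidence", 0))
            ind = merged.get(key)
            if ind is None:
                merged[key] = Indicator(key[0], key[1], conf, {source})
            else:
                ind.confidence = max(ind.confidence, conf)  # keep the strongest verdict
                ind.sources.add(source)
    return merged


# Constructed sample log lines in a simple key=value format.
LOG_LINES = [
    "2024-05-01T10:00:00Z proxy src=10.0.0.5 dst=203.0.113.45 host=malware-update.example.net",
    "2024-05-01T10:00:01Z proxy src=10.0.0.6 dst=93.184.216.34 host=cdn.example.com",
    "2024-05-01T10:00:02Z edr host=ws07 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"host=([A-Za-z0-9.-]+)")
HASH_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")


def match_logs(indicators, lines, min_confidence=0):
    """Return (line, indicator) pairs for every indicator seen in a log line."""
    hits = []
    for line in lines:
        candidates = ([("ip", v) for v in IP_RE.findall(line)]
                      + [("domain", v) for v in DOMAIN_RE.findall(line)]
                      + [("sha256", v) for v in HASH_RE.findall(line)])
        for kind, raw in candidates:
            key = normalize(kind, raw)
            ind = indicators.get(key) if key else None
            if ind and ind.confidence >= min_confidence:
                hits.append((line, ind))
    return hits


def run(min_confidence=0):
    feeds = [("feed_csv", list(csv.DictReader(io.StringIO(FEED_CSV)))),
             ("feed_json", json.loads(FEED_JSON))]
    indicators = consolidate(feeds)
    return indicators, match_logs(indicators, LOG_LINES, min_confidence)


if __name__ == "__main__":
    indicators, hits = run()
    for ind in indicators.values():
        print(ind.kind, ind.value, ind.confidence, sorted(ind.sources))
    for line, ind in hits:
        print("HIT", ind.kind, ind.value, "<-", line)
```

Running it yields four consolidated indicators (the duplicate IP collapses to one entry at confidence 80, the domain reported by both feeds rises to 85 with two sources, the CDN host and the malformed IP are dropped) and three hits across the sample logs. Raising `min_confidence` to 85 suppresses the lower-scored IP match, which is the knob a team turns when a feed is noisy. The same key-value extraction would be replaced by your SIEM's field parsing in practice.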
Here are eight of the top threat intelligence platforms – some offer a free version for lower-volume users – and we also include a chart comparing the products' features at the bottom of this page. The vendors covered in this guide are those that most closely meet the criteria for threat intelligence platforms as laid out by Forrester Research in Rules Of Engagement: A Call To Action To Automate Breach Response and Vendor Landscape: External Threat Intelligence, 2017. Key features include the consolidation of threat intelligence feeds from multiple sources, automated identification and containment of new attacks, security analytics, and integration with other security tools.
- IBM X-Force Exchange
- Anomali ThreatStream
- Palo Alto Networks AutoFocus
- RSA NetWitness Suite
- LogRhythm Threat Lifecycle Management (TLM) Platform
- FireEye iSIGHT Threat Intelligence
- LookingGlass Cyber Solutions
- AlienVault Unified Security Management (USM)
- Honorable Mentions
IBM X-Force Exchange is a collaborative threat intelligence platform that helps security analysts research threat indicators to help speed time to action – and is free up to 5,000 records a month. It boasts unlimited scalability and queries, and offers intelligence on IP and URL reputation, web applications, malware, vulnerabilities and spam.
See our in-depth look at IBM X-Force Exchange.
Anomali ThreatStream aggregates millions of threat indicators to identify new attacks, discover existing breaches, and enable security teams to quickly understand and contain threats. Features include de-duplication of data, removal of false positives, integration with other security tools, and extraction of indicators from suspected phishing emails for immediate blocking. The company also offers a couple of free threat intelligence tools.
See our in-depth look at Anomali ThreatStream.
Palo Alto Networks AutoFocus contextual threat intelligence service makes threat analytics, with full context, available to organizations of all sizes. This hosted security service arms security operations professionals with the intelligence, correlation, context and automated prevention workflows needed to identify and respond to events in real time.
See our in-depth look at Palo Alto Networks AutoFocus.
RSA NetWitness Suite is a threat detection and response platform that allows security teams to rapidly detect and understand the scope of a compromise by leveraging logs, packets, NetFlow, endpoints and threat intelligence. By aligning business context with security risks, it can analyze, prioritize and investigate threats. The threat intelligence product has no scalability limits.
See our in-depth look at RSA NetWitness Suite.
LogRhythm Threat Lifecycle Management (TLM) Platform delivers a coordinated collection of data analysis and incident response capabilities to enable organizations around the globe to rapidly detect, neutralize and recover from security incidents. It can process 26 billion messages a day.
See our in-depth look at LogRhythm Threat Lifecycle Management.
See LogRhythm Threat Lifecycle Management user reviews.
FireEye iSIGHT Threat Intelligence adds context and priority to global threats before, during and after an attack. Data is gleaned from the adversarial underground, virtual network detection sensors and Mandiant IR investigations from the world’s largest breaches. FireEye has more than 1,000 experts responding to incidents and researching attacks.
See our in-depth look at FireEye iSIGHT Threat Intelligence.
LookingGlass Cyber Solutions is an open source-based threat intelligence platform that delivers unified threat protection against sophisticated cyberattacks to global enterprises and government agencies by operationalizing threat intelligence. Augmenting it is a worldwide team of security analysts who enrich the data feeds.
See our in-depth look at LookingGlass Cyber Solutions.
AlienVault Unified Security Management (USM) receives threat intelligence from AlienVault Labs and its massive Open Threat Exchange (OTX) crowd-sourced collaborative threat exchange. It provides centralized threat detection, incident response and compliance management for cloud and on-premises environments. It scales from very small to large companies.
SolarWinds Threat Monitor offers threat intelligence, SIEM, log correlation and analysis, network intrusion and host intrusion detection systems.
Cisco Threat Intelligence Director (TID) is a feature in Cisco's Firepower Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID serves Cisco's Next Generation Firewall (NGFW) product.
SonicWall Network Security services platform includes real-time threat intelligence from the aggregation, normalization, and contextualization of security data.
Crowdstrike Falcon integrates threat intelligence into endpoint protection, automating incident investigations and speeding breach response. It is supported by the CrowdStrike Falcon Intelligence team.
ThreatConnect provides intelligence, automation, analytics, and workflows in one platform.
Symantec DeepSight Intelligence draws on the Symantec Global Intelligence Network, described by the company as the largest civilian threat collection network, and tracks over 700,000 global adversaries.
LookingGlass Strategic Intelligence Subscription Service offers a digital library of actionable and relevant finished intelligence reports, augmented by analysts who enrich the data feeds and provide timely insights.
Accenture iDefense provides security intelligence through the IntelGraph platform that provides context, visualizations, advanced searching and alerting.
Proofpoint Emerging Threat (ET) Intelligence provides threat intelligence feeds to identify suspicious or malicious activity.
McAfee Advanced Threat Defense includes threat intelligence sharing to locate hidden threats.
CenturyLink Analytics and Threat Management gives users access to actionable, prioritized threat data that is correlated to customer IP addresses.
Imperva Threat Intelligence combines threat research from Imperva security researchers, threat intelligence from a variety of partners, and live crowdsourced data.
Check Point ThreatCloud combines threat prevention technology with threat analysis to prevent attacks.
| Product | Typical customers | Scale | Analytics | Delivery | Pricing |
|---|---|---|---|---|---|
| IBM X-Force Exchange | Retailers, financial services, enterprise | Unlimited queries per month, and up to 5,000 records per month | Machine learning and IBM Watson analytics | Web browser, or an API that integrates with existing security solutions | API is free for 5,000 records/month; commercial API starts at $2,000 per user/month |
| Anomali ThreatStream | Financial services, enterprise | Can process millions of indicators of compromise (IOCs) | Machine learning and integration with other security platforms | SaaS, on-premises, or hybrid | Varies based on customer environment |
| Palo Alto Networks AutoFocus | Large enterprises | Receives hundreds of millions of samples per month, and over a trillion artifacts across petabytes of data | Statistical analytics, correlation and machine learning | SaaS-based security service | Per-user annual subscription or enterprise-wide license |
| RSA NetWitness Suite | Financial institutions, governments, and oil/gas/energy/telcos | Can ingest 30,000 events per second (EPS) per system and up to 100,000 endpoints per system | Automated segmentation and enforcement | On premises, in private clouds, on virtual machines, or in public cloud | Tiered throughput or subscription licensing |
| LogRhythm TLM Platform | Financial services, retail, manufacturing, and government | 26 billion messages per day and over 10,000 GB per day | Pattern matching and advanced correlation through to machine learning and statistical analysis | Software and hardware | Begins at $27,000 |
| FireEye iSIGHT Threat Intelligence | Financial services, government and IT | More than 1,000 experts responding to incidents and researching attacks | Automation takes it from alert to fix in seconds | API integration, intelligence portal, and email delivery | Subscriptions range from $100,000 to $500,000 |
| LookingGlass Cyber Solutions | Enterprise and third-party risk monitoring | Over 140 sources of threat data gathered | Machine-readable threat intelligence | Hosted or on-premises | Open-source business model |
| AlienVault USM | Companies with smaller IT security teams | Receives 10 million indicators of compromise every day | Automation and machine learning | Cloud, virtual or hardware appliance | Monthly subscription; tiers start at $1,575/month for a 250 GB data volume |