Being aware of the threat in your environment is very important to cybersecurity teams.
Cyberattacks and Advanced Persistent Threats are on an upward trend, giving IT departments many additional security challenges to consider.
Collecting threat data has resulted in information overload in many cases, and companies are not necessarily getting value from all of the different data points relating to threat data.
In an effort to combat this phenomenon many businesses have deployed Threat Intelligence platforms as a means to track, manage and combat cyber threats.
Most businesses, if not all, are vulnerable to the current generation of cybercriminal activity.
The most visible threats are ransomware, DDoS, Zero-Day attacks and many other constant threats that could be described as APTs.
Smaller businesses are especially at risk because most do not have a well defined security plan in place to ensure that they can combat these threats effectively, leading to increased vulnerability. Part of this is because of the prohibitively costly outlays that a proper security plan and cyber threat detection and elimination system come with.
However, the vast majority of security conscious SMBs are putting safety measures in place to protect their data and digital systems.
As a result, the threat intelligence segment is forecast to grow by staggering margins, making the sector a very well developed one.
This means that many more competitors are beginning to come to the market with innovative and impressive products, which gives business consumers more options than ever before.
With this in mind we will be delving into the current state of the market so that we can evaluate some of the current generation products that are finding their way onto corporate networks.
Here are the best Threat Intelligence Platforms of 2019:
Anomali Threat Platform
Anomali Threat Platform is a system that is built on the premise that it is better to know who your enemies are than it is to randomly protect yourself from unknown threats.
Anomali uses advanced threat detection at the core of its product, and this helps it to defend your network against intruders and malware.
It gives your security team the ability to collect and analyze data from multiple feeds such as OSINT, STIX/TAXII and ISACs.
You only need to use the feeds that you want, meaning that you can purchase additional feeds from the Anomali APP Store as and when the need arises.
Another powerful tool in this security stack is the product’s Machine Learning feature. This allows your team to leverage advanced threat intelligence which has the added benefit of reducing false positives.
The way that Anomali gathers and normalizes data from multiple sources means that you can have a single point and source of information while accepting multiple feeds from different systems.
This gives you a centralized view of the current threats on your network and will ultimately allow you to have the visibility that you need to monitor and evaluate your organization’s current vulnerability state. This gives security analysts a true advantage, as they are able to quickly and easily observe the data in a single view.
Threat detection is another area where this product starts to shine. Anomali is able to apply a weighted scoring algorithm to the gathered data, and ultimately makes it easy for you to rank the most serious threats in order. This allows for a more effective threat response.
On top of standard threat detection Anomali is able to look at the historical data that you gather and compare it to new threats that are identified.
This can help you to establish trends and historical data and measure it against past incidents.
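As an added illustration (not Anomali's code), the block below shows how a platform can normalize indicators from two differently shaped feeds, a STIX 2.1 bundle and a CSV OSINT list, merge duplicates, and rank them with a weighted score that combines confidence, per-source trust and recency. The feeds, the source weights, the fixed "now" and the 90-day decay horizon are constructed assumptions.

```python
"""Normalize indicators from two feed formats and rank them with a weighted
score, the way a threat intelligence platform does (added example; feeds,
weights and timestamps are constructed assumptions)."""
import csv
import io
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle; object shape follows the STIX 2.1 indicator
# object, values are made up for this example.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2019-05-01T10:00:00.000Z",
         "modified": "2019-05-01T10:00:00.000Z",
         "pattern": "[ipv4-addr:value = '198.51.100.23']",
         "pattern_type": "stix", "confidence": 80,
         "valid_from": "2019-05-01T10:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2019-04-01T10:00:00.000Z",
         "modified": "2019-04-01T10:00:00.000Z",
         "pattern": "[domain-name:value = 'bad.example']",
         "pattern_type": "stix", "confidence": 40,
         "valid_from": "2019-04-01T10:00:00Z"},
    ],
})

# Constructed OSINT-style CSV feed: value,type,confidence,last_seen
OSINT_CSV = """value,type,confidence,last_seen
198.51.100.23,ipv4,60,2019-05-02
evil.example,domain,90,2019-03-01
"""

SOURCE_WEIGHT = {"stix": 1.0, "osint": 0.7}         # assumed trust per feed
NOW = datetime(2019, 5, 3, 10, 0, tzinfo=timezone.utc)  # fixed for reproducibility

# Maps STIX cyber-observable paths to the normalized type names used here.
STIX_TYPES = {"ipv4-addr:value": "ipv4", "domain-name:value": "domain", "url:value": "url"}
STIX_PATTERN = re.compile(r"^\[([\w-]+:value)\s*=\s*'([^']+)'\]$")


@dataclass
class Indicator:
    value: str
    itype: str                                        # ipv4, domain or url
    observations: list = field(default_factory=list)  # (source, confidence, last_seen)


def parse_stix(bundle_json):
    """Yield (value, type, confidence, last_seen) from a STIX 2.1 bundle.
    Only single-comparison indicator patterns are handled; others are skipped."""
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = STIX_PATTERN.match(obj.get("pattern", ""))
        if not m or m.group(1) not in STIX_TYPES:
            continue  # a real platform would log the unsupported pattern
        seen = datetime.strptime(obj["valid_from"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield m.group(2), STIX_TYPES[m.group(1)], int(obj.get("confidence", 50)), seen


def parse_osint_csv(text):
    """Yield (value, type, confidence, last_seen) from the CSV feed."""
    for row in csv.DictReader(io.StringIO(text)):
        seen = datetime.strptime(row["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        yield row["value"].strip(), row["type"], int(row["confidence"]), seen


def normalize(feeds):
    """Merge observations of the same (type, value) seen in any feed."""
    merged = {}
    for source, records in feeds.items():
        for value, itype, conf, seen in records:
            key = (itype, value.lower())
            merged.setdefault(key, Indicator(value.lower(), itype)).observations.append((source, conf, seen))
    return list(merged.values())


def score(ind, now=NOW, horizon_days=90):
    """Weighted score in [0, 100]: best single observation (confidence x source
    trust x linear recency decay) plus 10 points per corroborating extra source."""
    best = 0.0
    for source, conf, seen in ind.observations:
        recency = max(0.0, 1 - (now - seen).days / horizon_days)
        best = max(best, conf * SOURCE_WEIGHT.get(source, 0.5) * recency)
    sources = {s for s, _, _ in ind.observations}
    return min(100.0, best + 10 * (len(sources) - 1))


def rank(feeds, now=NOW):
    return sorted(normalize(feeds), key=lambda i: score(i, now), reverse=True)


def rank_sample_feeds():
    """Rank the constructed feeds; returns [(value, rounded score, sources)]."""
    feeds = {"stix": parse_stix(STIX_BUNDLE), "osint": parse_osint_csv(OSINT_CSV)}
    return [(i.value, round(score(i), 1), sorted({s for s, _, _ in i.observations}))
            for i in rank(feeds)]


if __name__ == "__main__":
    for value, s, sources in rank_sample_feeds():
        print(f"{s:6.1f}  {value:16}  sources={sources}")
```

Note how the stale high-confidence OSINT domain ranks last: recency and corroboration, not raw confidence, decide the order.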
Anomali can also be integrated into your current stack, adding another layer to your existing security measures.
Detection is also assisted through the use of some of the best threat intelligence sources available. This is also customizable so that you can iteratively arrange your response patterns.
Automation is another huge part of this platform’s appeal, as many of the detection and reporting steps are done without human intervention.
This means that all the repetitive and tedious tasks can be set up to run on a schedule, or whenever they are needed.
This eliminates the need to evaluate and standardize your massive payloads of threat data, which saves time.
You can add additional insight to each of the indicators in order to enrich your data collection efforts. You can also greatly strengthen your workflows by integrating with your existing orchestration platforms.
Further integration is therefore possible with SIEM and EDR solutions as Anomali allows for enhanced alert generation through integrations.
This helps with prioritizing and alerting your teams about any potential incidents and breaches. You can also actively block high severity threats through integrations with FW and IPS.
BlueVoyant Threat Intelligence Services
BlueVoyant Threat Intelligence Services seek to protect networks from malicious activity such as data theft, brand impersonation and other forms of cyber criminality.
This includes fake websites, phishing schemes and typo squatting.
The main premise is that you are dealing with well-financed and well established bad actors that are capable of initiating advanced threats and attacks.
These kinds of attacks have traditionally managed to escape the normal detection methods and countermeasures that are in place.
BlueVoyant is different because it is able to assess emerging risks and analyze the external threat sources and surfaces of your company.
BlueVoyant provides you with an early warning feature that will help you to prepare for a cyber attack.
This helps to reduce the risk of malicious activity from outside of your network through the internet.
This is all made possible thanks to the experts behind the scenes that help to classify and create a profile for your network based on their data collection.
They are able to build an accurate picture of how easy your systems are to compromise from an attacker’s perspective.
BTIS (BlueVoyant Threat Intelligence Services) is a series of solutions that apply large proprietary data sets to your sites.
From this data set they are able to identify and examine specific risks that are present on your network, and they can help you to remain safe from those threats.
Many services are on offer; more information about all of them, as well as new services, can be found here.
Threat Enrichment is a type of alerting system but with a few enhancements.
It provides you with a way to look at a holistic picture of the threat landscape and allows your team to focus on the areas that need the most visibility.
The analysis and Threat Intelligence teams are then able to give you a proper explanation of what is likely the best way to protect your network from any potential attacks.
Threat Operations is a way to access the deep and often neglected threat information that relates to your network.
It is able to give you a deeper in-depth investigation toolset that helps you to unearth new information about cyber attacks and attempts on your network.
It also has insider threat capabilities, making it very valuable to your cyber security team.
BlueVoyant also uses an embedded critical component and differentiator that is built into the system. Other components include:
- Bin Watcher:
Identifies stolen credit card numbers and helps to protect you and your customers from bad transactions
- Brand Watcher:
Finds any deception tactics relating to your brand such as look alike domain names and webpages. It features a malicious take down service too.
- Credential Watcher:
This highlights the employee and username credentials that appear in compromised lists, giving you the ability to lock down or change passwords on such accounts.
For more information about BlueVoyant and to request a demo be sure to check here.
Cisco Talos
Cisco’s Talos Security Intelligence and Research Group is a collective of professionals that performs some of the world’s foremost threat research.
They have advanced systems at their disposal to help create some of the world’s most advanced threat detection systems.
It plugs into Cisco’s existing technologies and helps to detect, analyze and protect against both known and upcoming threats.
Talos is responsible for maintaining the rule set for snort.org, ClamAV, SenderBase.org and SpamCop, so its acceptance in the market is evident.
Talos is slightly different to the other software products that we will be looking at today, mainly because it is not a single application.
Instead, it is a series of tools and professionals that are able to assist their customers with advanced threat detection and management.
Each of the tools listed below is available from the Talos website here, and they can help you to understand the kinds of threats that they are there to help you with.
An open source intrusion prevention system that also acts as a real-time traffic analyzer and packet logger.
This is a barebones packet logger that allows users to soft tap on NSM network environments.
This is an open source antivirus engine that is very good at detecting trojans, viruses and other malware.
This is a software security framework that contains an assortment of automated tools that allow for vulnerability scans.
This tool is for analyzing and detecting PE section hashes associated with executable files. It feeds into ClamAV and lets you create simple ClamAV based signatures.
This is a malware protection system that uses cloud computing and social networking sources to help plug security gaps with community security.
- SYNful Knock Scanner:
This is a network scanner that detects SYNful Knock router malware and advises you what to do if your systems are infected.
- TeslaCrypt Decryption Tool:
This is an opensource command line tool that is used for decrypting TeslaCrypt ransomware.
- MBR Filter:
This is a disk filter that blocks access to a hard drive’s Master Boot Record, which is where certain types of malware write themselves to avoid detection and to propagate.
- Thanatos Decrypter:
This is another decryption tool that is to be used via the command line to decrypt files affected by Thanatos ransomware.
Also known as the Function Identification and Recovery Signature Tool, this is an IDA Pro plugin that is used by reverse engineers.
This is another opensource tool that lets users extract Locky configurations and dump them to a file location. This has all known variants of Locky covered, such as .locky, .zepto and .odin based ransomware.
There are many more tools available via the Cisco Talos website, as well as a very detailed blog, which covers the current state of information security as it relates to new threats and trends within the information sector.
More information about this invaluable resource can be found here.
CrowdStrike Falcon X
CrowdStrike Falcon X is another threat intelligence platform that seeks to integrate with endpoint protection and automated incident investigations.
This speeds up the overall incident response and investigation process and is a valuable tool for your cybersecurity team.
The product offers instant threat analysis as each threat reaches your endpoints on the network as well as collaboration with the global CrowdStrike Falcon Intelligence team.
The overall process helps to enable a predictive analysis model, which is good news for information security professionals.
FalconX offers a few other compelling features that make it an ideal choice for any enterprise that is looking to button down their security and strengthen their cyber security protection efforts. They are:
- Threat Intelligence:
This is the automatic investigation component that all incidents pass through, allowing the system to learn from all attacks that occur on the network and within your environment. These threats are then analyzed very quickly, usually within minutes, which lets users of the software respond much more quickly.
- Custom Indicators:
Orchestration is an important aspect of any cyber security effort, and FalconX allows for custom indicators to be used in this process. Indicators of Compromise (IOCs) are generated from observed threats and are then used to mount an active defense against attacks that might come in the future.
- CrowdStrike Expertise:
Having professional support is vital in cybersecurity, so CrowdStrike makes their teams available to their customers. There are threat analysts, security researchers and cultural experts and linguists that all work together to provide you with a solution that helps to identify and neutralize threats much faster than conventional standalone systems.
FalconX has many other features that are especially useful in a cyber security context, such as:
- Endpoint Integration:
All files that get quarantined by CrowdStrike can also be automatically investigated by FalconX if it is configured in this way.
- Threat Intelligence:
In order to successfully deal with an attack, there needs to be an understanding of who is carrying it out. Threat Intelligence is there to help identify and predict future attacks based on information from past and present ones.
- Malware Analysis:
File analysis is done within Falcon’s Sandbox environment so that no damage can occur to external systems. A full range of tests are performed on the malware instances that are sent to this environment so that all information about the instance can be learned.
- Malware Search:
Being able to automatically discover threats is crucial in complicated network environments that span many different locations. FalconX helps to find related instances and campaigns of malware, which it then uses to help defend against future attacks.
- Custom Intelligence:
FalconX generates custom IOC data for threats that your system has already dealt with. From this information it generates information about threats that you are likely to encounter going forward. This information can also be shared with other systems so that added protection is available where FalconX cannot be installed.
Other features include weekly threat reports, actor profiles and indicators, threat orchestration and cloud based architecture.
Digital Shadows Shadow Search
Digital Shadows is a company that specializes in digital security.
They offer a wide range of products such as Phishing Protection, Dark Web Monitoring, Account Takeover Prevention, Threat Intelligence, Data Leakage Detection and Digital Footprint Monitoring.
Digital Shadows SearchLight is part of the Threat Intelligence solution that they offer.
It protects against threats that are external to your site, and it runs on a continual basis.
It provides you with the context that you need in order to properly understand the risk as well as your next course of action in order to remediate the situation and neutralize threats.
What makes SearchLight different from other solutions that are available on the market is the fact that it is so widely used.
Another aspect to consider is the fact that there are many different disciplines that the solution provides protection from.
It offers wider coverage across the internet, and the dark web.
This allows it to draw from many other sources, giving deeper context to the threat intelligence that it is able to gather.
SearchLight is customizable so that only the most relevant information is available for you and your team.
They have partnered with businesses such as Splunk, ServiceNow, Symantec, Anomali and Cisco.
SearchLight works by first identifying the key assets of your environment.
They need to understand what is most important to your operational needs, so this is the best place to start.
It helps to keep only the most relevant information flowing to your systems and staff so that they can make better decisions when dealing with threats.
SearchLight is able to search across multiple data sources to find out if any key information is being shared about your organization such as usernames, passwords and even code related to your internal applications.
You can customize which information relating to your company and systems triggers the alert system, so that your teams are notified whenever a positive result occurs.
A lot of data is collected by the system, so context is very important for the effective filtering of information for your teams.
SearchLight follows the rules that have been set up so that only the most important and impactful information is made available to the right teams.
Once a scenario that requires action has been identified, a playbook is launched.
This can trigger events such as website takedown requests where sensitive data is being shared.
The datasheet covers a lot of technical specifications relating to the application, including how to minimize risk to your business, as well as what the critical components of your threat intelligence solution should be comprised of.
For more information and to request a demo be sure to check out the link here.
FireEye Threat Intelligence
FireEye Threat Intelligence is a subscription based solution that provides you with an intelligence toolbox to help combat cybercrime.
Strategic intelligence means that you can learn how to set up your security strategy so that you can align it with the most likely threats and actors that are taking aim at your organization.
It helps you to manage both the business and technical risks that are associated with big business decisions, as well as security and resource planning related to security.
Operational intelligence is another area where FireEye makes sense for businesses.
You can prioritize and add context to your alerts so that you can respond in a more effective and impactful way, sooner rather than later.
It also helps to improve the defenses of your current infrastructure by using high fidelity, machine-readable indicators of compromise (IOCs).
This provides highly valuable context to a technical subject, letting the decision makers act faster than was previously possible with traditional threat intelligence systems.
Vulnerability Intelligence helps your team to prioritize and order threats that are the most dangerous to your organization, allowing them to act more effectively.
It helps your decision makers understand the options that they have for patching and mitigating vulnerabilities, giving them greater control over the operational environment.
Cyber Crime Intelligence helps your team to understand the threat actors, as well as their financial motives behind the methods that they employ in an attack.
Knowing what motivates your attacker is a good way to minimize your threat surface by making their objectives more obscured, thus deterring any attempts on your systems.
You also have access to fraud analysis, credential collections and underground market places that trade in these commodities.
Cyber Espionage Intelligence helps you to understand what the objectives are of your attackers, and why they are targeting your organization.
You can use the insights into their activities and procedures so that you can defend your organization from high level attackers.
Fusion Intelligence is a package that includes Operational, Cyber Crime and Cyber Espionage intelligence solutions to safeguard your company from bad actors and hacking groups.
It enables your team to better understand the full attack lifecycle of each method, and will help to prepare your team for the worst case attack scenarios.
FireEye Threat Intelligence enablement and support offers 3 different layers of support to your team.
Baseline is an introduction to the basic materials and procedures required to use the Intelligence portal.
It allows you to interact with the Customer Support Desk and helps you to configure the Intelligence API into your organization.
Coordination provides access to FireEye’s Threat Intelligence analysts, and access to a designated Intelligence Enablement Manager for a more personalized experience.
The IEM becomes your primary point of contact and is your trusted advisor in all things relating to FireEye.
Optimization gives you an additional designated Intelligence Optimization Analyst that works to address your own specific requirements.
More information can be found here.
Infoblox Threat Intelligence Data Exchange
Infoblox Threat Intelligence gives you access to real-time threat data. It allows you to stop threats with a better turnaround time and is accurate with massive data sources.
It will help you to minimize the risks to your business by protecting your infrastructure against cyberattacks.
Their data is sourced from many different areas, such as leading threat intelligence providers, government agencies, the Department of Homeland Security’s Automated Indicator Sharing (AIS) system as well as universities.
The system is easy to use for your security team and gives your responders a single interface that they can work from. This makes it much easier to distribute Infoblox’s information throughout your organization to help combat cyber-crime.
The end result is that your security teams will be able to leverage hundreds of thousands of valuable indicators that are published daily.
This means that your team will be current and up to date with the most recent threats that have surfaced within the present time.
It also helps to reduce the time to solve and remediate issues, sometimes by as much as two thirds. It will help to make your team three times more effective by leveraging multiple sources of data and using automated tasks to increase speed and efficiency within your organization.
By unifying your security policies across your integrated systems, you can share curated threat intelligence in real time, giving your teams much needed visibility.
These integrated systems include firewalls, web proxies, SIEM and SOAR platforms.
All of this information helps your decision makers and teams get all of the most important information as and when it is needed. You can also gain valuable insight into the state of current threats thanks to Infoblox’s Cyber Intelligence Unit.
The Cyber Intelligence Unit has over 10 years of experience, which allows them to create and aggregate information on threats.
This allows you to take action against the discovered threats that you come across and minimizes the amount of false positives that you encounter daily in the operations of your security infrastructure.
Infoblox also generates Cyber Threat Reports that are published often, providing you with useful and valuable information.
These detailed reports leverage all of the knowledge, skills and experience that are provided by their threat intelligence teams, making for readable and interesting reports.
This is an invaluable resource as it helps your team to identify current threats and vulnerabilities that other organizations are dealing with.
This helps you to create and manage a cyber security plan that is relevant and up to date with regards to the current threat state around your company.
A whitepaper can be found here.
LookingGlass Scout Prime
LookingGlass offers a wide range of cybersecurity and threat intelligence software for modern organizations.
They offer Cyber Intelligence, Managed Services, Threat Platforms and Automated Response as part of their solutions.
Cyber Intelligence is a high-quality data suite that is customized to your organization’s specific requirements.
It has data feeds that are dynamic and static, and allow for a great deal of information to be analyzed by your team.
It has a credential monitor that also helps to detect any leaked Personally Identifiable Information for both your users and your customers.
This also allows for the platform to use strategic intelligence to support whatever policies, compliance requirements and operational security considerations you might have.
On-Demand Investigations and Analysis is an augmented offering that adds value to your security team.
Their Threat Platforms have two different offerings, scoutTHREAT and scoutPRIME.
The scoutPRIME offering gives your team the ability to uniquely identify activities and actors by using a unique footprinting capability set that is built into the system.
It allows you to rapidly create dynamic footprints that are uniquely identifiable to any internet accessible asset or network of interest.
It essentially gives you a view from the attacker’s perspective of your organization and helps you to identify immediate risks to your company.
Data relevance is critical when there is so much information being gathered about your organization.
This is why scoutPRIME is able to aggregate so many different data sources, around 88 of them in total.
These data sources are threat related and will help to generate a threat score based on what it finds.
This score helps you to look at the current state of your organization, and what possible remediation steps can be taken in order to rectify the situation.
All of this combines to give your organization the much needed efficiency that comes with this application.
The amount of data that needs to be processed is staggering and making it meaningful is no easy task.
This is why scoutPRIME automates the threat intelligence data and ingests it so that it can be correlated and used in advanced reporting.
It frees up precious cycles for your cybersecurity team so that they can concentrate on the tasks that they need to accomplish in real time.
The system runs 24 hours a day and lets you run continuous monitoring around the clock.
It monitors your vendors, networks and suppliers as well as third parties that are associated with your brand.
This helps to create a wall of information that is valuable to the correlation techniques that scoutPRIME uses to gather threat intelligence for your teams.
If you wish to find out more about this platform then be sure to take a look at the data sheet that they have put together.
It explains a lot of the technical details that we have outlined and goes into more detail about how everything works and fits together.
Recorded Future Express
Recorded Future Express is a Threat Intelligence platform that seeks to give everybody access to some form of the technology.
Recorded Future realizes that the major problem faced by most information security professionals today is not that they don’t have enough data to make informed cybersecurity decisions.
Instead, there is too much information available to threat intelligence experts.
This means that it is very difficult to filter out what is important and what is noise, making the job of threat analysis that much harder.
Recorded Future Express is a licensed product that ships with a browser extension, making it easy to instantly get context for any IP address or domain, as well as vulnerabilities and file hashes directly from inside your browser.
This is a very user friendly approach and is sure to find favor with many professionals that find themselves with an open browser on their desktop at any given moment, day or night.
This convenience makes it very quick and easy to apply the threat intelligence capabilities of Recorded Future Express at any given moment.
They have also identified the fact that too much knowledge is only one part of the threat intelligence problem.
The second issue is the lack of context that is available to be used in conjunction with the information that is gathered from a threat intelligence platform.
By unifying threat intelligence with existing cyber security technologies, Recorded Future is hoping to better integrate the role of threat intelligence within a cyber security context, instead of treating it as a separate service entity.
The idea is that users that need access to threat intelligence should be able to view and work with it when they need to, without too many barriers or obstacles, especially when there are time critical issues that need to be dealt with immediately.
This approach takes a ‘threat intelligence exclusively for all’ approach, which opens up this data source to more users than most traditional threat intelligence platforms.
This results in a few key benefits, mainly:
- Alert Triage Response Time Decreases:
The more eyes that are on a problem, the better. With more access to alerts you will find that more people become aware of issues much faster, reducing down time.
- Patching Priorities:
A more selective approach to patching is possible thanks to enhanced threat intelligence. This saves bandwidth and time on patching, with less downtime due to system restarts during updates.
- Enhanced Incident Response:
Indicators of Compromise combined with context provide your teams with all of the data that they need in order to deal effectively with an issue before it becomes a major issue.
- Faster Data Analysis:
With Recorded Future it is much faster to go through massive amounts of information. You can quickly find the most relevant parts of the reports and data and how it applies to your unique situation, and then act from there.
Additional resources such as whitepapers can be found right here.
Webroot BrightCloud Threat Intelligence Services
BrightCloud Threat Intelligence is a unified service that gives developers access to a range of threat intelligence services.
This is accomplished through their SDKs and APIs which can be integrated into applications at a development level.
This is part of the secure software design process and is a common development approach.
Security considerations are often included in the product design from the planning stages, and frameworks such as this help to facilitate this development philosophy. Some of the features that are available from their services are:
- Web Classification and Web Reputation:
This is where content classification occurs and it is run against 2 different categories, which equals billions of webpages. This helps to keep end users safe as each site has its own threat rating and can advise users not to proceed if certain parameters are met.
- IP Reputation:
If there are enough recorded instances of threats originating from a specific source, then that IP will be assigned an IP reputation. This advises users whether or not a link is safe to proceed with, and whether the IP is safe or not. The service can also block IPs that are known to be malicious, for example inbound malicious IP traffic.
- Real-Time Anti Phishing:
A purpose built solution that helps users to quickly identify phishing activity that is suspicious. This is done before the phishing sites can open, alerting users of any abnormalities with the sites that they are trying to open.
- Streaming Malware Detection:
Streaming Malware Protection helps the user to stay safe by blocking malicious traffic as it is streaming via the user’s connection. If files are deemed to be unsafe, or from an unknown or untrustworthy source, then that traffic is blocked by the service.
- File Reputation:
If there have been malicious reports associated with specific files whose name, size and signature match, then users will either be warned not to execute such files, or they will be blocked from downloading them altogether.
- Mobile Security SDK:
So many users access the internet via their smartphones primarily, which has meant that mobile security has had to catch up with the ever evolving cyber threats that are aimed specifically at mobile devices. The UI-less SDK can be embedded directly into mobile solutions and help to prevent malicious activity from affecting users.
The solution also offers Supplementary Intelligence in the form of contextual Database APIs and Threat Insight APIs, which are incredibly useful for software developers.
There are many different Threat Intelligence Platforms available today, mainly due to the vast amount of continually evolving threats that surface daily on the internet.
As each threat becomes more sophisticated and difficult to detect, the counter measures that you implement will have to keep up.
Depending on your budget and requirements there is something for everyone in our list.
We hope that you have found this useful and that you can make better decisions after looking at each of these products’ core features.