What is a Threat Intelligence Platform
Threat Intelligence Platform Definition
A Threat Intelligence Platform (TIP) is a technology solution that collects, aggregates and organizes threat intel data from multiple sources and formats. A TIP provides security teams with information on known malware and other threats, powering efficient and accurate threat identification, investigation and response. It enables threat analysts to spend their time analyzing data and investing potential security threats rather than spending their time collecting and managing data. Moreover, a TIP allows security and threat intelligence teams to easily share threat intelligence data with other stakeholders and security systems. A TIP can be deployed as either a software-as-a-service (SaaS) or as an on-premises solution.
What Threat Intelligence Is and Why Companies Need It
Threat intelligence is any data or knowledge—ranging from technical and human knowledge to predictions about future threats—that helps companies:
- Detect, identify, validate and investigate potential security threats, attacks, malicious threat actors and indicators of compromise (IOCs).
- Understand the broader context and implications of security threats and attacks.
- Regularly provide threat-related information to security, incident response, risk management, executive and other teams.
Threat intelligence platforms aggregate threat data from across organizations, arming security teams with external knowledge about threats, allowing them to be more proactive, predictive and make better decisions. However, since threat intelligence data frequently comes from hundreds of sources, aggregating this information manually is a very time-consuming task. A task that is ripe for automation.
In most security operations centers (SOCs) threat intelligence is a function, but in large organizations it can also be handled by a dedicated team.
Why Companies Need a Threat Intelligence Platform
In the past, security and threat intelligence teams used multiple tools and processes to manually gather and review threat intelligence data from a variety of sources, identify and respond to potential security threats and share threat intelligence with other stakeholders (usually through email, spreadsheets or an online portal).
Increasingly, this approach no longer works because:
- Today, companies are collecting massive amounts of data in a wide variety of different formats such as STIX/TAXII, JSON, XML,PDF, CSV, email and so on.
- With each passing year, the number and type of security threats (from malicious actors, malware, phishing, botnets, denial-of-service (DDoS) attacks, ransomware, etc.) continues to increase in both scope and sophistication.
- Millions of potential threat indicators are spun up every day.
- Companies need to respond to potential security threats much quicker than they have had to in the past in order to prevent widespread damage.
All of these factors can leave security and threat intelligence teams drowning in noise and false positives making it difficult for them to know and sort out: 1) which data is the most relevant and useful to their company so they can analyze it and identify potential security threats; and 2) which
threats are real and which ones aren’t, so that they can focus their time accordingly.
On top of this, security and threat intelligence teams must also:
- Oversee other important security-related activities such as security planning, monitoring, feedback, response and remediation.
- Continually provide the most up-to-date threat intelligence data to other stakeholders and security systems.
It’s not hard to see how the traditional approach to gathering and compiling threat intelligence is outdated, ineffective and inefficient and unable to scale.
The Value of a TIP
By comparison, a TIP helps security and threat intelligence teams:
- Automate, streamline and simplify the entire process of researching, collecting, aggregating and organizing threat intelligence data, as well as normalizing, de-duping and enriching that data.
- Monitor and quickly detect, validate and respond to potential security threats in real-time.
- Get vital information such as the background and details about current and future security risks, threats, attacks and vulnerabilities, as well as information on threat adversaries and their tactics, techniques and procedures (TTPs).
- Set up security incident escalation and response processes.
- Share threat intelligence data with other stakeholders via dashboards, alerts, reports, etc.
- Continually feed the most up-to-date threat intelligence data to security systems such as Security Information and Event Management (SIEM) solutions, endpoints, firewalls, Application Programming Interfaces (APIs), Intrusion Prevention Systems (IPSs) and others.
How Threat Intelligence Teams Work with Other Teams
Another major advantage to security and threat intelligence teams using a TIP is that it offers built-in workflows and processes for sharing threat intelligence data with other teams such as:
- Analysts, who use that data to detect, verify, investigate and prioritize threats.
- A SOC team, which oversees the company’s day-to-day security operations and responds to threats. This team may use a TIP to automate routine tasks such as data enrichment, scoring and integration.
- Executive and management teams, who may use a TIP to view reports and get information about security risks, threats and attacks.
This way, if/when a security attack does occur, threat intelligence teams can immediately alert, coordinate and collaborate with other stakeholders on appropriate countermeasures.
The Advantages and Drawbacks of Using a TIP
Threat intelligence platforms are not without faults. Standalone TIPs lack integration with other security tools, and generally do not automate communication with team members outside of the threat intelligence organization who may need to take response actions. Having a siloed TIP therefore reduces both the contextualization of the threat intelligence and the ability to act on the insights. Most TIPs are:
But May Struggle With…
Static IOC scoring.
Score matching, which means more noise.
Enriching intel, which may result in less confidence to act.
Automated enforcement, which costs time.
Security orchestration, automation and response (SOAR) solutions have developed as a way to weave threat intelligence management more seamlessly into workflows by combining TIP capabilities with incident management, orchestration and automation capabilities. When investing in a TIP, look for SOAR solutions that can weave threat intelligence into a more unified and automated workflow—one that matches alerts both to their sources and to compiled threat intelligence data, and that can automatically execute an appropriate response.
For more information on Threat Intelligence Platforms visit https://www.paloaltonetworks.com/cortex/threat-intelligence.
More Threat Intelligence Platform Articles: