
How to Choose the Right Threat Intelligence Platform for You

Understand its "job" and what you and your team need

The first step to choosing the right threat intelligence platform (TIP) for you is to figure out what you actually want the TIP to do. A common pitfall is to approach the selection with a checklist of criteria without first evaluating the problems you're trying to solve; the result is a product that "checks all the boxes" but ends up collecting dust.

For example, if you're buying a car, here are some things you might be looking for:

  • Safety, e.g. five star crash-test ratings
  • A decent sound system
  • "Sporty," whatever that means
  • Good gas mileage
  • Lane assist

Those are all admirable features or qualities for a car to have, but consider the reason you're buying the car (in other words, the thing you're buying the car to do):

  • Get the kids to school and soccer practice, and maybe keep them entertained on longer trips
  • Show up the other guys and gals at the firm with their fancy imports
  • Survive the ultimate road trip

The five "features" listed above might all factor into the three "reasons," but imagine if the status-seeker showed up with a minivan, or the soccer parent showed up with a convertible coupe? The features are the same, but the final product, what's really needed, is totally different.

So the first step in selecting a TIP is not picking out the key features - it's nailing down the "job" of a TIP.

What's the "job" of a TIP?

Your mileage may vary, and introspection is certainly key here, but for most teams the main jobs of a TIP are:

  1. Aggregation. Get all of my feeds and reports into a central location - a "source of truth" - where they can be accessed in a standardized format by anyone who needs them.
  2. Analysis. Figure out what's really relevant to me and my team. "Is this a threat to me?"
  3. Action. Send the right intel to my detection and defense devices. Some might call this "operationalizing" the intelligence.

Major "check the box" items like DNS lookups, machine-readable threat intelligence, STIX/TAXII, etc., are all features in service of those larger goals. Even key capabilities like automation and orchestration are just better ways of accomplishing the jobs: automation can help make teams more effective in the Analysis job, for example, by streamlining key enrichment tasks. Orchestration can help on the Action side by linking together all manner of disconnected systems.

What matters, though, is how effectively the TIP can actually do the job you want it to do. You're probably doing those jobs today already: with spreadsheets, cutting and pasting, Word docs, custom Python scripts, prayer, etc. The TIP makes you more effective at those jobs.

Let's take a look at how a TIP helps you accomplish these three key jobs of Aggregation, Analysis, and Action.

Aggregation - Get All Your Stuff in One Place

The first job you might want to hire a TIP for is to centralize all of your intelligence. So the question is, what intelligence are you collecting today, and how do you receive it? Consider making a checklist of the intelligence and its delivery mechanism. It might look something like this:

Intelligence                 | Delivery mechanism
-----------------------------|---------------------------------------
Premium feed                 | Proprietary API and PDF reports
ISAC alerts                  | Sent via email in plain text or STIX
My favorite researcher blog  | Website
Internal network activity    | Available in my SIEM
Internal threat reports      | Spreadsheets and corporate wiki
Open source feed             | TAXII

Once you understand what you want to bring in, you can start to review how effective the TIP is at adding the data. For example, does the TIP have native integrations with your premium feeds, or would you need to write something custom (and possibly hire software developers)? Can the TIP automatically extract indicators from your ISAC alert emails, or would your analysts need to cut and paste? Understanding how the TIP "gets the job done" can help you understand how effective that TIP is at doing the job. For example:

Intelligence                 | TIP #1                                                                          | TIP #2
-----------------------------|---------------------------------------------------------------------------------|------------------------------------------------
Premium feed                 | Native integration and in-app PDF report display                                | Native integration
ISAC alerts                  | Parses email alerts and converts them into machine-readable threat intelligence (MRTI) | Cut and paste
My favorite researcher blog  | Aggregates popular blogs and converts them into MRTI                            | Cut and paste, or a custom script for web scraping
Internal network activity    | Bidirectional integration with my SIEM                                          | Requires a custom app
Internal threat reports      | SDK and API allow integration with the internal wiki                            | Not available
Open source feed             | TAXII client                                                                    | TAXII client

While both TIPs in the above example have ways to do the job, TIP #1 is going to be more effective.
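The "Parses email alerts and converts them into MRTI" row is worth seeing concretely, because it is the difference between a TIP that does the Aggregation job and one that hands it back to your analysts. The script below is an added example, not ThreatConnect code and not any vendor's parser: it takes a constructed ISAC-style email (with the usual hxxp and [.] defanging) and a constructed CSV feed, normalizes both into one keyed store that remembers which source reported each indicator, and renders each entry as a STIX 2.1 comparison pattern. The email text, feed contents, source names and hash value are all made up for the example.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample inputs (not real alerts or feeds). Note the defanged
# indicators in the email, which a parser has to "refang" before matching.
ISAC_EMAIL = """Subject: [ISAC] TLP:AMBER phishing campaign
Observed C2 at hxxp://bad-example[.]com/login and 198.51.100.23.
Payload SHA-256: deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""

OPEN_FEED_CSV = """type,value
domain,bad-example.com
ipv4,203.0.113.9
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class Indicator:
    """One normalized indicator plus every source that reported it."""
    type: str
    value: str
    sources: set = field(default_factory=set)


def refang(text: str) -> str:
    """Undo the common defanging conventions used in human-readable alerts."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def extract_from_text(text: str) -> list:
    """Pull (type, value) pairs out of free text such as an ISAC email."""
    text = refang(text)
    pairs = [("sha256", h.lower()) for h in SHA256.findall(text)]
    pairs += [("ipv4", ip) for ip in IPV4.findall(text)]
    pairs += [("domain", d.lower()) for d in DOMAIN.findall(text)]
    return pairs


def extract_from_csv(text: str) -> list:
    """Read an already-structured feed with type,value columns."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["type"].strip().lower(), row["value"].strip().lower()) for row in reader]


def aggregate(sources: dict) -> dict:
    """Merge (type, value) pairs from every source into one keyed store,
    recording which sources reported each indicator (dedup across feeds)."""
    store = {}
    for name, pairs in sources.items():
        for ioc_type, value in pairs:
            ind = store.setdefault((ioc_type, value), Indicator(ioc_type, value))
            ind.sources.add(name)
    return store


# STIX 2.1 object paths for the indicator types handled here.
STIX_OBJECTS = {
    "domain": "domain-name:value",
    "ipv4": "ipv4-addr:value",
    "sha256": "file:hashes.'SHA-256'",
}


def to_stix_pattern(ind: Indicator) -> str:
    """Render an indicator as a STIX 2.1 comparison pattern, the
    machine-readable form a TAXII consumer or SIEM integration expects."""
    return f"[{STIX_OBJECTS[ind.type]} = '{ind.value}']"


def aggregate_samples() -> dict:
    """Run the whole pipeline over the constructed inputs above."""
    return aggregate({
        "isac-email": extract_from_text(ISAC_EMAIL),
        "open-feed": extract_from_csv(OPEN_FEED_CSV),
    })


if __name__ == "__main__":
    for ind in aggregate_samples().values():
        print(f"{to_stix_pattern(ind):60} <- {', '.join(sorted(ind.sources))}")
```

The point to check when evaluating a TIP is the middle of this pipeline: whether it refangs, deduplicates across feeds, and keeps the per-source attribution, since that attribution is what later lets you judge which feed is actually earning its keep.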

Analysis - Weed out the Irrelevant Stuff

Once you've collected the data, the next step is to identify the relevant intelligence so you can take action while avoiding false positives. Just like with the "Aggregate" job, the first step is to lay out what sort of analysis you want to do:

  • Check log files for malicious indicators
  • Look up data in third party enrichment tools
  • Monitor your domains for spoofing attempts
  • Analyze malware files
  • Track threat actors across multiple campaigns
  • Weed out false positives

And once again, we look to see how each TIP accomplishes the job you want it to do:

Analysis                                    | TIP #1                                                              | TIP #2
--------------------------------------------|---------------------------------------------------------------------|----------------------------------------------------------------------
Check log files for malicious indicators    | Drag-and-drop files for immediate analysis and enrichment           | Import files, manually parse out indicators, and review
Look up data in third-party enrichment tools| Automate lookups in any enrichment service that offers a REST API   | Out-of-the-box integrations with several (but limited) popular enrichment services
Monitor your domains for spoofing attempts  | Domain-spinning workbench                                           | Domain monitoring for hire
Analyze malware files                       | Automate analysis in multiple third-party automated malware analysis (AMA) tools | Integrated sandbox, limited support for other AMA tools
Track threat actors across multiple campaigns| Flexible data model aligned to the Diamond Model of Intrusion Analysis | Rigid data model with some Kill Chain support
Weed out false positives                    | Globally crowdsourced reports of known false positives              | Manual tagging

Analysis can be more challenging to evaluate than aggregation because there are so many more options, but that's okay: what's important is that you understand what your team needs and what the TIP provides. For example, if your team is just ramping up and needs room to grow, you'll want a TIP that offers some basic enrichment while still being extensible. If you have a mature team, you'll want one that is flexible enough to adapt to your processes (rather than the other way around).

Action - Send the Relevant Stuff Where It Can Protect You

Getting intelligence out of a TIP is just as important as getting data in. I'd argue that, while taking Action depends on Aggregation and Analysis, Action is the most important job a TIP can do for you.

Action                                 | Destination
---------------------------------------|------------------------------------------
Deploy to defensive devices            | SIEM, EDR, firewall, etc.
Publish internal intelligence          | Security team, executives, risk management
Publish external intelligence          | ISAC, sharing community, law enforcement
Loop in other teams on critical intel  | SOC, incident response, IT, etc.

So really, the question becomes: what form do you want your intelligence to take, and where do you need it to go?

Action                                 | TIP #1                                                                              | TIP #2
---------------------------------------|-------------------------------------------------------------------------------------|------------------------------------------
Deploy to defensive devices            | Integrations, rule-based runtime apps, flexible automation/orchestration engine     | Integrations, rule-based runtime apps
Publish internal intelligence          | Export, PDFs, integrations with ticketing systems, scheduled delivery               | Export
Publish external intelligence          | TAXII server, export, anonymous crowdsourced analytics                              | TAXII server, export
Loop in other teams on critical intel  | In-app notifications, email, Slack                                                  | Email

There's a wide variety of possible outputs, so due to the importance of the Action job it's worthwhile to take the time to assess the desired end state of your intelligence, and how that end state is achieved with any particular TIP.
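Two rows from the comparisons above, "Check log files for malicious indicators" and "Weed out false positives" on the Analysis side, and "Deploy to defensive devices" on the Action side, are the same data flowing through three steps. The script below is an added example rather than any TIP's code: it scans constructed key=value proxy and DNS log lines against a small indicator store, suppresses matches on an indicator tagged as a known false positive (the stand-in for crowdsourced or manually tagged false-positive lists), counts which indicators fire, and emits a one-indicator-per-line block list of the kind most firewall and proxy external-list features consume. The indicator values, source names, log lines and allowlist entry are all made up.

```python
import re
from collections import Counter

# Constructed indicator store, (type, value) -> source that reported it.
# In practice this is the output of the Aggregation job.
INDICATORS = {
    ("domain", "bad-example.com"): "isac-email",
    ("ipv4", "198.51.100.23"): "isac-email",
    ("ipv4", "203.0.113.9"): "open-feed",
    ("domain", "cdn.example.net"): "open-feed",  # noisy entry that hits legitimate traffic
}

# Known false positives: the local analog of a crowdsourced or manually
# tagged false-positive list. Matches on these are counted, not alerted.
ALLOWLIST = {("domain", "cdn.example.net")}

# Constructed proxy and DNS log lines in key=value form (not real logs).
LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=bad-example.com uri=/login",
    "2024-05-01T10:00:02Z proxy src=10.0.0.7 dst=192.0.2.10 host=cdn.example.net uri=/lib.js",
    "2024-05-01T10:00:03Z dns client=10.0.0.8 query=bad-example.com rcode=NOERROR",
    "2024-05-01T10:00:04Z proxy src=10.0.0.9 dst=192.0.2.44 host=www.example.com uri=/",
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def classify(token: str):
    """Map a log field value to an indicator type, or None if it is neither."""
    if IPV4.match(token):
        return "ipv4"
    if DOMAIN.match(token):
        return "domain"
    return None


def scan(logs, indicators, allowlist):
    """Analysis: return (hits, suppressed). hits are (line, type, value, source)
    tuples for fields matching a live indicator; suppressed counts matches
    against indicators on the known-false-positive list."""
    hits, suppressed = [], 0
    for line in logs:
        for token in line.split():
            _, _, value = token.partition("=")   # fields without "=" yield ""
            value = value.lower()
            ioc_type = classify(value)
            if ioc_type is None or (ioc_type, value) not in indicators:
                continue
            if (ioc_type, value) in allowlist:
                suppressed += 1
                continue
            hits.append((line, ioc_type, value, indicators[(ioc_type, value)]))
    return hits, suppressed


def top_indicators(hits) -> Counter:
    """Which indicators fire most: a cheap relevance signal ("is this a threat to me?")."""
    return Counter((t, v) for _, t, v, _ in hits)


def to_blocklist(indicators, allowlist, types=("ipv4", "domain")):
    """Action: one indicator per line, with known false positives removed,
    ready to be served to a firewall or proxy as an external block list."""
    return sorted(v for (t, v) in indicators if t in types and (t, v) not in allowlist)


if __name__ == "__main__":
    hits, suppressed = scan(LOGS, INDICATORS, ALLOWLIST)
    for line, t, v, src in hits:
        print(f"HIT {t}={v} (from {src}): {line}")
    print(f"{suppressed} match(es) suppressed by the false-positive list")
    print("\n".join(to_blocklist(INDICATORS, ALLOWLIST)))
```

Run as-is, the constructed logs produce three hits and one suppressed match; the noisy CDN domain never reaches the block list, which is exactly the failure a TIP without false-positive handling will push onto your firewall.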

A Word on Orchestration

I've mentioned several instances above where the job being done is accomplished by way of orchestration or automation. With all the buzz around orchestration, it can be tempting to think that orchestration is something separate from what you want out of a TIP, but that's a mistake. Orchestration is simply a means to an end. If orchestration can make the job you want the TIP to do more effective, then why not consider a TIP with orchestration?

Consider seat belts, airbags, and lane assist. All of those features are designed to do the job of keeping you safe and contribute in different ways and with different levels of effectiveness. Orchestration in a TIP is no different. For example, you might need to detonate malware in an Automated Malware Analysis (AMA) tool. There's lots of ways to accomplish that from a TIP:

  1. Download a file from the TIP and manually upload it to the AMA
  2. Use the TIP's built-in sandbox
  3. Use the TIP's out-of-the-box AMA integration
  4. Use the TIP's orchestration capability to automatically send malware to an AMA, detonate it, retrieve the results, and get notified if something relevant is found

In all four cases, the job being done is the same: malware analysis. What differs is the tooling and how effectively the TIP gets the job done; the gap between the first option and the last is measured in analyst time. In nearly every case, orchestration is a fantastic tool for making a TIP more effective and a better fit for the specific job you need done, for the simple reason that orchestration gives you total control over how that job is performed.

In the end, when we talk about selecting a TIP based on what you and your team need it to do, keep these tips in mind:

  1. Make a checklist of what you and your team need the TIP to aggregate, analyze, and operationalize. Don't rely on a wishlist of features, rely on the jobs you want done.
  2. For each item on the list, consider how it's being done now.
  3. For every TIP you're evaluating, consider how that TIP accomplishes the jobs on your checklist.
  4. Remember that orchestration is just another way to accomplish one of those jobs.

Want to learn more? Sign up for a TC Open account. It's free.

TC Open™ is a completely free way for individual researchers to get started with threat intelligence. While this is not a free trial of the full platform, TC Open allows you to see and share open source threat data, with support and validation from our free community.

ABOUT THE AUTHOR

Dan Cole, Director of Product Management at ThreatConnect, has spent the last decade as a product manager working to create awesome software that gets to the core of solving the unique problems faced by a myriad of industry verticals. From large financial and insurance providers, to global telecom carriers, to federal agencies, Dan believes that the right software can free companies and users to focus on and enable their key missions.