Throughout the enterprise, security personnel use a variety of processes and tools to conduct incident response, network defense, and threat and risk analysis. Generally speaking, most security teams have either not centralized these efforts at all or have done so incompletely, relying on rudimentary technologies such as email, spreadsheets, a SharePoint portal, or a ticketing system. These techniques, although better than nothing, do not scale as the team grows and as the number of malicious events and security processes increases. The same problem was once commonplace in other parts of the business, and platforms were created to address it and to support end users in their quest for automation, collaboration across use cases, and better management processes: PeopleSoft for human resources, Salesforce for sales, SAP for manufacturing, and Eloqua for marketing, for example.
Tools are purpose-built and difficult to extend beyond the purpose for which they were built. Platforms are extensible and transformative, and they make up the foundation of a solution. As an example, picture Lego. Each individual brick is a foundational building block (literally) of countless different types of toys, from a Disney castle to the Millennium Falcon. You can buy specific Lego sets that include the building blocks for specific things. So rather than buying a dinosaur, you could buy the dinosaur Lego set, and that set could be integrated with others to form a larger structure. Like Lego, a platform solves the specific need at hand while at the same time providing an integrated base for longer-term solution development.
Tool vs. Platform
New tools come on the market every day, but many are just that: a simple tool and not a true platform. A tool may solve an immediate need, but you must evaluate your needs across multiple stakeholders throughout your organization (e.g., SOC, IR, threat team, CIO, CISO, board) and look to a single platform to bring everyone together. The platform must integrate all the stakeholders and the data relevant to each of them in such a way that all interested parties can work together as a team. Customization of the platform is key: each organization has different processes, and the data flowing through those processes must be customizable for aggregation, analysis, and action.
Leveraging a Solution
Unlike a tool, a Threat Intelligence Platform (TIP) enables personnel throughout the enterprise to run their own processes on the security data they care about. Other processes, such as incident response and event triage in the SOC, can be uniformly integrated on top of that same threat data, all within a single, adaptive platform. Different processes may take advantage of different features within the platform, and newer, more efficient applications can replace inefficient or outdated ones without replacing the platform. From a management perspective, the platform must present trends, supply real-time updates, and support threat-driven strategic prioritization of risk across the business.
A platform is a foundational capability. It should be extensible, conducive to enterprise collaboration, and able to evolve as your organization's strategies shift. We agree with ExactTarget (Salesforce) in their definition of a tool vs. a platform, and in addition put forth our own spin on the features you want to look for in a Threat Intelligence Platform:
- Go Broad and Deep with Threat Intelligence Data: A Threat Intelligence Platform (TIP) must capture and aggregate all relevant data from across your internal network, partners, and vendors. This includes customizable data elements that require storage and management, process and workflow capabilities across various teams, and input fields that help staff complete data entry tasks more quickly. The ability to extend the platform with compatible applications is also critical, so that it can support new and evolving needs without requiring a platform upgrade.
- Numbers Matter: The TIP should support the specific metrics you want to track, filter, and analyze via customizable reports, so that you can understand risk to the business and how effective your organizational processes are at avoiding it. It should provide analytics that can be reported to your team members and to the organization as a whole.
- Go Beyond Sharing with Collaboration and Workflow: The TIP should mature with your security strategy, with the ability to share data within your team, across the company, with the external supply chain, and with threat information sharing organizations such as an ISAC. It should be able to coordinate intelligence-informed action among your team, enabling streamlined and efficient workflows. Access to the intelligence must be balanced against its operational sensitivity, so the platform must control data visibility with strong role-based access control to ensure data is given only to those who need to see it.
- Single Source: The TIP must be able to coordinate, track, and measure all security data from within the platform. This avoids wasting time jumping back and forth between multiple tools to capture valuable information.
- Growth and Efficiency: The TIP should integrate with your security products across the organization. Verify not only that the platform can consume actionable information, but also that it can digest external information feeds for continued analysis and reporting of intelligence-driven events across the organization. Additionally, a TIP should enable growth and automation across all aspects of your business.
For many, cyber security can be a tedious, daunting challenge. This is particularly true without any automated features to support your workflow. Simply put, copying indicators from disparate information sources and pasting them into a platform by hand will cripple your organization's security capacity and severely delay response time. As your security program matures, analysts must prioritize threat detection, threat response, and risk mitigation, relying on the platform to dot the i's and cross the t's on their behalf. Your team needs to spend its time on the high-priority information that a platform helps decipher, not on manually gathering information across multiple tools.
Stop looking for tools to solve your problems; look instead for a platform to manage all of them.
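To make the aggregation, deduplication and role-based visibility points above concrete, here is an added example that is not code from the original post or from any vendor's product. It ingests indicators from three constructed sample sources in different formats (a vendor CSV, a partner JSON feed and an internal proxy log), normalizes defanged values and type aliases, merges duplicates while keeping every source as provenance, carries forward the most restrictive sensitivity label, and then filters what each role may see. The source names, the "internal"/"restricted" labels and the role model are assumptions made for illustration, not a standard.

```python
import csv
import io
import ipaddress
import json
import re
from dataclasses import dataclass, field

# Constructed sample sources (assumed formats). In practice these would come
# from a vendor API, a partner portal, an ISAC feed and your own sensors.
VENDOR_CSV = """indicator,type,confidence
198.51.100.23,ip,80
hxxp://evil-example[.]test/payload,url,70
EVIL-example.test,domain,60
"""

PARTNER_JSON = json.dumps([
    {"value": "198.51.100.23", "kind": "ipv4", "sensitivity": "restricted"},
    {"value": "evil-example.test", "kind": "domain", "sensitivity": "internal"},
    {"value": "not an indicator", "kind": "ipv4", "sensitivity": "internal"},
])

INTERNAL_LOG = """2016-03-01T10:00:00Z proxy deny dst=evil-example.test
2016-03-01T10:00:05Z proxy deny dst=198.51.100.23
"""

SENSITIVITY_RANK = {"internal": 0, "restricted": 1}


@dataclass
class Indicator:
    value: str
    itype: str
    sources: set = field(default_factory=set)   # provenance: every feed that reported it
    sensitivity: str = "internal"
    confidence: int = 0


def normalize(value, itype):
    """Return (value, type) in canonical form, or None if the value is invalid.
    Undoes common defanging (hxxp, [.]) and maps feed-specific type names."""
    v = value.strip().replace("[.]", ".").replace("hxxp://", "http://")
    t = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "url": "url"}.get(itype.lower())
    if t == "ipv4":
        try:
            ipaddress.IPv4Address(v)
        except ValueError:
            return None
    elif t == "domain":
        v = v.lower()
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v):
            return None
    elif t == "url":
        if not v.startswith(("http://", "https://")):
            return None
    else:
        return None
    return v, t


def parse_sources():
    """Yield (value, type, source, sensitivity, confidence) from each sample feed."""
    for row in csv.DictReader(io.StringIO(VENDOR_CSV)):
        yield row["indicator"], row["type"], "vendor", "internal", int(row["confidence"])
    for item in json.loads(PARTNER_JSON):
        yield item["value"], item["kind"], "partner", item["sensitivity"], 50
    for line in INTERNAL_LOG.splitlines():
        m = re.search(r"dst=(\S+)", line)
        if m:
            dst = m.group(1)
            kind = "ipv4" if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", dst) else "domain"
            yield dst, kind, "internal-proxy", "internal", 90


def aggregate():
    """Merge all sources into one deduplicated table keyed by (value, type)."""
    table = {}
    for value, itype, source, sensitivity, confidence in parse_sources():
        key = normalize(value, itype)
        if key is None:
            continue   # malformed entries are dropped, not copied forward
        ind = table.setdefault(key, Indicator(key[0], key[1]))
        ind.sources.add(source)
        ind.confidence = max(ind.confidence, confidence)
        if SENSITIVITY_RANK[sensitivity] > SENSITIVITY_RANK[ind.sensitivity]:
            ind.sensitivity = sensitivity   # most restrictive label seen wins
    return table


# Assumed role model: SOC analysts see internal-labelled intel only; the
# threat team may also see restricted intel received from partners.
ROLE_CLEARANCE = {"soc": "internal", "threat-team": "restricted"}


def visible_to(role, table):
    """Role-based view: only indicators whose sensitivity the role may see."""
    limit = SENSITIVITY_RANK[ROLE_CLEARANCE[role]]
    return {k: v for k, v in table.items() if SENSITIVITY_RANK[v.sensitivity] <= limit}


if __name__ == "__main__":
    agg = aggregate()
    for ind in agg.values():
        print(ind.value, ind.itype, sorted(ind.sources), ind.sensitivity, ind.confidence)
    print("SOC view:", len(visible_to("soc", agg)), "of", len(agg))
```

Running it shows the same IP reported by all three sources collapsing into one record with three provenance entries and the partner's "restricted" label, the malformed partner entry being rejected at ingest, and the SOC role seeing two of the three indicators. Those are exactly the decisions an analyst would otherwise be making by hand while copying between spreadsheets.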
How do you draw the line between what is a tool and what is a platform? Learn more about how we define a Threat Intelligence Platform here.