Top 10 Threat Intelligence Platforms in 2022


A threat intelligence platform is defined as a software tool that leverages millions of data sources to aggregate, curate, correlate, and visually represent information on cybersecurity threats, attacks, and vulnerabilities to make IT teams aware of potential risks. This article explains how threat intelligence works and shares some threat intelligence solution recommendations for 2022. 

What Is a Threat Intelligence Platform?

A threat intelligence platform is a software tool that leverages millions of data sources to aggregate, curate, correlate, and visually represent information on cybersecurity threats, attacks, and vulnerabilities to make IT teams aware of potential risks.

A threat intelligence platform is: 

  • Connected to internal systems and external security research feeds 
  • Updated in real-time to reflect the latest global and internal events 
  • Integrated with incident handling systems 

Enterprises leverage threat intelligence platforms to collect intel data from multiple sources and formats. Once the threat intel data is aggregated and organized, enterprise cybersecurity teams can leverage the threat intelligence solution to gain information on known threats. With cybercrime rates higher than ever, threat intelligence platforms are rapidly gaining popularity in the post-pandemic corporate landscape.

Threat intelligence platforms aggregate threat data from across organizations. This gives security teams external knowledge about threats, allowing proactive action and improved decision-making. The inflow of threat intelligence data from thousands of varying sources can be difficult to aggregate and manage manually. Therefore, more and more organizations are relying on threat intelligence solutions for identifying, investigating, and countering cyberattacks in an accurate and timely manner.

With threat intelligence platforms, security analysts can spend more time analyzing security data and patching potential vulnerabilities rather than investing resources in data collection and management. Another key advantage of threat intelligence platforms is their ability to share intelligence with other internal and external stakeholders swiftly and efficiently. Threat intelligence platforms can be deployed either on-premises or through a software-as-a-service (SaaS) model.


5 Key Must-Have Features of Threat Intelligence Platforms

Today, many kinds of threat intelligence platforms are available on the market: standalone tools, suite solutions, commercial products, and free and open-source solutions. Irrespective of the type of tool you choose, you should evaluate it against the following five parameters.

Key Features of Threat Intelligence Platforms

1. Dynamic intelligence feed

The primary purpose of threat intelligence is to provide regular and up-to-date information on cybersecurity attacks. This includes both internal and global data. The platform should be linked with IT endpoints and security systems to monitor the landscape for threats. Furthermore, it should curate a steady stream of new and emerging threats around the world. The most sophisticated solutions provide case-by-case analysis to reduce the internal workload. 

2. Automated workflows

A threat intelligence platform may deploy automation at multiple levels. It can automatically fetch and refresh information feeds without manual updates or ad-hoc report generation. It could even integrate with incident management systems to raise automated alerts and initiate auto-remediation. Next-gen threat intelligence platforms use cognitive technologies to filter out the noise and surface only high-priority information automatically. 

3. Integration with the IT ecosystem

The threat intelligence platform you choose must support seamless integration with the rest of your IT infrastructure. Ideally, this should be a bidirectional integration: your IT systems deliver internal threat data to the platform, and the platform streams a real-time data feed to your security operations center. Most platforms include flexible application programming interfaces (APIs) to connect them to virtually any software system. 

4. Smart data visualization

Data visualization is at the heart of threat intelligence. Data can be useful to IT teams only when represented in a smart and easy-to-consume manner. The platform should have dashboards that support role-based access, data filtering and search, layout customization, etc. Threat intelligence data should be visualized via maps, trend graphs, timelines, tables, and charts – as necessary – so that you can easily spot correlations and perform a deeper analysis. 

5. Analysis tools

A feature that’s now increasingly popular when selecting threat intelligence platforms is built-in analysis tools. While the platform can be integrated with an external analysis tool using APIs, it can be helpful to include built-in tools for threat analysis and investigation. For instance, prebuilt search dimensions could help you navigate the dense information contained in the threat intelligence feed. Some platforms also support collaborative analysis. 
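The five features above describe the core loop a platform automates: ingest a feed, match it against internal telemetry, filter the noise, and feed results back. The following Python example is added here to make that loop concrete and is not code from the original article or from any of the vendors listed; it uses a STIX 2.1 indicator bundle (the data model the OpenCTI entry below mentions) and constructed log lines, and the confidence threshold, indicator IDs and observable values are all assumptions made for the illustration.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample feed: a minimal STIX 2.1 bundle, the shape an OpenCTI or MISP export would deliver.
FEED_JSON = """{"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
 "objects": [
  {"type": "indicator", "id": "indicator--aaaaaaaa-1111-4111-8111-111111111111",
   "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.77']", "confidence": 85},
  {"type": "indicator", "id": "indicator--bbbbbbbb-1111-4111-8111-111111111111",
   "pattern_type": "stix", "pattern": "[domain-name:value = 'updates.example.net']", "confidence": 40},
  {"type": "indicator", "id": "indicator--cccccccc-1111-4111-8111-111111111111",
   "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = '%s']", "confidence": 95}
 ]}""" % ("ab" * 32)

# Constructed internal telemetry (proxy, DNS and EDR events).
LOG_LINES = [
    "2022-03-01T10:02:11Z proxy src=10.0.0.12 dst=203.0.113.77 host=cdn.example.org status=200",
    "2022-03-01T10:02:15Z dns client=10.0.0.12 query=updates.example.net rcode=NOERROR",
    "2022-03-01T10:03:40Z edr host=ws-17 action=exec sha256=" + "ab" * 32,
    "2022-03-01T10:04:02Z proxy src=10.0.0.13 dst=198.51.100.9 host=mail.example.org status=200",
]

# Only the simple comparison form "[type:path = 'value']" is parsed; compound patterns are skipped.
PATTERN_RE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<path>[^\s=]+)\s*=\s*'(?P<val>[^']+)'\]$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def load_indicators(feed_json: str) -> dict:
    """Flatten the feed into a lookup table keyed by observable value."""
    table = {}
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if m:
            table[m["val"].lower()] = {"id": obj["id"], "kind": m["obj"],
                                       "confidence": obj.get("confidence", 0)}
    return table

def extract_observables(line: str) -> list:
    # Pull IPv4 addresses, SHA-256 hashes and domain names out of one log line.
    found = set()
    for rx in (IPV4_RE, SHA256_RE, DOMAIN_RE):
        found.update(v.lower() for v in rx.findall(line))
    return sorted(found)

def correlate(log_lines: list, indicators: dict, min_confidence: int = 50) -> list:
    """One alert per matching log line; hits below min_confidence are dropped,
    which is the noise filtering an automated workflow performs."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        for value in extract_observables(line):
            hit = indicators.get(value)
            if hit and hit["confidence"] >= min_confidence:
                alerts.append({"line": n, "observable": value, "kind": hit["kind"],
                               "indicator": hit["id"], "confidence": hit["confidence"]})
    return alerts

def to_sighting(alert: dict) -> dict:
    """Wrap a hit as a STIX 2.1 sighting, the object a SOC pushes back to the
    platform (the inbound half of a bidirectional integration)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "sighting", "spec_version": "2.1", "id": f"sighting--{uuid.uuid4()}",
            "created": now, "modified": now, "count": 1, "sighting_of_ref": alert["indicator"],
            "description": f"{alert['observable']} seen in internal log line {alert['line']}"}
```

With the default threshold the low-confidence domain hit on the DNS line is suppressed while the proxy and EDR hits become alerts; lowering min_confidence to 0 surfaces all three.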


Top 10 Threat Intelligence Platforms in 2022

According to Mordor Intelligence Research, the threat intelligence market will grow from $5.28 billion in 2020 to $13.9 billion by 2026. The leading companies in this fast-growing space are listed below (alphabetically).

Disclaimer: This list is based on publicly available information and may include vendor websites that sell to mid-to-large enterprises. Readers are advised to conduct their final research to ensure the best fit for their unique organizational needs.

1. Anomali ThreatStream 

Overview: Anomali is a U.S.-based cybersecurity company founded in 2013. It specializes in enterprise-facing threat intelligence products.

Key features: The key features of this threat intelligence platform include:

  • Dynamic intelligence feed: It collects data from hundreds of sources and converges it into a single high-fidelity set.
  • Automated workflows: It automatically fetches and updates data to be shared with the necessary stakeholders. 
  • Integration with the IT ecosystem: It integrates with existing tools through a workbench.
  • Smart data visualization: You can gain from interactive dashboards of tactical, technical, operational, and strategic cyber threat intelligence. 
  • Analysis tools: Anomali has a visual link analysis investigation tool to correlate threat indicators with higher-level threat models.

USP: Anomali ThreatStream is very effective at reducing false positives. It can automatically correlate different attack Tactics, Techniques, and Procedures (TTPs) through a Visual Explorer tool.

Pricing: You can purchase dedicated feeds and tools starting at $500.

Editorial comments: Anomali is meant primarily for research. Rather than focusing on real-time threat intelligence, it helps you collect and collate global data and investigate the attacker’s infrastructure.

2. Dataminr Pulse

Overview: Dataminr is a 2009-founded company based in the U.S. specializing in threat detection and alerts. It is known for its proprietary AI technology. 

Key features: The key features of this threat intelligence platform include:

  • Dynamic intelligence feed: You can visualize real-time information at customizable levels and degrees of specificity, sourced from 200,000+ public data sources.
  • Automated workflows: It automates data collation, analysis, and alerts. 
  • Integration with the IT ecosystem: The Dataminr Pulse hub gives you integrated visibility into the end-to-end IT and user landscape. 
  • Smart data visualization: It has an AI-based dashboard that delivers insights via an intuitive interface and real-time alerts.
  • Analysis tools: It uses geo-visualization to help correlate incidents so your team can collaboratively analyze and resolve them. 

USP: Dataminr leverages AI-based geo-visualization to provide the visual context needed to address complex security threats. 

Pricing: Pricing for Dataminr Pulse starts at $15,000 per year.

Editorial comments: The solution is suitable for distributed companies. You can create flexible location groups for asset analysis and threat intelligence. 

3. IBM X-Force Exchange

Overview: Founded in 1911, IBM is among the world’s leading technology service providers. X-Force Exchange is the company’s threat intelligence research initiative and data-sharing platform. 

Key features: The key features of this threat intelligence platform include:

  • Dynamic intelligence feed: It dynamically curates data and reports from various public and gated sources. 
  • Automated workflows: Exchange data feeds are automatically updated, and you can set up API-based automation. 
  • Integration with the IT ecosystem: You can integrate X-Force Exchange with firewalls, intrusion prevention systems, and security information and event management (SIEM) systems.
  • Smart data visualization: It uses maps, graphs, activity reports, timelines, etc., to visualize threat data. 
  • Analysis tools: You can purchase or subscribe to various analysis tools from the IBM X-Force Exchange App Exchange.

USP: The platform allows you to dive into specific threat types, reports, regions, and activities before investing. Companies only need to pay for the insights they use. 

Pricing: Reports and APIs are custom priced, starting at $2,000.

Editorial comments: IBM X-Force Exchange is responsible for a lot of the public sector research on cyber attacks. Independent threat analysts can gain from its thriving community. 

4. Mandiant Advantage

Overview: Mandiant is a 2004-founded cybersecurity company that is publicly traded on the NASDAQ. It specializes in cyber threat intelligence and managed security services. 

Key features: The key features of this threat intelligence platform include:

  • Dynamic intelligence feed: It visualizes enterprise threats and public security data in real-time. 
  • Automated workflows: You can automate incident response through the platform’s Mandiant Automated Defense capability.
  • Integration with the IT ecosystem: It integrates with internal cyber security controls to perform validations and enforce policies. 
  • Smart data visualization: Mandiant’s intuitive, role-based dashboards provide actionable information to all stakeholders. 
  • Analysis tools: You can see your attack surface through the eyes of external malicious entities to detect and address every risk. 

USP: The platform is built on the company’s proprietary intelligence repository called Mandiant Intel Grid. This provides access to knowledge obtained from 900+ incident response engagements per year.

Pricing: Pricing information is undisclosed, but there is a freemium version available. 

Editorial comments: Companies with a multi-vendor security operations center (SOC) can confidently invest in this threat intelligence platform. It is designed for vendor-agnostic intelligence. 

5. McAfee Threat Intelligence Exchange

Overview: McAfee is a U.S.-based cybersecurity software company known for its consumer and business offerings. It was founded in 1987 and is traded on the NASDAQ. 

Key features: The key features of this threat intelligence platform include:

  • Dynamic intelligence feed: It uses a data exchange layer (DXL) to create data feeds from all connected security systems, along with global data.
  • Automated workflows: You can automate endpoint protection through customizable policies based on risk tolerance.
  • Integration with the IT ecosystem: It can integrate and fetch data from various third-party IT systems. 
  • Smart data visualization: The McAfee Threat Intelligence Exchange dashboard reveals unknown threat indicators and potentially malicious files.
  • Analysis tools: Information from threat intelligence can be analyzed and leveraged to protect against emerging attacks. 

USP: McAfee Threat Intelligence Exchange has an adaptive detection feature that enables faster time to protection for unknown file types. 

Pricing: Pricing starts at $18 per node per year. 

Editorial comments: It focuses solely on endpoint protection and related threats. Enterprises with a growing endpoint ecosystem can use the solution in conjunction with McAfee’s other offerings for complete protection.


6. Mimecast Threat Intelligence

Overview: Mimecast is a 2003-founded technology company traded on the NASDAQ. It is based in the U.K. and offers various cloud security tools. 

Key features: The key features of this threat intelligence platform include:

  • Dynamic intelligence feed: It offers information specific to your environment, blocked threats, and attack tactics. 
  • Automated workflows: It assesses incoming information to prioritize and deliver threat insights automatically. 
  • Integration with the IT ecosystem: You can use connectors and APIs to set up integrations with your SIEM and other systems.  
  • Smart data visualization: The Mimecast Threat Intelligence Dashboard lets you view overall trends, perform drill-down analysis, and view research reports. 
  • Analysis tools: You can leverage Mimecast Threat Remediation to analyze and act on the insights. 

USP: Mimecast has its own Threat Center, a research hub where analysts can continually monitor the global threat landscape for new vulnerabilities and attacks.   

Pricing: Pricing for Mimecast Threat Intelligence is not disclosed.

Editorial comments: While Mimecast is known for email security, its threat intelligence platform is surprisingly comprehensive. Companies should leverage Mimecast’s various APIs for targeted intelligence on malware, endpoint threats, and other use cases. 

7. MISP Threat Sharing

Overview: Malware Information Sharing Platform (MISP) is an open-source project that seeks to develop threat intelligence utilities by sharing indicators of compromise (IoCs). It was started in 2011. 

Key features: The key features of this threat intelligence platform include:

  • Dynamic intelligence feed: It has a dynamic database of IoCs, which includes information about malware samples, incidents, attackers, and related intelligence.
  • Automated workflows: It automatically correlates attributes and indicators with granular control over the correlation engine. 
  • Integration with the IT ecosystem: It has a flexible API to integrate existing tools. 
  • Smart data visualization: MISP has an intuitive GUI, an event graph, and data export capabilities.
  • Analysis tools: It is designed for collaboration so that stakeholders can quickly analyze and resolve incidents. 

USP: MISP is among the few large-scale threat intelligence communities that offer a software platform. You can obtain knowledge and reduce effort duplication when investigating threats at zero capex. 

Pricing: MISP Threat Sharing is free to use. 

Editorial comments: IT teams require Python expertise to set up this solution. It is an excellent open-source tool with no compromise on features, provided you are ready to navigate the initial implementation process. 

8. OpenCTI

Overview: OpenCTI is an open-source threat intelligence management and sharing platform developed by the French National Agency for the Security of Information Systems (ANSSI) and the non-profit organization Luatix. 

Key features: The key features of this threat intelligence platform include:

  • Dynamic intelligence feed: OpenCTI displays operational and strategic information linked through a unified data model based on STIX2 standards.
  • Automated workflows: Its engine arrives at logical inferences automatically to deliver insights and real-time correlations.
  • Integration with the IT ecosystem: Its open-source architecture enables easy integration with all homegrown and third-party systems. 
  • Smart data visualization: Analysts can visualize entities and their relationships, including nested relationships, with multiple view options. 
  • Analysis tools: All information and indicators are linked to a primary source to drive analysis, scoring, and remediation. 

USP: OpenCTI relies on a sophisticated knowledge hypergraph based on graph analytics. This lets you plot hyper-entities and hyper-relationships for highly accurate threat predictions.

Pricing: OpenCTI is free to use. 

Editorial comments: OpenCTI is ideal for comparative analysis. You can set up multiple data views with unique widgets to compare attack scenarios. 

9. Palo Alto Networks AutoFocus

Overview: Founded in 2005, Palo Alto Networks is a U.S.-based cybersecurity company traded on the NASDAQ. AutoFocus gives you access to the company’s massive repository of threat research. 

Key features: The key features of this threat intelligence platform include:

  • Dynamic intelligence feed: It is informed by 14+ billion unique threat samples and 7+ trillion granular artifacts and growing. 
  • Automated workflows: You can automate security tasks using prebuilt connectors and embedded intel cards.
  • Integration with the IT ecosystem: AutoFocus can be linked with various incident management systems and workflows for consolidated visibility. 
  • Smart data visualization: You can gain from customizable dashboards, reports, and alerts, tailored for your company. 
  • Analysis tools: You can analyze data using 130+ search dimensions and built-in analysis tools. 

USP: 84% of the threat samples discovered are tagged with further context by Palo Alto’s Unit 42 Threat Intelligence team. This means that you gain from automated analysis as well as human cognitive judgment. 

Pricing: Pricing starts at $35,000 per year. 

Editorial comments: It is advisable that you undertake Palo Alto’s AutoFocus Security Lifecycle Review to assess your landscape and how the platform can help before investing. 

10. VirusTotal Intelligence

Overview: VirusTotal is a 2004-launched solution that Google acquired in 2012. It is now owned by Chronicle Security (part of Google Cloud). 

Key features: The key features of this threat intelligence platform include:

  • Dynamic intelligence feed: It couples Google-scale search engine capabilities with Facebook-scale relationship and profile characterization to create information feeds. 
  • Automated workflows: It automatically detonates files in virtual sandbox environments to study and analyze their impact. 
  • Integration with the IT ecosystem: In addition to global sources, it can integrate with local IT systems. 
  • Smart data visualization: It visualizes data and allows you to hunt for threat information. 
  • Analysis tools: It has multiple tools for threat analysis such as contextualized search, relationship matching, sandbox executions, clustering, etc. 

USP: VirusTotal is powered by Google’s infrastructure and has more than 2.4 billion files in its dataset. This ensures that you get comprehensive threat profiles, relationships, and characterizations, represented through unique charts. 

Pricing: VirusTotal offers many services for free and its premium offerings are custom priced. 

Editorial comments: VirusTotal’s primary purpose is to streamline the search phase of threat investigation. It has to be leveraged with other infosec systems to unlock its full potential for your enterprise. 


Product Comparison of Top 10 Threat Intelligence Platforms in 2022

While choosing the best-fit platform for your organization, it is imperative to match your present and future business requirements to the offerings on the market. Here is a comparison of the best threat intelligence platforms for your reference.

Company | Overview | USP | Pricing
Anomali ThreatStream | It is a U.S.-based cybersecurity company that specializes in enterprise-facing threat intelligence products. | It reduces false positives by correlating different attack TTPs. | Pricing starts at $500.
Dataminr Pulse | It is a U.S.-based company that delivers threat detection and alerts using proprietary AI technology. | It gives you visual context for threats using AI-based geovisualization. | Pricing starts at $15,000.
IBM X-Force Exchange | It is IBM’s threat intelligence research initiative and data-sharing platform. | It lets you dive into insights before investing so that you pay only for what you use. | Pricing starts at $2,000.
Mandiant Advantage | It is a publicly-traded company that offers cyber threat intelligence and managed security services. | It offers access to insights gained from 900+ incident response engagements per year through the Mandiant Intel Grid. | Pricing information is undisclosed, with a freemium option available.
McAfee Threat Intelligence Exchange | It is a consumer and business-facing cybersecurity software company based in the U.S. | It has an adaptive detection feature that enables faster time to protection for unknown files. | Pricing starts at $18 per node.
Mimecast Threat Intelligence | It is a 2003-founded company based out of the U.K. that offers cloud security tools. | It delivers insights on the world’s top threats through the Mimecast Threat Center. | Pricing information is undisclosed.
MISP Threat Sharing | It is an open-source project started in 2011 to share indicators of compromise (IoCs). | It combines collaborative knowledge sharing with a software platform to reduce threat investigation efforts. | It is free to use.
OpenCTI | It is an open-source platform developed by the French ANSSI and the non-profit Luatix. | It generates accurate threat predictions using a sophisticated knowledge hypergraph. | It is free to use.
Palo Alto Networks AutoFocus | It is a U.S.-based cybersecurity company traded on the NASDAQ, with a massive repository of threat research. | It augments automatically generated insights with human assessment in 84% of cases. | Pricing starts at $35,000 per year.
VirusTotal | It is a threat intelligence, hunting, and graph analysis solution that Google acquired in 2012. | It leverages Google’s infrastructure to build threat profiles, plot relationships, and summarize threat characteristics. | Pricing information is undisclosed, with a freemium option available.

Takeaway

As cyber-attacks become more complex, our defense mechanisms must evolve in tandem. Threat intelligence platforms make it possible for IT teams to gain from the entire breadth of knowledge of the global cybersecurity community. Data feeds are updated in real-time by experts and enterprises from around the world so that you remain aware of every possible attack variant even if it has not affected you personally. And, when integrated with security tools like SIEM, they can help preempt even the most dangerous zero-day attacks. That’s why threat intelligence adoption is continually rising and will grow further in 2022. 
