Threat Intelligence Platform

Threat Intelligence Platform (TIP) is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of threat data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform.

Traditional approach to enterprise security

The traditional approach to enterprise security involves security teams using a variety of processes and tools to conduct incident response, network defense, and threat analysis. Integration between these teams and sharing of threat data is often a manual process that relies on email, spreadsheets, or a portal ticketing system. This approach does not scale as the team and enterprise grows and the number of threats and events increases. With attack sources changing by the minute, hour, and day, scalability and efficiency is difficult. Large Security Operations Centers (SOCs), for example, produce hundreds of millions of events per day, making it difficult to filter down to a manageable number of suspicious events for triage.

Threat intelligence platforms

Threat intelligence platforms make it possible for organizations to gain an advantage over the adversary by detecting the presence of threat actors, blocking and tackling their attacks, or degrading their infrastructure. Using threat intelligence, businesses and government agencies can also identify the threat sources and data that are the most useful and relevant to their own environment, potentially reducing the costs associated with unnecessary commercial threat feeds.[1]

Tactical use cases for threat intelligence include security planning, monitoring and detection, incident response, threat discovery and threat assessment. A TIP also drives smarter practices back into SIEMs, intrusion detection, and other security tools due to the finely curated, relevant, and widely sourced threat intelligence that a TIP produces.

An advantage held by TIPs, is the ability to share threat intelligence with other stakeholders and communities. Adversaries typically coordinate their efforts, across forums and platforms. A TIP provides a common habitat which makes it possible for security teams to share threat information among their own trusted circles, interface with security and intelligence experts, and receive guidance on implementing coordinated counter-measures. Full-featured TIPs enable security analysts to simultaneously coordinate these tactical and strategic activities with incident response, security operations, and risk management teams while aggregating data from trusted communities.[2]

Threat intelligence platform capabilities

Threat intelligence platforms are made up of several primary feature areas[3] that allow organizations to implement an intelligence-driven security approach. These stages are supported by automated workflows that streamline the threat detection, management, analysis, and defensive process and track it through to completion:

Operational Deployments

Threat intelligence platforms can be deployed as a software or appliance (physical or virtual) on-premises or in dedicated or public clouds for enhanced community collaboration.

References

  1. "Threat Intelligence Platforms: The Next 'Must-Have' For Harried Security Operations Teams". Dark Reading. Retrieved 2016-02-03.
  2. Poputa-Clean, Paul (January 15, 2015). "Automated Defense Using Threat Intelligence to Augment Security". SANS Institute InfoSec Reading Room.
  3. "Technology Overview for Threat Intelligence Platforms". www.gartner.com. Retrieved 2016-02-03.
  4. "The Diamond Model of Intrusion Analysis | ActiveResponse.org". www.activeresponse.org. Retrieved 2016-02-03.
  5. Eric M. Hutchins; Michael J. Cloppert; Rohan M. Amin (2009). "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" (PDF). Lockheed Martin.
  6. MacGregor, Rob (May 29, 2015). "Diamonds or chains".
  7. "What's in a true threat intelligence analysis platform?". ThreatConnect | Enterprise Threat Intelligence Platform. Retrieved 2016-02-03.

External links

This article is issued from Wikipedia - version of the 11/14/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.