Threat Intelligence Platform

Last updated

Threat Intelligence Platform is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.


Traditional approach to enterprise security

The traditional approach to enterprise security involves security teams using a variety of processes and tools to conduct incident response, network defense, and threat analysis. Integration between these teams and sharing of threat data is often a manual process that relies on email, spreadsheets, or a portal ticketing system. This approach does not scale as the team and enterprise grows and the number of threats and events increases. With attack sources changing by the minute, hour, and day, scalability and efficiency is difficult. The tools used by large Security Operations Centers (SOCs), for example, produce hundreds of millions of events per day, from endpoint and network alerts to log events, making it difficult to filter down to a manageable number of suspicious events for triage.

Threat intelligence platforms

Threat intelligence platforms make it possible for organizations to gain an advantage over the adversary by detecting the presence of threat actors, blocking and tackling their attacks, or degrading their infrastructure. Using threat intelligence, businesses and government agencies can also identify the threat sources and data that are the most useful and relevant to their own environment, potentially reducing the costs associated with unnecessary commercial threat feeds. [1]

Tactical use cases for threat intelligence include security planning, monitoring and detection, incident response, threat discovery and threat assessment. A TIP also drives smarter practices back into SIEMs, intrusion detection, and other security tools because of the finely curated, relevant, and widely sourced threat intelligence that a TIP produces.

An advantage held by TIPs, is the ability to share threat intelligence with other stakeholders and communities. Adversaries typically coordinate their efforts, across forums and platforms. A TIP provides a common habitat which makes it possible for security teams to share threat information among their own trusted circles, interface with security and intelligence experts, and receive guidance on implementing coordinated counter-measures. Full-featured TIPs enable security analysts to simultaneously coordinate these tactical and strategic activities with incident response, security operations, and risk management teams while aggregating data from trusted communities. [2]

Threat intelligence platform capabilities

Threat intelligence platforms are made up of several primary feature areas [3] that allow organizations to implement an intelligence-driven security approach. These stages are supported by automated workflows that streamline the threat detection, management, analysis, and defensive process and track it through to completion:

Operational Deployments

Threat intelligence platforms can be deployed as a software or appliance (physical or virtual) on-premises or in dedicated or public clouds for enhanced community collaboration.

Related Research Articles

An intrusion detection system (IDS) is a device, or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

Application security encompasses measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities. Different techniques are used to surface such security vulnerabilities at different stages of an applications lifecycle such as design, development, deployment, upgrade, maintenance.

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like “Where am I most vulnerable to attack?”, “What are the most relevant threats?”, and “What do I need to do to safeguard against these threats?”.

Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in that mass of information. This is accomplished by looking for and analyzing relationships between events.

Prelude SIEM is a Security information and event management (SIEM).

TriGeo Network Security

TriGeo Network Security is a United States-based provider of security information and event management (SIEM) technology. The company helps midmarket organizations proactively protect networks and data from internal and external threats, with a SIEM appliance that provides real-time log management and automated network defense - from the perimeter to the endpoint.

Security information and event management (SIEM) is a subsection within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

Information security operations center Facility where enterprise information systems are monitored, assessed, and defended

An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.

Geographic information systems (GIS) play a constantly evolving role in geospatial intelligence (GEOINT) and United States national security. These technologies allow a user to efficiently manage, analyze, and produce geospatial data, to combine GEOINT with other forms of intelligence collection, and to perform highly developed analysis and visual production of geospatial data. Therefore, GIS produces up-to-date and more reliable GEOINT to reduce uncertainty for a decisionmaker. Since GIS programs are Web-enabled, a user can constantly work with a decision maker to solve their GEOINT and national security related problems from anywhere in the world. There are many types of GIS software used in GEOINT and national security, such as Google Earth, ERDAS IMAGINE, GeoNetwork opensource, and Esri ArcGIS.

Counter-IED efforts Strategy in C-IED

Counter-IED efforts are done primarily by military and law enforcement with the assistance of the diplomatic and financial communities. It involves a comprehensive approach of countering the threat networks that employ improvised explosive devices (IEDs), defeating the devices themselves, and training others. Counter-IED, or C-IED, is usually part of a broader counter-terrorism, counter-insurgency, or law enforcement effort. Because IEDs are a subset of a number of forms of asymmetric warfare used by insurgents and terrorists, C-IED activities are principally against adversaries and not only against IEDs. C-IED treats the IED as a systemic problem and aims to defeat the IED threat networks themselves.

AT&T Cybersecurity is a developer of commercial and open source services to manage cyber attacks, including the Open Threat Exchange, the world's largest crowd-sourced computer-security platform. In July 2017, the platform had 65,000 participants who contributed more than 14 million threat indicators daily. The company has raised $116 million since it was founded as AlienVault in 2007. On July 10, 2018, it was acquired by AT&T Communications, becoming a wholly owned subsidiary when the transaction was completed on August 22, 2018. In February 2019, AlienVault was renamed AT&T Cybersecurity.

Vectra AI, Inc. applies artificial intelligence that detects and responds to hidden cyberattackers inside cloud, data center and enterprise networks.

User behavior analytics (UBA) as defined by Gartner is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms like Apache Hadoop are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.

The Co-Managed IT security service model entails security monitoring, event correlation, incident response, system tuning, and compliance support across an organization's entire IT environment. Co-Management allows organizations to collaborate with their managed security service providers by blending security expertise of the provider with the contextual knowledge of the customer to optimise security posture.

Cyber threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace. Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence or intelligence from the deep and dark web.

Open Threat Exchange (OTX) is a crowd-sourced computer-security platform. It has more than 80,000 participants in 140 countries who share more than 19 million potential threats daily. It is free to use.

Cyber threat hunting is an active cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions." This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.

A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation.

Threat intelligence is the "cyclical practice" of planning, collecting, processing, analyzing and disseminating information that poses a threat to applications and systems. Threat intelligence collects information in real-time to showcase the threat landscape for identifying threats to a computer, application or network. This information is gathered from a number of resources and compiled into a single database enabling visibility into vulnerabilities and exploits actively being used on the internet by threat actors. Threat intelligence is not to be confused with vulnerability management.


  1. "Threat Intelligence Platforms: The Next 'Must-Have' For Harried Security Operations Teams". Dark Reading. Retrieved 2016-02-03.
  2. Poputa-Clean, Paul (January 15, 2015). "Automated Defense Using Threat Intelligence to Augment Security". SANS Institute InfoSec Reading Room.
  3. "Technology Overview for Threat Intelligence Platforms". Retrieved 2016-02-03.
  4. "The Diamond Model of Intrusion Analysis |". Retrieved 2016-02-03.
  5. Eric M. Hutchins; Michael J. Cloppert; Rohan M. Amin (2009). "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" (PDF). Lockheed Martin.
  6. MacGregor, Rob (May 29, 2015). "Diamonds or chains".
  7. "What's in a true threat intelligence analysis platform?". ThreatConnect | Enterprise Threat Intelligence Platform. Retrieved 2016-02-03.