Threat Intelligence Platform Definition
A Threat Intelligence Platform (TIP) is a technology solution that collects, aggregates and organizes threat intel data from multiple sources and formats. A TIP provides security teams with information on known malware and other threats, powering efficient and accurate threat identification, investigation and response. It enables threat analysts to spend their time analyzing data and investigating potential security threats rather than collecting and managing data. Moreover, a TIP allows security and threat intelligence teams to easily share threat intelligence data with other stakeholders and security systems. A TIP can be deployed either as software-as-a-service (SaaS) or as an on-premises solution.
What Threat Intelligence Is and Why Companies Need It
Threat intelligence is any data or knowledge—ranging from technical and human knowledge to predictions about future threats—that helps companies:
Threat intelligence platforms aggregate threat data from across organizations, arming security teams with external knowledge about threats and allowing them to be more proactive and predictive and to make better decisions. However, since threat intelligence data frequently comes from hundreds of sources, aggregating this information manually is a very time-consuming task, and one that is ripe for automation.
In most security operations centers (SOCs), threat intelligence is a function, but in large organizations it can also be handled by a dedicated team.
Why Companies Need a Threat Intelligence Platform
In the past, security and threat intelligence teams used multiple tools and processes to manually gather and review threat intelligence data from a variety of sources, identify and respond to potential security threats and share threat intelligence with other stakeholders (usually through email, spreadsheets or an online portal).
Increasingly, this approach no longer works because:
All of these factors can leave security and threat intelligence teams drowning in noise and false positives, making it difficult for them to know and sort out: 1) which data is the most relevant and useful to their company so they can analyze it and identify potential security threats; and 2) which threats are real and which ones aren’t, so that they can focus their time accordingly.
On top of this, security and threat intelligence teams must also:
It’s not hard to see how the traditional approach to gathering and compiling threat intelligence is outdated, ineffective, inefficient and unable to scale.
The Value of a TIP
By comparison, a TIP helps security and threat intelligence teams:
How Threat Intelligence Teams Work with Other Teams
Another major advantage to security and threat intelligence teams using a TIP is that it offers built-in workflows and processes for sharing threat intelligence data with other teams such as:
This way, if/when a security attack does occur, threat intelligence teams can immediately alert, coordinate and collaborate with other stakeholders on appropriate countermeasures.
The Advantages and Drawbacks of Using a TIP
Threat intelligence platforms are not without faults. Standalone TIPs lack integration with other security tools, and generally do not automate communication with team members outside of the threat intelligence organization who may need to take response actions. Having a siloed TIP therefore reduces both the contextualization of the threat intelligence and the ability to act on the insights. Most TIPs are:
But May Struggle With…
Static IOC scoring.
Score matching, which means more noise.
Enriching intel, which may result in less confidence to act.
Automated enforcement, which costs time.
Security orchestration, automation and response (SOAR) solutions have emerged as a way to weave threat intelligence management more seamlessly into workflows by combining TIP capabilities with incident management, orchestration and automation capabilities. When investing in a TIP, look for SOAR solutions that can weave threat intelligence into a more unified and automated workflow—one that matches alerts both to their sources and to compiled threat intelligence data, and that can automatically execute an appropriate response.
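To make the aggregation, scoring and alert-matching steps described above concrete, here is an added example (not code from the original page or from any vendor product): a miniature TIP that ingests two constructed feeds in different formats, merges them into one indicator table, and then matches alerts against it twice, once with the static "any listed indicator is a hit" scoring the drawbacks list warns about and once with a corroboration-and-age score. The feed names, IP addresses (documentation ranges), domain, dates and the 90-day decay window are all constructed assumptions.

```python
import csv, json
from datetime import date

# Constructed sample feeds in two formats (documentation IP ranges, not real IOCs).
FEED_A_JSON = json.dumps([
    {"indicator": "203.0.113.10", "type": "ipv4", "last_seen": "2024-05-01"},
    {"indicator": "evil.example", "type": "domain", "last_seen": "2024-05-03"},
])
FEED_B_CSV = "value,kind,last_seen\n203.0.113.10,ip,2024-05-04\n198.51.100.7,ip,2023-01-10\n"
ALERTS = [{"id": 1, "observable": "203.0.113.10"}, {"id": 2, "observable": "198.51.100.7"},
          {"id": 3, "observable": "evil.example"}, {"id": 4, "observable": "192.0.2.1"}]
TODAY = date(2024, 5, 10)  # fixed "today" so the example is deterministic

def ingest_json(text):
    for row in json.loads(text):
        yield row["indicator"], row["type"], date.fromisoformat(row["last_seen"])

def ingest_csv(text):
    for row in csv.DictReader(text.splitlines()):  # normalize "ip" to the JSON feed's "ipv4"
        yield row["value"], "ipv4" if row["kind"] == "ip" else row["kind"], date.fromisoformat(row["last_seen"])

def aggregate(feeds):
    """Merge feeds into one table keyed by indicator; track sources and freshest sighting."""
    ioc = {}
    for name, rows in feeds:
        for value, kind, seen in rows:
            entry = ioc.setdefault(value, {"type": kind, "sources": set(), "last_seen": seen})
            entry["sources"].add(name)
            entry["last_seen"] = max(entry["last_seen"], seen)
    return ioc

def score(entry, today=TODAY, max_age_days=90):
    """Dynamic score: corroboration across sources, decayed linearly by age; 0 once stale."""
    age = (today - entry["last_seen"]).days
    if age > max_age_days:
        return 0.0
    return min(100, 50 * len(entry["sources"])) * (1 - age / max_age_days)

def static_matches(alerts, ioc):
    """Static scoring: any listed indicator matches, however old (the noise the text describes)."""
    return [a["id"] for a in alerts if a["observable"] in ioc]

def scored_matches(alerts, ioc, threshold=40):
    """Only alerts whose indicator still scores above threshold, with the corroborating sources."""
    return [(a["id"], sorted(ioc[a["observable"]]["sources"]))
            for a in alerts if a["observable"] in ioc and score(ioc[a["observable"]]) >= threshold]

def build_ioc_table():
    return aggregate([("feedA", ingest_json(FEED_A_JSON)), ("feedB", ingest_csv(FEED_B_CSV))])
```

Static matching flags the year-old 198.51.100.7 sighting alongside the fresh ones; the scored pass drops it and reports which feeds corroborate each remaining hit.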
For more information on Threat Intelligence Platforms visit https://www.paloaltonetworks.com/cortex/threat-intelligence.