What is a Threat Intelligence Platform?
by Iwan Price-Evans on Security • April 20, 2022
Organizations need to ensure the security of the physical and digital assets that they value. Threat intelligence platforms give them the ability to predict, identify, and respond to cyber security threats and attacks.
A threat intelligence platform (TIP) productizes threat intelligence, performing the functions of collection, processing, analysis, and dissemination of threat data.
Threat intelligence platforms typically integrate with security automation tools, developer pipelines, and incident response workflows to help organizations understand the threat landscape and pre-empt and defeat cyber security threats intelligently.
These security platforms typically have four primary functions for effective security monitoring and response.
Threat data collection
Threat data must be collected from a wide range of sources, including internal and external logs, public or open-source information, honeypots, and proprietary data from first or third parties. TIPs automate this process by rapidly ingesting threat data feeds.
Useful threat data includes IP addresses, domains, and file hashes, but it can also include vulnerability information, such as customers' personally identifiable information, raw code from paste sites, and text from news sources or social media.
Threat data processing
TIPs can process and filter enormous volumes of data. Processing includes sorting, organizing with metadata tags, and filtering out redundant entries, false positives, and false negatives.
What matters most in this phase, though, is processing data quickly and reliably so that information and analysis are available promptly.
The volume and complexity of threats encountered by large organizations produce millions of lines of data every day. A timely analysis depends on the simplification and acceleration of the data processing step.
Threat data analysis
Threat intelligence platforms perform rapid analysis and categorization of the filtered security data. Modern threat intelligence platforms use machine learning to support this analysis, so that threat prediction can be performed in real time.
Effective analysis can identify indicators of compromise (IOCs), which enable security teams to take steps to prevent attacks.
IOCs can be:
- The contents of emails such as addresses, subjects, links, or attachments;
- Domain names, URLs, or IP addresses that are abnormally communicating with known or unknown applications on an internal network;
- The discovery of files, components, or other vulnerabilities already identified as threats or risks.
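The processing and analysis phases described above, worked through in code. This is an added example, not code from the original article or from any particular TIP product: the feed records, the allowlist, the confidence threshold, and the log lines are all constructed for the illustration. `process()` normalizes indicator values, merges duplicates reported by several feeds (keeping the highest confidence and the union of tags), drops malformed and allowlisted entries, and filters on confidence only after merging so that corroboration across sources counts. `analyse()` then sweeps the normalized indicators over key=value style log lines to surface IOC sightings.

```python
"""Toy TIP processing and analysis stages (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample feed records from two hypothetical sources.
# Each record: (source, indicator_type, value, confidence 0-100, tags)
FEED_RECORDS = [
    ("feed-a", "ipv4", "203.0.113.10", 90, ["c2"]),
    ("feed-b", "ipv4", "203.0.113.10", 60, ["scanner"]),          # duplicate of the line above
    ("feed-a", "domain", "EXAMPLE-BAD.test.", 80, ["phishing"]),  # needs normalizing
    ("feed-b", "domain", "example-bad.test", 70, ["phishing"]),   # same domain, different form
    ("feed-b", "sha256", "A" * 64, 95, ["malware"]),              # upper-case hex hash
    ("feed-a", "ipv4", "8.8.8.8", 20, ["scanner"]),               # allowlisted, filtered out
    ("feed-a", "ipv4", "not-an-ip", 50, ["c2"]),                  # malformed, dropped
    ("feed-b", "domain", "low-conf.test", 30, ["scanner"]),       # below confidence threshold
]

# Constructed allowlist of infrastructure the organization knows is benign,
# and a hypothetical minimum confidence for an indicator to be kept.
ALLOWLIST = {"8.8.8.8"}
MIN_CONFIDENCE = 50


@dataclass
class Indicator:
    type: str
    value: str
    confidence: int
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def normalise(ind_type, value):
    """Return the canonical form of an indicator value, or None if it is invalid."""
    if ind_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    if ind_type == "domain":
        v = value.strip().lower().rstrip(".")
        return v if re.fullmatch(r"[a-z0-9.-]+", v) else None
    if ind_type == "sha256":
        v = value.lower()
        return v if re.fullmatch(r"[0-9a-f]{64}", v) else None
    return None


def process(records):
    """Normalize, merge duplicates, tag, and filter feed records."""
    merged = {}
    for source, ind_type, value, confidence, tags in records:
        canon = normalise(ind_type, value)
        if canon is None or canon in ALLOWLIST:
            continue
        key = (ind_type, canon)
        ind = merged.setdefault(key, Indicator(ind_type, canon, 0))
        ind.confidence = max(ind.confidence, confidence)  # keep the strongest report
        ind.sources.add(source)
        ind.tags.update(tags)
    # Filter on confidence only after merging, so several weak reports can corroborate.
    return [i for i in merged.values() if i.confidence >= MIN_CONFIDENCE]


# Constructed sample log lines in a simple key=value style (DNS, proxy, AV).
LOG_LINES = [
    "2022-04-20T10:01:02Z dns client=10.0.0.5 query=example-bad.test type=A",
    "2022-04-20T10:01:05Z proxy client=10.0.0.5 dst=203.0.113.10:443 bytes=1024",
    "2022-04-20T10:02:00Z dns client=10.0.0.7 query=www.example.test type=A",
    "2022-04-20T10:03:10Z av host=10.0.0.9 sha256=" + "a" * 64 + " action=quarantine",
]

TOKEN_RE = re.compile(r"(\w+)=(\S+)")


def analyse(indicators, log_lines):
    """Return (indicator, log line) pairs for every IOC sighted in the logs."""
    lookup = {(i.type, i.value): i for i in indicators}
    hits = []
    for line in log_lines:
        for _key, raw in TOKEN_RE.findall(line):
            for ind_type in ("ipv4", "domain", "sha256"):
                # Strip a trailing :port before treating a token as an IPv4 address.
                candidate = raw.rsplit(":", 1)[0] if ind_type == "ipv4" else raw
                canon = normalise(ind_type, candidate)
                if canon and (ind_type, canon) in lookup:
                    hits.append((lookup[(ind_type, canon)], line))
    return hits


if __name__ == "__main__":
    kept = process(FEED_RECORDS)
    for ind, line in analyse(kept, LOG_LINES):
        print(f"{ind.type}={ind.value} conf={ind.confidence} tags={sorted(ind.tags)} :: {line}")
```

Running the module as a script prints three sightings: the phishing domain and the C2 address contacted by 10.0.0.5, and the malware hash quarantined on 10.0.0.9. The order of operations matters: normalizing before deduplication is what lets the two spellings of the domain and the two reports of the same address collapse into one indicator each.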
Threat data dissemination
TIPs efficiently distribute threat and risk information to digital and human audiences. Threat intelligence has to get to the right people or systems, at the right time, and in a way that they can understand and use.
Once the recipients of threat intelligence have been identified, integrations and reporting can be configured. TIPs can provide threat reports and trend visualizations to management and security teams. They can also integrate with other systems that need this information to monitor or respond to threats, for example, Security Information and Event Management (SIEM) systems.
Threat intelligence must provide information to the relevant audience:
- Strategic management structures,
- Tactical security personnel,
- Operational response teams and systems.
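The dissemination step above, shown as code that tailors the same findings to the three audiences listed. This is an added example, not code from the original article or from any TIP product; the sightings are constructed records of the kind an analysis phase might emit, and the field names, the 70-point confidence cut-off for the tactical feed, and the output shapes are assumptions. Management gets aggregate counts with no raw indicators, security personnel and a SIEM get a deduplicated indicator list as JSON lines, and response teams get one prioritized alert per affected host.

```python
"""Routing threat-intelligence findings to different audiences (added example)."""
import json
from collections import Counter, defaultdict

# Constructed sightings: each is an indicator matched against an internal event.
SIGHTINGS = [
    {"type": "domain", "value": "example-bad.test", "tags": ["phishing"], "confidence": 80,
     "host": "10.0.0.5", "ts": "2022-04-20T10:01:02Z"},
    {"type": "ipv4", "value": "203.0.113.10", "tags": ["c2"], "confidence": 90,
     "host": "10.0.0.5", "ts": "2022-04-20T10:01:05Z"},
    {"type": "sha256", "value": "a" * 64, "tags": ["malware"], "confidence": 95,
     "host": "10.0.0.9", "ts": "2022-04-20T10:03:10Z"},
    {"type": "ipv4", "value": "198.51.100.7", "tags": ["scanner"], "confidence": 40,
     "host": "10.0.0.7", "ts": "2022-04-20T10:04:00Z"},
]


def strategic_summary(sightings):
    """Management view: sightings per threat category, no raw indicators."""
    counts = Counter(tag for s in sightings for tag in s["tags"])
    return {
        "total_sightings": len(sightings),
        "by_category": dict(counts),
        "hosts_affected": len({s["host"] for s in sightings}),
    }


def tactical_feed(sightings, min_confidence=70):
    """Security team / SIEM view: deduplicated indicators above a confidence cut-off, as JSON lines."""
    seen = {}
    for s in sightings:
        if s["confidence"] >= min_confidence:
            seen[(s["type"], s["value"])] = {
                "type": s["type"],
                "value": s["value"],
                "confidence": s["confidence"],
                "tags": sorted(s["tags"]),
            }
    return [json.dumps(v, sort_keys=True) for v in seen.values()]


def operational_alerts(sightings):
    """Response view: one alert per affected host, most severe first."""
    per_host = defaultdict(list)
    for s in sightings:
        per_host[s["host"]].append(s)
    alerts = []
    for host, items in per_host.items():
        alerts.append({
            "host": host,
            "severity": max(i["confidence"] for i in items),
            "indicators": [f'{i["type"]}:{i["value"]}' for i in items],
            "first_seen": min(i["ts"] for i in items),
        })
    alerts.sort(key=lambda a: a["severity"], reverse=True)
    return alerts


if __name__ == "__main__":
    print(strategic_summary(SIGHTINGS))
    print("\n".join(tactical_feed(SIGHTINGS)))
    for alert in operational_alerts(SIGHTINGS):
        print(alert)
```

Note that the low-confidence scanner sighting still counts in the management summary and produces a low-severity alert, but is held back from the SIEM feed: pushing weak indicators into automated blocking is how a TIP integration generates false positives downstream.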
Threat intelligence platforms provide visibility of the threats organizations face and offer insights into how best to pre-empt or mitigate those threats.