Features of a Threat Intelligence Platform

A Threat Intelligence Platform (TIP) is a fantastic way to manage intelligence, and the intelligence process, across individual teams and communities, including clients. With so many options to choose from, selecting the best TIP can be a daunting task. If you’re new to cyber threat intelligence, you likely don’t know what a TIP can do, and thus which strengths to focus on in your selection. As mentioned in previous blogs, it is essential to have a strategic road map in place to best approach your intelligence integration and operational needs before acquiring a TIP.

Attributes of the TIP Company

Because TIPs are an emergent solution space, some of the earlier developers have more mature, integrated, and stable solutions. Consider things like how long the company has been in business, how it is funded, how many clients it has, its financial stability, whether its product and/or services hold compliance certifications that lower third-party risk, who the company’s leaders are and whether they are known or accomplished in the field, and so on.

A startup is commonly associated with higher risk and less stability, but also with greater agility and the ability to customize to meet your needs as one of a few clients rather than one of hundreds. More mature solutions offer additional options, but this often comes at a higher cost, and the vendor may not be as agile or responsive in meeting specific needs.

Attributes of a TIP

Individual attributes or functionality of a TIP must be prioritized to ensure it best meets a company’s unique needs. The following list is not comprehensive, but it is detailed enough to illustrate how one may evaluate the various categories of features and capabilities of a TIP when comparing vendors:

COLLECTIONS

Multiple SIEM Ingestions

Industry formats for ingestion (JSON, XML, etc.)

REPUTATION/ENRICHMENT/BEHAVIORAL

Automated IOC Enrichment

Vulnerability Prioritization

Threat Correlation

Named Threat Attribution

Anonymized/Sanitized Threat Sharing/Community

WORKFLOW MANAGEMENT

Custom Dashboards

Case Management (IR/SOC/*) Framework

Task Management (actions, escalations, etc.)

Visual Threat Correlation

Custom Objects & Meta-Data Editing

ORCHESTRATION & AUTOMATION (O&A)

Custom Risk Rating & Alerting

Custom Objects/Tagging/Meta-data

Predictive Analytics

Playbook/Templates & Integration APIs

DISSEMINATION

Weekly Threat Landscape Reports by Vendor

STIX 1.x/TAXII/MISP, etc. Framework Support

ServiceNow Records & Updates Integration

Private/Public Communities

Splunk Integration & App

Cloud/remote client login/portal support

MONITORING

Brand monitoring (OSINT/Deep/DarkWeb)

YARA/Retro Hunts

SUPPORT

Technical Support 5/9 Coverage

Assigned Engineer/Account Manager & Advisory Consultation

Intel Analyst Q&A

Universal Shared Accounts Supported

Flexible Pricing and Support

Free Playbook Configuration/Integration Use Case Development

Cloud Solution

On-Premise (remember costs associated)

PRICING

Total users

API usage rate

GB Data Transfer rate

Product/Flat Rate

Discounts/Working with us

Friends & Family / Referral Discounts

Consider Staff, Pricing and Create an Organized Review of Options

Big picture: some TIP vendors offer a free consultation or even free onboarding, while others sell you a product or service and then you’re on your own. Depending upon your staff capabilities and your security program’s maturity, this may be an essential thing to consider in terms of what the vendor is providing and how your experience fits with that. How much can you internally deploy and support?

Cost is always the bottom line, pun intended, so be sure to apply the pricing model to your known environment. For example, if pricing is determined by total GB of data transferred into or out of a TIP, knowing how much data is currently being utilized, or is likely to be transferred into the TIP, is critical to ensure its affordability in production. This type of pricing model can be reduced by being creative, such as sending the TIP only a subset of actionable data that is of the greatest interest, while the remaining data lives in a data lake. Be sure to consider all disseminations and integrations of intel required for the TIP to ensure you can affordably orchestrate with the TIP in production, as is necessary when working with various groups towards actionability (e.g. sending reports to the Incident Response (IR) team, Indicators of Compromise (IOCs) to network and email IT, etc.).
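
One way to apply the "send only the actionable subset" idea above, as an added Python example that is not code from the original post: the record fields, the type allowlist and thresholds, the daily volume and the $2/GB price are all assumptions, and the indicator records are constructed.

```python
import json
from datetime import date

# Constructed sample records (assumed field names; RFC 5737 IPs, .invalid domains).
TODAY = date(2024, 1, 15)
RECORDS = [
    {"type": "ipv4", "value": "203.0.113.10", "confidence": 90,
     "last_seen": "2024-01-14", "tags": ["c2"]},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 20,
     "last_seen": "2023-06-01", "tags": []},          # low confidence
    {"type": "domain", "value": "example.invalid", "confidence": 85,
     "last_seen": "2024-01-10", "tags": ["phishing"]},
    {"type": "sha256", "value": "0" * 64, "confidence": 95,
     "last_seen": "2023-11-01", "tags": ["malware"]},  # stale sighting
    {"type": "url", "value": "http://example.invalid/x", "confidence": 80,
     "last_seen": "2024-01-12", "tags": []},          # type nobody actions here
    {"type": "email", "value": "user@example.invalid", "confidence": 75,
     "last_seen": "2024-01-13", "tags": ["phishing"]},
]
ACTIONABLE_TYPES = ("ipv4", "domain", "sha256", "email")  # assumed allowlist

def is_actionable(rec, today=TODAY, min_confidence=70, max_age_days=30):
    """True if downstream teams can act on this record: allowed type,
    confidence at or above the threshold, and seen within max_age_days."""
    if rec["type"] not in ACTIONABLE_TYPES or rec["confidence"] < min_confidence:
        return False
    age = (today - date.fromisoformat(rec["last_seen"])).days
    return age <= max_age_days

def split_for_tip(records, today=TODAY):
    """Partition into (send to the TIP, leave in the data lake)."""
    send = [r for r in records if is_actionable(r, today)]
    keep = [r for r in records if not is_actionable(r, today)]
    return send, keep

def serialized_bytes(records):
    """Bytes the records occupy as JSON, which is what a per-GB meter counts."""
    return sum(len(json.dumps(r).encode("utf-8")) for r in records)

def project_monthly_cost(bytes_per_day, price_per_gb, days=30):
    """Project a per-GB transfer charge over a billing month."""
    return round(bytes_per_day * days / 1e9 * price_per_gb, 2)

if __name__ == "__main__":
    send, _ = split_for_tip(RECORDS)
    full, subset = serialized_bytes(RECORDS), serialized_bytes(send)
    print(f"send {len(send)}/{len(RECORDS)} records, {subset}/{full} bytes")
    print(project_monthly_cost(full * 100_000, 2.0),   # assumed 100k/day, $2/GB
          project_monthly_cost(subset * 100_000, 2.0))
```

Run against your own export volumes, the same split shows how much of the metered transfer is actually intelligence your teams will act on.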

TIP Vendor Choice Must Be Carefully Thought Out

Performing an organized, detailed review of all potential TIPs, with clear strategic priorities for the intelligence program, is an effective approach. It helps to clarify priorities and apply them directly to the TIP being considered. It also shows comparisons and return on investment for each TIP’s strengths and weaknesses as applied to an organization’s requirements. It can also be used to support a strategic road map and alignment towards a future state, such as purchasing scalable options or a different TIP over time, to best meet the changing needs of an environment.

Ken Dunham
Senior Director, Technical Cyber Threat Intelligence
Ken Dunham has spent 30 years in cybersecurity, consulting in adversarial counterintelligence, forensics, Darknet Special Ops, phishing and hacking schemes, AI/BI, machine learning and threat identification.