Threat Intelligence: Difference Between Platforms and Providers
By RFSID on October 12, 2017
- Threat intelligence terminology can be confusing on the surface, but it doesn’t have to be. Once you understand the difference between a source, a feed, a platform, and a provider, the whole field will make a lot more sense.
- Threat intelligence platforms are a popular choice in the industry. However, because they “listen” to many sources and feeds simultaneously without providing additional context, platforms often overwhelm human analysts with false positives.
- Context is king. When properly contextualized, threat intelligence becomes invaluable to security operations. Without context, it quickly becomes a tremendous burden.
- Instead of thinking about threat intelligence, think about threat context. To qualify, incoming alerts must be relevant, contextualized, and in a format that is both easy to digest and easily actionable.
The world of threat intelligence can be a bit confusing.
Take a scan through any resource or blog related to threat intelligence (including ours) and you’ll see references to threat intelligence platforms, sources, providers, feeds … the list goes on. And, naturally, they all mean something slightly different.
But if you aren’t yet familiar with the way a powerful threat intelligence facility operates, these terms can be difficult to wrap your head around.
To find some clarity, let’s go over the most commonly used buzzwords, with a particular focus on the ubiquitous threat intelligence platform. After all, there are many platforms on the market right now, and it would be useful to understand exactly what they do (and don’t).
Threat Intelligence 101
First things first, let’s set the record straight on threat intelligence terminology.
A threat intelligence source is literally the origin of threat intelligence coming into your organization — for example, open source intelligence (OSINT) or network telemetry. Regardless of your approach to threat intelligence, you’ll always have at least one source, and probably more.
A threat intelligence feed is a collection of intelligence from a variety of sources, usually of the same type. Feeds are often freely available, and usually rely exclusively on open source intelligence.
A threat intelligence platform is defined as a piece of software, typically developed by a security vendor, which organizes one or more feeds into a single stream of threat intelligence. Typically, threat intelligence platforms rely on open source feeds, but most can also integrate premium feeds via STIX/TAXII or similar.
Finally, a threat intelligence provider is a security organization that actively produces threat intelligence through a variety of means, and offers it up either as a premium threat feed, a pre-packaged software product, or as a customer-specific report. Most (but not all) of these services utilize a mixture of human and automated security operations, and harvest intelligence from both open and closed sources.
With that out of the way, let’s take a deeper look at the most popular starting point for organizations interested in developing a threat intelligence capability.
How and Why Threat Intelligence Platforms Became Prominent
There are dozens of threat intelligence platforms available for comparison, but since they largely perform the same set of functions, we’ll take a look at a “standard” offering.
Leaving aside the most basic (typically free) offerings, most platforms offer a set of benefits that looks something like this:
- Combines thousands of feeds into a single location.
- Receives alerts in real time.
- Normalizes feed data (remove duplicates, enables user-set rules, etc.)
- Integrates with SIEM, firewall logs, etc.
- Creates reports
What else could you need?
For an organization looking to “get started” with threat intelligence, threat intelligence platforms seem like the obvious starting point. After all, they are (in some cases) freely available, and can be quickly setup to monitor any number of open source feeds.
If that same organization wants to go a stage further, they have the option to pay for one or more premium feeds.
The ability to integrate with existing SIEM solutions is particularly appealing, as it enables organizations to combine a very large quantity of potentially valuable intelligence into a single, convenient location.
For these reasons, many organizations have concluded that implementing a threat intelligence platform is the logical way to initiate a threat intelligence capability without the requirement for significant up-front investment.
Sounds good, doesn’t it? After all, “more is better,” right?
Here’s where we hit a problem. Nearly every organization that takes this approach will quickly realize that more isn’t better. In fact, more can be a nightmare.
Let’s imagine, for a moment, that you implement a standard threat intelligence platform, and set it up to “listen” to a dozen or so open source threat feeds. Naturally, you’ll require at least one analyst to man the platform, and it’s his or her job to identify relevant threats and act upon them.
By definition, the scope of open source intelligence is huge, but only a tiny fraction is relevant to any one organization. Combining so-called “big data” into a single location might seem like a great idea, but without an automated mechanism to differentiate the useful from the irrelevant, analyst overwhelm is inevitable.
So, what happens? Your analyst spends a few days attempting to investigate every single alert, quickly realizes it isn’t possible, and stops responding to alerts altogether.
Discouraged, many organizations drift away from threat intelligence, and set their sights elsewhere.
What can we learn from this?
Quite simply, more isn’t better. Better is better.
Context (or Lack Thereof)
So, how do we get better intelligence? First, we have to start from the realization that intelligence is only useful if it can be acted upon in a timely manner.
It’s no use knowing about something you can’t change, just as it’s no use finding out about a threat after it’s taken place.
To be truly valuable, your threat intelligence capability must deliver actionable intelligence in a timely manner. When this happens, your security operations staff are able to make informed decisions at speed. When this doesn’t happen, they aren’t.
Again, the goal isn’t to obtain more intelligence, it’s to gain better intelligence. In this case, “better” means relevant.
This is where context comes in. The very best threat intelligence solutions are able to contextualize intelligence by comparing alerts with other sources, internal telemetry, and a detailed understanding of your organization’s infrastructure. As a result, the alerts pushed to human analysts are far fewer in number, but much higher in quality, enabling security operations staff to make informed, proactive decisions at speed.
A Different Way of Thinking
So far we’ve been talking exclusively about intelligence. In this case, though, perhaps a different term is more appropriate: Threat context.
In a previous article, we explained in detail the difference between data, information, and intelligence. In that piece, we explained that threat intelligence platforms don’t actually provide intelligence, they provide a mixture of threat data and threat information.
To truly count as threat intelligence, an output must be relevant, fully contextualized, and actionable.
Unfortunately, the term threat intelligence has been misused to such an extent that it no longer holds this distinction. Security vendors, experts, and practitioners alike have taken to labelling anything delivered by a threat feed as intelligence, irrespective of its operational value.
For that reason, we’d like you to consider valuable outputs in a slightly different light: Not as threat intelligence, but as threat context.
As with any other information-based field (whether it’s news media, blogs, or podcasts) threat context is only worthy of the title if it is relevant, easily digestible, and includes the necessary details.
After all, nobody in Minnesota orders daily copies of the Mumbai Mirror. It’s news, yes, but it’s not relevant news.
Naturally, Recorded Future is the result of our concerted effort to consistently deliver true threat context to each of our customers.
Recorded Future combines threat data and information from a huge range of sources, using natural language processing (NLP) to ensure even threat actor chatter on hidden foreign-language forums is identified. Using powerful AI — including machine learning and predictive analytics — this broad range of inputs is automatically processed, contextualized, and converted into an easily digestible format.
Vitally, unlike many solutions, Recorded Future doesn’t rely on a database of intelligence, as this dramatically hinders the speed with which important alerts can be pushed to human analysts. Instead, our threat intelligence machine is organic and grows in real time, enabling relevant threats to be pushed to human analysts the moment they are identified.
In addition, Recorded Future can be easily integrated with SIEM solutions, instantly providing the context necessary for a human analyst to triage security events from a firewall log 10 times faster than the manual alternative.
To start seeing the benefits of powerful threat context for free, sign up for our Cyber Daily email. Each day, you’ll receive up-to-the-minute results for technical indicators such as the most targeted industries, threat actors, and exploited vulnerabilities.