What is a Threat Intelligence Platform?
A threat intelligence platform combines several core capabilities that let an organization take a data-driven approach to security operations while building on its existing security investments in infrastructure and people. It helps security teams quickly understand the threats most relevant to the organization, make better decisions and take the right actions faster. Threat intelligence platforms vary from vendor to vendor, but the core capabilities include the ability to:
Aggregate
A threat intelligence platform serves as a central repository for threat data from both external and internal sources. It aggregates global data – from commercial sources, open source, government, industry, and existing security vendors – in one manageable location and translates it into a uniform format. It also brings together internal threat and event data from sources including the security information and event management (SIEM) system, log management repository, ticketing systems and case management systems.
Correlate and Contextualize
With all threat data in one place, a threat intelligence platform correlates events and indicators from inside the environment with external data on indicators, adversaries and their methods to provide context to understand the who, what, where, when, why and how of an attack.
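To make the aggregate and correlate steps concrete, here is an added example (not ThreatQ code) that normalizes two constructed feeds with different layouts and type labels into one indicator store, merges duplicates while keeping every source and adversary attribution, and then matches constructed proxy/DNS log lines against that store. The feed layouts, field names, actor name and log lines are all assumptions made for illustration.

```python
"""Normalize indicators from heterogeneous feeds into one store and correlate
them with internal events. Added example; feeds and log lines are constructed."""
import csv
import io
import ipaddress
import json
import re
from dataclasses import dataclass, field

# Constructed feed A: a CSV export with its own column names and type labels.
FEED_A_CSV = """value,kind,actor,confidence
198.51.100.23,ip,HypotheticalBear,80
bad-updates.example,domain,,60
"""

# Constructed feed B: a JSON feed using different field names and type labels.
FEED_B_JSON = json.dumps({
    "indicators": [
        {"indicator": "bad-updates.example", "itype": "FQDN",
         "threat_actor": "HypotheticalBear", "score": 90},
        {"indicator": "203.0.113.7", "itype": "IPv4",
         "threat_actor": None, "score": 50},
    ]
})

# Constructed internal events in a key=value proxy/firewall log style.
INTERNAL_LOG = """2024-01-10T09:12:01Z host=ws-17 dst=198.51.100.23 dport=443 action=allow
2024-01-10T09:12:44Z host=ws-17 dns=bad-updates.example action=allow
2024-01-10T09:13:02Z host=srv-2 dst=192.0.2.10 dport=22 action=allow
"""

# Each feed's type vocabulary is mapped onto one uniform vocabulary.
TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "fqdn": "domain"}


@dataclass
class Indicator:
    value: str
    itype: str
    sources: set = field(default_factory=set)
    actors: set = field(default_factory=set)
    confidence: int = 0  # highest confidence reported by any source


def normalize_type(raw: str) -> str:
    return TYPE_MAP[raw.strip().lower()]


def normalize_value(value: str, itype: str) -> str:
    value = value.strip()
    if itype == "ipv4":
        return str(ipaddress.IPv4Address(value))  # rejects malformed addresses
    return value.lower().rstrip(".")  # domains: case-insensitive, no trailing dot


def merge(store: dict, value: str, itype: str, source: str, actor, confidence) -> None:
    """Deduplicate on (type, value) but keep every source and actor attribution."""
    ind = store.setdefault((itype, value), Indicator(value, itype))
    ind.sources.add(source)
    if actor:
        ind.actors.add(actor)
    ind.confidence = max(ind.confidence, int(confidence))


def aggregate(feed_a_csv: str, feed_b_json: str) -> dict:
    store = {}
    for row in csv.DictReader(io.StringIO(feed_a_csv)):
        t = normalize_type(row["kind"])
        merge(store, normalize_value(row["value"], t), t, "feed_a",
              row["actor"], row["confidence"])
    for item in json.loads(feed_b_json)["indicators"]:
        t = normalize_type(item["itype"])
        merge(store, normalize_value(item["indicator"], t), t, "feed_b",
              item["threat_actor"], item["score"])
    return store


KV_RE = re.compile(r"(\w+)=(\S+)")


def correlate(store: dict, log_text: str) -> list:
    """Return (event_fields, indicator) pairs where an internal event touches a known indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        candidates = []
        if "dst" in fields:
            candidates.append(("ipv4", fields["dst"]))
        if "dns" in fields:
            candidates.append(("domain", fields["dns"].lower().rstrip(".")))
        for key in candidates:
            if key in store:
                hits.append((fields, store[key]))
    return hits


if __name__ == "__main__":
    store = aggregate(FEED_A_CSV, FEED_B_JSON)
    for ev, ind in correlate(store, INTERNAL_LOG):
        print(f"{ev['host']} -> {ind.itype}:{ind.value} sources={sorted(ind.sources)} "
              f"actors={sorted(ind.actors)} confidence={ind.confidence}")
```

The point of the uniform (type, value) key is that the domain reported by both feeds becomes a single record carrying both sources and the actor attribution, so a hit on it from the internal log already answers "who" and "how confident" without a second lookup.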
Integrate
As a baseline, a threat intelligence platform integrates with the organization's ecosystem of tools and automatically exports intelligence on the highest-priority threats to them. This includes SIEM and case management solutions, which can then work more efficiently and effectively and deliver fewer false positives, as well as the sensor grid (firewalls, IPS/IDS, NetFlow, routers, web and email security, endpoint protection, etc.), where the intelligence is used to generate and apply updated policies and rules.
Act
A threat intelligence platform empowers security operations centers (SOCs), threat intelligence analysts, incident response, risk management and vulnerability teams with the curated threat intelligence they need to take action quickly against the most relevant threats the organization faces. They can reduce time to detect and respond to threats, and gain valuable insights to anticipate threats and become more proactive.
Why do you need a threat intelligence platform?
From the boardroom to the SOC, executives and analysts alike can benefit from a threat intelligence platform as the foundation for data-driven security operations.
CISOs
Chief information security officers can reduce risk, improve defenses and execute on strategic and tactical enterprise goals while staying on budget. They can arm their SOCs, Incident Response (IR) teams and threat intelligence analysts with a platform to efficiently structure, organize and utilize threat intelligence across the enterprise.
SOC Analysts
Security operations center analysts can improve situational understanding, accelerate detection and response, maximize existing security investments and collaborate more effectively as a team.
IR Teams
Incident response teams can automate prioritization of threats and security incidents, accelerate investigations and push intelligence automatically to detection and response tools.
Threat Intelligence Analysts
Threat intelligence analysts can efficiently structure and organize threat intelligence with context and prioritization to build adversary dossiers, make better decisions and take action.
THREATQ AS A THREAT INTELLIGENCE PLATFORM
How is ThreatQ different from other threat intelligence platforms?
ThreatQuotient offers a complete data-driven security operations solution which includes ThreatQ, a robust threat intelligence platform. In addition to the core features, ThreatQ provides a unique combination of capabilities that streamline threat operations and management to accelerate security operations. These include:
CUSTOMER-DEFINED SCORING
The volume of indicators published today outstrips what most defensive technologies can actually monitor. In addition, not all intelligence is created equal: an indicator that poses a threat to one organization may be irrelevant to another. ThreatQ reduces this noise for more efficient and effective security operations. Customers can customize scores and automatically prioritize intelligence for their specific environment based on parameters the organization sets around indicator source, type, attributes and context, as well as adversary attributes. Security teams can change scoring ranges for greater granularity, and scores are automatically recalculated and intelligence reprioritized as new data, events and learnings are added.
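As an added illustration of customer-defined scoring (example code, not ThreatQ's scoring engine), the block below treats the weights for indicator source, type, attributes and adversary attributes as a configuration dictionary, clamps the result to a configurable range, recomputes every score when a new sighting is added, and exports only indicators above a threshold. The policy values, attribute names, feed names and indicators are constructed for the example.

```python
"""Customer-defined indicator scoring. Weights are configuration, not code, and
scores are recomputed whenever new data arrives. Added example; the policy and
indicators are constructed and do not reflect any vendor's actual scoring."""
from dataclasses import dataclass, field

# Constructed scoring policy. Positive weights raise priority, negative ones lower it.
POLICY = {
    "source": {"isac_feed": 30, "vendor_feed": 20, "osint_feed": 5},
    "type": {"ipv4": 10, "domain": 15, "sha256": 25},
    "attribute": {"seen_internally": 40, "known_benign_infra": -50, "tlp_red": 10},
    "adversary": {"targets_our_sector": 30},
    "max_age_days": 90,   # indicators older than this earn no source credit
    "range": (0, 100),    # scoring range; widen it for finer granularity
}


@dataclass
class Indicator:
    value: str
    itype: str
    sources: set
    attributes: set = field(default_factory=set)
    adversary_attributes: set = field(default_factory=set)
    age_days: int = 0
    score: int = 0


def score_indicator(ind: Indicator, policy: dict = POLICY) -> int:
    """Sum the configured weights that apply to this indicator and clamp to the range."""
    total = 0
    if ind.age_days <= policy["max_age_days"]:
        total += sum(policy["source"].get(s, 0) for s in ind.sources)
    total += policy["type"].get(ind.itype, 0)
    total += sum(policy["attribute"].get(a, 0) for a in ind.attributes)
    total += sum(policy["adversary"].get(a, 0) for a in ind.adversary_attributes)
    lo, hi = policy["range"]
    return max(lo, min(hi, total))


def rescore(indicators: list, policy: dict = POLICY) -> list:
    """Recalculate every score (e.g. after a new sighting) and return by priority."""
    for ind in indicators:
        ind.score = score_indicator(ind, policy)
    return sorted(indicators, key=lambda i: i.score, reverse=True)


def export_threshold(indicators: list, minimum: int) -> list:
    """Only indicators at or above the threshold are pushed to the sensor grid."""
    return [i for i in indicators if i.score >= minimum]


def build_sample() -> list:
    # Constructed indicators: a stale OSINT IP, a domain reported by two trusted
    # feeds with sector targeting, and an IP tagged as known-benign infrastructure.
    return [
        Indicator("203.0.113.7", "ipv4", {"osint_feed"}, age_days=200),
        Indicator("bad-updates.example", "domain", {"isac_feed", "vendor_feed"},
                  {"tlp_red"}, {"targets_our_sector"}, 3),
        Indicator("198.51.100.1", "ipv4", {"osint_feed"}, {"known_benign_infra"}),
    ]


if __name__ == "__main__":
    inds = build_sample()
    for ind in rescore(inds):
        print(f"{ind.score:3d} {ind.itype}:{ind.value}")
    # New internal sighting arrives: the stale IP is now seen on our network.
    inds[0].attributes.add("seen_internally")
    print("after sighting:", [(i.value, i.score) for i in rescore(inds)])
    print("exported:", [i.value for i in export_threshold(inds, 50)])
```

Two behaviours worth noting: the stale OSINT address scores low until an internal sighting is recorded, at which point a rescore lifts it above the export threshold without any analyst editing the indicator; and the known-benign tag drives a score to the floor, so noisy infrastructure never reaches the sensor grid. Widening the range (for example to 0 to 200) stops the high-confidence domain from saturating at 100 and keeps it distinguishable from merely strong indicators.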
INVESTIGATIONS
ThreatQ Investigations is the first cybersecurity situation room, designed for collaborative threat analysis, shared understanding and coordinated response. Built on top of the ThreatQ threat intelligence platform, it embeds visualization and documentation in a shared environment for greater understanding and focus throughout the analysis process. It accelerates investigations and improves collaboration among and across teams and enables team leaders to direct actions, assign tasks and see the results unfold in near real time.
INTEGRATIONS
Bidirectional integrations (data flowing both into and out of the threat intelligence platform) are the wave of the future because they close the loop: intelligence flows out to the security tools, and the results of acting on it flow back in automatically. ThreatQ supports bidirectional integrations with all the security technologies in an organization's ecosystem. This allows analysts to make significantly faster and better decisions using the data already at their fingertips. Some of the key use cases include integration with:
- SIEMs or log repositories to increase efficiencies of these systems, reduce false positives and simplify ‘rear-view mirror’ investigations
- Ticketing systems to enrich and jump-start investigations with deeper intelligence
- Vulnerability management solutions to discover possible attack routes, prioritize patching and continuously re-adjust to stay ahead of the adversary
DATA OWNERSHIP
Sharing enriched threat data externally, such as with technology vendors and Information Sharing and Analysis Centers (ISACs), helps strengthen defenses across a larger community of users. However, organizations must have a clear understanding of how much of their information these groups will share, and with whom. ThreatQ provides granular controls over what, when and how much data is shared. Deployment options also affect data ownership. A cloud-based platform typically stipulates that customers surrender their data, which the vendor may even repackage as part of its own data feed; ThreatQ, in contrast, is an on-premises platform, so organizations retain complete ownership of their data.
The ThreatQ Platform goes beyond the typical threat intelligence platform to support the following use cases:

| Use case | What it provides |
|---|---|
| Threat Intelligence Management | Turn threat data into threat intelligence through context, and automatically prioritize it based on user-defined scoring and relevance. |
| Threat Hunting | Empower teams to proactively search for malicious activity that has not yet been identified by the sensor grid. |
| Incident Response | Gain global visibility into adversary tactics, techniques and procedures to improve remediation quality, coverage and speed. |
| Spear Phishing | Simplify the process of parsing and analyzing spear-phishing emails for prevention and response. |
| Alert Triage | Send only the threat intelligence that is relevant, reducing the number of alerts that need to be investigated. |
| Vulnerability Management | Focus resources where the risk is greatest and prioritize vulnerabilities with knowledge of how they are being exploited. |