Security threat intelligence services: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
A threat intelligence service gathers raw data about emerging threats from several sources, then analyzes and filters that data to produce usable information in the form of management reports and data feeds for automated security controls. Its primary purpose is to help organizations understand the risks of (and better protect against) zero-day threats, advanced persistent threats (APTs) and exploits, especially those most likely to affect their particular environments.
Learning about relevant threats as early as possible gives organizations the best chance to close security holes proactively and take other actions to prevent data loss or system failures.
Threat intelligence service models
Threat intelligence services are relative newcomers to the security industry, so the scope of what each offering delivers still varies considerably.
Some services simply provide a data feed that has been cleansed of most false positives, much like the free feeds available from the SANS Internet Storm Center or CERT. The most common for-a-fee services provide aggregated and correlated data (usually two or more feeds combined), as well as customized alerts and warnings specific to a customer's risk landscape. The third type of threat intelligence service is a managed service that handles data aggregation and correlation; feeds the resulting information automatically into security devices (firewalls, security information and event management (SIEM) systems and so on); and provides industry-specific threat assessments and security consulting.
Each type of threat intelligence service is sold on a subscription basis, usually at two or three capability levels, and is delivered via a cloud platform. Several companies offer managed services for delivery across on-premises systems.
Because subscription costs tend to run moderately high to very expensive, and because of the equipment needed for on-premises deployment, threat intelligence services are currently geared toward larger midmarket organizations and enterprises. As the cloud continues to move down-market, however, threat intelligence services are bound to do likewise.
The history behind threat intelligence services
Threat intelligence services came into being mainly because of the sheer volume of data available, whether generated internally or acquired from external feeds, on current and emerging IT security threats. Sifting through that data and transforming it into information that is pertinent to a particular organization takes considerable time, effort and expertise.
Security companies, such as Symantec, that make it their business to track threats and provide current antivirus signatures for their products, have maintained global threat databases for years that are populated from software agents running on millions of client computers and other devices. That data, along with feeds from other sources, is the foundation for the information provided by a threat intelligence service.
A look inside threat intelligence service data
Data from the various threat intelligence sources differs in quality and structure, and must be validated before it is used. Validation combines automated processing with human analysis to sort and interpret the data; without it, a feed's malformed or stale entries and its false positives pass straight through into the customer's blocklists and alerts.
Apparent threats are then correlated against the entire pool of threat data to identify patterns that indicate suspicious or malicious activity, and linked to technical indicators (addresses, domains, file hashes and the like) for categorization. Finally, the data is converted into contextual information that provides insights about the tactics and behavior patterns of emerging or advanced threats and threat actors.
In the end, threat information that is usable and actionable must be accurate, timely and relevant to the customer, must align with the customer's security strategy, and must be easy to incorporate into existing security systems.
Characteristic features of threat intelligence services
Now that we've addressed the purpose and benefits of threat intelligence, let's take a look at the most common features found in these kinds of services:
- Data feeds: Many types of data feeds are available through threat intelligence services. Examples include malicious IP addresses, domains and URLs, phishing URLs, malware hashes and many more. A vendor's threat intelligence feeds should draw on its own global database, as well as on open source data, information from industry groups and so on, to produce a pool of data that is both broad and deep. Breadth is only useful, however, if each indicator carries enough context (its source, a confidence rating, and first-seen and last-seen dates) for the customer to decide how to act on it and when to retire it.
- Alerts and reports: Some services provide real-time alerts along with daily, weekly, monthly and quarterly threat reports. Intelligence may include information about specific types of malware, emerging threats, and threat actors and their motives.
Security analysts or IT security staff are needed to manage the data feed information. It is either incorporated into proprietary equipment (typically from the same vendor that provides the feed) or delivered in standard file formats such as XML and CSV for use in a variety of security management tools and platforms.
Depending on the level of information in the data feeds, staff might need specialized training from the vendor.
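The feed handling described above (and the validation, deduplication and linking to technical indicators described under "A look inside threat intelligence service data"), as an added example that is not from the original article or from any vendor's product: it parses a constructed CSV indicator feed of the kind delivered in the standard formats just mentioned, drops malformed entries and the RFC 1918 and loopback addresses that can only produce false positives, merges the same indicator reported by several sources, ages out stale entries, and matches the result against a few constructed log lines. The column names, the key=value log format, the reference date and every indicator value are assumptions made for the example.

```python
"""Normalise a CSV indicator feed, merge duplicates, age out stale entries
and match the result against local log lines.
Added example: feed columns, log format and all values are constructed."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed feed. The column names are an assumption, not a vendor schema.
FEED_CSV = """indicator,type,confidence,first_seen,last_seen,source
203.0.113.45,ipv4,90,2024-01-10,2024-02-01,vendor-global
203.0.113.45,ipv4,50,2023-12-01,2024-01-05,open-source
bad-update.example,domain,80,2024-01-15,2024-02-03,industry-isac
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,sha256,95,2024-01-20,2024-02-05,vendor-global
not-an-ip,ipv4,60,2024-01-01,2024-01-02,open-source
10.0.0.7,ipv4,99,2024-01-01,2024-02-01,open-source
old.example,domain,70,2023-06-01,2023-07-01,open-source
"""
# Constructed log lines in a made-up key=value format (proxy and EDR events).
LOG_LINES = [
    "2024-02-06T09:12:01Z proxy src=192.168.4.20 dst=203.0.113.45 url=http://bad-update.example/install.exe",
    "2024-02-06T09:12:05Z edr host=ws-17 file=install.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-02-06T09:13:00Z proxy src=192.168.4.21 dst=10.0.0.7 url=http://intranet.corp/",
]
TODAY = date(2024, 2, 6)  # constructed reference date for ageing out entries

# Ranges that can only cause false positives if a feed carries them.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")  # splits URLs and key=value pairs


@dataclass
class Indicator:
    value: str
    kind: str
    confidence: int
    first_seen: date
    last_seen: date
    sources: set


def normalise(raw, kind):
    """Return the canonical form of an indicator, or None if malformed or noise."""
    raw = raw.strip().lower().rstrip(".")
    if kind == "ipv4":
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return None
        if ip.version != 4 or any(ip in net for net in NOISE_NETS):
            return None
        return str(ip)
    if kind == "domain":
        return raw if DOMAIN_RE.match(raw) else None
    if kind == "sha256":
        return raw if SHA256_RE.match(raw) else None
    return None  # unknown indicator type: drop it rather than guess


def load_feed(csv_text, today, max_age_days=90):
    """Parse, validate, merge duplicates and drop stale entries.
    Returns {(kind, value): Indicator}."""
    merged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = normalise(row["indicator"], row["type"])
        if value is None:
            continue
        first = date.fromisoformat(row["first_seen"])
        last = date.fromisoformat(row["last_seen"])
        key = (row["type"], value)
        entry = merged.get(key)
        if entry is None:
            merged[key] = Indicator(value, row["type"], int(row["confidence"]),
                                    first, last, {row["source"]})
        else:
            # Same indicator from several feeds: keep the highest confidence,
            # the widest sighting window and every source that reported it.
            entry.confidence = max(entry.confidence, int(row["confidence"]))
            entry.first_seen = min(entry.first_seen, first)
            entry.last_seen = max(entry.last_seen, last)
            entry.sources.add(row["source"])
    cutoff = today - timedelta(days=max_age_days)
    return {k: v for k, v in merged.items() if v.last_seen >= cutoff}


def match_logs(indicators, log_lines):
    """Return (line_no, kind, value, confidence) for each indicator seen in the logs."""
    by_value = {}
    for (kind, value), ind in indicators.items():
        by_value.setdefault(value, []).append(ind)
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in TOKEN_RE.findall(line.lower()):
            for ind in by_value.get(tok.rstrip("."), []):
                hit = (n, ind.kind, ind.value, ind.confidence)
                if hit not in hits:
                    hits.append(hit)
    return hits


if __name__ == "__main__":
    feed = load_feed(FEED_CSV, TODAY)
    for key, ind in feed.items():
        print(key, ind.confidence, sorted(ind.sources))
    for hit in match_logs(feed, LOG_LINES):
        print("HIT", hit)
```

On the constructed input this keeps three indicators: the duplicate 203.0.113.45 entries merge into one with confidence 90 and both sources recorded, the unparsable "not-an-ip" row and the RFC 1918 address 10.0.0.7 are dropped, and old.example is aged out because it was last seen more than 90 days before the reference date. The first log line then matches on both the destination address and the domain inside the URL, the EDR line matches on the file hash, and the internal-proxy line matches nothing. The age-out window and the merge rule (highest confidence wins) are policy choices that a real deployment would tune per feed.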
As mentioned previously, some companies offer managed security services that offload most of the administrative burden associated with a proactive security approach. A managed service may include experts that provide threat intelligence reports, monitor an organization's assets 24/7, and provide threat mitigation and incident response.
The costs of threat intelligence services vary as much as the services themselves. Data feeds alone can cost thousands of dollars per month, and related expenses include the costs of maintaining a 24/7 security operations center staffed with technicians and analysts. (To compare, managed security services are typically tens of thousands of dollars per month, easily running into six or seven figures per year for larger environments.)
As with most things in business, the least expensive services require more human time and effort on the customer side.
A threat intelligence service can dramatically improve the efficiency of security staff in preventing security incidents. Because threat intelligence services vary widely, a key challenge in selecting one is knowing what the organization needs (how the information will be used) and having the right staff in place to use the service appropriately. The next article in this series looks at the business case for threat intelligence services to help organizations determine whether such a service should be added to their IT security budgets.