Security threat intelligence services: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
Turning threat intelligence data from multiple sources into actionable, contextual information is a challenge that many organizations face today. That's because it's easy to miss connections between data points or to misinterpret the significance of noise when reviewing the vast amounts of data that must be cleansed, crunched and turned into usable intelligence.
A threat intelligence platform, or threat intelligence management platform, is one way to address this issue because it gathers, filters and analyzes data, and provides it in standard formats for inclusion in a variety of security appliances and systems. Most services also provide detailed threat reports that are customized by industry or by organization.
Choosing the threat intelligence provider that's best for an organization is a time-consuming process, however. It begins with a needs analysis -- an internal assessment of an organization's business processes, IT infrastructure and security posture, as well as the ability to manage threat intelligence -- to develop clear intelligence requirements. Then, because threat intelligence can be expensive, an organization should thoroughly research service features and interview service providers, as well as customers in the same industry.
This article compares the data feeds and capabilities, alerts and reports, relative subscription prices, and support offered by top-rated threat intelligence services companies, such as FireEye, Infoblox, LookingGlass, McAfee, RSA, SecureWorks, Symantec and Verisign.
With the exception of McAfee, all of the service providers mentioned offer data feeds by subscription or contract, which vary by how they're packaged and whether or not they require specialized equipment or platforms. Independent lab test results are not available for threat intelligence services at this time, so we can't compare the accuracy or reliability of data feeds among vendors.
For example, LookingGlass provides data feeds in many different formats for high-risk hosts, domain names, websites, malicious payloads, IP addresses, new domain registrations, command-and-control servers, and confirmed malware infection records, all in a single contract.
Infoblox offers three core ActiveTrust data feeds for host names, IP addresses and URLs. ActiveTrust offers Standard, Plus and Advanced subscription packages. Standard includes a basic threat data set for the Infoblox DNS Firewall. Plus expands that data set, includes data from Infoblox partner SURBL and lets customers choose one of the data feeds. Advanced includes all the data sets and all the data feeds.
SecureWorks offers vulnerability and threat feeds that subscribers can integrate into their current infrastructure via XML, STIX or CSV. The company's advisory information includes strategic security reports about significant events, attacks and threats, along with actionable recommendations.
Symantec offers three DeepSight Intelligence data feeds: IP reputation, domain/URL reputation and vulnerabilities. Reputation data feeds are available in XML, CSV and CEF formats. The vulnerability data feeds are available in XML only. Customers choose how often they want to receive updates, such as every 15 minutes, every hour or every day.
FireEye sells five different iSIGHT Intelligence subscriptions, which are designed for security job roles. Machine-to-machine intelligence feeds are delivered through the iSIGHT API.
RSA Live data is a key differentiator in the industry. RSA Live data is converted into clickable metadata, enabling open source and other intelligence to be merged with a customer's data, making it more valuable. Because RSA Live is integrated with the RSA NetWitness Suite, customers must have NetWitness Suite to access RSA Live data feeds.
Feeds from Infoblox may be used with the Infoblox DNS Firewall or a customer's security equipment; feeds from RSA and Verisign may be used only with proprietary systems or a limited number of third-party security systems.
Rather than requiring customers to download and handle data feeds, McAfee integrates reputation information from its cloud-based McAfee Global Threat Intelligence for files, web, web categorization, messages, network connections and certificates. These reputation services are enabled by default in many Intel Security products, including McAfee Threat Intelligence Exchange.
Alerts and reports
LookingGlass sends customized threat-related email alerts, and provides custom threat intelligence services and reports for executive security and brand security, as well as analyst support.
SecureWorks offers targeted intelligence reports to customers, which are customized to an organization's brand and/or executives, as well as weekly intelligence summary reports and emerging threat bulletins.
The FireEye subscription includes intelligence reports through the Intel portal. The reports include trends and analysis about advanced threats and actors.
McAfee ePolicy Orchestrator is the management component of McAfee Threat Intelligence Exchange that provides a console and dashboards from which administrators can manage reports, alerts, system status and so on. In the lineup of vendors, McAfee can uniquely detect a networked system or device affected by some threat and immediately push that information to other connected systems, effectively stopping the threat from spreading.
An RSA NetWitness Suite subscription includes threat reports and alerts, open source community intelligence, common protocols and command-and-control reports, exploit kit identification, zero-day and compromise indicators, and prioritized risk levels.
Verisign offers both global intelligence reports and customized reports based on an organization's industry or specific circumstances.
Symantec's DeepSight Intelligence provides a customer portal with support tools that provide early warnings and alerts, patch details, and business impact information related to each customer's runtime environment.
Data feeds typically come in one-year, two-year and three-year subscriptions, which are often based on the number of users they serve, but may be based on the number and type of appliance (if a vendor's appliance is necessary).
As the number of users increases, volume discounts often apply. Expect to pay at least $1,500 to $3,000 per month for a single data feed, but be aware that the cost can increase greatly depending on the type of feed involved.
Another tip for readers is to ask providers if they have a return on investment calculator for threat intelligence services. These calculators are usually available online or in spreadsheet format.
Most of the companies offer 24/7 year-round standard support via phone or a customer portal, as well as web knowledge bases. Standard support is included in the subscription. All the companies offer assistance with takedowns and escalated support issues for an additional fee.
Which threat intelligence services are right for you?
Organizations that are mainly seeking threat intelligence data feeds for existing security defense equipment should consider Infoblox ActiveTrust, LookingGlass Cyber Threat Center and Symantec DeepSight. All three offer a choice of comprehensive, standard format feeds, along with reports and excellent support.
For detailed global threat reports and custom company- or industry-specific threat intelligence reports, look to LookingGlass, Verisign and SecureWorks. Organizations that prefer both threat intelligence and security equipment in a single package should consider FireEye products, which are considered by many experts to be the best in the industry, as well as McAfee.
Finally, RSA Live focuses on enterprise log analysis, event management and incident investigation -- with solid threat intelligence built into the platform.
Remember, budget will play a major role in an organization's choice of threat intelligence services, as will the equipment it currently runs, and the results of its research into the industry type and similarities with other customers for each service on its short list.
The best approach is to strive for consistency when interviewing potential services -- ask the same questions, compare the answers and be prepared for a second round of interviews when evaluating your short list.