Security threat intelligence services: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
LookingGlass acquired Cyveillance Inc. in December 2015, expanding its own threat intelligence offerings with Cyveillance's unstructured and open source intelligence.
The company's cloud-based LookingGlass Cyber Threat Center platform is designed for use by security and threat analysts, whether an organization is new to threat intelligence or has a mature security program.
The platform gathers digital and physical threat data from millions of online sources, which include web searches, online images and global intelligence. Physical threats are activities targeted against individuals or facilities as a result of protests and geopolitical unrest (for example, posts on social media sites or underground channel information).
LookingGlass' automated tools search for indicators across the internet and may uncover upwards of five million per day. The actual number varies; weekend days, for example, tend to produce more hits than a Tuesday. The data is filtered, tagged and scored, and human analysts choose the most relevant information (perhaps 50 to 100 items) to share with customers.
The Cyber Threat Center information portal provides 24/7 access to a suite of tools, global intelligence reports and databases that include phishing attacks, URL and domain names, IP addresses, hosts, targets, cyberattacks, threat actors and dark web forums. The portal's main page displays management dashboards for the source, volume and categories of collected data and saved items.
In addition, LookingGlass sends customized threat-related email alerts, and provides custom threat intelligence services and reports for executive security and brand security, as well as analyst support, with fluency in over 20 languages. Cyber Threat Center customers can choose self-service or have analysts deliver reports. Other services include takedowns and recovery and forensics.
LookingGlass provides data feeds for phishing URLs and in-the-wild malicious URLs, which cover high-risk hosts, domain names, websites, malicious payloads and IP addresses. The company also offers data feeds for new domain registrations, command-and-control servers and confirmed malware infection records. Feeds are available in XML, CSV and OpenTPX formats and through REST APIs.
Customers can incorporate LookingGlass data feeds into perimeter defense systems, such as firewalls and security information and event management (SIEM) systems, and admins can integrate them with other feeds if desired.
A LookingGlass customer is typically a larger midmarket or enterprise customer with its own security operations center or threat intelligence center, with at least one full-time security analyst on staff. However, the customer base is changing.
Small companies face many of the same threats as their larger counterparts, and -- if regulated -- must meet the same audit and reporting requirements. As a result, LookingGlass also supports small organizations that have a high attack profile or that must protect highly valuable assets or intellectual property, such as a regional bank, legal practice or medical center.
Pricing and licensing
Customers may purchase an annual contract for the LookingGlass Cyber Threat Center portal, which gives them access to analyst insights and other threat information. Pricing is based on the volume of data consumed.
Machine-readable data feeds incur additional costs. For example, a small organization with a low threat profile might pay $12,000 per year. Alternatively, an enterprise or other high-profile company with a lot of activity associated with its brand could pay $75,000 or more per year.
LookingGlass engages customers on a trial basis to monitor usage, and the annual contract price is determined from that usage. Consulting and custom reports are not part of the monthly subscription fee.
Customers can reach LookingGlass by phone or web forum for assistance with a LookingGlass subscription. For an additional cost, LookingGlass performs takedowns of phishing sites, fake Facebook accounts, imposter accounts and rogue mobile apps, and can provide malware sandboxing.