One of this year's new categories, threat intelligence products, can generally be thought of in two ways: as an intelligence feed that is consumed by various other products, or as a product that utilizes intelligence to block malware and sophisticated attacks.
The prevailing trend in the space is to have security controls that can consume threat information to block malicious activity (a characteristic of all three of the finalists), though these products will need to evolve in the near future, according to Rick Holland, principal analyst at Cambridge, Mass.-based Forrester Research Inc. "When you go with the big security vendors themselves, they don't want to share outside the 'McAfee' ecosystem," says Holland. "We need the ability to take threat information and apply it all across security controls instead of just putting it on vendor X's controls."
Three products came out on top in a crowded category, teeming with a wide range of platforms and services. We congratulate the winners chosen by Information Security readers as the best of Threat Intelligence 2014.
Winner: FireEye Threat Intelligence, FireEye Inc.
FireEye's Threat Intelligence services and products impressed readers this year both with how quickly they can react to new threats, and the service and support offered by the vendor. Of course, FireEye's ability to profile and react to threats was buoyed by its $1 billion acquisition in 2013 of Mandiant, a high-profile incident response and forensics firm. FireEye continues to be out in front, announcing plans in September to offer native threat intelligence in the cloud with an analytics product for Amazon Web Services.
The company offers three subscription levels for its Threat Intelligence service: Dynamic Threat Intelligence, Advanced Threat Intelligence and Advanced Threat Intelligence Plus. Dynamic is the most basic level and allows customers with FireEye's own technologies to share threat intelligence with the FireEye cloud, with the promise of being able to block attacks based on the returned data. Advanced adds more context to the threat intelligence being returned, including details on known threat actors and malware as well as other indicators of compromise. The most complete level, Advanced Threat Intelligence Plus, provides comprehensive reports on hacker groups and targeted industries using news, trends and analysis, and allows enterprises to share information directly with trusted partners.
To take full advantage of FireEye's Threat Intelligence services, organizations will also need to deploy some of the other products in the vendor's Threat Prevention Platform. That includes a number of cloud-based products and physical appliances that defend various areas of an enterprise environment, including network, email, endpoint and mobile. All of the Threat Prevention technologies rely on FireEye's proprietary multi-vector virtual execution (MVX) engine to detect advanced malware through real-time analysis techniques. FireEye delivers auto-generated indicators of compromise based on information taken from customer deployments, promising to reduce the time until an attack is detected and blocked.
Taken as a whole, readers found the FireEye Threat Intelligence services and related products to be "cutting edge" and definitely "nice to have" for enterprise security programs.
Winner: WebPulse, Blue Coat Systems Inc.
Readers scored Blue Coat Systems' WebPulse offering highly in a number of areas, including its ability to react quickly to new threats and the service and support offered by the vendor, and rated it a good value overall for the investment. Much like other products in this category, WebPulse is a cloud-based repository where information on threats (specifically, in this case, Web-borne threats) is collected from other Blue Coat products, including Blue Coat's ProxySG and PacketShaper appliances. Those products then make use of that threat intelligence to block attacks before they strike.
WebPulse works by analyzing and categorizing all URLs that a protected user visits. If a URL has already been visited recently by a different Blue Coat user and the details were uploaded to the cloud, WebPulse will automatically assign the site a rating that can then be used by administrators to block or allow it within their organization. If a URL hasn't been visited previously (a real possibility, given the millions of URLs created every month), then WebPulse will utilize its cloud-based ratings engine to analyze the requested URL's language content, registration information, history and more to determine whether the site can be trusted. WebPulse's analysis relies on a number of techniques, including antimalware and AV scanning, sandboxing and the use of proprietary content scanners, to determine whether a site hosts malicious content.
That information is then relayed to the WebPulse cloud so that other users can benefit from the analysis. Users of Blue Coat's ProxyAV inline Web traffic scanning appliances also feed data to the WebPulse cloud to similar effect. The benefits of the Blue Coat ecosystem led one reader to note that one of WebPulse's strengths is that it is "good in conjunction with other products."
Winner: Advanced Malware Protection, Cisco
Cisco's Advanced Malware Protection (AMP) offering, the result of the vendor's blockbuster $2.7 billion acquisition of security firm Sourcefire in 2013, received some of the highest ratings from readers in this category for its ability to respond quickly to new threats. Readers also felt the Cisco product provided good situational awareness based on security context.
AMP's threat intelligence hinges in part on its integration with ThreatGrid, a malware analysis service, available on-premises or in the cloud, that uses sandboxing and a proprietary threat database to detect potential exploits. Cisco is expected to tighten its integration with ThreatGrid after acquiring the company, a longtime Sourcefire partner, in May.
The AMP technology can be deployed in a number of ways, from being integrated into dedicated ASA firewalls and other network security appliances to working on endpoints and mobile devices. Products throughout the Cisco ecosystem such as Cisco Cloud Web Security and Cisco Web and Email Security appliances can also utilize AMP as an integrated feature.
Cisco's AMP mostly serves to analyze, detect and block malware throughout the attack lifecycle. File reputations can be analyzed inline, files with unknown behavior can be analyzed in a sandbox environment and, perhaps AMP's most distinctive selling point, files are continually re-analyzed to determine whether a threat has emerged from a previously innocent file. With that latter capability, Cisco promises AMP customers that it can detect unknown threats when they are discovered and block similar attacks before they happen based on the collected information. Those capabilities led one reader to note that Cisco's AMP "provides complete protection" from attacks.
The threat intelligence gathered from AMP's analysis activity is fed into Cisco's Talos threat research group, with the promise that information on fending off threats will be shared with the Cisco community and fed into the company's products to block future attacks. Intriguingly, in a move that Holland pointed to as a potential indicator of the future, Cisco also recently signed a deal that made data from AMP's sandboxing available to customers of Symantec's managed security services.