Five criteria for purchasing from threat intelligence providers
Expert Ed Tittel explores key criteria for evaluating threat intelligence providers to determine the best service for an enterprise's needs.
Once an organization has determined it is a candidate for threat intelligence providers, the next order of business is to select the service that provides the best fit for its needs. Because the threat intelligence services market is still relatively new, however, it's often a challenge to compare service details side by side to get an accurate picture of which vendor offers what.
For example, a few services may have three levels of data feeds in standard file formats that can be used in a variety of security equipment from different manufacturers. Another threat intelligence service may offer access to analysis tools and security analyst reports, with data feeds as a separate subscription. Some services provide the opportunity to join a trusted community of threat intelligence customers who share intel, experiences and insights, without the risk of publicly divulging security gaps or tarnishing their reputations with current or prospective clients.
Also, consider that it takes time and a certain level of skill to deal with threat intelligence, regardless of how much analysis, filtering and general cleansing the service providers handle on their end.
The majority of threat intelligence providers operate under the assumption that customers have, at a minimum, a security staff whose responsibilities include planning for and implementing proactive security measures. In fact, many enterprise customers have security operations centers. This skill/expertise requirement eliminates most small businesses and a lot of midsize organizations from the get-go because they simply don't have the manpower to devote to such activities.
However, a smallish organization that's also high profile -- and that perhaps draws attention for its political or social views -- may need to find money in the budget for threat intelligence. The number and sophistication of attacks continue to increase. Today's small companies are just as vulnerable to attacks as their larger counterparts because almost all companies hold information that's tempting to the cybercriminal community. In this case, a managed threat intelligence service may be a good choice.
What to look for in threat intelligence providers
Before evaluating services, Rick Holland, former principal analyst at Forrester, and now VP of Digital Shadows, recommends that organizations thoroughly understand their mission, business requirements and intelligence requirements. Then, when evaluating prospective providers, determine whether each provider's intelligence requirements align with that of the organization's.
The following is a list of key evaluation points to use when researching and comparing threat intelligence services.
Data feeds
Because data feeds are an important product offered by threat intelligence providers, you should find out as much as possible about each vendor's data feed characteristics and sources of data.
- How many data feeds are available, and what is their focus? Feeds may cover IP/domain URLs, reputation, security risks, vulnerabilities and more.
- What platform does the provider use to process data? Does it require proprietary equipment?
- Which file formats are the data feeds? Formats are typically CSV, XML, STIX and JSON. Many service providers accommodate API management, which enables customers to pull data through a web service.
- From how many different data sources does the company draw?
- What are the sources? Most providers are willing to disclose their sources of threat intelligence data upon request, while others can't or won't do so because it's considered confidential information.
Threat intelligence alerts and reports
Does the company provide real-time alerts and analyst reports as part of the base subscription, or is a higher priced subscription required? How frequently are reports or summaries issued? Are they industry-specific? Are organization-specific reports available?
Reports are highly useful to security staff, especially if they're geared to the organization's industry and include information on relevant malware, emerging threats, threat actors and their motives. Report summaries could be included in status updates to senior execs and in security awareness training, so everyone is aware of the same info.
Price
Typically, customers purchase threat intelligence as a subscription to one or more data feeds -- in one-year, two-year and three-year increments. Service providers may offer tiered pricing based on the number of users, and offer volume discounts as that number increases.
For example, a service provider might offer the same data feeds, but different pricing for one to 2,500 users; 2,501 users to 10,000 users; and so on. The cost of a data feed subscription varies from company to company, but is in the range of roughly $1,500 to $10,000 per month, depending on the number of data feeds in the subscription. Some services require customers to buy their security devices along with a threat intelligence data feed subscription, which can add thousands of dollars to overall costs.
Industry reports, especially those that are tailored to organizations, typically incur an additional fee, whether monthly, quarterly or annually. And special services, such as recovery from malware, takedowns and so on, always come at an additional cost.
Service provider support
Service provider support in the threat intelligence industry is a lot like life insurance -- you never want to use it, but it's critical to have it. Not only does tech support address questions about how to incorporate data feeds into security equipment and what indicators mean, but it should also be available for incident response, malicious website takedowns and the like.
When comparing threat intelligence providers, research answers to the following questions:
- Does the company provide 24/7 year-round telephone access to their support engineers?
- How quickly does the company state it will respond to a call? Within 30 minutes? Longer?
- How much does escalated support cost, which may include faster response times or anytime access to a tier-3 engineer?
- If the customer needs incident response assistance, what are the costs and terms of that service?
- How many employees may contact tech support for assistance? Some vendors offer support plans in which multiple employees are approved contacts.
- Is training available? Is it included in the subscription fee, or is there a separate charge?
Tips for researching threat intelligence providers
LinkedIn, as well as other high-tech and social media companies, hosts threat intelligence groups or forums for sharing intelligence about zero-day and other advanced attacks. These discussion threads are often sprinkled with brief reviews and opinions of specific service providers, and such unsolicited, here's my experience reviews often contain insightful tips for picking the right service.
Many of the threat intelligence providers, such as FireEye, provide current, top-notch information on their sites. Another good source is the Gartner Blog Network, where writers weigh in on threat intelligence, as well as general security topics. Also, keep an eye on the Cyber Threat Intelligence Integration Center, which provides integrated, all-source intelligence analysis.
Because a threat intelligence platform is a major expense, organizations need to research these services thoroughly by browsing data sheets from each provider's website and talking to sales staff (who are, almost without fail, highly knowledgeable on their products and the industry in general).
Once a short list of candidates is created, ask to speak with a security engineer or analyst at each company. By doing so, IT decision-makers will be able to gauge each threat intelligence vendors' helpfulness and concern, which will serve as another criterion for picking the best threat intelligence provider for the organization.
