Get started Bring yourself up to speed with our introductory content.

The top threat intelligence services for enterprises

Threat intelligence takes data from multiple sources and turns it into actionable, contextual information. Expert Ed Tittel takes a look at the top threat intelligence services.

Threat intelligence services help organizations better understand the threats and risks against them -- such as zero-day and advanced persistent threats -- by analyzing and filtering data to produce useable information in the form of management reports and data feeds for automated security control systems.

Simply certifying that an organization's firewall, antimalware and similar protective measures are functioning well and are up to date isn't always enough to protect it from today's malicious threats. Threat intelligence services help to even the playing field against such exploits by helping an organization stay current on threats to its IT infrastructure, thereby giving security professionals a better chance at proactively blocking security holes and taking action to prevent data loss or system failures.

Not every organization is a candidate for a threat intelligence service, largely because a comprehensive intelligence subscription can be very costly. Those that have made the determination that threat intelligence is a good fit and investment, and have started the process of investigating the procurement of a threat intelligence service, will find there are a lot of different services to choose from.

To help get readers started, here is a list of the top threat intelligence products on the market today.

Cyveillance Inc.

A business-to-business provider of cyber intelligence, Cyveillance offers the cloud-based Cyveillance Cyber Threat Center platform for security and threat analysts. This platform gathers information on digital and physical threat data from millions of online sources. It provides data feeds -- available in XML via secure FTP or a HTTPS Web service -- for phishing URLs and in-the-wild malicious URLs, which cover high-risk hosts, domain names, websites, malicious payloads and IP addresses. A Cyveillance customer is typically a midsize or enterprise-size organization with its own security operations center or threat intelligence center, with at least one full-time security analyst on staff. To learn more about Cyveillance, read the full overview.

Dell SecureWorks Inc.

Certifying that an organization's firewall, antimalware and similar protective measures are functioning well and are up to date isn't always enough

Dell SecureWorks offers both targeted and global threat intelligence, as well as advanced or add-on services for customers of all sizes. Dell Global Threat Intelligence offers three types of data feeds on a subscription basis -- Vulnerability, Threat and Advisory -- and is a generalized or non-targeted threat intelligence service that is based on threat data collected across thousands of SecureWorks global customers. Dell Targeted Threat Intelligence, on the other hand, can be tailored to an organizations specific environment, brand and executives to identify potential threats and threat actors that represent a probable risk. SecureWorks add-on services include an attacker database, CTU support, malware analysis and borderless threat monitoring. To learn more about the threat intelligence services from Dell SecureWorks, read the full overview.

FireEye Threat Intelligence

Part of an appliance-based platform for automating defenses against zero-day and other advanced cyberattacks, FireEye Threat Intelligence is available on a subscription basis for customer-owned FireEye appliances that small, midsize and enterprise customers can own. The service provides organizations with access to and context for volumes of data regarding global threats. It is designed to help FireEye Inc. customers identify threat actors and indicators of network and system breaches. The service offers three levels of data feed -- Dynamic, Advanced and Advanced Plus -- which build progressively upon one another. To learn more about FireEye Threat Intelligence, read the full overview.

Internet Identify (IID) ActiveTrust

As a threat intelligence service, Internet Identify (IID) ActiveTrust draws data from a number of different vetted sources that include law enforcement, Internet infrastructure providers, open source providers and security companies. ActiveTrust validates, analyzes, filters and categorizes the information to deliver customers -- which tend to be larger organizations with well-developed security programs -- with data that's been structured, standardized and contextualized. IID customers' access data feeds by downloading it in standard format files, such as CSV, or by using an API through a secure tunnel in non-routable IP space. The data is fed into a customer's security information and event manager (SIEM), firewall, intrusion detection system/intrusion prevention system, or an application. To learn more about IID ActiveTrust, read the overview.

LogRhythm Security Intelligence

LogRhythm Security Intelligence is a hardware-based log management and SIEM product with integrated software that's designed for setup and use out of the box. Organizations choose from a handful of appliances based on the size of their infrastructure and log volume. It collects and analyzes logs, applications, vulnerabilities, events, workflow and other machine data within an organization, then uses its Artificial Intelligence Engine to identify previously undetected and emerging threats. The platform, which incorporates threat intelligence directly into the LogRhythm Inc.'s platform (not as a separate feed), also provides tools for host forensics, case management, whitelisting and file integrity monitoring. To learn more about LogRhythm Security Intelligence, read the full overview.

RSA Live and RSA Security Analytics

RSA Security Analytics is a monitoring platform that provides network forensic and analytics tools for investigating incidents, analyzing data packets and working with endpoint data and logs. It enables customers to quickly detect and take action on emerging and advanced threats that other security defenses may miss. RSA Live is the Web-based threat intelligence delivery system used by RSA Security Analytics customers. Available in two tiers, basic and enhanced, RSA Live includes threat reports and alerts, open source community intelligence, common protocols and command-and-control reports, exploit kit identification, zero-days and compromise indicators, and prioritized risk levels. The enhanced tier also includes a number of advanced RSA FirstWatch features. To learn more about RSA Live and RSA Security Analytics, read the full overview.

Symantec DeepSight Security Intelligence

Symantec DeepSight Security Intelligence is a threat intelligence service that draws information from the Symantec Global Intelligence Network (GIN), which is a huge repository of threat data populated by feedback from Symantec security products running on millions of customer computers and devices, in addition to hundreds of thousands of sensors in over 200 countries. The GIN databases are, collectively, one of the largest sources of threat intelligence in the world. Symantec provides customers with DeepSight Intelligence data feeds for reputation, security risks and vulnerabilities. Reputation data is delivered through a SOAP Web service connection in XML, CSV and CEF (Common Event Format) formats; the security risk and vulnerability data feeds are available in XML only. Symantec tends to deliver this threat information to larger midsize organizations and enterprises with in-house security staff. To learn more about Symantec DeepSight Security Intelligence, read the full overview.

VeriSign iDefense

VeriSign iDefense Security Intelligence Services complement an organization's existing security defenses and staff by analyzing and providing actionable intelligence regarding zero-day threats, malware and similar vulnerabilities, as well as threats against critical infrastructures from a variety of political and social actors. In addition to delivering real-time threat data feeds, the services detail nationwide and regional emerging events and customizes reports for specific industries and organizations. Customers create profiles on VeriSign Inc.'s iDefense Web portal, where they can search threat information and sign up to receive automated daily intelligence alerts and periodic summary and trend reports that focus on known and emerging threats and more. They can also correspond with threat intelligence subject matter experts. Data for VeriSign iDefense feeds is collected from over 30,000 monitored systems and applications from over 400 vendors. To learn more about VeriSign iDefense, read the full overview.


There a large number of threat intelligence services out there, and they all deliver and collect data about emerging threats in different ways. Some are better at providing detailed global threat reports, while others are capable of drilling down and delivering reports to customers that are highly industry- or (even) company-specific. In addition, there are some services that better serve an organization with existing defense equipment, while others provide threat intelligence that's easily integrated into an organization's existing security controls -- no matter the equipment in place.

Budget will play a major factor in an organization's choice of a threat intelligence service. Organizations should check out the full individual write-ups for each of the threat intelligence service products outlined in this article, as well as our feature that compares these top threat intelligence services directly to one another, before deciding which one is right for them.

Next Steps

Read up on how threat intelligence can benefit enterprise security.

Discover how threat intelligence feeds help to prioritize signals from internal systems against unknown threats.

This was last published in July 2015

Dig Deeper on Disk and file encryption tools