Threat intelligence, or cyber threat intelligence, is the result of gathering, processing and analyzing data on threats and threat actors. This intelligence can be used to identify and investigate threats to your organization, with the aim of making it more resilient.
The field of threat intelligence (TI) providers and solutions is large and diverse with new vendors appearing regularly. Offerings include threat intelligence feeds, threat intelligence services and threat intelligence platforms. Add in open-source (OSINT) vs. paid solutions, industry-focused solutions vs. broad solutions, and tactical vs. strategic content and it can quickly get overwhelming when trying to choose what will work best for your organization.
In our view, Gartner has recognized this difficulty in their 2020 Market Guide for Security Threat Intelligence Products and Services, stating, “The number and diversity of TI services, as well as expertise, has created an environment in which purchasers often struggle to compare services, and there’s still no single provider to address all of them.” Once you’ve decided you’d like to consider adding some threat intelligence, what are best practices for evaluating and choosing vendors and solutions?
The best place to start is by considering your use cases. Solutions should fit your use cases versus the other way around. Some of the most popular use cases include:
- Phishing Detection: Phishing is ubiquitous, annoying and potentially highly damaging. TI is critical for identifying malicious IPs and other elements of phishing attacks to speed up your detection and response.
- Threat Hunting: By the time an active threat is detected, quarantined and remediated, it’s often too late. Security teams must be proactive in identifying and hunting for new risks. Regularly updated TI can be applied to your threat detection systems to secure your environment. You can also use your TI solution to look for new tactics and trends.
- Vulnerability Prioritization: “TI integrations are enabling insight on which vulnerabilities are being leveraged by threat actors and is arguably one of the best use cases in modern enterprises for threat intelligence. This quantifiable knowledge provides key insight in the understanding of what an organization’s threat landscape actually looks like,” Gartner writes in the Market Guide.
Once you define your use cases, look for TI solutions that can address those areas. Be sure to consider that some of your existing security technologies, such as SIEM, firewalls and endpoint detection and response (EDR) may offer add-on subscriptions for TI content. Be aware that there may be some overlap in intelligence between vendors, as some vendors OEM their intelligence while others share content. This is normal and expected, but you will want to make sure your TI solutions are diversified, not redundant.
As with any new tool, make sure you have the resources to manage it. Getting value from these solutions depends on your team’s ability and capacity to act on the intelligence you receive from your providers. Plan which people, tools and processes in your organization will consume the intelligence, and how they will use it.
Speaking of budget, pricing of TI is typically geared more in line with large enterprises, although the mid-market is growing as a TI consumer. According to Gartner, pricing is in the lower tens of thousands of dollars for a basic service, while more advanced, strategic, or bespoke content can run several hundred thousand dollars or more.
Our inference from the Gartner report is that end users must do several things concurrently to benefit from TI. These can be grouped as:
- Acquire. There are many vendors in the market, but they usually specialize in certain areas such as malware IOCs, internet domain information or dark web monitoring. It is rare to find one that excels across all domains. Thus the key is to get the right blend of TI for your organization. Depending on your use cases and budget, you may find that publicly available sources of threat information, like open-source intelligence (OSINT), will adequately serve your needs. When acquiring TI solutions, also consider their breadth of coverage, the depth and accuracy of the information, and their extensibility if you intend to use them in multiple tools and processes.
- Aggregate. Once you have your TI in its multiple formats and types, aggregation is the next step. This is where solutions like security orchestration, automation and response (SOAR) come in. SOAR will gather large volumes of TI then deduplicate it, enrich it with other data, make it searchable and use it in downstream automation use cases. SOAR can also be used to compare your TI sources – surfacing where you have overlap and potential redundancy of threat content.
- Action. Having intelligence does nothing for you if you don’t use it. You also need to make it actionable: have a process for what decisions you expect to make on the basis of the content provided, and know who will make those decisions and how.
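The deduplication and source comparison described under Aggregate can be sketched as follows. This is an added example, not code from the original post or from any SOAR product; the feed names and indicators are constructed, and Jaccard similarity is an assumed choice of overlap metric.

```python
from itertools import combinations

# Constructed sample feeds: documentation IP ranges and example domains only.
FEEDS = {
    "vendor_a": ["198.51.100.7", "evil.example.com", "hxxp://bad.example.net/login"],
    "vendor_b": ["198.51.100[.]7", "EVIL.example.com.", "203.0.113.9"],
    "osint":    ["http://bad.example[.]net/login", "203.0.113.9", "192.0.2.44"],
}

def normalize(indicator):
    """Refang and canonicalize so the same indicator from two feeds compares equal."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if s.lower().startswith("hxxp"):          # hxxp:// and hxxps:// are common defangs
        s = "http" + s[4:]
    if "://" in s:                            # URL: lowercase scheme and host, keep path case
        scheme, rest = s.split("://", 1)
        host, sep, path = rest.partition("/")
        return f"{scheme.lower()}://{host.lower().rstrip('.')}{sep}{path}"
    return s.lower().rstrip(".")              # domain or IP: lowercase, drop trailing root dot

def aggregate(feeds):
    """Deduplicate across feeds: one entry per indicator, tagged with every source."""
    merged = {}
    for source, indicators in feeds.items():
        for raw in indicators:
            merged.setdefault(normalize(raw), set()).add(source)
    return merged

def overlap_report(feeds):
    """Pairwise Jaccard similarity between feeds (1.0 means fully redundant)."""
    sets = {name: {normalize(i) for i in items} for name, items in feeds.items()}
    report = {}
    for a, b in combinations(sorted(sets), 2):
        union = sets[a] | sets[b]
        report[(a, b)] = round(len(sets[a] & sets[b]) / len(union), 2) if union else 0.0
    return report

def unique_contribution(feeds):
    """Count of indicators that only one feed supplies: what you lose by dropping it."""
    merged = aggregate(feeds)
    return {name: sum(1 for srcs in merged.values() if srcs == {name}) for name in feeds}

if __name__ == "__main__":
    print(len(aggregate(FEEDS)), "unique indicators")
    print(overlap_report(FEEDS))
    print(unique_contribution(FEEDS))
```

Without the normalization step, the defanged and differently cased entries would count as distinct indicators and the feeds would look less redundant than they are.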
Choosing threat intelligence solutions and getting value from them is complex. To get more guidance on the market and further details on selecting solutions, download the Gartner 2020 Market Guide for Security Threat Intelligence Products and Services.
Gartner, Market Guide for Security Threat Intelligence Products and Services, Craig Lawson, Brad LaPorte, Mitchell Schneider, John Collins, Ruggero Contu, 20 May 2020
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.