Features of a Threat Intelligence Platform

February 14, 2019

A Threat Intelligence Platform (TIP) is a fantastic way to manage intelligence and its process amongst individual teams and communities, including clients. With so many options to choose from, selecting the best TIP can be a daunting task. If you’re new to cyber threat intelligence, you likely don’t know what a TIP can do, and thus what strengths to focus on in your selection. As mentioned in previous blogs, it is essential to have a strategic road map in place to best approach your intelligence integration and operational needs before acquiring a TIP.

Attributes of the TIP Company

Because TIPs are an emergent solution space, some of the earlier developers have more mature, integrated, and stable solutions. Consider things like how long the company has been in business, how they are funded, how many clients they have, their financial stability, whether they hold compliance certifications for their product and/or services to lower third-party risk, who the leaders of the company are and whether they are known or accomplished in the field, etc. A startup is commonly associated with higher risk and less stability but with increased agility as well as the ability to customize to meet your needs as one of a few clients as opposed to hundreds. More mature solutions offer additional options, but this often results in higher costs and the vendor may not be as agile or responsive in meeting specific needs.

Attributes of a TIP

Individual attributes or functionality of a TIP must be prioritized to ensure it best meets a company’s unique needs.
The following list is not comprehensive but is detailed enough to illustrate how one may consider evaluating various categories of features and capabilities for a TIP when comparing vendors:

COLLECTIONS
- Multiple SIEM Ingestions
- Industry protocols for ingestion (JSON, XML, etc.)

REPUTATION/ENRICHMENT/BEHAVIORAL
- Automated IOC Enrichment
- Vulnerability Prioritization
- Threat Correlation
- Named Threat Attribution
- Anonymized/Sanitized Threat Sharing/Community

WORKFLOW MANAGEMENT
- Custom Dashboards
- Case Management (IR/SOC/*) Framework
- Task Management (actions, escalations, etc.)
- Visual Threat Correlation
- Custom Objects & Meta-Data Editing

ORCHESTRATION & AUTOMATION (O&A)
- Custom Risk Rating & Alerting
- Custom Objects/Tagging/Meta-data
- Predictive Analytics
- Playbook/Templates & Integration APIs

DISSEMINATION
- Weekly Threat Landscape Reports by Vendor
- STIX 1.x/TAXII/MISP, etc. Framework Support
- ServiceNow Records & Updates Integration
- Private/Public Communities
- Splunk Integration & App
- Cloud/remote client login/portal support

MONITORING
- Brand monitoring (OSINT/Deep/DarkWeb)
- YARA/Retro Hunts

SUPPORT
- Technical Support 5/9 Coverage
- Assigned Engineer/Account Manager & Advisory Consultation
- Intel Analyst Q&A
- Universal Shared Accounts Supported
- Flexible Pricing and Support
- Free Playbook Configuration/Integration
- Use Case Development
- Cloud Solution
- On-Premise (remember costs associated)

PRICING
- Total users
- API usage rate
- GB Data Transfer rate
- Product/Flat Rate
- Discounts/Working with us
- Friends & Family / Referral Discounts

Consider Staff, Pricing and Create an Organized Review of Options

Big picture: Some TIP vendors offer a free consultation or even free onboarding, while others sell you more of a product or service and then you’re on your own.
Depending upon your staff capabilities and your security program maturity, this may be an essential thing to consider in terms of what the vendor is providing and how your experience fits with that. How much can you internally deploy and support?

Cost is always the bottom line, pun intended, so be sure to apply the pricing model to your known environment. For example, if pricing is determined via total GB of data transferred into or out of a TIP, knowing how much data is currently being utilized or is likely to be transferred into a TIP is critical to ensure its affordability in production. This type of pricing model can be reduced by being creative, such as only sending to the TIP a subset of actionable data that is of the greatest interest, while the remaining data can exist in a data lake. Be sure to consider all disseminations and integrations of intel required for the TIP to ensure you can affordably orchestrate with the TIP in production, as is necessary when working with various groups towards actionability (e.g. sending reports to the Incident Response (IR) team, Indicators of Compromise (IOCs) to network and email IT, etc.).

TIP Vendor Choice Must Be Carefully Thought Out

Performing an organized, detailed review of all potential TIPs, with clear strategic priorities for the intelligence program, is an effective approach. It helps to clarify priorities and apply them directly to the TIP being considered. It also shows comparisons and return on investment for each TIP strength and weakness as applied to an organization’s requirements. It can also be used to help leverage a strategic road map and alignment towards a future state, such as purchasing scalable options or a different TIP over time, to best meet the changing needs of an environment.
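One way to make the "organized, detailed review" concrete is a weighted decision matrix that applies the program's category priorities to each vendor's feature ratings and then applies each vendor's pricing model (flat rate, per user, per API call, per GB transferred) to the known environment, so score and cost can be compared side by side. The example below is added here and is not code from the original post or from any vendor; the category weights, the two vendors, their ratings and their price rates are all constructed for illustration, and it also models the post's suggestion of sending only an actionable subset of data to a GB-priced TIP.

```python
"""Weighted TIP evaluation matrix with a pricing-model projection.

Added example, not from the original post. All vendor names, feature
ratings, weights and price figures are constructed for illustration.
"""
from dataclasses import dataclass, replace

# Category weights express the intelligence program's strategic
# priorities (categories from the post; the numbers are an assumption).
CATEGORY_WEIGHTS = {
    "collections": 3,
    "enrichment": 5,
    "workflow": 4,
    "orchestration": 4,
    "dissemination": 5,
    "monitoring": 2,
    "support": 3,
}


@dataclass
class PricingModel:
    """Annual per-unit rates; a zero rate means the vendor does not bill on that axis."""
    flat_annual: float = 0.0
    per_user: float = 0.0
    per_api_call: float = 0.0
    per_gb: float = 0.0


@dataclass
class Vendor:
    name: str
    scores: dict          # category -> 0..5 rating from the review
    pricing: PricingModel


@dataclass
class Environment:
    """The known environment the pricing model is applied to."""
    users: int
    api_calls_per_year: int
    gb_per_year: float


def weighted_score(vendor, weights=CATEGORY_WEIGHTS):
    """Weighted feature score normalized to 0..100 (5 is the best rating)."""
    max_total = 5 * sum(weights.values())
    total = sum(weights[c] * vendor.scores.get(c, 0) for c in weights)
    return round(100 * total / max_total, 1)


def annual_cost(vendor, env):
    """Apply the vendor's pricing model to the environment's actual usage."""
    p = vendor.pricing
    return (p.flat_annual + p.per_user * env.users
            + p.per_api_call * env.api_calls_per_year
            + p.per_gb * env.gb_per_year)


def with_actionable_subset(env, fraction):
    """Environment where only `fraction` of the data is sent to the TIP;
    the rest stays in a data lake, so GB-based charges shrink accordingly."""
    return replace(env, gb_per_year=env.gb_per_year * fraction)


def rank(vendors, env, weights=CATEGORY_WEIGHTS):
    """Rows of (name, score, annual cost, score per $10k), best value first."""
    rows = []
    for v in vendors:
        score = weighted_score(v, weights)
        cost = annual_cost(v, env)
        rows.append((v.name, score, cost, round(score / (cost / 10_000), 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample data: a mature vendor billing on users and GB, and a
# startup selling a flat-rate product.
VENDOR_A = Vendor(
    "MatureTIP (hypothetical)",
    {"collections": 4, "enrichment": 5, "workflow": 4, "orchestration": 4,
     "dissemination": 5, "monitoring": 3, "support": 4},
    PricingModel(flat_annual=20_000, per_user=500, per_gb=300),
)
VENDOR_B = Vendor(
    "StartupTIP (hypothetical)",
    {c: 3 for c in CATEGORY_WEIGHTS},
    PricingModel(flat_annual=15_000),
)
ENV = Environment(users=10, api_calls_per_year=2_000_000, gb_per_year=200)

if __name__ == "__main__":
    for row in rank([VENDOR_A, VENDOR_B], ENV):
        print(row)
    print("MatureTIP, 25% actionable subset:",
          annual_cost(VENDOR_A, with_actionable_subset(ENV, 0.25)))
```

The value column is deliberately simple (score per $10k of projected annual cost); in practice the review would also carry the company-level attributes discussed above, and the weights should be agreed with the intelligence program's stakeholders before any vendor is scored.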
By: Ken Dunham, Senior Director, Technical Cyber Threat Intelligence

Ken Dunham has spent 30 years in cybersecurity, consulting in adversarial counterintelligence, forensics, Darknet Special Ops, phishing and hacking schemes, AI/BI, machine learning and threat identification.