Imagine yourself looking for a bookshelf. You visit a nearby furniture store only to find out they are giving several pieces of furniture, including bookshelves for free. But after examining the details, you only see bookshelves either too large or small to fit in your living room. Will you buy the free bookshelf, knowing about its undesirable measurements? Or will you purchase a bookshelf of your choice?
Freebies are good, but only if they are suitable. The same can be said for open source threat intelligence platforms (TIPs). While freebies are tempting, it is important to invest some time and resources in choosing what is best for you. To check all the boxes for the best threat intelligence software, open source or commercial, you first need to understand the job of a threat intelligence platform.
What’s the Purpose of a Threat Intelligence Platform?
Threat Intelligence Platforms enable security teams to gather, organize, and manage threat data and intelligence. Modern-day threat intelligence platforms offer the capability to receive and share intelligence from TI providers, peers, information sharing communities (ISACs/ISAOs), and OSINT sources among others. The main job of a threat intelligence platform is to automate the threat intelligence ingestion, normalization, correlation, enrichment, and analysis. Having the best threat intelligence software in place allows security teams to quickly detect, manage, and act on threats.
What is an Open Source Threat Intelligence Platform?
An open source threat intelligence platform is publicly accessible just like any other open-source software: anyone can examine and modify it. A case in point is the Malware Information Sharing Platform (MISP). An open-source software solution, MISP collects, stores, distributes, and shares IOCs of threat incidents. Designed for security professionals, incident analysts, and malware analysts, MISP helps them ingest and analyze threat data pertaining to detected malware attacks. It automatically connects the dots between malware and its attributes, and stores data in a structured format. In addition, MISP helps generate rules for network intrusion detection systems (NIDS) and enables the sharing of malware information with third parties. In simpler words, MISP aims to create a platform of trust by locally storing threat information and enhancing malware detection to encourage information exchange among organizations.
What is a Commercial Threat Intelligence Platform?
Any commercial offering is a proprietary solution that is updated on a regular basis with capabilities that boost customer value and revenue. The same applies to commercial cyber threat intelligence software offered by a vendor. By leveraging a commercial threat intelligence platform, security teams can automate the collection, normalization, correlation, enrichment, analysis, dissemination, and actioning of threat intelligence. Commercial threat intelligence platforms let you gather tactical as well as technical intel from multiple external sources, such as commercial threat feeds and threat intel providers, ISAC/ISAO hubs, the dark web, and peer and subsidiary organizations. Besides external sources, a commercial threat intelligence platform ingests threat intel from in-house tools such as SIEMs, IDS/IPS, antivirus, and firewalls. The intel collected from both kinds of sources can be monitored in one place. This enables enterprises to collaboratively collect, manage, and share threat intel with partners, vendors, clients, regulatory bodies, ISACs/ISAOs, and others. A commercial threat intelligence platform (TIP) has the capability to normalize the collected threat intel and convert it into STIX format for automated analysis and actions.
Furthermore, using a commercial cyber threat intelligence software, you can correlate and enrich IOCs from different internal and external intel sources. The best threat intelligence software is the one that allows security teams to calculate the final risk score of the IOCs so that actioning on relevant intel can be prioritized. Based on a confidence score, a commercial threat intelligence platform sieves out threat intel, blocks IOCs, and adds them to the watchlist of a SIEM solution.
Last but not least, commercial threat intelligence platforms automate intel dissemination by equipping internal security operations center (SOC), threat hunting, incident response, and red teams with enriched intelligence for quick analysis and actioning. By cross-sharing enriched intel, commercial threat intelligence platforms empower organizations to build a collaborative and cyber-secure environment between their internal teams and external entities.
The Choice is Yours: Open Source vs. Commercial
A maturing security team needs to evaluate threat intelligence platforms on the basis of several technical and economic aspects, such as service level agreements and integration with legacy and existing systems. Most importantly, a security team needs to determine which solution is right for them. An open source threat intelligence platform acts as a centralized hub for threat intelligence. However, it lacks several aspects of a true commercial threat intelligence platform. For instance, integration with legacy systems is a perennial challenge for any new technology. When it comes to threat intelligence platforms, managing legacy feeds and different formats is one of the major concerns. While an open source threat intelligence platform requires substantial modification and maintenance costs to ingest legacy threat feeds, a commercial threat intelligence platform provides integration capabilities that can ingest threat data presented in various formats. A commercial threat intelligence platform can collect both tactical and technical intelligence from different external and internal sources, and can automatically normalize this intelligence from various formats such as STIX, JSON, XML, CybOX, and MAEC, amongst others. Unlike an open source threat intelligence platform, a commercial one supports confidence scoring of IOCs that can be leveraged to drive actions, such as automated alerting. An advanced commercial threat intelligence platform lets you visualize the MITRE ATT&CK framework, provides you with information on attacker TTPs, helps you identify trends across the cyber kill chain, and lets you report on that intel in a coordinated way.
There are several reasons why you might want to opt for a commercial threat intelligence platform. One of them is its ability to automatically enrich threat data from multiple trusted sources and perform correlation, deduplication, analysis, and indicator deprecation in real time. Moreover, it has features to automatically share threat information with disparate security tools for real-time actioning.
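The pipeline stages named above (ingest from feeds in different formats, normalize, correlate and deduplicate, enrich with a confidence score, deprecate stale indicators, and disseminate to a SIEM watchlist) are easier to reason about as code. The following Python example is added here and is not code from the article or from any TIP product; the feeds, source names, reliability weights, 30-day deprecation window and 0.6 watchlist threshold are all constructed, and the type names are mapped onto STIX 2 observable type names as an illustrative convention.

```python
"""Toy threat-intel pipeline: ingest -> normalize -> correlate -> score -> deprecate -> watchlist.
Added example; every feed, source and weight below is constructed for illustration."""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample feeds using reserved test ranges/TLDs (RFC 5737, RFC 2606).
VENDOR_FEED_JSON = json.dumps([
    {"type": "domain", "indicator": "bad-example[.]test", "first_seen": "2024-01-10", "last_seen": "2024-01-14"},
    {"type": "ipv4", "indicator": "203.0.113.7", "first_seen": "2023-11-01", "last_seen": "2023-11-20"},
    {"type": "domain", "indicator": "Phish-Example.test", "first_seen": "2024-01-12", "last_seen": "2024-01-13"},
])
ISAC_FEED_JSON = json.dumps([
    {"type": "domain", "indicator": "phish-example.test", "first_seen": "2024-01-13", "last_seen": "2024-01-14"},
])
OSINT_FEED_CSV = """type,value,seen
domain,bad-example.test,2024-01-13
ipv4,198.51.100.9,2024-01-14
ipv4,203.0.113.7,2023-12-01
"""

# Hypothetical per-source reliability weights an analyst would assign.
SOURCE_RELIABILITY = {"vendor-feed": 0.9, "isac-share": 0.7, "osint-list": 0.4}
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_AGE = timedelta(days=30)                       # not seen for longer than this -> deprecated
WATCHLIST_THRESHOLD = 0.6

# Feed-specific type names mapped onto STIX 2 observable type names (assumed convention).
TYPE_MAP = {"ipv4": "ipv4-addr", "ip": "ipv4-addr", "domain": "domain-name"}


@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: set[str] = field(default_factory=set)
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    confidence: float = 0.0
    deprecated: bool = False


def _parse_date(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def normalize_value(value: str) -> str:
    """Undo common feed defanging ('[.]', 'hxxp') and canonicalize case/whitespace."""
    return value.strip().replace("[.]", ".").replace("hxxp", "http").lower()


def ingest_json(raw: str, source: str) -> list[tuple]:
    """Normalize a JSON feed into (type, value, first_seen, last_seen, source) tuples."""
    return [(TYPE_MAP[rec["type"]], normalize_value(rec["indicator"]),
             _parse_date(rec["first_seen"]), _parse_date(rec["last_seen"]), source)
            for rec in json.loads(raw)]


def ingest_csv(raw: str, source: str) -> list[tuple]:
    """Normalize a CSV feed that carries only a single 'seen' date into the same tuple shape."""
    out = []
    for row in csv.DictReader(io.StringIO(raw)):
        seen = _parse_date(row["seen"])
        out.append((TYPE_MAP[row["type"]], normalize_value(row["value"]), seen, seen, source))
    return out


def correlate(records: list[tuple]) -> dict[tuple[str, str], Indicator]:
    """Deduplicate on (type, value); union the sources and widen the sighting window."""
    merged: dict[tuple[str, str], Indicator] = {}
    for ioc_type, value, first, last, source in records:
        ind = merged.setdefault((ioc_type, value), Indicator(ioc_type, value))
        ind.sources.add(source)
        ind.first_seen = first if ind.first_seen is None else min(ind.first_seen, first)
        ind.last_seen = last if ind.last_seen is None else max(ind.last_seen, last)
    return merged


def score(ind: Indicator, now: datetime = NOW) -> Indicator:
    """Confidence = noisy-OR of source reliabilities; stale indicators are deprecated, not deleted."""
    p_all_wrong = 1.0
    for src in ind.sources:
        p_all_wrong *= 1.0 - SOURCE_RELIABILITY.get(src, 0.2)  # unknown sources count as weak
    ind.confidence = round(1.0 - p_all_wrong, 3)
    ind.deprecated = (now - ind.last_seen) > MAX_AGE
    return ind


def run_pipeline() -> dict[tuple[str, str], Indicator]:
    records = (ingest_json(VENDOR_FEED_JSON, "vendor-feed")
               + ingest_json(ISAC_FEED_JSON, "isac-share")
               + ingest_csv(OSINT_FEED_CSV, "osint-list"))
    return {key: score(ind) for key, ind in correlate(records).items()}


def build_watchlist(indicators: dict, threshold: float = WATCHLIST_THRESHOLD) -> list[str]:
    """Disseminate: only live indicators at or above the threshold reach the SIEM watchlist."""
    return sorted(i.value for i in indicators.values()
                  if not i.deprecated and i.confidence >= threshold)


if __name__ == "__main__":
    result = run_pipeline()
    for ind in result.values():
        print(f"{ind.ioc_type:12} {ind.value:20} sources={sorted(ind.sources)} "
              f"confidence={ind.confidence} deprecated={ind.deprecated}")
    print("watchlist:", build_watchlist(result))
```

Running it shows the behaviour the article attributes to a mature platform: the same domain reported defanged by one feed and plain by another collapses into one record with two sources and a higher score; an address seen by a single low-reliability OSINT list stays below the watchlist threshold; and an address that two feeds last saw 45 days ago keeps its history but is deprecated rather than pushed to the SIEM.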
In today's open-source marketplace, one can find scripting potential, which requires more coding resources, but not steadfast automation capabilities. On the other hand, a commercial threat intelligence platform offering security orchestration, automation, and response (SOAR) capabilities can let your security team automate tasks, resulting in faster and more actionable insights.
Another major aspect that should be on your checklist of criteria when you approach threat intelligence platform selection is customization. As your threat intelligence maturity model evolves, you want your threat intelligence platform to progress too. Besides threat detection and incident response capabilities, you may want to add other strategic capabilities to prove the efficacy of your threat intelligence platform. Customization plays a significant role here, and this is where open source and commercial solutions drastically differ. With their inherent capability to be freely distributed and modified, open-source threat intelligence platforms can appear to be the perfect fit for customization. However, the question is not which solution is more customizable, but whether your security teams have the resources and skills to handle customization in a timely fashion. You may customize an open source threat intelligence solution by putting in tremendous coding effort, but you might end up building a costly platform. Commercial solutions take a significantly different approach to customization. They are designed to be easily customized and tailored to fit your needs, giving you the ability to modify your threat intelligence platform and tune the kind of data you want to include in it for reporting purposes.
Lastly, when choosing cyber threat intelligence software, the cost of commercial threat intelligence platforms can be seen as a big barrier. It is true that open source threat intelligence platforms have a lower cost of entry, but the support costs over time can add up and erode the initial investment benefits. The expense of keeping an open-source threat intelligence platform up to date with all the technologies integrated into it drives up its cost, which is not the case with a commercial threat intelligence platform. Furthermore, leading security vendors are now offering commercial threat intelligence platforms that are tailored to fit the budgets of mid-market enterprises with small or no security teams.
Although the lower cost of entry makes open-source threat intelligence platforms an attractive option, the long-term investment in customization and integration may make you think twice. Eventually, it is a question of what you need and what your requirements are. First, you need to understand the job of a threat intelligence platform and what is right for your team: is it an open-source or a commercial threat intelligence platform?
Looking for the best threat intelligence software? Book a free demo.