View More guides on Cyber Threat Intelligence
What is a Connected Threat Intelligence Platform (TIP)?
- Cyber Threat Intelligence
Posted on: July 07, 2022
A Threat Intelligence Platform (TIP) streamlines cyber threat intelligence management by aggregating threat data from multiple sources, and normalizing, enriching, correlating, and analyzing this data to produce actionable intelligence. This relevant, enriched data can then be disseminated and used to drive security operations and strategy.
While Threat Intelligence Platforms (TIP) provide value to security teams by optimizing the intelligence lifecycle, traditional platforms focus primarily on intel aggregation and enrichment and operate as point solutions, which is no longer enough given the complexity of the current threat landscape and the way security operations have evolved to meet new challenges.
Organizations across industry sectors are switching to new computing and data sharing models, and the network perimeter is either blurring or disappearing altogether. This has opened up new opportunities for cybercriminals and introduced more blind spots and gaps into security programs. To stay ahead of attackers, security teams need 24/7 visibility into an extended attack surface and must process vast volumes of threat data to find anomalous patterns and spot threats early.
There has also been a proliferation of tools in modern security operations centers, with a point solution for each distinct security function. All these tools may be excellent at what they do individually, but they also introduce greater complexity into the cyber defense program as a whole if they do not interoperate. Multiple siloed tools lead to convoluted processes and costly delays in threat detection and response.
Connected Threat Intelligence Platforms
Connected Threat Intelligence Platforms (TIPs) are designed to not just aggregate, analyze and disseminate threat intelligence as legacy TIPs do, but also integrate bidirectionally with other tools in an organization’s security ecosystem to drive better security outcomes and significantly improve security teams’ predictive capabilities. By automatically correlating and analyzing millions of threat indicators at speed and interfacing with a large number of security tools, threat intel sources and intel consumers, connected TIPs solve the most pressing problems in threat intel operationalization today - the vast volume and variety of data that needs processing, and the proliferation of SecOps solutions that don’t interoperate.
How Connected TIPs solve the challenges in threat intelligence operationalization
Data overload and the need for automation
In a hyperconnected world where information travels at machine speed, threats do too. Cyber threats can emerge anywhere on the planet and impact organizations and entities at a global scale. Security teams need to analyze data from a wide range of internal and external sources to stay on top of emerging threats. These include open source and commercial intelligence feeds, security news and advisories, websites, blogs and social media, underground criminal forums, and the dark web, and internal telemetry sources like IDS, IPS, firewalls, SOAR, SIEM, EDR/XDR, and more. This adds up to millions of indicators and data points every day - all of which need to be parsed and analyzed for effective security.
It isn’t possible for security analysts to extract relevant, actionable threat intelligence from all the threat data generated every day without automating a significant part of the process. This is where connected TIPs can help. A connected TIP uses automation to streamline and speed up the threat intelligence lifecycle, which includes collecting threat data at scale, processing and analyzing the data, and disseminating the data.
Security tool proliferation and the need for orchestration
For threat intelligence to be used effectively, threat intelligence platforms need to ingest data from, and push analyzed intel into multiple detection and monitoring tools in real time. Large enterprises today use more than 75 tools in their security operations centers, most of which don’t interoperate. This increases complexity and leads to significant delays in detection and response with analysts having to pivot from console to console to piece together the trajectory of a threat.
Connected threat intelligence platforms integrate with other tools in an organization’s security toolstack to enable detection, investigation and response at machine speed. This significantly reduces security teams’ mean time to detect (MTTD) and mean time to respond (MTTR) while reducing analyst workloads by automating a good part of data analysis and operationalization.
A connected Threat Intelligence Platform (TIP) usually does the following:
- Aggregates and ingests threat data from multiple internal and external sources and formats
- Normalizes this data into a structured format and deduplicates it
- Automatically analyzes and correlates new threat intel with historical information, security logs, and data generated from internal monitoring and detection tools
- Enriches the data with additional context drawn from other tools
- Assigns risk and confidence scores to threat indicators
- Shares relevant analyzed data with different security teams (SOC, Digital Forensics, Incident Response, research and intel, Threat Hunting, Vulnerability Management, etc.) and other stakeholders
- Integrates with and continually feeds relevant data to other tools in the organization’s security and IT toolstack (EDR, Firewalls, IDS/IPS, SIEM, SOAR) for monitoring, detection and response
- Enables bidirectional threat intelligence sharing across organizations and facilitates community building (ISACs and ISAOs) for security collaboration.
Hub-and-spoke model for bidirectional intelligence exchange
Different threat intelligence platforms follow different models for sharing data and interoperating with other tools in an organization’s technology stack. Bidirectional sharing - where the platform can both ingest data from other tools as well as push finished intel into detection and response tools - is ideal for maximum effectiveness and return on investment. This kind of interoperability, where the TIP can interact with each piece of the larger security architecture with minimal human intervention, enables faster threat detection, investigation and response, and helps streamline the overall security operations in the organization.
Intelligence sharing with humans, both in internal teams and external organizations, should also be bidirectional, with data flowing in both directions. This helps organizations build situational awareness and learn from the knowledge and experiences of a whole extended network of trusted third parties, bolstering all parties’ security posture.
Connected TIPs typically implement the hub-and-spoke model for information sharing, where a central hub controls the platform and bidirectionally shares intelligence with all connected entities or members (the “spokes” in the hub-and-spoke model). For example, a large organization may act as a “hub” when using a TIP and disseminate relevant intelligence to all its connected business units while also ingesting information from each unit. The same model would apply to industry-specific intelligence sharing communities like ISACs and ISAOs where the ISAC can be the central hub, and member organizations the spokes.
Connected Threat Intelligence Platform (TIP) integrations for data ingestion, analysis, and dissemination
A connected TIP connects with hundreds and sometimes thousands of data sources, security and IT tools, and intelligence consumers to first ingest threat data, then enrich and analyze it, and finally disseminate it to both machines and humans for actioning and consumption. All of these connections and integrations serve the larger purpose of using high-fidelity intelligence to drive security decisions at technical, tactical, operational and strategic levels.
Data ingestion and analytics
With big-data technologies enabling the storage and analysis of massive amounts of unstructured, heterogeneous data, modern threat intelligence platforms can collect and perform analytics on data flowing in from hundreds of external feeds as well as internal telemetry generated by network and endpoint monitoring tools. A connected TIP leverages big data analytics to convert data streams in multiple formats and from multiple sources into a structured, deduplicated dataset, analyze and correlate this data, and extract relevant intelligence from it.
- Data ingestion: A connected TIP ingests data from multiple external and internal sources. External sources may include commercial and open-source intel feeds, intelligence-sharing communities and government entities (ISACs, CERTs, etc), websites, blogs, news and RSS feeds, and the dark web and cybercriminal forums. Internal sources may include monitoring and detection tools, log aggregators, and other tools in an organization’s technology stack (EDR/XDR, EPP, UEBA, firewalls, NDR, SIEMs, IDS/IPS)
- Data enrichment: Individual threat indicators may not provide enough context to security analysts to fit them into a bigger incident/threat lifecycle, or understand their severity. Connected TIPs can automatically enrich threat indicators and artifacts by adding context from open source/third-party intel repositories like Shodan, Whois, and VirusTotal, and internal tools. By automating the enrichment step, a modern TIP significantly reduces investigation time for analysts, freeing them up to work on deeper analysis.
- Data correlation: In addition to enriching data with additional context from OSINT tools, connected TIPs can also integrate with internal telemetry sources to correlate new intelligence with historical data and network and endpoint activity to draw out the full picture of a threat and where it sits in the larger IT environment. This requires tight integration with network and endpoint monitoring, user behavior analysis, and log management tools.
Threat intelligence delivery to connected tools
For analyzed, enriched threat intelligence to be really useful, it needs to be fed to monitoring, detection, and response tools in real-time so both known and unknown threats can either be blocked at the perimeter or detected and neutralized at machine speed if they make it into the network.
- Prevention and detection: TIP integrations with monitoring and detection tools and sensors allow the automatic updating of block lists and allow-lists on Firewalls, IDS/IPS, Endpoint Protection tools, and more. Connected TIPs do this in near real-time, speeding up the detection of critical threats which can then be neutralized, blocked, sandboxed, or escalated for further investigation.
- Response and case management: A connected TIP can also seamlessly deliver threat intel to threat response and case management tools, often a Security Orchestration, Automation and Response (SOAR) platform, to trigger response actions in real-time. The orchestration element in SOAR adds further extensibility to a TIP, enables easy playbook creation, and automates repeatable response steps, optimizing the whole threat response cycle and bringing down response time to seconds.
- Vulnerability management: Vulnerability management is an important use case for TIPs. By integrating with a vulnerability management tool (sometimes integrated with threat response platforms), a connected TIP enables the operationalization of updated, enriched, analyzed and prioritized vulnerability data. A vulnerability management system can use this data during scans and to prioritize patching and remediation.
Threat intelligence sharing with internal teams
In addition to continually feeding data to other IT and security tools for operationalization, TIPs must also deliver enriched intelligence to internal teams like SOC, incident response, forensics, threat hunting, and upper management, based on the specific roles they perform. Many modern TIPs feature easy-to-use, customizable dashboards for easy cyber threat intelligence organization, tagging, filtering, and consumption by analysts and other teams. Some also provide different views for different teams/roles based on the specific kinds of threat information that will be useful for them.
Threat intelligence exchange with trusted external entities
The ability to share analyzed intelligence with a trusted network of external entities, such as ISACs and ISAOs, government agencies, business subsidiaries, vendors and supply chain partners, should be a key capability of a connected TIP. Given the complexity of threats in a digitized, closely connected and increasingly interdependent world, cybersecurity efforts on any level can only be successful if intelligence is drawn from a wide pool of resources drawn from both public and private organizations - each contributing its own experience, expertise, and knowledge to fight common threats. Connected TIPs make this possible by enabling secure threat intelligence dissemination to third parties and providing a platform for building trusted communities.
Cyware Threat Intelligence eXchange (CTIX)
Cyware Threat Intelligence eXchange (CTIX) is a next-generation connected threat intelligence platform that automates the ingestion, enrichment, analysis, and dissemination of threat data to internal security tools, teams and stakeholders, and a trusted external network.
It ingests data in all formats (PDF, CSV, JSON, STIX/TAXII) from a multitude of internal and external sources; normalizes, deduplicates, analyzes, correlates, and enriches this data; continually pushes finished TI into other security and IT technologies in the organization; and shares relevant intel with security teams and other stakeholders based on their specific roles and needs. CTIX also enables the exchange of relevant threat information with trusted third-parties (both public and private).
CTIX follows the hub-and-spoke model for bidirectional threat data exchange, with a central server or a central organization or team disseminating relevant intel to all connected tools or entities while also ingesting data from these systems. By integrating with security tools across an organization’s internal network, the platform enables threat intelligence delivery to detection sensors in real time, significantly improving the speed of detection and response.
Learn more about CTIX features here: Cyware Threat Intelligence eXchange features