Attacks/Breaches
7/15/2012
11:24 PM
Dark Reading
Quick Hits

Evaluating And Choosing Threat Intelligence Tools

So you want to collect and analyze your own threat data. What tools do you need? Here are some tips for finding the right ones.

[Excerpted from "Evaluating and Choosing Threat Intelligence Tools," a new report published this week on Dark Reading's Threat Intelligence Tech Center.]

An Internet search for "threat intelligence tools and services" shows that there are plenty of possible options out there. According to research from IDC, the security services threat intelligence market will be close to $1 billion by 2014, as organizations try to improve their security by becoming more proactive and getting advanced warnings of potential attacks to reduce downtime and remediation costs.

For a long time, enterprise security teams had to rely on mailing lists and advisories from organizations such as CERT, SANS, NTBugtraq, and various antivirus firms for news about attacks and problems other organizations were experiencing. As the number and global spread of attacks grew, so, too, did the need to aggregate this information.

Threat tracking reports, such as Trend Micro’s Current Threat Activity, Spamhaus Botnet Command and Control, and SpyEye tracker, can be loaded into routers and used to block packets originating from IPs involved in certain types of malicious activity. However, security teams need even greater coverage of malicious activity from multiple sources to have a better understanding of what’s going on globally -- as opposed to just the network under their control. They are turning to external systems that provide worldwide data correlation and analysis.

Most enterprises don’t have the staff or resources to do their own external threat intelligence gathering, so it makes sense to subscribe to a service that provides prepackaged threat intelligence data. This data can be used in conjunction with managed security devices or fed into in-house sensors to better understand developing threats.

Today’s security threat intelligence technologies go by various names: predictive security, real-time threat management, situational risk awareness, or advanced SIEM (security information and event management). The key feature is that they produce predictive threat warnings and mitigation advice by monitoring security events from a wide and diverse variety of sources.

Using heuristics and correlation techniques to analyze millions of global events, these tools look to uncover malicious activities. Instead of using traditional signature-based analysis at the network perimeter, they tend to use IP, URL, and file reputation services; contextual analysis; and behavioral rule sets to uncover and block access to malicious content, with some even adjusting or changing their security strategies in real time.

The big advantage is that they consolidate threat, vulnerability, risk, fraud, spam, phishing, attacker, and network intelligence information, overcoming the problem of information being fragmented and disparate.
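The three preceding paragraphs describe the same pipeline from a consumer's side: ingest IP-based threat feeds from more than one source, consolidate them into a single reputation table, check network activity against it, and export a block list that a router or firewall can load. The Python below is an added example written for this article, not code from Dark Reading or from any of the vendors named above. The two feeds, their formats (one indicator per line with `#` comments, and a `indicator,category,confidence` CSV), the confidence values and the firewall log lines are all constructed sample data; the addresses are documentation ranges, not real indicators.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample feed in a one-indicator-per-line format with comments.
# (Hypothetical data; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.)
BOTNET_CC_FEED = """\
# constructed sample: botnet command-and-control addresses
203.0.113.10
203.0.113.0/29
198.51.100.77   # also listed by the second feed below
"""

# Constructed sample feed in a CSV format carrying a category and a confidence score.
MALWARE_FEED = """\
indicator,category,confidence
198.51.100.77,malware-dropper,90
192.0.2.0/24,scanner,60
"""

# Constructed sample firewall log lines (syslog-like key=value format).
FIREWALL_LOG = """\
2012-07-15T22:10:01Z ACCEPT src=10.0.0.5 dst=203.0.113.3 dport=443
2012-07-15T22:10:05Z ACCEPT src=198.51.100.77 dst=10.0.0.9 dport=22
2012-07-15T22:10:09Z ACCEPT src=10.0.0.5 dst=192.0.2.200 dport=80
2012-07-15T22:10:12Z DROP src=203.0.113.10 dst=10.0.0.9 dport=3389
2012-07-15T22:10:20Z ACCEPT src=10.0.0.7 dst=8.8.8.8 dport=53
"""

def parse_plain_feed(text, source, confidence=80):
    """Parse a one-indicator-per-line feed; '#' starts a comment. Returns [(network, meta)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # single hosts become /32 or /128
        except ValueError:
            continue  # skip a malformed line rather than rejecting the whole feed
        entries.append((net, {"source": source, "category": "unspecified", "confidence": confidence}))
    return entries

def parse_csv_feed(text, source):
    """Parse an 'indicator,category,confidence' feed. Returns [(network, meta)]."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            net = ipaddress.ip_network(row["indicator"].strip(), strict=False)
            conf = int(row["confidence"])
        except (KeyError, ValueError):
            continue
        entries.append((net, {"source": source, "category": row.get("category", "unspecified"),
                              "confidence": conf}))
    return entries

def build_reputation(*feeds):
    """Consolidate several feeds into one table: network -> list of feed metadata."""
    rep = defaultdict(list)
    for entries in feeds:
        for net, meta in entries:
            rep[net].append(meta)  # the same indicator from two feeds lands under one key
    return dict(rep)

def lookup(rep, ip_text):
    """Return every feed entry whose network contains the address; [] for a non-address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return []
    hits = []
    for net, metas in rep.items():
        if ip.version == net.version and ip in net:  # CIDR containment, not string equality
            hits.extend(dict(meta, network=str(net)) for meta in metas)
    return hits

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def scan_log(log_text, rep):
    """Check both endpoints of each log line against the reputation table; return alerts."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("src", "dst"):
            hits = lookup(rep, m[field])
            if hits:
                alerts.append({"ts": m["ts"], "action": m["action"], "field": field, "ip": m[field],
                               "sources": sorted({h["source"] for h in hits}),
                               "max_confidence": max(h["confidence"] for h in hits)})
    return alerts

def export_blocklist(rep, min_confidence=0):
    """Emit a de-duplicated, CIDR-collapsed list suitable for loading as a router ACL."""
    nets = [net for net, metas in rep.items()
            if max(m["confidence"] for m in metas) >= min_confidence]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]

if __name__ == "__main__":
    rep = build_reputation(parse_plain_feed(BOTNET_CC_FEED, "botnet_cc"),
                           parse_csv_feed(MALWARE_FEED, "malware"))
    for alert in scan_log(FIREWALL_LOG, rep):
        print(alert)
    print("block list (confidence >= 70):", export_blocklist(rep, min_confidence=70))
```

Two details matter in practice. Matching is by CIDR containment, so a single `/29` entry catches `203.0.113.3` even though that exact address appears in no feed, and the `min_confidence` threshold on export keeps a low-confidence `/24` "scanner" range out of a router ACL, where blocking a whole network on a weak indicator is more likely to cut off legitimate traffic than to stop an attack. The plain-text feed is assigned a fixed confidence because its format carries none; a real subscription would supply its own scoring.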

To find out more about how threat intelligence tools work -- and for a list of questions that may help you identify the right tools and vendors for your organization -- download the free report on evaluating threat intelligence tools.
