Evaluating And Choosing Threat Intelligence Tools

So you want to collect and analyze your own threat data. What tools do you need? Here are some tips for finding the right ones.
[Excerpted from "Evaluating and Choosing Threat Intelligence Tools," a new report published this week on Dark Reading's Threat Intelligence Tech Center.]

An Internet search for "threat intelligence tools and services" shows that there are plenty of possible options out there. According to research from IDC, the security services threat intelligence market will be close to $1 billion by 2014, as organizations try to improve their security by becoming more proactive and getting advance warning of potential attacks to reduce downtime and remediation costs.

For a long time, enterprise security teams had to rely on mailing lists and advisories from organizations such as CERT, SANS, NTBugtraq, and various antivirus firms for news about attacks and problems other organizations were experiencing. As the number and global spread of attacks grew, so, too, did the need to aggregate this information.

Threat tracking feeds and reports, such as Trend Micro's Current Threat Activity, the Spamhaus Botnet Command and Control list, and the SpyEye tracker, can be loaded into routers and firewalls to block traffic to and from IPs involved in particular kinds of malicious activity. However, security teams need even greater coverage of malicious activity from multiple sources to have a better understanding of what's going on globally -- as opposed to just the network under their control. They are turning to external systems that provide worldwide data correlation and analysis.

Most enterprises don't have the staff or resources to do their own external threat intelligence gathering, so it makes sense to subscribe to a service that provides prepackaged threat intelligence data. This data can be used in conjunction with managed security devices or fed into in-house sensors to better understand developing threats.

Today’s security threat intelligence technologies go by various names: predictive security, real-time threat management, situational risk awareness, or advanced SIEM (security information and event management). The key feature is that they produce predictive threat warnings and mitigation advice by monitoring security events from a wide and diverse variety of sources.

Using heuristics and correlation techniques to analyze millions of global events, these tools look to uncover malicious activity. Rather than relying only on traditional signature-based analysis at the network perimeter, they use IP, URL, and file reputation services; contextual analysis; and behavioral rule sets to uncover and block access to malicious content, with some adjusting their enforcement policy in real time.
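The two steps the preceding paragraphs describe, loading a tracker feed into a router or in-house sensor and then matching events against IP and domain reputation data, are what a security team actually has to script before any vendor platform enters the picture. The following is an added example, not code from the article or from any vendor or tracker it names. The feed layout ("indicator ; description" with "#" comments), every address and domain (RFC 5737 documentation ranges and a reserved ".example" name), and the connection records are constructed for the demo; `parse_feed`, `IndicatorSet`, `match_events` and `to_ipset_lines` are hypothetical names. It shows the checks a practitioner wants before pushing a feed to a blocking device: reject entries that would blackhole your own RFC 1918 space, reject absurdly broad prefixes such as 0.0.0.0/0, drop malformed lines and duplicates, and keep the rejects visible rather than silently skipping them.

```python
"""Ingest a plain-text indicator feed and check it against firewall/proxy events.

Added example; not code from the article or any vendor it names. All data here
is constructed for the demo.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed feed in the "indicator ; description" style many public blocklists
# use. It deliberately contains the entries that bite in practice: a CIDR range,
# an internal address, a 0.0.0.0/0 fat-finger, junk, a domain and a duplicate.
SAMPLE_FEED = """\
# hypothetical C2 tracker export
198.51.100.7 ; spyeye_c2
203.0.113.0/24 ; botnet_cc_range
192.168.1.5 ; internal_address_leaked_into_feed
0.0.0.0/0 ; fat_finger
not-an-ip ; malformed
Evil-C2.example ; spyeye_dropzone
198.51.100.7 ; duplicate_of_first
"""

# Constructed outbound connection records (source, destination, HTTP Host).
SAMPLE_EVENTS = [
    {"src": "10.0.0.15", "dst": "198.51.100.7", "host": ""},
    {"src": "10.0.0.16", "dst": "93.184.216.34", "host": "www.example.com"},
    {"src": "10.0.0.17", "dst": "203.0.113.200", "host": ""},
    {"src": "10.0.0.18", "dst": "192.0.2.1", "host": "evil-c2.example"},
    {"src": "10.0.0.19", "dst": "192.168.1.5", "host": ""},
]

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
MIN_PREFIXLEN = {4: 8, 6: 32}  # anything broader is almost certainly a feed error

# Ranges a router must never be told to block: your own RFC 1918 and CGNAT space,
# loopback, link-local, multicast and the unspecified net. The RFC 5737
# documentation ranges are intentionally absent so the demo data passes.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def _non_routable(net):
    return any(net.version == n.version and net.overlaps(n) for n in NEVER_BLOCK)


@dataclass
class IndicatorSet:
    networks: dict = field(default_factory=dict)  # (version, prefixlen) -> {network: desc}
    domains: dict = field(default_factory=dict)   # domain -> description
    rejected: list = field(default_factory=list)  # (raw entry, reason)

    def add_network(self, raw, desc):
        net = ipaddress.ip_network(raw, strict=False)  # ValueError if not an IP/CIDR
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            self.rejected.append((raw, "prefix too broad"))
            return
        if _non_routable(net):
            self.rejected.append((raw, "non-routable address"))
            return
        bucket = self.networks.setdefault((net.version, net.prefixlen), {})
        if net in bucket:
            self.rejected.append((raw, "duplicate"))
            return
        bucket[net] = desc

    def lookup_ip(self, ip_str):
        """Longest-prefix match with one dict probe per distinct prefix length."""
        addr = ipaddress.ip_address(ip_str)
        plens = sorted((pl for v, pl in self.networks if v == addr.version), reverse=True)
        for plen in plens:
            key = ipaddress.ip_network((addr, plen), strict=False)
            desc = self.networks[(addr.version, plen)].get(key)
            if desc is not None:
                return str(key), desc
        return None

    def lookup_domain(self, host):
        """Exact match first, then parent domains (a.evil.example -> evil.example)."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate, self.domains[candidate]
        return None


def parse_feed(text):
    """Parse 'indicator ; description' lines; blanks and '#' comments are skipped."""
    iset = IndicatorSet()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicator, _, desc = (p.strip() for p in line.partition(";"))
        desc = desc or "unspecified"
        try:
            iset.add_network(indicator, desc)
            continue
        except ValueError:
            pass  # not an IP or CIDR; try it as a domain
        name = indicator.lower().rstrip(".")
        if _DOMAIN_RE.match(name):
            iset.domains.setdefault(name, desc)
        else:
            iset.rejected.append((indicator, "malformed indicator"))
    return iset


def match_events(iset, events):
    """Return one hit per event field that matches a vetted indicator."""
    hits = []
    for i, ev in enumerate(events):
        for fld in ("src", "dst"):
            found = iset.lookup_ip(ev[fld])
            if found:
                hits.append({"event": i, "field": fld, "indicator": found[0], "desc": found[1]})
        if ev.get("host"):
            found = iset.lookup_domain(ev["host"])
            if found:
                hits.append({"event": i, "field": "host", "indicator": found[0], "desc": found[1]})
    return hits


def to_ipset_lines(iset, setname="ti_block"):
    """Emit ipset(8) commands for the vetted networks, one set per IP family."""
    lines = [f"ipset create {setname}_v4 hash:net family inet -exist",
             f"ipset create {setname}_v6 hash:net family inet6 -exist"]
    for (version, _), bucket in sorted(iset.networks.items()):
        for net in sorted(bucket):
            lines.append(f"ipset add {setname}_v{version} {net} -exist")
    return lines


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for raw, why in feed.rejected:
        print(f"rejected {raw!r}: {why}")
    for hit in match_events(feed, SAMPLE_EVENTS):
        print(hit)
    print("\n".join(to_ipset_lines(feed)))
```

The 192.168.1.5 entry is the one to watch: it is a real address in the constructed feed and in the events, yet it produces neither a hit nor a block rule, because a tracker feed that lists your own internal space would otherwise blackhole the network it is meant to protect. The emitted `ipset` commands are paired on the gateway with a single rule such as `iptables -I FORWARD -m set --match-set ti_block_v4 dst -j DROP`; the per-prefix-length dictionaries keep lookups to a handful of probes per event even for feeds with hundreds of thousands of entries.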

The big advantage is that they consolidate threat, vulnerability, risk, fraud, spam, phishing, attacker, and network intelligence in one place, overcoming the fragmentation of that information across disparate sources.

To find out more about how threat intelligence tools work -- and for a list of questions that may help you identify the right tools and vendors for your organization -- download the free report on evaluating threat intelligence tools.