A number of replacement technologies have emerged in recent years to improve on the protection afforded by traditional anti-malware systems. Traditional anti-malware programs compare the code of new programs running on a computer to a database of previously detected malware signatures.
There is a lot more info on each of the tools below, but in case you only have time for a quick glance, here is our list of the five best threat intelligence platforms:
- SolarWinds Security Event Manager (FREE TRIAL) Uses a log file analysis threat detection strategy combined with an externally-sourced live feed of threat alerts.
- ManageEngine Log360 (FREE TRIAL) Looks for threats in log file data from Windows Server or Linux and adds in threat intelligence from three sources.
- FireEye Helix Security Platform Combines a cloud-based SIEM threat detection console, AI learning methods, and a threat intelligence feed.
- AlienVault Unified Security Management Includes threat detection, incident response, and threat intelligence sharing.
- LogRhythm NextGen SIEM Includes the live monitoring of traffic data and the analysis of log file records.
In the traditional anti-malware model, a central research lab investigates new threats to derive patterns that identify them. These malware characteristics are then distributed to all of the installed AV programs that the company has sold to clients. The local anti-malware system maintains a threat database that contains this list of signatures derived by the central lab.
The AV threat database model is no longer effective at protecting computers. This is because professional teams of hackers now engage in malware production lines with new threats appearing daily. As it takes time for research labs to notice a new virus and then identify its characteristics, the lead time for typical AV solutions is now too long to offer effective protection.
The threat intelligence platform is the AV industry’s answer to the rapid pace of malware production.
Spotting a threat
A threat intelligence platform still includes a threat database. However, rather than relying on users reporting strange behavior to the headquarters of the AV producer, new cybersecurity systems aim to contain all of the research and threat remediations on each customer’s equipment. In effect, each TIP installation becomes a composite detection, analysis, and resolution bundle. It is no longer necessary to update the threat database from a central lab because each machine performs the researcher team’s work.
This distributed model of AV data gathering is much more efficient at combatting “zero-day” attacks. The “zero-day” term refers to new viruses that have not yet been identified by the major AV labs in the world and against which, as yet, there is no effective defense. Each machine does not work alone, however. Information on discovered new threats is shared among the users of a specific brand of TIP.
The TIP uses detection procedures locally while still relying on a threat database, which is contributed by local analysis as well as frequent downloads from the software provider’s labs. Those downloads are derived from the discoveries made by the same TIP that is installed on other sites by other customers.
Selecting a TIP
Although each TIP uses a similar set of strategies to detect malicious events, not all TIPs are equally effective. Some producers focus on one specific type of device and one specific operating system. They might also provide protection systems for other types of devices and operating systems, but without the same level of success that they achieved with their core product.
It isn’t easy to spot a good TIP and the claims, boasts, and obscure industry jargon used on the promotional websites of their producers makes searching for the right TIP a very tiring exercise. Fortunately, we have done the legwork for you.
The Best Threat Intelligence Platforms
Here are more detailed descriptions of each of our top five recommended TIPs.
Security Event Manager (SEM) from SolarWinds combines event tracking on your network with a threat intelligence feed supplied from an external source. This tool will not only detect threats, but it will automatically trigger responses to protect your system.
At the heart of this security solution, you will find a log analysis tool. This monitors network activity, looking for unusual events and it also tracks changes to essential files. The second element of this TIP from SolarWinds is a cyber threat intelligence framework.
Security Event Manager works from a database of known suspicious events and sniffs the network on the lookout for any such occurrences. Some suspicious activities can only be spotted by combining data from separate sources on your system. This analysis can only be performed through event log analysis, and so is not a real-time task.
Although SEM begins with an off-the-shelf threat signature database, the tool will adjust and expand that store of threat profiles while it is in service. This learning process cuts down on the annoying occurrence of “false positives,” which can cause some threat protection services to shut down legitimate activity.
The log analyzer in SEM continuously gathers log records from incompatible sources and reformats them into a neutral common layout. This enables the analyzer to look for patterns of activity across your entire system regardless of configuration, equipment type, or operating system.
Security Event Manager installs on Windows Server and SolarWinds offers the system on a 30-day free trial. This trial period will give you time to try out the manual rule-setting screens that enable you to enhance the threat intelligence database to more accurately reflect your site’s typical activities. You will also be able to give the compliance reporting module a full run-through to ensure that the SEM fulfills all of your reporting needs.
ManageEngine Log360 is a very comprehensive TIP that investigates all possible sources of log data to tighten up system security.
ManageEngine already offers a range of log management and analysis tools. However, the company decided to bundle them into a combined module that covers all possible file-based sources of system information. It also integrates external sources of information such as STIX/TAXII-based feeds on blacklisted IP addresses.
As well as collecting Event Logs, the tool integrates the information resident in Active Directory. This helps the detection engine of this tool to check on who has the rights to access the resources used in the activities that log messages record. The tool monitors changes in Active Directory to ensure that intruders aren’t able to grant themselves access rights.
The reach of this security tool extends out to the web because it also gathers audit reports from AWS, Azure, and Exchange Online.
You know that Exchange, Azure, Event Logs, and Active Directory are all Microsoft products. However, Log360 isn’t limited to monitoring Windows-based systems. It also gathers log messages raised on Linux and Unix systems, such as Syslog messages. The tool will examine all IIS and Apache Web Server messages and it covers messages generated by Oracle databases.
Your network hardware and perimeter security systems also have important information to share and so Log360 listens for log messages arising at firewalls, routers, and switches. If you have any other intrusion detection and protection systems installed, Log360 will integrate their findings in its threat intelligence summaries.
Log360 doesn’t create logs about logs, which you might end up overlooking. The system creates real-time alerts, so your team gets notified as soon as suspicious activity is detected. In addition to monitoring, the Log360 package regularly audits, summarizes, and reports on the security of your entire IT system.
You can install Log360 software on Windows and Windows Server. ManageEngine offers a 30-day free trial of the Professional Edition. There is a Free Edition that is limited to collecting log data from just five sources. If you have different requirements, you can discuss pricing for a package that suits your needs.
FireEye Helix Security Platform is a cloud-based blended protection system for networks and endpoints. The tool includes a SIEM approach that monitors network activity and also manages and searches log files. The threat intelligence feed provided by FireEye completes this multi-faceted solution by providing an updated threat database for your monitoring system.
FireEye is a prominent cybersecurity firm and it uses its expertise to provide threat intelligence on a subscription basis. The format and depth of that intelligence depend on the plan selected by the customer. FireEye offers industry-wide warnings over new threat vectors, which enable infrastructure managers to plan for defense. It also offers a threat intelligence feed, which translates directly into threat detection and resolution rules in Helix Security Platform.
The Helix package also includes “playbooks,” which are automated workflows that enact threat remediation once a problem has been detected. These solutions sometimes include advising on secure practices and housekeeping actions, as well as automated responses.
AlienVault Unified Security Management (USM) is a product of AT&T Cybersecurity, which acquired the AlienVault brand in 2018. AlienVault USM evolved from an open-source project called OSSIM, which stands for “open source security information management.” OSSIM is still available for free with AlienVault USM running alongside as a commercial product.
OSSIM is actually a misnomer because the system is a full SIEM, combining log message analysis with real-time network traffic examination. AlienVault USM also includes both of these elements. AlienVault USM has a number of extra features that are not available in OSSIM, such as log consolidation, log file storage management, and archiving. AlienVault USM is a cloud-based subscription service that comes with full telephone and email support, while OSSIM is available for download and relies on community forums for support.
A key benefit that is available to the users of both the free and paid security products is access to the Open Threat Exchange (OTX). This is the world’s largest crowd-provided threat intelligence platform. Information made available on the OTX can be downloaded automatically into AlienVault USM to supply an up-to-date threat database. This provides the detection rules and resolution workflows needed by the SIEM. Access to OTX is free for all.
LogRhythm terms its NextGen SIEM a threat lifecycle management (TLM) framework. The platform serves two LogRhythm products, which are the Enterprise and XM ranges. Both of these products are available either as an appliance or as software. LogRhythm Enterprise is aimed at very large organizations, while LogRhythm XM serves small and middle-sized businesses.
SIEM stands for Security Information and Event Management. This combined strategy brings together two activities, Security Information Management (SIM) and Security Event Management (SEM). SEM monitors traffic in real-time, looking for attack patterns that are stored in a threat database. SIM also refers to the threat database but compares events recorded in log files to the patterns laid out in the threat detection rules.
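As an added illustration of the two ideas this guide leans on, the normalization of records from incompatible log sources into a common layout (described for SEM above) and SIM-style matching of those records against threat detection rules and an externally sourced indicator list (described in this section and for Log360), here is a small defender-side example. It is example code, not code from any of the products reviewed; the two log lines and the blacklist stand in for a syslog feed, a Windows Security event and a STIX/TAXII blacklist, and are all constructed.

```python
import re

# Constructed sample records from two incompatible sources (not real data):
# a Linux syslog line and a Windows Security event flattened to key=value text.
SYSLOG_LINE = ("Mar  3 10:15:02 web01 sshd[2211]: Failed password for root "
               "from 203.0.113.45 port 5511 ssh2")
WINEVT_LINE = ("EventID=4625 Computer=DC01 TargetUserName=admin "
               "IpAddress=203.0.113.45 Status=0xC000006D")

# Constructed indicator list standing in for a downloaded blacklist feed.
BLACKLISTED_IPS = {"203.0.113.45", "198.51.100.9"}

SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<proc>\w+)\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def normalize_syslog(line):
    """Map an sshd auth-failure syslog line onto the common layout."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"source": "syslog", "host": m["host"], "user": m["user"],
            "src_ip": m["src"], "event": "auth_failure"}

def normalize_winevt(line):
    """Map a Windows 4625 (logon failure) event onto the same common layout."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if fields.get("EventID") != "4625":
        return None
    return {"source": "winevt", "host": fields["Computer"],
            "user": fields["TargetUserName"], "src_ip": fields["IpAddress"],
            "event": "auth_failure"}

def normalize(line):
    return normalize_winevt(line) if line.startswith("EventID=") else normalize_syslog(line)

def correlate(lines, blacklist, threshold=2):
    """Apply two SIM-style rules across the normalized records.
    Rule 1 flags any event whose source IP is on the indicator list.
    Rule 2 flags one source IP failing authentication on several hosts, which
    is only visible once records from different sources share one layout."""
    records = [r for r in map(normalize, lines) if r]
    alerts = [("blacklisted_source", r["src_ip"], r["host"])
              for r in records if r["src_ip"] in blacklist]
    hosts_by_ip = {}
    for r in records:
        hosts_by_ip.setdefault(r["src_ip"], set()).add(r["host"])
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) >= threshold:
            alerts.append(("multi_host_auth_failure", ip, ",".join(sorted(hosts))))
    return alerts
```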
The software for the NextGen SIEM can be installed on Windows, Linux, or Unix. It is also possible to keep your threat management system completely independent of your hardware by buying the system as an appliance that connects to your network.
Choosing a TIP
The cybersecurity sector is very vibrant at the moment. The growth in intrusion threats adding to the ever-present risk of malware has forced the industry to completely rethink its approach to system protection. This situation has resulted in major AV producers investing large amounts of money in innovative AI techniques and new strategies to combat hackers and cyberterrorists.
New players in the market add extra pressure to the reputations of established cybersecurity providers and keep pushing the limits of cybersecurity technology. Threat intelligence platforms play an important role in the fight for cybersecurity alongside SIEMs and intrusion prevention systems.
Although new TIPs appear all of the time, we are confident that the recommended threat intelligence platforms on our list will stay at the head of the pack. This is because the companies that provide them have long-standing experience in the field and they have shown that they are prepared to innovate to keep ahead of threats.