A number of replacement technologies have emerged in recent years to improve on the protection afforded by traditional anti-malware systems. Traditional anti-malware programs compare the code of new programs running on a computer against a database of signatures derived from previously detected malware.
In the traditional anti-malware model, a central research lab investigates new threats to derive patterns that identify them. These malware characteristics are then distributed to all of the installed AV programs that the company has sold to clients. The local anti-malware system maintains a threat database that contains this list of signatures derived by the central lab.
There is a lot more info on each of the tools below, but in case you only have time for a quick glance, here is our list of the five best threat intelligence platforms:
- SolarWinds Security Event Manager (FREE TRIAL) Uses a log file analysis threat detection strategy combined with an externally-sourced live feed of threat alerts.
- ManageEngine EventLog Analyzer Looks for threats in log file data from Windows Server or Linux and adds in threat intelligence from three sources.
- FireEye Helix Security Platform Combines a cloud-based SIEM threat detection console, AI learning methods, and a threat intelligence feed.
- AlienVault Unified Security Management Includes threat detection, incident response, and threat intelligence sharing.
- LogRhythm NextGen SIEM Includes live monitoring of traffic data and analysis of log file records.
The signature-database model on its own is no longer sufficient to protect computers. Professional teams of hackers now run malware production lines, with new variants appearing daily. Because it takes time for a research lab to notice a new sample and then derive its characteristics, the lead time of a purely signature-based AV solution is now too long to offer effective protection.
The threat intelligence platform is the AV industry’s answer to the rapid pace of malware production.
Spotting a threat
A threat intelligence platform still includes a threat database. However, rather than relying solely on users reporting strange behavior to the AV producer's headquarters and then waiting for a signature, newer cybersecurity systems aim to perform detection, analysis, and remediation on each customer's own equipment. In effect, each TIP installation becomes a composite detection, analysis, and resolution bundle. The central lab is no longer the sole source of threat database updates, because each installation also performs part of the research team's work.
This distributed model of AV data gathering is much more efficient at combating "zero-day" attacks. Strictly, a "zero-day" is a vulnerability that is exploited before its vendor has a fix available; in the anti-malware context the term is used more loosely for new malware that the major AV labs have not yet identified and for which, as yet, there is no signature and no effective defense. Each machine does not work alone, however. Information on newly discovered threats is shared among the users of a specific brand of TIP.
The TIP uses detection procedures locally while still relying on a threat database, which is contributed by local analysis as well as frequent downloads from the software provider’s labs. Those downloads are derived from the discoveries made by the same TIP that is installed on other sites by other customers.
Selecting a TIP
Although each TIP uses a similar set of strategies to detect malicious events, not all TIPs are equally effective. Some producers focus on one specific type of device and one specific operating system. They might also provide protection systems for other types of devices and operating systems, but without the same level of success that they achieved with their core product.
It isn't easy to spot a good TIP, and the claims, boasts, and obscure industry jargon used on the promotional websites of their producers make searching for the right TIP a very tiring exercise. Fortunately, we have done the legwork for you.
Here are more detailed descriptions of each of our top five recommended TIPs.
Security Event Manager (SEM) from SolarWinds combines event tracking on your network with a threat intelligence feed supplied from an external source. This tool will not only detect threats, but it will automatically trigger responses to protect your system.
At the heart of this security solution, you will find a log analysis tool. This monitors network activity, looking for unusual events and it also tracks changes to essential files. The second element of this TIP from SolarWinds is a cyber threat intelligence framework.
Security Event Manager works from a database of known suspicious events and sniffs the network on the lookout for any such occurrences. Some suspicious activities can only be spotted by correlating records from separate sources on your system. That correlation is performed on collected log data rather than on live packets, so it runs slightly behind real time.
Although SEM begins with an off-the-shelf threat signature database, the tool will adjust and expand that store of threat profiles while it is in service. This learning process cuts down on the annoying occurrence of “false positives,” which can cause some threat protection services to shut down legitimate activity.
The log analyzer in SEM continuously gathers log records from sources with incompatible formats and reformats them into a neutral common layout. This enables the analyzer to look for patterns of activity across your entire system regardless of configuration, equipment type, or operating system.
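The two ideas in the preceding paragraphs, normalizing records from unrelated log formats into one schema and then correlating across them, can be shown in a few dozen lines. The following is an added example, not SolarWinds code: the Linux sshd lines and the Windows Security events (4625 failed logon, 4624 successful logon) are constructed, the Windows events are a simplified key=value rendering of what a forwarding agent would emit rather than real EVTX XML, and the timestamps are ISO 8601 for convenience. The detection it implements is a simple one: several failed logons from one source address, spread across two hosts, followed by a success from that address.

```python
"""Normalize log records from two unrelated formats into one common schema and
correlate across them. Added illustration, not SolarWinds code; all sample
lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd failures on a Linux host and Windows Security
# events on a domain controller, all from the same source address.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z web01 sshd[812]: Failed password for admin from 198.51.100.7 port 51022 ssh2",
    "2024-03-01T10:00:03Z web01 sshd[812]: Failed password for admin from 198.51.100.7 port 51023 ssh2",
    "2024-03-01T10:00:05Z DC01 EventID=4625 TargetUserName=admin IpAddress=198.51.100.7 Status=0xC000006D",
    "2024-03-01T10:00:06Z DC01 EventID=4625 TargetUserName=admin IpAddress=198.51.100.7 Status=0xC000006D",
    "2024-03-01T10:00:09Z DC01 EventID=4624 TargetUserName=admin IpAddress=198.51.100.7 LogonType=10",
    "2024-03-01T10:00:10Z web01 sshd[812]: Accepted publickey for deploy from 203.0.113.9 port 40000 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)
WINLOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>4624|4625) .*?TargetUserName=(?P<user>\S+) "
    r".*?IpAddress=(?P<src>\S+)"
)


def normalize(line):
    """Map one raw line onto the common schema; return None for unknown formats."""
    m = SSHD_RE.match(line)
    if m:
        outcome = "success" if m["result"] == "Accepted" else "failure"
        source = "sshd"
    else:
        m = WINLOGON_RE.match(line)
        if not m:
            return None
        outcome = "success" if m["eid"] == "4624" else "failure"
        source = "windows-security"
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"], "user": m["user"], "src_ip": m["src"],
        "outcome": outcome, "source": source,
    }


def correlate(events, failures=3, window=timedelta(minutes=5)):
    """Alert when at least `failures` failed logons from one source IP, seen on
    any host or log source, are followed within `window` by a success from that
    IP. Neither host alone reaches the threshold in the sample data; only the
    combined, normalized view does."""
    alerts = []
    history = defaultdict(list)  # src_ip -> [(ts, host), ...] of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [(t, h) for t, h in history[ev["src_ip"]] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            recent.append((ev["ts"], ev["host"]))
        elif len(recent) >= failures:
            alerts.append({
                "src_ip": ev["src_ip"], "user": ev["user"], "failures": len(recent),
                "failed_hosts": sorted({h for _, h in recent}), "success_host": ev["host"],
            })
            recent = []  # reset so one spray produces one alert
        history[ev["src_ip"]] = recent
    return alerts


def run(lines=SAMPLE_LOGS):
    """Normalize then correlate; lines in unrecognized formats are dropped."""
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it on the sample yields one alert for 198.51.100.7 with four failures across DC01 and web01. Feeding it only the DC01 lines yields nothing, which is the point of the paragraph above: the pattern exists only in the consolidated, normalized record set.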
Security Event Manager installs on Windows Server and SolarWinds offers the system on a 30-day free trial. This trial period will give you time to try out the manual rule-setting screens that enable you to enhance the threat intelligence database to more accurately reflect your site’s typical activities. You will also be able to give the compliance reporting module a full run-through to ensure that the SEM fulfills all of your reporting needs.
ManageEngine EventLog Analyzer can be enhanced by threat intelligence sources to make a truly comprehensive TIP.
The analysis engine refers to a threat database that is built up from several sources. The initial install of the software brings a standard threat database with it. This is enhanced through on-site learning and can also be adapted by the user through the addition of custom rules. The main source of new rules, however, is live threat intelligence feeds.
EventLog Analyzer can use three sources for its threat intelligence: STIX, TAXII, and the AlienVault OTX feed. STIX is the structured format in which indicators are expressed and TAXII is the protocol used to transport them, so together they let the tool consume any compliant commercial or open feed. The information from these sources is largely community-sourced; AlienVault OTX is one of the most respected sources of threat intelligence available today. As well as intrusion signatures, the protection system relies on a blacklist of IP addresses that other data centers around the world have tagged for suspicious activity.
As a log file monitor, EventLog Analyzer gets a much broader view of all activity on a network than can be derived from sniffing passing packets. However, one downside of the log analysis approach is that it only examines events after the fact. The inclusion of threat intelligence feeds and the blacklist of malicious addresses helps to block incoming harmful traffic before it can damage the integrity of your data and resources. This two-pronged approach gives the tool intrusion prevention capability in addition to after-the-fact detection.
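To make the feed mechanism concrete, here is an added example of consuming STIX 2.1 indicators and applying them as an address blocklist to connection records. It is not ManageEngine code and does not show how EventLog Analyzer does this internally. The bundle and the connection events are constructed; a real deployment would fetch the bundle from a TAXII server rather than embed it. Only simple single-comparison patterns on `ipv4-addr` and `domain-name` are handled, and the example deliberately covers the two caveats a practitioner meets first: indicators expire (`valid_until`), and the feed may contain compound patterns that a naive matcher cannot evaluate.

```python
"""Load IP and domain indicators from a STIX 2.1 bundle and screen connection
events against them. Added illustration, not ManageEngine code; the bundle
and events are constructed."""
import ipaddress
import json
import re
from datetime import datetime, timezone


def _indicator(n, pattern, valid_from="2024-03-01T00:00:00Z", valid_until=None):
    """Build a minimal STIX 2.1 indicator object (constructed test data)."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
           "created": valid_from, "modified": valid_from,
           "pattern_type": "stix", "pattern": pattern, "valid_from": valid_from}
    if valid_until:
        obj["valid_until"] = valid_until
    return obj


# Constructed bundle: a single IP, a CIDR block, a domain, an indicator that
# expired in 2023, a compound pattern this parser does not handle, and a
# non-indicator object that must be ignored.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(1, "[ipv4-addr:value = '203.0.113.5']"),
        _indicator(2, "[ipv4-addr:value = '198.51.100.0/24']"),
        _indicator(3, "[domain-name:value = 'evil.example']"),
        _indicator(4, "[ipv4-addr:value = '192.0.2.9']",
                   valid_from="2023-01-01T00:00:00Z", valid_until="2023-06-01T00:00:00Z"),
        _indicator(5, "[ipv4-addr:value = '203.0.113.7' AND network-traffic:dst_port = 4444]"),
        {"type": "identity", "spec_version": "2.1", "name": "constructed feed",
         "id": "identity--00000000-0000-4000-8000-000000000009",
         "identity_class": "organization",
         "created": "2024-03-01T00:00:00Z", "modified": "2024-03-01T00:00:00Z"},
    ],
})

# Single comparison on one of two object types; anything else is reported as
# skipped rather than silently dropped.
SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(bundle_json, now):
    """Return (networks, domains, skipped_ids) for indicators valid at `now`.
    Honouring valid_from/valid_until matters: a stale indicator keeps blocking
    an address long after it has been reassigned to someone harmless."""
    networks, domains, skipped = [], set(), []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if parse_ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            skipped.append(obj["id"])
            continue
        kind, value = m.groups()
        if kind == "ipv4-addr":
            networks.append(ipaddress.ip_network(value, strict=False))  # /32 if no prefix
        else:
            domains.add(value.lower().rstrip("."))
    return networks, domains, skipped


def check_event(event, networks, domains):
    """Return the indicators a connection event matches (empty list if clean)."""
    ip = ipaddress.ip_address(event["dst_ip"])
    hits = [f"ip:{net}" for net in networks if ip in net]
    host = (event.get("dst_host") or "").lower().rstrip(".")
    if host in domains:
        hits.append(f"domain:{host}")
    return hits


# Constructed outbound connection records, as a firewall or proxy would log them.
SAMPLE_EVENTS = [
    {"dst_ip": "203.0.113.5", "dst_host": None},               # exact IP hit
    {"dst_ip": "198.51.100.77", "dst_host": None},             # inside the CIDR block
    {"dst_ip": "192.0.2.9", "dst_host": None},                 # indicator expired: no hit
    {"dst_ip": "203.0.113.200", "dst_host": "EVIL.example."},  # domain hit after normalization
    {"dst_ip": "203.0.113.201", "dst_host": "www.example.com"},
]


def screen(events=SAMPLE_EVENTS, bundle_json=STIX_BUNDLE,
           now=datetime(2024, 3, 2, tzinfo=timezone.utc)):
    """Screen events against the feed as of `now` (fixed for reproducibility)."""
    networks, domains, _ = load_indicators(bundle_json, now)
    results = []
    for e in events:
        hits = check_event(e, networks, domains)
        if hits:
            results.append((e["dst_ip"], hits))
    return results
```

With the clock set to March 2024, three of the five events are flagged and the expired 192.0.2.9 indicator is correctly ignored; with the clock set back to March 2023 the same indicator is live and would fire. The compound pattern is returned in the skipped list so that an operator can see which parts of the feed the matcher could not apply.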
The EventLog Analyzer operates with both Windows Event logs and Syslog reporting standards. It is able to consolidate, manage, and archive log files to ensure that your business is compliant with current data protection standards. ManageEngine offers a 30-day free trial of the Premium edition of EventLog Analyzer and there is also a permanently free version. The Premium edition can handle an unlimited number of log message sources while the Free edition is limited to just five sources. The software installs on Windows Server or Linux.
FireEye Helix Security Platform is a cloud-based blended protection system for networks and endpoints. The tool includes a SIEM approach that monitors network activity and also manages and searches log files. The threat intelligence feeds provided by FireEye complete this multi-faceted solution by providing an updated threat database for your monitoring system.
FireEye is a prominent cybersecurity firm and it uses its expertise to provide threat intelligence on a subscription basis. The format and depth of that intelligence depend on the plan selected by the customer. FireEye offers industry-wide warnings about new threat vectors, which enable infrastructure managers to plan their defenses. It also offers a threat intelligence feed, which translates directly into threat detection and resolution rules in Helix Security Platform.
The Helix package also includes “playbooks,” which are automated workflows that enact threat remediation once a problem has been detected. These solutions sometimes include advising on secure practices and housekeeping actions, as well as automated responses.
AlienVault Unified Security Management (USM) is a product of AT&T Cybersecurity, which acquired the AlienVault brand in 2018. AlienVault USM evolved from an open-source project called OSSIM, which stands for “open source security information management.” OSSIM is still available for free with AlienVault USM running alongside as a commercial product.
OSSIM is actually a misnomer, because the system is a full SIEM, combining log message analysis with real-time network traffic examination. AlienVault USM also includes both of these elements. AlienVault USM has a number of extra features that are not available in OSSIM, such as log consolidation, log file storage management, and archiving. AlienVault USM is a cloud-based subscription service that comes with full telephone and email support, while OSSIM is available for download and relies on community forums for support.
A key benefit that is available to the users of both the free and paid security products is access to the Open Threat Exchange (OTX). This is the world's largest crowd-sourced threat intelligence platform. Information made available on the OTX can be downloaded automatically into AlienVault USM to supply an up-to-date threat database. This provides the detection rules and resolution workflows needed by the SIEM. Access to OTX is free for all.
LogRhythm terms its NextGen SIEM a threat lifecycle management (TLM) framework. The platform serves two LogRhythm products, the Enterprise and XM ranges. Both of these products are available either as an appliance or as software. LogRhythm Enterprise is aimed at very large organizations, while LogRhythm XM serves small and mid-sized businesses.
SIEM stands for Security Information and Event Management. The approach combines two activities, Security Information Management (SIM) and Security Event Management (SEM). SEM monitors traffic in real time, looking for attack patterns that are stored in a threat database. SIM also refers to the threat database, but compares events recorded in log files to the patterns laid out in the threat detection rules.
The software for the NextGen SIEM can be installed on Windows, Linux, or Unix. It is also possible to keep your threat management system completely independent of your hardware by buying the system as an appliance that connects to your network.
Choosing a TIP
The cybersecurity sector is very vibrant at the moment. The growth in intrusion threats, added to the ever-present risk of malware, has forced the industry to completely rethink its approach to system protection. This situation has resulted in major AV producers investing large amounts of money in innovative AI techniques and new strategies to combat hackers and cyberterrorists.
New players in the market add extra pressure to the reputations of established cybersecurity providers and keep pushing the limits of cybersecurity technology. Threat intelligence platforms play an important role in the fight for cybersecurity alongside SIEMs and intrusion prevention systems.
Although new TIPs appear all of the time, we are confident that the recommended threat intelligence platforms on our list will stay at the head of the pack. This is because the companies that provide them have long standing experience in the field and they have shown that they are prepared to innovate to keep ahead of threats.