A Threat Intelligence Platform (TIP) aims to block repeat attackers and identify common intrusion vectors. This emerging technology is an advance on traditional anti-virus (AV) and firewall systems. A TIP will protect your IT equipment by applying AI-based learning strategies.
A number of replacement technologies have emerged in recent years to improve on the protection afforded by traditional malware systems.
Anti-malware programs compare the code of new programs running on a computer to a database of previously detected malware signatures.
Here is our list of the seven best threat intelligence platforms:
- SolarWinds Security Event Manager EDITOR’s CHOICE Uses a log file analysis threat detection strategy combined with an externally-sourced live feed of threat alerts.
- ManageEngine Log360 (FREE TRIAL) Looks for threats in log file data from Windows Server or Linux and adds in threat intelligence from three sources.
- CrowdStrike Falcon X (FREE TRIAL) A range of threat intelligence protection levels with automated processes and higher options that include human research and intervention.
- Atera A system monitor made for MSPs that includes software auditing and log analysis.
- FireEye Helix Security Platform Combines a cloud-based SIEM threat detection console, AI learning methods, and a threat intelligence feed.
- Threat Monitor A cloud-based service marketed to MSPs. This is a SIEM tool that enables MSPs to add security monitoring to their list of services.
- AlienVault Unified Security Management Includes threat detection, incident response, and threat intelligence sharing.
- LogRhythm NextGen SIEMs Includes the live monitoring of traffic data and the analysis of log file records.
Threat Intelligence Platforms vs Traditional Anti-virus Software
In the traditional anti-malware model, a central research lab investigates new threats to derive patterns that identify them. These malware characteristics are then distributed to all of the installed AV programs that the company has sold to clients. The local anti-malware system maintains a threat database that contains this list of signatures derived by the central lab.
The AV threat database model is no longer effective at protecting computers. This is because professional teams of hackers now engage in malware production lines with new threats appearing daily. As it takes time for research labs to notice a new virus and then identify its characteristics, the lead time for typical AV solutions is now too long to offer effective protection.
Spotting a threat
A threat intelligence platform still includes a threat database. However, rather than relying on users reporting strange behavior to the headquarters of the AV producer, new cybersecurity systems aim to contain all of the research and threat remediations on each customer’s equipment. In effect, each TIP installation becomes a composite detection, analysis, and resolution bundle. It is no longer necessary to update the threat database from a central lab because each machine performs the researcher team’s work.
This distributed model of AV data gathering is much more efficient at combatting “zero-day” attacks. The “zero-day” term refers to new viruses that have not yet been identified by the major AV labs in the world and against which, as yet, there is no effective defense. Each machine does not work alone, however. Information on newly discovered threats is shared among the users of a specific brand of TIP.
The TIP uses detection procedures locally while still relying on a threat database, which is contributed by local analysis as well as frequent downloads from the software provider’s labs. Those downloads are derived from the discoveries made by the same TIP that is installed on other sites by other customers.
The Best Threat Intelligence Platforms, Tools & Software Vendors
Although each TIP uses a similar set of strategies to detect malicious events, not all TIPs are equally effective. Some producers focus on one specific type of device and one specific operating system. They might also provide protection systems for other types of devices and operating systems, but without the same level of success that they achieved with their core product.
It isn’t easy to spot a good TIP and the claims, boasts, and obscure industry jargon used on the promotional websites of their producers makes searching for the right TIP a very tiring exercise. Fortunately, we have done the legwork for you.
Security Event Manager (SEM) from SolarWinds combines event tracking on your network with a threat intelligence feed supplied from an external source. This tool will not only detect threats, but it will automatically trigger responses to protect your system.
At the heart of this security solution, you will find a log analysis tool. This monitors network activity, looking for unusual events and it also tracks changes to essential files. The second element of this TIP from SolarWinds is a cyber threat intelligence framework.
Security Event Manager works from a database of known suspicious events and sniffs the network on the lookout for any such occurrences. Some suspicious activities can only be spotted by combining data from separate sources on your system. This analysis can only be performed through event log analysis, and so is not a real-time task.
Although SEM begins with an off-the-shelf threat signature database, the tool will adjust and expand that store of threat profiles while it is in service. This learning process cuts down on the annoying occurrence of “false positives,” which can cause some threat protection services to shut down legitimate activity.
The log analyzer in SEM continuously gathers log records from incompatible sources and reformats them into a neutral common layout. This enables the analyzer to look for patterns of activity across your entire system regardless of configuration, equipment type, or operating system.
Security Event Manager installs on Windows Server and SolarWinds offers the system on a 30-day free trial. This trial period will give you time to try out the manual rule-setting screens that enable you to enhance the threat intelligence database to more accurately reflect your site’s typical activities. You will also be able to give the compliance reporting module a full run-through to ensure that the SEM fulfills all of your reporting needs.
SolarWinds Security Event Manager is our top choice. It is perfect for threat detection and for triggering automated responses to those threats. Reporting is top notch and the dashboard is easy to navigate.
Start 30-day Free Trial: solarwinds.com/security-event-manager
OS: Windows 10 and later, Windows Server 2012 and later, Cloud-based: Hypervisor, AWS and MS Azure
ManageEngine Log360 is a very comprehensive TIP that investigates all possible sources of log data to tighten up system security.
ManageEngine already offers a range of log management and analysis tools. However, the company decided to bundle them into a combined module that covers all possible file-based sources of system information. It also integrates external sources of information such as STIX/TAXII-based feeds of blacklisted IP addresses.
As well as collecting Event Logs, the tool integrates the information resident in Active Directory. This helps the detection engine check who has the rights to access the resources used in the activities that log messages record. The tool monitors changes in Active Directory to ensure that intruders aren’t able to grant themselves access rights.
The reach of this security tool extends out to the web because it also gathers audit reports from AWS, Azure, and Exchange Online.
Exchange, Azure, Event Logs, and Active Directory are all Microsoft products. However, Log360 isn’t limited to monitoring Windows-based systems. It also gathers log messages raised on Linux and Unix systems, such as Syslog messages. The tool will examine all IIS and Apache Web Server messages and it covers messages generated by Oracle databases.
Your network hardware and perimeter security systems also have important information to share and so Log360 listens for log messages arising at firewalls, routers, and switches. If you have any other intrusion detection and protection systems installed, Log360 will integrate their findings in its threat intelligence summaries.
Log360 doesn’t create logs about logs, which you might end up overlooking. The system creates real-time alerts, so your team gets notified as soon as suspicious activity is detected. In addition to monitoring, the Log360 package regularly audits, summarizes, and reports on the security of your entire IT system.
You can install Log360 software on Windows and Windows Server. ManageEngine offers a 30-day free trial of the Professional Edition. There is a Free Edition that is limited to collecting log data from just five sources. If you have different requirements you can discuss pricing for a package that suits your needs.
CrowdStrike created a cybersecurity platform called Falcon, which focuses on endpoint protection. One of the products that the company built on its Falcon platform is Falcon X. This is a threat intelligence service that performs most of its processing on the CrowdStrike server in the cloud.
The innovative architecture of the Falcon platform requires a small agent program to be installed on each protected device. The majority of the work is performed in the cloud, so your threat protection won’t slow down your protected endpoints.
The base plan of CrowdStrike Falcon X includes automated processes. The next plan up is called Falcon X Premium and that includes a daily intelligence report and tailored internet sweeps that specifically look for your company’s name, brand, or mentions of employees on social media or paste sites. For example, any stolen passwords up for sale or publicly leaked would be picked up in this search.
The highest plan is called Falcon X Elite. Each customer of this plan is assigned an intel analyst. This service is great for those businesses that want to outsource everything and get a managed threat intelligence solution rather than just automated tools for protection.
All CrowdStrike Falcon X plans include the Indicators of Compromise (IOCs) report. This puts the threats identified on your system into a global context. The IOC shows where the malware or attacks you experience originated and whether the same hacker groups are known to use other methods to attack corporate systems. This relationship between known vectors alerts the subscribing company to potential threats to come.
The agents operating on each endpoint scan all activity on the device and upload suspicious files to the CrowdStrike server for analysis. There is no need for human intervention in this process. However, the system manager will receive feedback on detected threats and the actions implemented to close them down.
CrowdStrike offers a 15-day free trial of Falcon X.
Atera is a support platform built for managed service providers (MSPs). It is delivered from the cloud, so the MSP does not need to install any software on its premises and even does not need to run any major IT infrastructure. All it needs is a computer with an internet connection and a web browser. The monitored system does need special software installed on it, however. This is an agent program that gathers data and communicates with the Atera servers.
Being a remote service, Atera is able to monitor any client facility, including cloud-based AWS and Azure servers. The service includes an autodiscovery process, which logs all of the equipment connected to the network. For endpoints and servers, the monitoring system will scan all software, creating an inventory. This is an essential source of information for software license management and it is also an important threat protection service. Once the software inventory has been compiled, the operator can check what unauthorized software is installed on each device and then delete it.
The server monitor checks on processes as part of its regular tasks and this will highlight malicious software running. The operator is able to access the server remotely and kill unwanted processes.
Atera monitors access rights controllers on the client’s site, including Active Directory. The Live Manager tool in the Atera package gives access to Windows Event logs and provides a searchable source of possible security breaches.
One more threat protection service contained in the Atera package is its patch manager. This automatically updates operating systems and key application software when they become available. This important service ensures that any exploit remedies produced by software providers get installed as quickly as possible.
Atera is charged for by subscription with the charge rate set per technician. Buyers can choose between a monthly payment plan or a yearly rate. The annual payment period works out cheaper. You can access a free trial to put Atera through its paces.
FireEye Helix Security Platform is a cloud-based blended protection system for networks and endpoints. The tool includes a SIEM approach that monitors network activity and also manages and searches log files. The threat intelligence feeds provided by FireEye complete this multi-faceted solution by providing an updated threat database for your monitoring system.
FireEye is a prominent cybersecurity firm and it uses its expertise to provide threat intelligence on a subscription basis. The format and depth of that intelligence depend on the plan selected by the customer. FireEye offers industry-wide warnings about new threat vectors, which enable infrastructure managers to plan their defenses. It also offers a threat intelligence feed, which translates directly into threat detection and resolution rules in Helix Security Platform.
The Helix package also includes “playbooks,” which are automated workflows that enact threat remediation once a problem has been detected. These solutions sometimes include advising on secure practices and housekeeping actions, as well as automated responses.
Threat Monitor is a product of SolarWinds MSP, which provides software and services to support managed service providers. MSPs regularly offer network and IT infrastructure management services, so the addition of security monitoring is a natural extension of their regular activities.
This is a security information and event management (SIEM) system. A SIEM looks both at live activity on the monitored system and it also searches through system logs to detect traces of malicious activities. The service is able to monitor the on-site systems of the MSP’s clients and also any Azure or AWS server that the client uses.
The advantages of the SolarWinds Threat Intelligence monitor lie in its ability to collect information from every point of the network and the devices connected to it. This gives a more comprehensive view of attacks than a single collection point. Threats are identified by patterns of behavior and also by reference to the central SolarWinds Threat Intelligence database, which is constantly updated. The threat intelligence database is compiled from records of events occurring all over the world. So it is able to spot immediately when hackers launch global attacks or try the same tricks against many different victims.
The alarm levels of the service can be adjusted by the MSP operator. The dashboard for the system includes visualizations for events, such as dials and charts, as well as live lists of checks and events. The service is delivered from the cloud and so is accessed through any web browser. SolarWinds Threat Intelligence is a subscription service, so it is completely scalable and suitable for use by MSPs of all sizes.
AlienVault Unified Security Management (USM) is a product of AT&T Cybersecurity, which acquired the AlienVault brand in 2018. AlienVault USM evolved from an open-source project called OSSIM, which stands for “open source security information management.” OSSIM is still available for free with AlienVault USM running alongside as a commercial product.
The OSSIM name is actually a misnomer because the system is a full SIEM, combining log message analysis with real-time network traffic examination. AlienVault USM also includes both of these elements. AlienVault USM has a number of extra features that are not available in OSSIM, such as log consolidation, log file storage management, and archiving. AlienVault USM is a cloud-based subscription service that comes with full telephone and email support, while OSSIM is available for download and relies on community forums for support.
A key benefit that is available to the users of both the free and paid security products is access to the Open Threat Exchange (OTX). This is the world’s largest crowd-provided threat intelligence platform. Information made available on the OTX can be downloaded automatically into AlienVault USM to supply an up-to-date threat database. This provides the detection rules and resolution workflows needed by the SIEM. Access to OTX is free for all.
LogRhythm terms its NextGen SIEM a threat lifecycle management (TLM) framework. The platform serves two LogRhythm products, the Enterprise and XM ranges. Both of these products are available either as an appliance or as software. LogRhythm Enterprise is aimed at very large organizations, while LogRhythm XM serves small and medium-sized businesses.
SIEM stands for Security Information and Event Management. This combined strategy brings together two activities: Security Information Management (SIM) and Security Event Management (SEM). SEM monitors traffic in real time, looking for attack patterns that are stored in a threat database. SIM also refers to the threat database but compares events recorded in log files to the patterns laid out in the threat detection rules.
The software for the NextGen SIEM can be installed on Windows, Linux, or Unix. It is also possible to keep your threat management system completely independent of your hardware by buying the system as an appliance that connects to your network.
Choosing a Threat Intelligence Platform vendor
The cybersecurity sector is very vibrant at the moment. The growth in intrusion threats adding to the ever-present risk of malware has forced the industry to completely rethink its approach to system protection. This situation has resulted in major AV producers investing large amounts of money in innovative AI techniques and new strategies to combat hackers and cyberterrorists.
New players in the market add extra pressure to the reputations of established cybersecurity providers and keep pushing the limits of cybersecurity technology. Threat intelligence platforms play an important role in the fight for cybersecurity alongside SIEMs and intrusion prevention systems.
Although new TIPs appear all of the time, we are confident that the recommended threat intelligence platforms on our list will stay at the head of the pack. This is because the companies that provide them have long standing experience in the field and they have shown that they are prepared to innovate to keep ahead of threats.
Threat Intelligence Platforms FAQ
What is the difference between threat intelligence and threat hunting?
Threat hunting is the process of looking for indicators of compromise (IOCs). Threat intelligence is a list of IOCs to look out for. Some threat intelligence is built into most threat hunting modules – these are the fundamental events to look out for, like excessive and rapid failed login attempts that indicate a brute force attack. Other threat intelligence is new information that identifies a new attack strategy that hackers have only just started to use. A threat intelligence feed passes the news of a zero-day attack on to other subscribers, so that as soon as one user in the pool discovers that attack, all other customers know about it and their threat hunting module can look for it.
How do you describe the differences between threat intelligence and SIEM?
SIEM systems search through log messages for indicators of compromise (IOCs). Threat intelligence provides a list of IOCs to look out for. NextGen SIEMs include access to a live threat intelligence feed that provides up-to-the-minute IOCs.
Can threat Intelligence platforms stop malicious domains?
A threat intelligence platform includes a formatted list of potential attacks. This will include IP addresses and domains that are known to be used by malicious actors.
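The three FAQ answers above describe the same mechanism from different angles: a feed supplies IOCs (IP addresses, domains), a SIEM searches log messages for them, and a built-in rule catches rapid failed logins. The Python below is an added example of that mechanism, not code from any product reviewed here; the feed contents, the "timestamp host message" log layout, the log lines themselves, and the threshold of five failures within 60 seconds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for an external feed (e.g. a STIX/TAXII source): made-up sample IOCs.
IOC_FEED = {"ip": {"203.0.113.77", "198.51.100.9"},
            "domain": {"bad-updates.example", "cdn.malicious.example"}}
# Built-in rule from the FAQ: many failed logins from one source within a short window (assumed values).
FAILED_LOGIN_THRESHOLD, FAILED_LOGIN_WINDOW = 5, timedelta(seconds=60)

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

# Constructed log lines in a simplified "timestamp host message" layout.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd: Failed password for root from 198.51.100.9 port 4410
2024-03-01T10:00:03 web01 sshd: Failed password for root from 198.51.100.9 port 4411
2024-03-01T10:00:05 web01 sshd: Failed password for admin from 198.51.100.9 port 4412
2024-03-01T10:00:07 web01 sshd: Failed password for admin from 198.51.100.9 port 4413
2024-03-01T10:00:09 web01 sshd: Failed password for admin from 198.51.100.9 port 4414
2024-03-01T10:02:30 web01 sshd: Accepted password for deploy from 192.0.2.10 port 5000
2024-03-01T10:05:00 proxy1 squid: GET http://bad-updates.example/payload.bin client 10.0.0.5
2024-03-01T10:06:00 dns1 unbound: query cdn.malicious.example A from 10.0.0.7
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "msg": m["msg"]}

def match_iocs(event, feed=IOC_FEED):
    """Return (type, value) pairs for every feed indicator found in one event's message."""
    hits = [("ip", ip) for ip in IP_RE.findall(event["msg"]) if ip in feed["ip"]]
    hits += [("domain", d.lower()) for d in DOMAIN_RE.findall(event["msg"])
             if d.lower() in feed["domain"]]
    return hits

def detect_brute_force(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Sliding-window count of failed logins per source IP; one alert per burst."""
    recent, alerts = defaultdict(deque), []
    for ev in events:
        ips = IP_RE.findall(ev["msg"]) if "Failed password" in ev["msg"] else []
        if not ips:
            continue
        src = ips[-1]                               # last IP in the message is the source
        q = recent[src]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:             # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, ev["ts"]))
            q.clear()                               # fire once per burst, not on every further attempt
    return alerts

def run(log_text):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    ioc_hits = [(ev["host"], hit) for ev in events for hit in match_iocs(ev)]
    return ioc_hits, detect_brute_force(events)
```

Running `run(SAMPLE_LOGS)` yields seven IOC hits (the five feed-listed source IP sightings plus the two domains) and one brute-force alert, while the four-attempt prefix of the same log produces no alert.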