Best Threat Intelligence Platforms

A Threat Intelligence Platform (TIP) aims to block repeat attackers and identify common intrusion vectors. This emerging technology is an advance on traditional anti-virus (AV) and firewall systems. A TIP will protect your IT equipment by applying AI-based learning strategies.

A number of replacement technologies have emerged in recent years to improve on the business protection afforded by traditional malware systems.

Anti-malware programs compare the code of new programs running on a computer to a database of previously detected malware signatures.

Here is our list of the eight best threat intelligence platforms:

  1. SolarWinds Security Event Manager EDITOR’S CHOICE Uses a log file analysis threat detection strategy combined with an externally sourced live feed of threat alerts.
  2. ManageEngine Log360 (FREE TRIAL) Looks for threats in log file data from Windows Server or Linux and adds in threat intelligence from three sources.
  3. CrowdStrike Falcon X (FREE TRIAL) A range of threat intelligence protection levels with automated processes and higher options that include human research and intervention.
  4. Atera A system monitor made for MSPs that includes software auditing and log analysis.
  5. FireEye Helix Security Platform Combines a cloud-based SIEM threat detection console, AI learning methods, and a threat intelligence feed.
  6. N-able Threat Monitor A cloud-based service marketed to MSPs. This is a SIEM tool that enables MSPs to add security monitoring to their list of services.
  7. AlienVault Unified Security Management Includes threat detection, incident response, and threat intelligence sharing.
  8. LogRhythm NextGen SIEM Includes the live monitoring of traffic data and the analysis of log file records.

Threat intelligence platforms vs traditional anti-virus software

In the traditional anti-malware model, a central research lab investigates new threats to derive patterns that identify them. These malware detection characteristics are then distributed to all of the installed AV programs that the company has sold to clients. The local anti-malware system maintains a threat database that contains this list of attack signatures derived by the central lab.

The AV threat database model is no longer effective at protecting computers. This is because professional teams of hackers now engage in malware production lines with new threats appearing daily. As it takes time for research labs to notice a new virus and then identify its characteristics, the lead time for typical AV solutions is now too long to offer effective business protection.

Spotting a threat

A threat intelligence platform still includes a threat database. However, rather than relying on users reporting strange behavior to the headquarters of the AV producer, new cybersecurity systems aim to contain all of the research and threat remediations on each customer’s equipment. In effect, each TIP installation becomes a composite detection, analysis, and resolution bundle. It is no longer necessary to update the threat database from a central lab because each machine performs the researcher team’s work.

This distributed model of AV data gathering is much more efficient at combating “zero-day” attacks. The “zero-day” term refers to new viruses that have not yet been identified by the major AV labs in the world and against which, as yet, there is no effective defense. Each machine does not work alone, however. Information on newly discovered threats is shared among the users of a specific brand of TIP.

The TIP uses detection procedures locally while still relying on a threat database, which is contributed by local analysis as well as frequent downloads from the software provider’s labs. Those downloads are derived from the discoveries made by the same TIP that is installed on other sites by other customers.

The Best Threat Intelligence Platforms, Tools & Software Vendors

Although each TIP uses a similar set of strategies to detect malicious events, not all TIPs are equally effective. Some security vendors focus on one specific type of device and one specific operating system. They might also provide protection systems for other types of devices and operating systems, but without the same level of success that they achieved with their core product.

It isn’t easy to spot a good TIP, and the claims, boasts, and obscure industry jargon used on the promotional websites of their producers make searching for the right TIP a very tiring exercise.

What should you look for in a threat intelligence platform? 

We reviewed the market for threat intelligence detection systems and analyzed tools based on the following criteria:

  • Machine Learning for a baseline of normal activity
  • Anomalous activity detection
  • Threat intelligence feeds that adapt detection routines
  • Alerts for suspicious activity to attract technicians
  • Experience sharing and summaries of industry-wide threat notifications
  • A demo or a free trial for a risk-free assessment opportunity
  • Good value for money from a comprehensive threat intelligence feed at a fair price

Fortunately, we have done the legwork for you. With these selection criteria in mind, we identified network security services with threat intelligence feeds that we are happy to recommend.

1. SolarWinds Security Event Manager (FREE TRIAL)

SolarWinds Security Event Manager

Security Event Manager (SEM) from SolarWinds combines event tracking on your network with a threat intelligence feed supplied from an external source. This tool will not only detect threats, but it will automatically trigger responses to protect your system.

Key Features

  • A SIEM
  • Automated remediation actions
  • Creates an on-premises store of threat intelligence
  • Runs on Windows Server
  • Compliance reporting

At the heart of this security solution, you will find a log analysis tool. This monitors network activity, looking for unusual events and it also tracks changes to essential files. The second element of this TIP from SolarWinds is a cyber threat intelligence framework.

Security Event Manager works from a database of known suspicious events and sniffs the network on the lookout for any such occurrences. Some suspicious activities can only be spotted by combining data from separate sources on your system. This analysis can only be performed through event log analysis, and so is not a real-time task.

Although SEM begins with an off-the-shelf threat signature database, the tool will adjust and expand that store of threat profiles while it is in service. This learning process cuts down on the annoying occurrence of “false positives,” which can cause some threat protection services to shut down legitimate activity.

The log analyzer in SEM continuously gathers log records from incompatible sources and reformats them into a neutral common layout. This enables the analyzer to look for patterns of activity across your entire system regardless of configuration, equipment type, or operating system.
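To make that normalization step concrete, here is an added example written for this article (it is not SolarWinds code). It parses three constructed records, an sshd syslog line, a Windows logon-failure event exported as key=value pairs, and an Apache access-log line, into one common layout and then runs a single cross-source rule over the result, which is exactly what a per-source rule could not do. The common field names, the fixed syslog year, and the treatment of an HTTP 401 as a failed logon are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records: the same source address in three unrelated log layouts.
SAMPLE_LINES = [
    "May  4 10:01:12 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2",
    "2024-05-04T10:01:15Z EventID=4625 Computer=DC01 TargetUserName=admin IpAddress=203.0.113.9 Status=0xC000006D",
    '203.0.113.9 - - [04/May/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 401 532 "-" "curl/8.0"',
]

SYSLOG_YEAR = 2024  # assumption: BSD syslog lines carry no year, so the collector supplies one

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_syslog(line):
    """BSD syslog line from sshd -> common event, or None if the layout does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=timezone.utc)
    event = {"ts": ts, "source": "syslog", "host": m["host"], "action": "other",
             "user": None, "src_ip": None, "detail": m["msg"]}
    f = SSH_FAIL_RE.search(m["msg"])
    if f:
        event.update(action="logon_failure", user=f["user"], src_ip=f["ip"])
    return event


def parse_windows(line):
    """Windows event exported as 'timestamp key=value ...' -> common event, or None."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    if "EventID" not in fields:
        return None
    try:
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    except ValueError:
        return None
    action = "logon_failure" if fields["EventID"] == "4625" else "other"  # 4625: an account failed to log on
    return {"ts": ts, "source": "windows", "host": fields.get("Computer"), "action": action,
            "user": fields.get("TargetUserName"), "src_ip": fields.get("IpAddress"),
            "detail": fields.get("Status")}


def parse_apache(line):
    """Apache combined access-log line -> common event, or None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Assumption for the example: an HTTP 401 counts as a failed logon attempt.
    action = "logon_failure" if m["status"] == "401" else "http_request"
    return {"ts": ts, "source": "apache", "host": None, "action": action, "user": None,
            "src_ip": m["ip"], "detail": f'{m["method"]} {m["path"]} {m["status"]}'}


PARSERS = (parse_syslog, parse_windows, parse_apache)


def normalize_all(lines):
    """Try each parser in turn; return (common-format events, lines no parser understood)."""
    events, unparsed = [], []
    for line in lines:
        for parser in PARSERS:
            event = parser(line)
            if event:
                events.append(event)
                break
        else:
            unparsed.append(line)
    return events, unparsed


def correlate(events, min_sources=2):
    """Cross-source rule: source IPs whose logon failures were reported by at least min_sources sources."""
    seen = defaultdict(set)
    for ev in events:
        if ev["action"] == "logon_failure" and ev["src_ip"]:
            seen[ev["src_ip"]].add(ev["source"])
    return {ip: sorted(srcs) for ip, srcs in seen.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    evts, bad = normalize_all(SAMPLE_LINES)
    for ev in evts:
        print(ev["ts"].isoformat(), ev["source"], ev["action"], ev["src_ip"], ev["detail"])
    print("correlated:", correlate(evts))
```

Lines that no parser recognizes are kept aside rather than dropped, so the share of unparsed input can be monitored; a normalizer that silently discards what it does not understand is itself a blind spot.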

Pros:

  • Enterprise focused SIEM with a wide range of integrations
  • Simple log filtering, no need to learn a custom query language
  • Dozens of templates allow administrators to start using SEM with little setup or customization
  • Historical analysis tool helps find anomalous behavior and outliers on the network

Cons:

  • SEM is an advanced SIEM product built for professionals and requires time to fully learn the platform

Security Event Manager installs on Windows Server and SolarWinds offers the system on a 30-day free trial. This trial period will give you time to try out the manual rule-setting screens that enable you to enhance the actionable threat intelligence database to more accurately reflect your site’s typical activities. You will also be able to give the compliance reporting module a full run-through to ensure that the SEM fulfills all of your reporting needs.

EDITOR'S CHOICE

SolarWinds Security Event Manager is our top choice. It is ideal for detecting threats and triggering automated responses to them. Reporting is top notch and the dashboard is easy to navigate.

Start 30-day Free Trial: solarwinds.com/security-event-manager

OS: Windows 10 and later, Windows Server 2012 and later, Cloud-based: Hypervisor, AWS and MS Azure

2. ManageEngine Log360 (FREE TRIAL)

ManageEngine Log360 dashboard view

ManageEngine Log360 is a very comprehensive TIP that investigates all possible sources of log data to tighten up system security.

ManageEngine already offers a range of log management and analysis tools. However, the company decided to bundle them into a combined module that covers all possible file-based sources of system information. It also integrates external sources of information such as STIX/TAXII-based feeds on blacklisted IP addresses.

Key Features

  • Log management and analysis
  • Receptive to STIX/TAXII threat intelligence feeds
  • Protects Active Directory
  • Runs on Windows Server

As well as controlling Event Logs, the tool integrates the information resident in Active Directory. This helps the detection engine of this tool to check on who has the rights to access the resources used in the activities that log messages record. The tool monitors changes in Active Directory to ensure that intruders aren’t able to grant themselves access rights.

The reach of this security tool extends out to the web because it also gathers audit reports from AWS, Azure, and Exchange Online.

You know that Exchange, Azure, Event Logs, and Active Directory are all Microsoft products. However, Log360 isn’t limited to monitoring Windows-based systems. It also gathers log messages raised on Linux and Unix systems, such as Syslog messages. The tool will examine all IIS and Apache Web Server messages and it covers messages generated by Oracle databases.

Your network hardware and perimeter security systems also have important information to share and so Log360 listens for log messages arising at firewalls, routers, and switches. If you have any other intrusion detection and protection systems installed, Log360 will integrate their findings in its threat intelligence summaries.

Log360 doesn’t create logs about logs, which you might end up overlooking. The system creates real-time threat intelligence alerts, so your team gets notified as soon as suspicious activity is detected. In addition to monitoring, the Log360 package regularly audits, summarizes, and reports on the security of your entire IT system.

Pros:

  • Great dashboard visualizations, ideal for NOCs and MSPs
  • Can integrate multiple threat data streams into the platform
  • Offers robust searching of logs for live and historical event analysis
  • Provides monitoring cross-platform for Windows, Linux, and Unix systems
  • Can monitor configuration changes, preventing privilege escalation

Cons:

  • ManageEngine offers a suite of advanced services and features that can take time to explore and test out

You can install Log360 software on Windows and Windows Server. ManageEngine offers a 30-day free trial of the Professional Edition. There is a Free Edition that is limited to collecting log data from just five sources. If you have different requirements, you can discuss pricing for a package that suits your needs.


3. CrowdStrike Falcon X (FREE TRIAL)

CrowdStrike Falcon X - Indicator Graph view

CrowdStrike created a cybersecurity platform called Falcon. This focuses on endpoint protection. One of the products that the company built on its Falcon platform is Falcon X. This is a threat intelligence service that bases most of the processing requirements on the CrowdStrike server in the cloud.

Key Features

  • Threat intelligence plans
  • Available as a report or as a feed
  • Included in a bundle with other security tools

The innovative architecture of the Falcon platform requires a small agent program to be installed on each protected device. The majority of the work is performed in the cloud, so your threat protection won’t slow down your protected endpoints.

The base plan of CrowdStrike Falcon X includes automated processes. The next plan up is called Falcon X Premium and that includes a daily actionable intelligence report and tailored internet sweeps that specifically look for your company’s name, brand, or mentions of employees on social media or paste sites. For example, any stolen passwords up for sale or publicly leaked would be picked up in this search.

The highest plan is called Falcon X Elite. Each customer of this plan is assigned an intel analyst. This service is great for those businesses that want to outsource everything and get a managed threat intelligence solution rather than just automated tools for protection.

All CrowdStrike Falcon X plans include the Indicators of Compromise (IOCs) report. This puts the threats identified on your system into a global context. The IOC report shows where the malware or attacks you experience originated and whether the same hacker groups are known to use other methods to attack corporate systems. This relationship between known vectors alerts the subscribing company to potential threats to come.

The agents operating on each endpoint scan all activity on the device and upload suspicious files to the CrowdStrike server for analysis. There is no need for human intervention in this process. However, the system manager will receive feedback on detected threats and the actions implemented to close them down.

Pros:

  • Doesn’t rely only on log files for threat detection; uses process scanning to find threats right away
  • Acts as a HIDS and endpoint protection tool all in one
  • Can track and alert anomalous behavior over time, improves the longer it monitors the network
  • Can install either on-premises or directly into a cloud-based architecture
  • Lightweight agents won’t slow down servers or end-user devices

Cons:

  • Would benefit from a longer trial period

CrowdStrike offers a 15-day free trial of Falcon X.


4. Atera

Atera dashboard view

Atera is a support platform built for managed service providers (MSPs). It is delivered from the cloud, so the MSP does not need to install any software on its premises and does not even need to run any major IT infrastructure. All it needs is a computer with an internet connection and a web browser. The monitored system does need special software installed on it, however. This is an agent program that gathers data and communicates with the Atera servers.

Key Features

  • Designed for MSPs
  • Combines RMM and PSA
  • Monitors remote systems

Being a remote service, Atera is able to monitor any client facility, including cloud-based AWS and Azure servers. The service includes an autodiscovery process, which logs all of the equipment connected to the network. For endpoints and servers, the monitoring system will scan all software, creating an inventory. This is an essential source of information for software license management and it is also an important threat protection service. Once the software inventory has been compiled, the operator can check what unauthorized software is installed on each device and then delete it.

The server monitor checks on processes as part of its regular tasks and this will highlight malicious software running. The operator is able to access the server remotely and kill unwanted processes.

Atera monitors access rights controllers on the client’s site, including Active Directory. The Live Manager tool in the Atera package gives access to Windows Event logs and provides a searchable source of possible security breaches.

One more threat protection service contained in the Atera package is its patch manager. This automatically updates operating systems and key application software as patches become available. This important service ensures that any exploit remedies produced by software providers get installed as quickly as possible.

Pros:

  • 30-day free trial
  • Continuous network scanning makes inventorying easy and accurate
  • Built-in ticketing system, great for MSPs who want to handle threats on-premises
  • Pricing is based on the number of technicians, not supported users

Cons:

  • Could benefit from more integrations with other remote access tools and Azure AD

Atera is charged for by subscription with the charge rate set per technician. Buyers can choose between a monthly payment plan or a yearly rate. The annual payment period works out cheaper. You can access a free trial to put Atera through its paces.

5. FireEye Helix Security Platform

FireEye Helix Security Platform

FireEye Helix Security Platform is a cloud-based blended protection system for networks and endpoints. The tool includes a SIEM approach that monitors network activity and also manages and searches log files. The threat intelligence feeds provided by FireEye complete this multi-faceted solution by providing an updated threat database for your monitoring system.

Key Features

  • SaaS package
  • Constantly updated threat database
  • Remediation workflows

FireEye is a prominent cybersecurity firm and it uses its expertise to provide threat intelligence services on a subscription basis. The format and depth of that intelligence depend on the plan selected by the customer. FireEye offers industry-wide warnings about new threat vectors, which enable infrastructure managers to plan their defenses. It also offers a threat intelligence feed, which translates directly into threat detection and resolution rules in Helix Security Platform.

The Helix package also includes “playbooks,” which are automated workflows that enact threat remediation once a problem has been detected. These solutions sometimes include advising on secure practices and housekeeping actions, as well as automated responses.

Pros:

  • Great interface, the dark theme is great for long term monitoring in NOCs
  • Subscription model keeps your database updated with the most recent threats and bad actors
  • Provides insights for remediation and preventive actions based on recent events
  • Playbooks offer remediation workflows to automatically fix issues

Cons:

  • Configuration can be challenging
  • Reporting can be cumbersome and difficult to customize

6. N-able Threat Monitor

N-able Threat Monitor

Threat Monitor is a product of N-able, which provides software and services to support managed service providers. MSPs regularly offer network and IT infrastructure management services, so the addition of security monitoring is a natural extension of their regular activities.

Key Features

  • A SIEM built for MSPs
  • Cloud-based
  • Log management

This is a security information and event management (SIEM) system. A SIEM looks both at live activity on the monitored system and it also searches through system logs to detect traces of malicious activities. The service is able to monitor the on-site systems of the MSP’s clients and also any Azure or AWS server that the client uses.

The advantages of N-able Threat Monitor lie in its ability to collect information from every point of the network and the devices connected to it. This gives a more comprehensive view of attacks than a single collection point. Threats are identified by patterns of behavior and also by reference to the central SolarWinds Threat Intelligence database, which is constantly updated. The threat intelligence database is compiled from records of events occurring all over the world, so it is able to spot immediately when hackers launch global attacks or try the same tricks against many different victims.

The alarm levels of the service can be adjusted by the MSP operator. The dashboard for the system includes visualizations for events, such as dials and charts, as well as live lists of checks and events. The service is delivered from the cloud and so is accessed through any web browser. N-able Threat Monitor is a subscription service, so it is completely scalable and suitable for use by MSPs of all sizes.

Pros:

  • Designed with MSPs and resellers in mind
  • Can scan and pull logs from the cloud and hybrid cloud environments
  • Different alarm levels can be configured, great for large help desks
  • Accessible from any browser

Cons:

  • Functionality for Mac isn’t as robust as Windows
  • Would like a more streamlined process for onboarding new clients

7. AlienVault Unified Security Management

AlienVault USM

AlienVault Unified Security Management (USM) is a product of AT&T Cybersecurity, which acquired the AlienVault brand in 2018. AlienVault USM evolved from an open-source project called OSSIM, which stands for “open source security information management.” OSSIM is still available for free with AlienVault USM running alongside as a commercial product.

Key Features

  • Open Threat Exchange
  • Cloud-based SIEM
  • Threat hunting with AI processes

OSSIM is actually a misnomer because the system is a full SIEM, including both log message analysis and real-time network traffic examination. AlienVault USM also includes both of these elements. AlienVault USM has a number of extra features that are not available in OSSIM, such as log consolidation, log file storage management, and archiving. AlienVault USM is a cloud-based subscription service that comes with full telephone and email support, while OSSIM is available for download and relies on community forums for support.

A key benefit available to users of both the free and paid security products is access to the Open Threat Exchange (OTX). This is the world’s largest crowd-sourced threat intelligence service. Information made available on the OTX can be downloaded automatically into AlienVault USM to supply an up-to-date threat database. This provides the detection rules and resolution workflows needed by the SIEM. Access to OTX is free for all.

Pros:

  • Available for Mac and Windows
  • Can scan log files as well as provide vulnerability assessment reports based on device and applications scanned on the network
  • User powered portal allows customers to share their threat data to improve the system
  • Uses artificial intelligence to aid administrators in hunting down threats

Cons:

  • Logs can be hard to search and parse through
  • Would like to see more integration options into other security systems

8. LogRhythm NextGen SIEM

LogRhythm

LogRhythm terms its NextGen SIEM a threat lifecycle management (TLM) framework. The platform serves two LogRhythm products, which are the Enterprise and XM ranges. Both of these products are available either as an appliance or as software. LogRhythm Enterprise is aimed at very large organizations, while LogRhythm XM serves small and middle-sized businesses.

Key Features

  • SIEM
  • Log management
  • Compliance reporting

SIEM stands for Security Information and Event Management. This strategy combines two activities, Security Information Management (SIM) and Security Event Management (SEM). SEM monitors traffic in real time, looking for attack patterns that are stored in a threat database. SIM also refers to the threat database but compares events recorded in log files to the patterns laid out in the threat detection rules.

The software for the NextGen SIEM can be installed on Windows, Linux, or Unix. It is also possible to keep your threat management system completely independent of your hardware by buying the system as an appliance that connects to your network.

Pros:

  • Uses simple wizards to set up log collection and other security tasks, making it a more beginner-friendly tool
  • Sleek interface, highly customizable, and visually appealing
  • Leverages artificial intelligence and machine learning for behavior analysis

Cons:

  • Would like to see a trial option
  • Cross-platform support would be a welcomed feature

Choosing a Threat Intelligence Platform vendor

The cybersecurity sector is very vibrant at the moment. The growth in intrusion threats adding to the ever-present risk of malware has forced the industry to completely rethink its approach to system protection. This situation has resulted in major AV producers investing large amounts of money in innovative AI techniques and new strategies to combat hackers and cyberterrorists.

New players in the market add extra pressure to the reputations of established cybersecurity providers and keep pushing the limits of cybersecurity technology. Threat intelligence platforms play an important role in the fight for cybersecurity alongside SIEMs and intrusion prevention systems.

Although new TIPs appear all of the time, we are confident that the recommended threat intelligence platforms on our list will stay at the head of the pack. This is because the companies that provide them have long-standing experience in the field and they have shown that they are prepared to innovate to keep ahead of threats.

Threat Intelligence Platforms FAQ

What is the difference between threat intelligence and threat hunting?

Threat hunting is the process of looking for indicators of compromise (IOCs). Threat intelligence is a list of IOCs to look out for. Some threat intelligence is built into most threat hunting modules – these are the fundamental events to look out for, like excessive and rapid failed login attempts that indicate a brute force attack. Other threat intelligence is new information that identifies a new attack strategy that hackers have only just started to use. A threat intelligence feed passes news of a zero-day attack on to other subscribers, so that as soon as one user in the pool discovers that attack, all other customers know about it and their threat hunting module can look for it.

How do you describe the differences between threat intelligence and SIEM?

SIEM systems search through log messages for indicators of compromise (IOCs). Threat intelligence provides a list of IOCs to look out for. NextGen SIEMs include access to a live threat intelligence feed that provides up-to-the-minute IOCs.

Can threat intelligence platforms stop malicious domains?

A threat intelligence platform includes a formatted list of potential attacks. This will include IP addresses and domains that are known to be used by malicious actors.
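The STIX/TAXII feeds mentioned in the ManageEngine Log360 entry and the IP and domain lists in this answer both come down to a blocklist of indicators. As an added example written for this article (not code from any vendor on this page), the following parses a constructed STIX 2.1 indicator bundle of the kind a TAXII collection returns, keeps only the IPv4 and domain-name comparisons from the indicator patterns, drops revoked and expired indicators, and matches the resulting blocklist against constructed DNS and connection events, treating a subdomain of a listed domain as a hit. The indicator ids, event field names, and sample values are placeholders made up for the example.

```python
import json
import re
from datetime import datetime, timezone

NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)  # evaluation time for indicator expiry


def _ind(n, pattern, **extra):
    """Build a minimal STIX 2.1 indicator with a placeholder id (constructed for the example)."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
           "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
           "pattern": pattern, "pattern_type": "stix", "valid_from": "2024-05-01T00:00:00Z"}
    obj.update(extra)
    return obj


# Constructed bundle standing in for a TAXII collection response.
FEED_JSON = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff", "objects": [
    _ind(1, "[ipv4-addr:value = '203.0.113.9']"),
    _ind(2, "[domain-name:value = 'evil.example']"),
    _ind(3, "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']"),
    _ind(4, "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000000']"),
    _ind(5, "[ipv4-addr:value = '192.0.2.1']", revoked=True),
    _ind(6, "[ipv4-addr:value = '192.0.2.44']", valid_until="2024-01-01T00:00:00Z"),
    {"type": "malware", "spec_version": "2.1", "id": "malware--00000000-0000-4000-8000-000000000099",
     "name": "placeholder", "is_family": False},
]})

# Only simple equality comparisons on these two observable types become blocklist entries;
# hash comparisons, negations and the AND/OR structure of a pattern are ignored here.
COMPARISON_RE = re.compile(r"(?P<otype>ipv4-addr|domain-name):value\s*=\s*'(?P<value>[^']+)'")


def load_blocklist(bundle_json, now=NOW):
    """Return ({ip: indicator_id}, {domain: indicator_id}) from a STIX 2.1 bundle."""
    ips, domains = {}, {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
            continue
        for m in COMPARISON_RE.finditer(obj["pattern"]):
            target = ips if m["otype"] == "ipv4-addr" else domains
            target[m["value"].lower()] = obj["id"]
    return ips, domains


# Constructed events from a DNS resolver and a firewall, already in a common layout.
EVENTS = [
    {"id": 1, "kind": "dns",  "src_ip": "10.0.0.12", "domain": "cdn.evil.example"},
    {"id": 2, "kind": "conn", "src_ip": "10.0.0.12", "dst_ip": "198.51.100.8"},
    {"id": 3, "kind": "conn", "src_ip": "203.0.113.9", "dst_ip": "10.0.0.5"},
    {"id": 4, "kind": "conn", "src_ip": "10.0.0.7", "dst_ip": "192.0.2.1"},     # revoked indicator
    {"id": 5, "kind": "dns",  "src_ip": "10.0.0.7", "domain": "mail.example"},   # not listed
    {"id": 6, "kind": "conn", "src_ip": "10.0.0.7", "dst_ip": "192.0.2.44"},    # expired indicator
]


def match_events(events, ips, domains):
    """Return one hit per event field that equals a listed IP or falls under a listed domain."""
    hits = []
    for ev in events:
        for field in ("src_ip", "dst_ip"):
            value = ev.get(field)
            if value in ips:
                hits.append({"event": ev["id"], "field": field, "value": value, "indicator": ips[value]})
        domain = ev.get("domain")
        if domain:
            labels = domain.lower().split(".")
            for i in range(len(labels)):          # the name itself, then each parent domain
                candidate = ".".join(labels[i:])
                if candidate in domains:
                    hits.append({"event": ev["id"], "field": "domain", "value": domain,
                                 "indicator": domains[candidate]})
                    break
    return hits


if __name__ == "__main__":
    ip_list, domain_list = load_blocklist(FEED_JSON)
    for hit in match_events(EVENTS, ip_list, domain_list):
        print(hit)
```

Each hit carries the indicator id, so an analyst can trace a blocked domain or address back to the feed object that justified it, and revoked or expired indicators stop matching as soon as the feed is refreshed, which is the main reason to re-pull a TAXII collection on a schedule rather than load it once.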