What kind of threat intelligence are you selling me?
Forrester's latest evaluation of the external threat intelligence landscape analyzes vendors in one particular segment of the threat intel market: those that offer externally sourced threat intelligence feeds as a service. Vendors sell threat intelligence in several different ways, including:
- Threat intelligence provided as a value proposition for goods or services. This type of value proposition dates back to antivirus vendors who, before transitioning to the cloud, found they had more malware signatures than they could push down to an endpoint, so they used intelligence to select the set of indicators customers were most likely to encounter (although it is rarely discussed in these terms). In practice, we now see this type of threat intelligence implemented as sharing networks for technologies such as Palo Alto Networks' WildFire, which automatically manages and disseminates threat data on unknown and previously unanalyzed threats to other customers in real time.
- Internal intelligence generated from within your organization. Products and services that provide insight into your own networks serve as a critical source of intelligence. Security professionals often encounter this through services companies that also sell products, such as endpoint detection and response (EDR) technologies, which provide visibility into infrastructure. In fact, many digital forensics companies deploy this type of endpoint technology over the course of an investigation to identify threats. While many vendors will not market this directly as threat intelligence, it is important to understand that these sources are available.
- Subscriptions to externally sourced information that may be intelligence. External threat intelligence is the work product of data collected outside your organization. While only the most advanced intelligence capabilities will have their own operatives and collection infrastructure (a level of sophistication usually reserved for nation-state tradecraft), external threat intelligence vendors provide this type of intelligence as a subscription service. One challenge of engaging a vendor that serves a number of verticals is the need to assess the relevance of what is being provided. While hospitality companies may have a lot in common with retail in terms of online booking and card-present point-of-sale (POS) transactions, they will likely experience risk quite differently than a manufacturing company.
- Threat information exchanges focused on information sharing. While closely related to the vendor types above, information exchanges are differentiated in that they do not generate the intelligence they distribute. This offering instead provides a framework or consortium through which members share threat intelligence. An example of this type of delivery is the National Retail Federation (NRF), an Information Sharing and Analysis Organization (ISAO) that allows member retailers to share threat information to protect the pack. An advantage of this type of network is that the intelligence obtained is at least as relevant to you as the other organizations in the exchange are similar to your own.
I speak to a lot of companies that are trying to figure out how to get started with a threat intelligence capability, how to develop an effective collection strategy, and what to do with the intelligence they collect. Vendors are also trying to figure out how to differentiate their offerings, and these few points serve as a guide for distinguishing between the offerings of external threat intelligence providers.