What kind of threat intelligence are you selling me?

Forrester Research evaluated the current threat intelligence vendor landscape. Here's what it found out.
Written by Josh Zelonis, Contributor

The threat intelligence market has not been well defined. This is a problem that frequently arises when marketing departments start playing buzzword bingo in a "me too" attempt to latch onto the latest trend. This year it's happening with machine learning.

Unfortunately, the market response to this type of message pollution is to "lose faith" in the trend or technology, leaving nothing but the echoes of a melancholy Michael Stipe song. One of the challenges I faced when researching the threat intelligence space was making sense of a market where vendors frequently denigrate each other, referring to each other as "fake news" or "fake intelligence" or whatever. I'm exaggerating, but not by much. I'm sure we've all heard the "that's not real intelligence" talk.

The important thing to understand is that a lot of different "things" can be considered threat intelligence, and there is no requirement that an offering take any particular form to earn the label. This leads to an interesting situation where multiple vendors tell customers they are selling the same thing (they aren't), leaving customers to work out how to justify a budget for the latest offerings, because in security, if you're not keeping up with the trends, you're falling behind best practices.

Forrester's latest evaluation of the external threat intelligence landscape sets out to analyze one segment of the threat intel market: vendors that offer externally sourced threat intelligence feeds as a service. Vendors sell threat intelligence in various ways, including:

  • Threat intelligence provided as a value proposition for goods or services. This type of value proposition dates to antivirus vendors who, before transitioning to the cloud, found they had more malware signatures than they could push down to an endpoint, so they used intelligence to ship the set of indicators customers were most likely to encounter (although it's rarely discussed in these terms). In practice, we now see this type of threat intelligence implemented as sharing networks for technologies such as Palo Alto Networks' WildFire, which automatically manages and disseminates threat data on unknown and previously unanalyzed threats to other customers in real time.
  • Internal intelligence generated from within your organization. Products and services that provide insight into your own networks are a critical source of intelligence. Security professionals often encounter this through services companies that also sell products, such as endpoint detection and response (EDR) technologies, that provide visibility into infrastructure. In fact, many digital forensics companies deploy this type of endpoint technology during an investigation to identify threats. While many vendors will not market this as threat intelligence directly, it's important to understand that these sources are available.
  • Subscriptions to externally sourced information that may be intelligence. External threat intelligence is the work product of data collected outside your organization. Only the most advanced intelligence capabilities have their own operatives and collection infrastructure (a level of sophistication usually reserved for nation-state tradecraft); external threat intelligence vendors provide this type of intelligence as a subscription service. One challenge of engaging a vendor that serves a number of verticals is the need to assess the relevance of what's being provided. Hospitality companies may have a lot in common with retail in terms of online booking and card-present, point-of-sale (POS) transactions, but both will likely experience risk quite differently than a manufacturing company.
  • Threat information exchanges focused on information sharing. While closely related to the vendors above, information exchanges are differentiated in that they don't generate the intelligence they distribute. Instead, the offering is a framework or consortium within which members share threat intelligence. An example of this type of delivery is the National Retail Federation (NRF), which operates an Information Sharing and Analysis Organization (ISAO) that lets member retailers share threat information to protect the pack. An advantage of this type of network is that the intelligence obtained is about as relevant to you as the other members of the exchange are similar to you, which in a sector-specific exchange is usually quite relevant.
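One practitioner check for the relevance question raised above, as an added example that is not from Forrester, this article, or any vendor: before renewing a subscription, match the feed's indicators against your own telemetry (the internal intelligence source from the second bullet) and against the sectors the vendor tags each indicator with. The feed entries, log lines and sector tags below are constructed for illustration, and `assess_feed` and `affected_hosts` are hypothetical helper names; a real feed would arrive as STIX, CSV or JSON from the vendor and the telemetry would come from your DNS and proxy logs.

```python
"""Measure how much of an external threat feed is relevant to your environment
by matching its indicators against local telemetry and sector tags.

Added example; not from Forrester or any vendor. All data below is constructed.
"""
import ipaddress
import re

# Constructed external feed: indicator, type and the verticals the vendor
# claims the indicator targets.
FEED = [
    {"indicator": "203.0.113.10", "type": "ipv4", "sectors": ["retail", "hospitality"]},
    {"indicator": "198.51.100.77", "type": "ipv4", "sectors": ["manufacturing"]},
    {"indicator": "bad-booking.example", "type": "domain", "sectors": ["hospitality"]},
    {"indicator": "booking-phish.example", "type": "domain", "sectors": ["hospitality"]},
    {"indicator": "pos-update.example", "type": "domain", "sectors": ["retail", "hospitality"]},
    {"indicator": "plc-firmware.example", "type": "domain", "sectors": ["manufacturing"]},
]

# Constructed internal telemetry: DNS and proxy log lines from your own network.
TELEMETRY = """\
2017-11-02T10:14:03Z dns query src=10.20.1.15 qname=bad-booking.example
2017-11-02T10:14:05Z proxy src=10.20.1.15 dst=203.0.113.10 url=http://bad-booking.example/login
2017-11-02T10:16:40Z dns query src=10.20.1.22 qname=updates.vendor.example
2017-11-02T11:01:12Z proxy src=10.20.1.30 dst=192.0.2.44 url=http://updates.vendor.example/
2017-11-02T11:05:00Z dns query src=10.20.1.22 qname=pos-update.example
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Final label must be alphabetic, so dotted-quad IPs are not picked up as domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc=(\S+)")


def extract_observables(text: str) -> dict:
    """Pull IPv4 addresses and domains out of raw log text, keyed by type."""
    seen = {"ipv4": set(), "domain": set()}
    for line in text.splitlines():
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.IPv4Address(ip)  # reject things like 999.1.1.1
            except ValueError:
                continue
            seen["ipv4"].add(ip)
        for dom in DOMAIN_RE.findall(line):
            seen["domain"].add(dom.lower())
    return seen


def assess_feed(feed, telemetry: str, my_sector: str):
    """Return per-indicator verdicts and summary counts for one feed.

    'observed' means the indicator appeared in our own telemetry; 'targeted'
    means the vendor tags it with our sector. Indicators that are neither are
    the part of the subscription we pay for but never use.
    """
    seen = extract_observables(telemetry)
    verdicts = []
    summary = {"total": 0, "observed": 0, "targeted": 0, "irrelevant": 0}
    for entry in feed:
        observed = entry["indicator"].lower() in seen.get(entry["type"], set())
        targeted = my_sector in entry["sectors"]
        verdicts.append({**entry, "observed": observed, "targeted": targeted})
        summary["total"] += 1
        summary["observed"] += int(observed)
        summary["targeted"] += int(targeted)
        summary["irrelevant"] += int(not observed and not targeted)
    summary["hit_rate"] = summary["observed"] / summary["total"] if summary["total"] else 0.0
    return verdicts, summary


def affected_hosts(feed, telemetry: str) -> dict:
    """Map each feed indicator to the internal source hosts seen contacting it."""
    hits = {}
    for line in telemetry.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        observed = extract_observables(line)  # per-line, so hits tie back to src=
        for entry in feed:
            if entry["indicator"].lower() in observed.get(entry["type"], set()):
                hits.setdefault(entry["indicator"], set()).add(m.group(1))
    return hits


if __name__ == "__main__":
    verdicts, summary = assess_feed(FEED, TELEMETRY, my_sector="hospitality")
    for v in verdicts:
        print(f"{v['indicator']:24} observed={v['observed']!s:5} targeted={v['targeted']}")
    print(summary)
    print(affected_hosts(FEED, TELEMETRY))
```

Run the same assessment against each candidate feed and compare `hit_rate` and `irrelevant`; a feed whose indicators are mostly tagged for other verticals and never show up in your logs is not worth the budget line, however "real" the vendor says its intelligence is. The `affected_hosts` output is where external and internal intelligence meet: it turns a feed match into a list of machines to investigate.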

I speak to a lot of companies that are trying to figure out how to get started with a threat intelligence capability, how to develop an effective collection strategy, and what to do with the intelligence they collect. Vendors are also trying to figure out how to differentiate their offerings, and these few points serve as a guide for telling the offerings of external threat intelligence providers apart.