What Threat Intelligence Platform/TIP do you use & Why?

That Random Guy, Member, Posts: 72
edited March 2022 in Cybersecurity Management
This post is really a way for me to better gauge where, who, and why any organization is using such a thing like TIP.

As with most things in the industry, things can become buzzwords and only provide superficial value that isn't very valuable (in the state it's delivered) at a later glance.

For the past decade, I feel like one of those things has been threat intelligence. I would like to point out, however, that I am not an expert in the field, nor in cyber, nor in the specific subject matter in question. This is merely my particular observation of things as they have popped up over time within the closer circles that I participate in.

That being said, I feel like while perhaps the solutions we see now being branded as TIP are pretty much the natural evolution for that specific piece in the cyber security governance of an organization, it is a tool with very similar properties and features of already existing technologies.

I did a Google search on what's around and Palo Alto comes up among others, but what I have yet to fully understand is how this differs from a SIEM.

Truthfully, it seems almost complementary, but if so, then it likely incurs its own cost. I don't see this as something that is being used by smaller orgs that can't afford it.

My questions are then:

What TIP are you using/have used in your organization now (if you use[d] one) and can you share why you needed this kind of tool in use? How did it differ from simply using a SIEM or other kind of toolset? Where did this come in place for your security governance and did you link it to some other related IT function/process such as incident response or vulnerability management? How so?

I am trying to understand better how and why such a product has risen and why SIEMs aren't getting the job done instead.

Comments

  • JDMurray, Admin, Posts: 13,099
    edited March 2022
    That Random Guy said:
    I am trying to understand better how and why such a product has risen and why SIEMs aren't getting the job done instead.
    A SIEM platform and a Threat Intelligence service are two different things; you have an apples-and-oranges misunderstanding about them.
    A SIEM product ingests time-based event information found in event logs, Netflows, raw packet data, etc. That ingested/indexed/correlated data is then fed into SIEM rules which produce security events that a human security analyst investigates.
    A Threat Intelligence (TI) service researches global threats to produce intelligence about specific threats to an organization or industry sector. TI research requires human analysts and cannot be fully automated. A SIEM or SOAR platform can ingest threat intelligence from internal or external sources to enrich its security event information. Using the TI, IOAs and TTPs can be quickly identified by the SIEM rules that point to a specific attacker. This saves time that would have been spent by the analyst manually triaging the security event prior to performing analysis of the (potential) incident.
    Most large organizations have multiple TI feeds which may be used from the TI vendor's dashboard (for humans), ingested into a SIEM via an API (automation), or both.
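The SIEM-side part of what the comment above describes, as an added example that is not part of the thread or of any vendor's product: a TI feed is indexed, events are enriched with the indicators they hit, and a correlation rule turns single IOC hits and multi-indicator IOAs into alerts attributed to an actor. The feed, the actor names, the event schema and the rule thresholds are all constructed for this example (addresses are from reserved documentation ranges).

```python
import ipaddress
from collections import defaultdict

# Constructed TI feed. The indicator values use reserved documentation ranges
# and example domains, and the actor names are made up; a real feed (STIX,
# CSV, vendor API) carries the same essentials: value, type, attribution,
# confidence.
TI_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "actor": "EXAMPLE-ACTOR-1", "confidence": 90},
    {"type": "ipv4-cidr", "value": "198.51.100.0/24", "actor": "EXAMPLE-ACTOR-2", "confidence": 60},
    {"type": "domain", "value": "update-check.example.net", "actor": "EXAMPLE-ACTOR-1", "confidence": 80},
    {"type": "sha256", "value": "d2d2" + "0" * 60, "actor": "EXAMPLE-ACTOR-3", "confidence": 95},
]

# Constructed events in an assumed, already-normalised SIEM schema.
EVENTS = [
    {"ts": 1000, "host": "ws-12", "src_ip": "10.0.0.12", "dst_ip": "203.0.113.45"},
    {"ts": 1040, "host": "ws-12", "src_ip": "10.0.0.12", "dns_query": "Update-Check.example.net"},
    {"ts": 1100, "host": "ws-07", "src_ip": "10.0.0.7", "dst_ip": "198.51.100.77"},
    {"ts": 1200, "host": "ws-03", "src_ip": "10.0.0.3", "dst_ip": "192.0.2.10"},
    {"ts": 1300, "host": "srv-01", "src_ip": "10.0.0.50", "file_hash": "D2D2" + "0" * 60},
]

# Event field -> indicator type it is compared against.
FIELD_TYPES = {"src_ip": "ipv4", "dst_ip": "ipv4", "dns_query": "domain", "file_hash": "sha256"}


def build_index(feed):
    """Exact indicators go in a hash table; CIDR indicators need a prefix
    test, so they are kept in a separate list."""
    exact, networks = {}, []
    for ind in feed:
        if ind["type"] == "ipv4-cidr":
            networks.append((ipaddress.ip_network(ind["value"]), ind))
        else:
            exact[(ind["type"], ind["value"].lower())] = ind
    return {"exact": exact, "networks": networks}


def match_event(event, index):
    """Return every feed indicator that some field of the event hits."""
    hits = []
    for field, itype in FIELD_TYPES.items():
        value = event.get(field)
        if not value:
            continue
        ind = index["exact"].get((itype, value.lower()))
        if ind is None and itype == "ipv4":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:  # malformed address in the log: skip it, do not crash the pipeline
                continue
            ind = next((i for net, i in index["networks"] if addr in net), None)
        if ind is not None:
            hits.append({"field": field, **ind})
    return hits


def enrich(events, index):
    """Attach TI matches to each event; the original fields are kept intact."""
    return [{**ev, "ti_matches": match_event(ev, index)} for ev in events]


def correlate(enriched, window=300):
    """Toy SIEM rule over enriched events. A lone IOC hit is triaged by feed
    confidence; two different indicator types attributed to the same actor on
    the same host within `window` seconds is treated as an IOA and escalated."""
    per_host_actor = defaultdict(list)
    for ev in enriched:
        for m in ev["ti_matches"]:
            per_host_actor[(ev["host"], m["actor"])].append((ev["ts"], m))
    alerts = []
    for (host, actor), items in per_host_actor.items():
        times = [t for t, _ in items]
        kinds = {m["type"] for _, m in items}
        if len(kinds) >= 2 and max(times) - min(times) <= window:
            severity = "high"
        elif max(m["confidence"] for _, m in items) >= 80:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"host": host, "actor": actor, "severity": severity,
                       "indicators": sorted({m["value"] for _, m in items}),
                       "first_seen": min(times), "last_seen": max(times)})
    return sorted(alerts, key=lambda a: (a["host"], a["actor"]))


if __name__ == "__main__":
    for alert in correlate(enrich(EVENTS, build_index(TI_FEED))):
        print(alert)
```

Run as-is it prints three alerts: a low one for ws-07 (a single, low-confidence CIDR hit), a medium one for srv-01 (one high-confidence hash hit) and a high one for ws-12, where a C2 address and a domain both attributed to the same actor were seen 40 seconds apart. That last case is the time-saver the comment refers to: the analyst starts from an actor and two corroborating indicators instead of two unrelated events.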

