What Is A Security Intelligence Platform?

The war to protect your enterprise’s digital infrastructure is a battle on many fronts. It’s also a battle without end. Even in “peacetime,” when no active cybersecurity threat has been identified, enterprises of all shapes and sizes must reinforce their security provisions, because every new technological advance brings new vulnerabilities with it, and those vulnerabilities can bring even large and accomplished businesses to their knees.

The technological landscape is in a constant state of flux, always growing and evolving. This means there is always opportunity for malicious cybercriminals to exploit the inherent vulnerabilities which occur whenever a new platform, tool or patch is introduced to your business operations.

For CIOs, CTOs, and CISOs, the challenge is to identify new threats as they emerge, and employ countermeasures effectively to prevent them from threatening the safety of the enterprise’s IT infrastructure.

Security Intelligence Platforms (SIPs), also known as Threat Intelligence Platforms (TIPs), are an integral tool in this never-ending battle. Here, we’ll take a close look at what they are, how they work, and why your enterprise might need one, and we’ll compare some of the most popular solutions on the market today.

What is a Security Intelligence Platform?

In order to understand what a SIP does, it’s important to consider the cybersecurity needs and vulnerabilities of most enterprises.

Many CIOs find that their businesses are beset on all sides by increasingly sophisticated cyber attacks. Even if you have the systems in place to monitor every event happening on your network, those systems can yield massive volumes of reporting data, and too much data is nearly impossible to parse without the right analytical tools or human analysts.

This is a significant drain on time and resources, and can also leave potential vulnerabilities wide open to exploitation.

A SIP is intended to mitigate this risk by:

  • Aggregating intelligence from a wide range of sources
  • Integrating seamlessly with an enterprise’s existing security systems
  • Curating, normalizing, and enriching data to facilitate risk-scoring
  • Analyzing and sharing threat intelligence

The intelligence produced by the SIP is then used to inform further security planning and monitoring.

How does it work?

Step 1: Finding the threat. A SIP’s first course of action is to identify potentially malicious activity within the IT environment. This might include instances of:

  • Phishing
  • Botnets
  • Malware and Ransomware
  • APTs (Advanced Persistent Threats)

In most cases, key personnel will be alerted to the presence of this threat.

Step 2: Gathering intelligence. What differentiates a SIP from a Security Information and Event Management (SIEM) platform is its ability to gather and collate data from a wide range of sources, including email, CSV, STIX, XML, JSON, IODEF, OpenIOC and any number of other feeds.

The data is collated, then enriched with contextual data from your company’s technology fingerprint (the systems, software and services actually in use) to convert it into something understandable and actionable. Duplicate information is removed for faster and more efficient reporting, and irrelevant data is weeded out to make the intelligence clearer.

Plainly speaking, it lets an organization know about the who, where, why and (perhaps most importantly) how of an attack.

It is important that this is automated, as the sheer volume of data would be nearly impossible for a human analyst to make sense of in a short enough time frame for decisive action to be taken.

Step 3: Integration. As we can see, what makes a SIP so effective is its ability to integrate with an enterprise’s existing cybersecurity infrastructure, such as its SIEM, firewall and endpoint security.

If it cannot integrate with these successfully, it creates blind spots: parts of the environment where threats are neither seen nor acted upon, and which are therefore left exposed.
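As an added illustration of Steps 1 to 3 (this is example code, not code from the article or from any vendor it names), here is a minimal pipeline in Python that ingests two of the feed formats the article lists (CSV and STIX 2.1 JSON), normalizes and deduplicates the indicators, enriches them with an assumed ASSET_CONTEXT table standing in for the enterprise’s technology fingerprint, risk-scores them, and weeds out what is not actionable. The feed contents, the scoring weights and the ASSET_CONTEXT table are all constructed for the example.

```python
import csv, io, json, re

# Constructed sample feeds (not real intelligence): a CSV feed and a STIX 2.1
# indicator bundle, two of the feed formats the article names.
CSV_FEED = """indicator,type,source,confidence
203.0.113.10,ipv4,feed-a,80
evil-login.example,domain,feed-a,60
203.0.113.10,ipv4,feed-b,50
"""
STIX_FEED = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "confidence": 90,
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "confidence": 20,
     "pattern": "[domain-name:value = 'benign-cdn.example']"},
    {"type": "malware", "name": "not an indicator, skipped"},
]})
# Assumed "technology fingerprint": what the enterprise's own logs have seen.
ASSET_CONTEXT = {"203.0.113.10": {"seen_in": "proxy logs", "hosts": 4}}
STIX_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value = '([^']+)'\]")

def parse_csv_feed(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"].lower(), row["type"], row["source"], int(row["confidence"])

def parse_stix_feed(text):
    for obj in json.loads(text)["objects"]:
        m = STIX_PATTERN.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if m:
            kind = "ipv4" if m.group(1) == "ipv4-addr" else "domain"
            yield m.group(2).lower(), kind, "stix", int(obj.get("confidence", 0))

def aggregate(records):
    # Collate: one record per indicator value (deduplication), keeping every source.
    merged = {}
    for value, kind, source, conf in records:
        rec = merged.setdefault(value, {"type": kind, "sources": set(), "confidence": 0})
        rec["sources"].add(source)
        rec["confidence"] = max(rec["confidence"], conf)
    for value, rec in merged.items():
        rec["context"] = ASSET_CONTEXT.get(value)  # enrich with our own environment
        # Risk score: best feed confidence, +10 per corroborating source, +20 if seen internally.
        score = rec["confidence"] + 10 * (len(rec["sources"]) - 1) + (20 if rec["context"] else 0)
        rec["score"] = min(score, 100)
    return merged

def actionable(merged, threshold=50):
    # Weed out low-relevance indicators; survivors can go to the SIEM or firewall blocklist.
    return sorted(v for v, r in merged.items() if r["score"] >= threshold)
```

With the constructed feeds, the IP seen in three feeds and in the enterprise’s own proxy logs scores 100, the single-source domain scores 60, and the low-confidence CDN domain is dropped.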

Why would you need a SIP?

Quite simply, SIPs help CIOs and cybersecurity personnel to identify threats, gather actionable intelligence on those threats, and act on that intelligence accordingly.

When properly deployed, the intelligence recovered from a SIP acts like antibodies within your cybersecurity provision: finding threats and gathering the intelligence needed to implement appropriate responses and future safeguards.

Given that they are designed to integrate seamlessly with an enterprise’s existing infrastructure, it’s easy to see why they are a valuable addition to any enterprise. The key, however, is finding the right one for you.

Comparing some of the most popular SIPs

As with any business purchase, the key to choosing the right platform lies in knowing your needs:

  • Are you looking for something that will offer the best integration, spotting threats wherever they occur?
  • Will you need something that provides more detailed reporting?
  • Will you need something with an intuitive User Interface, or are you happy to endure a steep learning curve if it allows for better intelligence gathering?

Let’s look at some of the most popular SIPs on the market and weigh their pros and cons, to help you find the best one for you and your organization.

RSA NetWitness Suite

Pros:
  • Allows users to analyze, prioritize and investigate threats in line with your enterprise’s needs.
  • Easy to use and understand.
  • No scalability limits.
  • Full packet capture and reconstruction.
  • Threat analysis which provides indicators of compromise.

Cons:
  • Opaque user interface.
  • No health checks or roadmap presentation.
  • Some users report that updates require support intervention.

Anomali ThreatStream

Pros:
  • Aggregates literally millions of threat indicators to identify new attacks quickly.
  • Extracts key data from suspected phishing emails for immediate blocking.
  • Facilitates easy collaboration between analysts.
  • Offers some free threat intelligence tools for cash-strapped enterprises.
  • Easy to understand UI.

Cons:
  • May be surplus to requirements for some smaller businesses.

FireEye iSIGHT Threat Intelligence

Pros:
  • Adds contextual data and allows for prioritization before, during and after an attack.
  • Access to over 1,000 experts responding to incidents and researching clients’ attacks.
  • Spam filtering.
  • Advanced Persistent Threat prevention.
  • Fast and efficient deployment.

Cons:
  • Starting price of $100,000 per year may be prohibitive for some enterprises.
  • Can be hard to configure.

IBM X-Force Exchange

Pros:
  • Unlimited scalability and queries.
  • Offers intelligence on web applications, spam, malware vulnerabilities and IP / URL reputation.
  • Free for up to 5,000 records a month.

Cons:
  • Managing the PE system can be difficult for complex workflows.

Regardless of the SIP you choose, you will see the greatest benefit from it when it is integrated with your entire security environment. If you’re looking to ensure your IT infrastructure is as secure as it can possibly be, we would love to have a short conversation about your environment, and how we can help!

About the Author

Jason Miller

Jason is a Chief Executive Officer of BitLyft Cyber Security. He has spent the last 19 years of his career focusing on network, system administration, and cloud technologies. He is passionate about helping businesses embrace the next generation of technology including cloud adoption and high performance scaling software.
