What is a Threat Intelligence Platform?



Threat Intelligence has become a common resource for commercial and government organizations to use as part of their cybersecurity posture. Many organizations are now using Threat Intelligence as part of their security suite in order to understand the kinds of adversaries that they’re facing and how to better combat them.

As the Threat Landscape evolves, sharing Threat Intelligence has become more critical than ever. While attackers and adversaries are collaborating themselves, it is important to share the information we learn about them to improve the effectiveness of our defense teams.

Damian Skeeles, Principal Solution Engineer at Anomali, takes the floor at InfoSecurity Europe to discuss staying ahead of the Threat Landscape with Cyber Threat Intelligence & Information Sharing.

My name is Damian Skeeles.

I'm a principal solution architect at Anomali.

Anomali was founded in 2013 to address the growing challenge of threat intelligence.

Threat intelligence was in its nascent stages there and is now growing exponentially almost to where we are today.

So companies tend to require a threat intelligence management solution in order to import, manage, and orchestrate the threat intelligence they're receiving.

Threat intelligence has been used for a long time in terms of cyber threat intelligence.

But it started out more in military circles.

It's now come to the point where it is a common resource for commercial organizations, government organizations to use as part of their cybersecurity posture.

So many organizations are now using threat intelligence as part of their security suite in order to understand the kinds of adversaries that they're facing and how to better combat them.

We provide a threat intelligence management platform, threat intelligence platform, as it were.

And what we're doing with that is we're providing customers with the ability to consume and use the threat intelligence they receive from various sources-- whether it be commercial feeds, open source intelligence, and also emails and in analysis of phishing emails and all the sources they would normally use in their day-to-day life-- and allow them to automatically preprocess that, present that to them for analysis.

And then once they have analyzed that threat intelligence, disseminate it to all the various parties and groups who they work with, who they provide that to, and also to all the various systems.

And there's a growing number of systems, especially now year on year, many more systems are consuming and using threat intelligence to operate more effectively.

We integrate with a huge number of products.

Most predominantly the various threat intelligence providers-- the companies that provide threat intelligence-- will provide it in various forms, whether it be through APIs or standards.

And we use those APIs and use those standards, such as STIX/TAXII, to bring that intelligence into our platform.

We then can orchestrate that to various SIEMs.

So all the popular SIEMs, we integrate very, very granularly with.

So we can work with those.

And then we also work with various partners such as, for example, Microsoft with their Intelligence Security Graph, and others who are using threat intelligence and building that into their solutions and be able to orchestrate that to different systems.

Well, our customers are anyone who needs to use threat intelligence in their everyday security operations, but also customers who want to be able to collaborate on threat intelligence.

So a very important feature of our product and over into our suites is the ability to share threat intelligence between parties.

And the entire concept of being able to collaborate with your peer groups, with those in your same vertical or your same region, is really one which we've been emphasizing in the industry for a long time.

And we're providing the technology to allow different organizations to work in that way and to be able to collaborate more effectively and seamlessly with each other.

We have a number of services around simply the platform itself.

So many companies who are looking for a platform like ours may have an evolved threat intelligence program already.

But those who don't and are seeking to build a threat intelligence program, we'll then help them.

We have professional services that can help them build those out.

We also help with the integrations.

We can provide them with on-demand request for information services where we can actually analyze threats for them and provide them packaged information about that, which they can then take straight back into the platform and push out to all their security systems to alleviate that threat.

Another capability we have, which makes us unique amongst our peers, is that we not only are able to provide management and analysis of threat intelligence and provide you a platform to analyze that, but also to action that threat intelligence against your network and security data.

So many companies have a SIEM where they're collecting all their event information.

But those SIEMs are often too overloaded to be able to perform the kind of searching and historical analysis of the threats all the way back to the patient zero, the first infiltration into the network.

So we provide a second solution called Anomali Enterprise.

We can store up to a year's worth of logs and network data, which allows the customer to immediately and automatically know whether a threat they're currently investigating has ever appeared in any form or through any associated integrator all the way through the history of their network operations.

We're passionate believers in the idea that we have to share threat intelligence and threat information within our community.

There are ISACs and information sharing groups springing up all over the place within different verticals, different industries.

Some are longstanding.

Many are new.

And we believe that providing these groups the ability to share data that they develop amongst their peers, being able to collaborate in real time-- within their own organizations, within their peer groups, within their wider communities-- is a fundamental strength to their capability.

The attackers and the adversaries are collaborating themselves.

They're sharing information on the Dark Web and in forums, and we need to have the same ability ourselves to share the information we're learning about them and improve the effectiveness of our defense teams.

It feels great to be working in this field because I was working in SOC and SIEM for 10 years before this.

And I could see where this capability would be important to existing SOCs and existing SIEM users in being able to evolve as the threat landscape is evolving.

So that's exactly where we're going.

The usage of this kind of capability and of threat intelligence in general is growing exponentially.

And we're right in the center of it.