Threat Intelligence

How to Evaluate Threat Intelligence Platform Features, Capabilities

A Threat Intelligence Platform (TIP) is a fantastic way to manage intelligence and its process amongst individual teams and communities, including clients. With so many options to choose from, selecting the best TIP can be a daunting task. If you’re new to cyber threat intelligence, you likely don’t know what a TIP can do, and thus what strengths to focus on in your selection. As mentioned in previous blogs, it is essential to have a strategic road map in place to best approach your intelligence integration and operational needs before acquiring a TIP.

Author: Optiv Security’s Ken Dunham
Author: Optiv Security's Ken Dunham

Attributes of the Threat Intelligence Platform Company

Because TIPs are an emergent solution space, some of the earlier developers have more mature, integrated, and stable solutions. Consider things like how long the company has been in business, how they are funded, how many clients they have, their financial stability, do they have compliance certifications in their product and/or services to lower third-party risk, who are the leaders of the company and are they known or accomplished in the field, etc.

A startup is commonly associated with higher risk and less stability but with increased agility as well as the ability to customize to meet your needs as one of a few clients as opposed to hundreds. More mature solutions offer additional options, but this often results in higher costs and the vendor may not be as agile or responsive in meeting specific needs.

Attributes of the Threat Intelligence Platform

Individual attributes or functionality of a TIP must be prioritized to ensure it best meets a company’s unique needs. The following list is not comprehensive but is is detailed enough to illustrate how one may consider evaluating various categories of features and capabilities for a TIP when comparing vendors:

1. COLLECTIONS
Multiple SIEM Ingestions
Industry protocols for ingestion (JSON, XML, etc)

2. REPUTATION/ENRICHMENT/BEHAVIORAL
Automated IOC Enrichment
Vulnerability Prioritization
Threat Correlation
Named Threat Attribution
Anonymized/Sanitized Threat Sharing/Community

3. WORKFLOW MANAGEMENT
Custom Dashboards
Case Management (IR/SOC/*) Framework
Task Management (actions, escalations, etc.)
Visual Threat Correlation
Custom Objects & Meta-Data Editing

4. ORCHESTRATION & AUTOMATION (O&A)
Custom Risk Rating & Alerting
Custom Objects/Tagging/Meta-data
Predictive Analytics
Playbook/Templates & Integration APIs

5. DISSEMINATION
Weekly Threat Landscape Reports by Vendor
STIX 1.x/TAXII/MISP, etc Framework Support
STIX 1.x/TAXII/MISP, etc Framework Support
ServiceNow Records & Updates Integration
Private/Public Communities
Splunk Integration & App
Cloud/remote client login/portal support

6. MONITORING
Brand monitoring (OSINT/Deep/DarkWeb)
YARA/Retro Hunts

7. SUPPORT
Technical Support 5/9 Coverage
Assigned Engineer/Account Manager & Advisory Consultation
Intel Analyst Q&A
Universal Shared Accounts Supported
Flexible Pricing and Support
Free Playbook Configuration/Integration Use Case Development
Cloud Solution
On-Premise (remember costs associated)

8. PRICING
Total users
API usage rate
GB Data Transfer rate
Product/Flat Rate
Discounts/Working with us
Friends & Family / Referral Discounts

Consider Staff, Pricing and Create an Organized Review of Options

Big picture: Some TIPs vendors sometimes offer a free consultation or even free onboarding while others sell you more of a product or service and then you’re on your own. Depending upon your staff capabilities and your security program maturity, this may be an essential thing to consider in terms of what the vendor is providing and how your experience fits with that. How much can you internally deploy and support?

Cost is always the bottom line, pun intended, so be sure to apply the pricing model to your known environment. For example, if pricing is determined via total GB of data transferred into or out of a TIP, knowing how much data is currently being utilized or is likely to be transferred in a TIP is critical to ensure its affordability in production. This type of pricing model can be reduced by being creative, such as only sending to the TIP a sub-set of actionable data that is of the greatest interest, while remaining data can exist in a data lake. Be sure to consider all disseminations and integration of intel required for the TIP to ensure you can affordably orchestrate with the TIP in production as is necessary when working various groups towards actionability (e.g. sending reports to the Incident Response (IR) team, Indicators of Compromise (IOC) to network and email IT, etc.).

Threat Intelligence Platform Vendor Choice Must Be Carefully Thought Out

Performing an organized, detailed review of all potential TIPs, with clear strategic priorities for the intelligence program, is an effective approach. It helps to clarify priorities and apply them directly to the TIP being considered. It also shows comparisons and return on investment for each TIP strength and weakness as applied to an organization’s requirements. It can also be used to help leverage a strategic road map and alignment towards a future state, such as purchasing scalable options or a different TIP over time, to best meet the changing needs of an environment.


Ken Dunham is senior director, technical cyber threat intelligence at Optiv Security. Read more Optiv blogs here.

You can skip this ad in 5 seconds