We believe the Gartner Market Guide for Security Threat Intelligence Products and Services is an admirable attempt to bring some sense to this disparate market, but its comprehensiveness also highlights the fact that Threat Intelligence means very different things to different people.
Gartner defines TI as “knowledge and information about security threats and other security-related issues” and notes that “intelligence-led initiatives provide information about the identities, motivations, characteristics and methods of threat actors and then importantly give you options to operationalize this in your cybersecurity programs.”
We think Gartner, to its credit, urges its clients to use TI products and services in whatever use case makes sense. The market guide notes that there is no one “right” choice in how or where these products and services are used. Viable and defensible use cases range from tactical to strategic (i.e., speed of analysis required) and from technical to business (i.e. security operations versus risk management).
A Great Place to Start
We believe a key insight in this new Market Guide is that organizations tend to underrate their ability to capture and leverage the TI they create internally today. Leveraging this intelligence is often a great place to start to build a competent internal TI capability. As Gartner notes, “A good starting point in any program is to improve the things you already have.” This can mean, for example, gaining better understanding of the data coming out of SIEM, firewall, IDPS, SWG, and other deployed security controls.
From fairly humble beginnings, organizations can begin to build sophisticated internal capabilities. For example, by gaining an understanding of attackers’ tactics, techniques, and procedures, organizations can become more strategic in their tactical responses and their strategic investments. Or it might be that the most important immediate benefit of a better understanding of threat actors is an insight into which vulnerabilities are being targeted in your organization today. In the short term, the information can be pushed to security devices, while in the medium term it can be used to determine patch management priorities, and more strategically it can be used to inform overall risk profile calculations and systems upgrade requirements.
The Best Foundation
We strongly believe that the best foundation for building a robust TI capability that will support multiple use cases is a platform of threat analyst investigative tools. As Gartner notes, “These tools are used extensively by intelligence analysts, security operations, threat hunters, incident response and forensic professionals.” A solid workbench allows all of these groups to work independently or collaboratively as needed and can help build consistency across investigations.
King and Union’s Avalon workbench supports a rich set of visualization tools that can make sense of a broad set of threat data. By leveraging a broad set of enrichment tools, analysts can quickly bring an accurate picture of a threat into focus. This intelligence can then be distributed through robust reporting tools and then preserved within Avalon for collation to future threats.
Building confidence with early wins is important for any functional team and demonstrating value as part of a broader risk management strategy is specifically important with regard to threat intelligence investments. The proper workbench can provide analysts with the flexibility to tackle multiple use cases with a common set of tools, procedures, and deliverables thereby simplifying the learning curve.
TI is currently a crowded and ill-defined market space. While we recognize that there are many ways to derive value from IT tools, we also believe that the best long term value will be achieved by organizations that find ways to leverage a core set of TI capabilities and internal data sources and to strategically invest in additional feeds to augment and enrich their traditional threat streams.
The TI marketplace will likely consolidate even as the discovery of new use cases drives the entrance of new vendors into the space. The fact that point solutions can provide value is actually a strong endorsement of the utility of these solutions, but organizations would be well served to make TI investment decisions at a more strategic level, with the goal of better understanding how to leverage TI capabilities across use cases and across the organization.
Download the Gartner 2020 Market Guide for Security Threat Intelligence Products and Services today!