Full Lifecycle Threat Intelligence and Response

Threat intelligence has become as essential to enterprise security programs as network monitoring, endpoint protection, controlled use of admin privileges, and a host of other “must do” activities. If the goal of the security program is to mitigate risk from cyber attacks and security incidents, then it must take into account vulnerabilities and threats. In fact, a common formula for determining cyber risk is: Risk = Threat × Vulnerability × Impact. It is therefore no surprise that the last several years have seen an expansion of the number and types of threat resources available for enterprise use. From open source threat feeds to community group sharing to media reports and vendor offerings, companies have no dearth of ways to learn about current threats and vulnerabilities.

Yet, 62% of threat intelligence users are unsatisfied with their existing solution.[1] Threat intelligence, though vastly improved over the last 8-10 years, has historically relied on manual processes and human analysis. The reason is the incompatibility of the disparate sources from which threat intelligence is derived (including internal tools such as the organization's SIEM), and the need to standardize, correlate, de-duplicate, contextualize, and analyze all of them to gain a holistic, company-specific threat picture. And intelligence, challenging as it is, is just the first step; useful intelligence is the backbone of prevention and remediation efforts.
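To make the "standardize, correlate, de-duplicate, contextualize" step concrete, here is an added example (not part of the original article, and not IntSights' code) that merges indicators from two hypothetical feeds delivered in inconsistent formats, correlates them against constructed SIEM sightings, and ranks the result. The feed names, indicator values, and hostnames are all constructed sample data.

```python
import re

# Constructed sample input: the same indicators as two disparate sources would
# deliver them, in deliberately inconsistent formats (defanged URLs, "[.]"-escaped
# domains, mixed-case hashes, trailing dots, stray whitespace). Not real feed data.
FEEDS = {
    "feed_a": [
        {"type": "domain", "value": "Evil-Update.Example.", "confidence": 70},
        {"type": "sha256", "value": "AB12CD34" * 8, "confidence": 90},
        {"type": "ipv4", "value": " 203.0.113.7 ", "confidence": 60},
    ],
    "feed_b": [
        {"type": "url", "value": "hxxp://evil-update[.]example/payload.bin", "confidence": 80},
        {"type": "domain", "value": "evil-update[.]example", "confidence": 85},
        {"type": "sha256", "value": "ab12cd34" * 8, "confidence": 75},
    ],
}

# Constructed sample of what the organisation's own SIEM has already logged.
SIEM_HITS = [
    {"type": "ipv4", "value": "203.0.113.7", "host": "web-03"},
    {"type": "domain", "value": "evil-update.example", "host": "ws-117"},
]

_DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")]


def refang(value: str) -> str:
    """Undo common defanging so 'hxxp://a[.]b' and 'http://a.b' compare equal."""
    out = value.strip()
    for bad, good in _DEFANG:
        out = out.replace(bad, good)
    return out


def normalize(ioc_type: str, value: str) -> str:
    """Canonical form per indicator type; this is the de-duplication key."""
    v = refang(value)
    if ioc_type == "domain":
        return v.lower().rstrip(".")
    if ioc_type in ("md5", "sha1", "sha256"):
        return v.lower()
    if ioc_type == "url":
        # Scheme and host are case-insensitive; the path is not, so lower only those.
        m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*://[^/]+)(.*)$", v)
        return (m.group(1).lower() + m.group(2)) if m else v
    return v  # ipv4 and anything else: whitespace-trimmed as-is


def merge_feeds(feeds: dict) -> dict:
    """Standardise and de-duplicate across sources, keeping the best confidence seen."""
    merged = {}
    for source, entries in feeds.items():
        for e in entries:
            key = (e["type"], normalize(e["type"], e["value"]))
            rec = merged.setdefault(key, {"type": key[0], "value": key[1],
                                          "sources": set(), "confidence": 0})
            rec["sources"].add(source)
            rec["confidence"] = max(rec["confidence"], e["confidence"])
    return merged


def correlate(merged: dict, siem_hits: list) -> dict:
    """Contextualise external indicators with internal sightings from the SIEM."""
    for rec in merged.values():
        rec["seen_on"] = []
    for hit in siem_hits:
        key = (hit["type"], normalize(hit["type"], hit["value"]))
        if key in merged:
            merged[key]["seen_on"].append(hit["host"])
    return merged


def prioritize(merged: dict) -> list:
    """Internally-sighted indicators first, then by number of agreeing sources, then confidence."""
    return sorted(merged.values(),
                  key=lambda r: (-len(r["seen_on"]), -len(r["sources"]), -r["confidence"]))


def build_threat_picture(feeds=FEEDS, siem_hits=SIEM_HITS) -> list:
    return prioritize(correlate(merge_feeds(feeds), siem_hits))


if __name__ == "__main__":
    for r in build_threat_picture():
        print(f'{r["type"]:7} {r["value"][:44]:44} sources={sorted(r["sources"])} '
              f'conf={r["confidence"]} seen_on={r["seen_on"]}')
```

Six raw entries collapse to four distinct indicators, and the two that the SIEM has already seen on internal hosts rise to the top regardless of feed confidence; that internal correlation is exactly what a raw feed cannot provide.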

In 2015, Guy Nizan (CEO), Alon Arvatz (CPO), and Gal Ben David (CTO), three cyber security practitioners in Israel, decided to jump into the threat intelligence game and founded IntSights. With several threat intelligence companies already prevalent in the commercial market, the co-founders didn’t want to compete on quantity of sources collected or even perceived quality of gathered external data alone. Their vision was to build a platform that organizations could use to understand the totality of their risk exposure. This meant looking beyond threat feeds—anyone with an internet connection and surface understanding of the deep and dark web could theoretically generate a “threat feed”—and incorporating individual information about each customer. This included deployed assets, digital footprint, and unique exposures, such as the public profiles of company executives.

But contextualization was only the starting point. The IntSights founders knew that to truly differentiate, the company would need to offer a product suite that went beyond data collection, correlation, enrichment, and analysis. Speaking to IntSights’ CSO, Etay Maor, and Sr. Director, Product & Solutions Marketing, Phil Marshall, they explained to Ed and me that the company’s philosophy is to look at threats in a holistic way. That is, they offer four products (with more in the pipeline) plus services that take customers through the threat lifecycle, starting with identifying indicators of compromise (IoCs) and finishing with response and remediation.

More than threat intel

“What’s so different about IntSights,” said Maor, “is the holistic strategy. When the team first approached me about joining the company, my reaction was, ‘There are already many threat intelligence platforms on the market and plenty of ways to collect threat data.’ But then I looked at the platform, strategy and roadmap and realized they were doing something beyond traditional threat intelligence.”

Marshall then walked us through the offerings: Threat Command, which is asset-based intelligence (including digital footprint and human assets); a Threat Intelligence Platform (TIP), which includes IoC enrichment and prioritization, visualizations, and blocking capabilities; and Threat Orchestration, which allows customers to automatically build policies that can be pushed to deployed security tools. Included in all these modules are alerting and one-click remediation. Response capabilities cover credential lockdown, phishing blocking and password reset, blacklisting, and requesting takedowns of hijacked or malicious domains that impersonate the customer’s brand.

IntSights also offers Vulnerability Risk Analyzer, a CVE/CVSS score enrichment tool that combines external threat data with internal asset information to derive a risk score unique to the customer. Patch prioritization is then built from that score so customers can manage and mitigate vulnerabilities and satisfy compliance requirements. Threat hunting and research services, including threat actor engagement, are also offered.
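The idea behind enriching a CVSS score with external threat data and internal asset information can be shown with a small worked example. This is an added illustration of the general approach, not IntSights' scoring algorithm or code, and it follows the Risk = Threat × Vulnerability × Impact formula from the opening of the article. The CVE identifiers, CVSS values, hostnames and criticality ratings below are constructed placeholders; the multipliers and patch windows are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# Constructed internal asset inventory: hostname -> business criticality (1..5)
# and whether the host is reachable from the internet.
ASSETS = {
    "web-03": {"criticality": 5, "internet_facing": True},
    "db-01": {"criticality": 4, "internet_facing": False},
    "ws-117": {"criticality": 2, "internet_facing": False},
    "build-07": {"criticality": 2, "internet_facing": False},
}


@dataclass
class Vuln:
    cve: str                 # placeholder IDs below are constructed, not real CVEs
    cvss_base: float         # CVSS base score as published in the advisory
    exploited_in_wild: bool  # external threat data: active exploitation observed
    exploit_public: bool     # external threat data: public exploit / PoC code exists
    affected_hosts: list     # from internal scan results / asset inventory


# Constructed sample findings. Note that by raw CVSS alone 0001 would be patched first.
VULNS = [
    Vuln("CVE-2099-0001", 9.8, False, False, ["build-07"]),
    Vuln("CVE-2099-0002", 7.5, True, False, ["web-03", "ws-117"]),
    Vuln("CVE-2099-0003", 8.8, False, True, ["db-01"]),
    Vuln("CVE-2099-0004", 9.1, True, True, []),   # not present on any asset
]


def threat_factor(v: Vuln) -> float:
    """External threat context: active exploitation outweighs a public PoC (assumed weights)."""
    if v.exploited_in_wild:
        return 2.0
    if v.exploit_public:
        return 1.5
    return 1.0


def impact_factor(hosts: list, assets: dict = ASSETS) -> float:
    """Internal context: worst-case affected asset, scaled by criticality and exposure."""
    if not hosts:
        return 0.0  # vulnerability not deployed anywhere -> no impact
    weights = []
    for h in hosts:
        # Unknown host: assume medium criticality and exposed, so gaps in the
        # inventory raise rather than silently lower the score.
        a = assets.get(h, {"criticality": 3, "internet_facing": True})
        weights.append(a["criticality"] / 5 * (1.5 if a["internet_facing"] else 1.0))
    return max(weights)


def risk_score(v: Vuln, assets: dict = ASSETS) -> float:
    """Risk = Threat x Vulnerability (CVSS) x Impact, rounded for reporting."""
    return round(v.cvss_base * threat_factor(v) * impact_factor(v.affected_hosts, assets), 2)


def patch_window_days(score: float):
    """Assumed remediation SLA bands; a real program takes these from its policy."""
    if score == 0:
        return None  # nothing to patch
    if score >= 15:
        return 7
    if score >= 5:
        return 30
    return 90


def prioritize(vulns: list = VULNS, assets: dict = ASSETS) -> list:
    """Return (cve, score, due_in_days) tuples, highest contextual risk first."""
    ranked = []
    for v in vulns:
        s = risk_score(v, assets)
        ranked.append((v.cve, s, patch_window_days(s)))
    return sorted(ranked, key=lambda r: -r[1])


if __name__ == "__main__":
    for cve, score, days in prioritize():
        print(f"{cve}  risk={score:6.2f}  patch within: {days} days")
```

The ordering that falls out is the point: the CVSS 7.5 issue that is being exploited in the wild on an internet-facing critical host ranks far above the CVSS 9.8 issue that sits only on a low-value internal build box, and the 9.1 that is not present on any asset drops out of the queue entirely.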

Comparing IntSights to other companies in the threat intelligence space doesn’t seem to do IntSights justice, given that their capabilities extend to security orchestration, automation and response (SOAR). However, SOAR comparisons aren’t exactly fair, either, given IntSights’ TIP and dedicated threat takedown team. “Our analyst team works directly with customers and they’re available 24/7,” said Maor. “We have an ‘Ask an Analyst’ option in the platform so customers can have immediate access to CTI analysts to ask questions or help with operational needs. Our security services program doesn’t just train on our products; we help customers improve their own threat analysis. Automation is a key component of our solutions—a big differentiator—but risk management will always require humans so we want to help people get better.”

The competitive advantage

Thus, the real competitive advantage for IntSights is that they are a hybrid of threat intelligence and incident response. Being able to move fluidly between fully automated response (active threat identification, blocking, and takedown requests) and an in-house team of experts for training and analysis enrichment is what sets the offering apart for customers. The degree to which IntSights integrates with third-party monitoring and response tools (20+ integrations) also means customers gain broad coverage without necessarily changing established processes.

While the barrier to entering the threat intel business may not be high (depending on how you define “intelligence”), the barrier to usefulness is. Research shows[2] that users find traditional threat intelligence time consuming, due to a lack of automation, and not specific enough to their organization and brand. What’s more, the same research indicates that blocking threats, managing identified threats, and responding to incidents are the top use cases for threat intelligence. IntSights is well positioned to satisfy the need for effortless, contextualized intelligence and response capabilities.