
Key Criteria for Evaluating Threat Intelligence Solutions v1.0

An Evaluation Guide for Technology Decision Makers

Table of Contents

  1. Summary
  2. Threat Intelligence Solutions Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Brenton Bowen

1. Summary

Effective risk-based cyber-defense strategies and infrastructures rely on validated and actionable threat intelligence (TI). Comprehensive solutions collect or procure threat intelligence data from disparate sources, then subject it to a variety of procedures to render it intelligible, accessible, and usable for developing and prioritizing security strategies against previously unknown threats. The objective is to accelerate workflows for analysts and stakeholders making decisions about risk management across all domains in an enterprise.

There are two main groups of threat intelligence solutions, but they share the same objective: to help organizations protect their environments, endpoints, and assets from cyber threats.

  • Threat intelligence platforms (TIPs) work by correlating events, logs, and telemetry data against the database of threat data intelligence.
  • Threat intelligence providers take a more focused approach by scoping the collection and correlation of intelligence through queries or client-specific programs.

Whether to implement a TIP or a provider depends on the organization’s specific requirements and use case. Security operations and vulnerability management will see a boost from the broader collection and correlation of a TIP, and threat hunters will see immediate value from the precision of TI providers. In some scenarios, an enterprise would need to use both to achieve its security objectives. Several of the TIPs in the corresponding Radar report have partnerships with TI providers and source some of their threat intelligence from those databases through their APIs.

An intelligence-based approach to security operations has steadily grown as the threat landscape, and the amount of data required to implement an intelligence-led cybersecurity framework, increased exponentially year over year. Modern threat intelligence is a big data problem. Moreover, there has been a shift away from vendor-created detection rules. Detection engineers need contextual threat intelligence to build effective detection controls. Threat intelligence solutions provide the information to accelerate the development of contextual detection controls based on real-world data. This approach is logical; enterprise detections will almost always be more effective if written by the enterprise’s internal engineering team, based on threat intelligence contextualized for their own systems, endpoints, and infrastructure.

Threat intelligence solutions are designed to be the single source of truth driving the priorities for risk management strategies. Many security organizations are not equipped to handle the volume of threat data they are currently receiving. Threat intelligence is still an evolving space, and security teams are often overwhelmed by threat data when using a poor threat intelligence solution, wasting time working through the noise as they search for actionable threat intelligence.
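The two behaviors described above, a TIP correlating events and logs against an indicator database, and the need to filter threat data so analysts are not buried in noise, can be made concrete with a small correlator. The following is an added example written for this page; it is not code from GigaOm or from any vendor in the report. The feed records, log lines, confidence thresholds, and the age-decayed priority score are all constructed assumptions chosen to illustrate the idea, not a real provider's format or scoring.

```python
"""Toy threat-intelligence correlator (added example, not GigaOm's or a vendor's code).

Indicators from several feeds are normalised, filtered for quality (confidence
and freshness), then matched against log events so that only prioritised,
actionable hits reach an analyst. All feeds, indicators and log lines below
are constructed sample data.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible (assumption for the demo).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Indicator:
    kind: str            # "ipv4" | "domain" | "sha256"
    value: str           # normalised value
    source: str          # feed name (constructed)
    confidence: int      # 0-100 as reported by the feed
    last_seen: datetime  # last time the feed observed the indicator
    context: str         # threat context attached by the feed


# Constructed feed records in the shape a TIP might receive from several providers.
RAW_FEEDS = [
    {"source": "feed-a", "type": "domain", "value": "Login-Update[.]example",
     "confidence": 90, "last_seen": "2024-05-28", "context": "credential phishing kit"},
    {"source": "feed-b", "type": "ipv4", "value": "203.0.113.45",
     "confidence": 80, "last_seen": "2024-05-30", "context": "C2 server"},
    {"source": "feed-b", "type": "ipv4", "value": "198.51.100.7",
     "confidence": 20, "last_seen": "2024-05-30", "context": "scanner"},      # low confidence: noise
    {"source": "feed-c", "type": "domain", "value": "old-malware.example",
     "confidence": 95, "last_seen": "2023-01-10", "context": "retired loader"},  # stale: noise
    {"source": "feed-c", "type": "sha256", "value": "A" * 64,
     "confidence": 70, "last_seen": "2024-05-25", "context": "dropper"},
]

# Constructed log lines (key=value style) from DNS, connection and file telemetry.
SAMPLE_LOGS = [
    "2024-06-01T09:58:01Z src=ws-12 event=dns query=login-update.example",
    "2024-06-01T09:58:03Z src=ws-12 event=conn dst=203.0.113.45 dport=443",
    "2024-06-01T10:01:10Z src=ws-07 event=conn dst=198.51.100.7 dport=22",
    "2024-06-01T10:05:00Z src=ws-07 event=dns query=old-malware.example",
    "2024-06-01T10:07:42Z src=ws-03 event=file sha256=" + "a" * 64,
    "2024-06-01T10:09:00Z src=ws-03 event=conn dst=192.0.2.10 dport=80",
]

# Which log fields carry which indicator type.
FIELD_KINDS = {"query": "domain", "dst": "ipv4", "sha256": "sha256"}


def normalise(kind: str, value: str) -> str | None:
    """Canonicalise an indicator so feed formatting (defanging, case) cannot hide a match."""
    if kind == "domain":
        v = value.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")
        return v if re.fullmatch(r"[a-z0-9.-]+", v) else None
    if kind == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value.replace("[.]", ".")))
        except ValueError:
            return None
    if kind == "sha256":
        v = value.strip().lower()
        return v if re.fullmatch(r"[0-9a-f]{64}", v) else None
    return None


def load_indicators(raw, min_confidence: int = 50,
                    max_age: timedelta = timedelta(days=90)) -> dict[tuple[str, str], Indicator]:
    """Build the lookup table, dropping indicators a TIP would treat as noise."""
    table: dict[tuple[str, str], Indicator] = {}
    for rec in raw:
        value = normalise(rec["type"], rec["value"])
        if value is None:
            continue
        last_seen = datetime.strptime(rec["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if rec["confidence"] < min_confidence or NOW - last_seen > max_age:
            continue
        ind = Indicator(rec["type"], value, rec["source"], rec["confidence"], last_seen, rec["context"])
        key = (rec["type"], value)
        if key not in table or table[key].confidence < ind.confidence:  # keep best record
            table[key] = ind
    return table


def parse_event(line: str) -> dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a field dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def correlate(lines, table) -> list[dict]:
    """Match each event's indicator-bearing fields against the table; rank hits by priority."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for field, kind in FIELD_KINDS.items():
            if field not in ev:
                continue
            value = normalise(kind, ev[field])
            ind = table.get((kind, value)) if value else None
            if ind is None:
                continue
            # Priority: feed confidence decayed by one point per day since last seen (assumed scheme).
            score = ind.confidence - (NOW - ind.last_seen).days
            hits.append({"ts": ev["ts"], "host": ev["src"], "kind": kind, "indicator": ind.value,
                         "source": ind.source, "context": ind.context, "score": score})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGS, load_indicators(RAW_FEEDS)):
        print(f"{hit['score']:3d} {hit['ts']} {hit['host']} {hit['kind']}={hit['indicator']} "
              f"[{hit['source']}: {hit['context']}]")
```

Of the six sample events, only three reach the analyst: the low-confidence scanner IP and the stale loader domain are filtered at load time, and the unlisted address simply does not match. The ranking puts the fresh, high-confidence phishing domain first, which is the kind of prioritisation the report expects a good solution to provide instead of a flat dump of every match.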

Threat intelligence has moved from “nice-to-have” to a requirement across every cybersecurity domain. Attentive vendors have taken notice and are actively developing more advanced solutions based on the changing needs of diverse enterprise threat landscapes. Every element of cybersecurity today—security policies, security frameworks, physical security decisions, alert triage processes, incident response processes, vulnerability management programs, patch prioritization strategies, threat hunting priorities, and network architectures—needs reliable, timely threat intelligence.

The GigaOm Key Criteria and Radar reports provide an overview of the threat intelligence market, identify capabilities (table stakes, key criteria, and emerging technology) and evaluation metrics for selecting a threat intelligence platform, and detail vendors and products that excel. These reports give prospective buyers an overview of the top vendors in this sector and help decision makers evaluate solutions and decide where to invest.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.