Threat Intelligence for the 99 Percent - Part 6: Building Your Own - Tools

Welcome to the latest edition of our ongoing blog series, Threat Intelligence for the 99%. Last time, we examined the types of cyber threat intelligence (CTI) feeds you need to consider when putting together a program for threat intelligence.

This time, we’ll look at the kinds of threat intelligence tools that should be on your radar as you build out CTI capabilities. Similar to the categories of feeds to consider, there are free tools and paid tools out there and we’ll provide you the information you need here to make an informed decision on the best course for your organization.

Data Enrichment tools: Get ready to code

Data Enrichment tools—both paid and open source ones—are critical for turning cyber threat intelligence data into action. But to use these tools, you will need to know how to code. This can be a tough thing for many security organizations who find their genesis through network engineering or risk and not coding.

Understanding database concepts is also a key skill needed to use enrichment tools, because you’ll need to design data structures that are meaningful enough to drive action on the threat intelligence you receive.

Back in Part 3 of this series we likened how ready your organization may be for implementing a CTI program to being “tall enough to ride the ride.” If you don’t have those previously stated skills, you will struggle with taking the data, putting it in the correct formats, enriching it in the factory and then actually being able to push it off into action. Those foundations are critical.

Requirements for open source CTI tools

With open source tools for CTI, you’ll need to be prepared to code more than you would with paid tools, because it tends to lean towards engineering as a discipline. Part of the value for paid tooling is they do some of the heavy lift for their customers. There would be some coding required, but not as much as in open source.

A data store is also imperative for using open source cyber threat intelligence tools. This is because it’s essential to have a place to store the information you’re gathering for enrichment, plus you need the ability to manipulate it. There’s a methodology needed to understand how to move data through its phases and some basic disciplines of data management and information governance.

Without these necessities in place, you will be challenged to repeat the processes around a CTI program over time. Part of why you implement tooling is to create a repeatable process that can be demonstrated over time.

Paid Cyber Threat Intelligence Tools: What you need to know

With paid CTI tools, there is a big lift on price. In the last edition, we discussed paid feeds that include platforms and those platforms have the tools you can use for CTI. These platforms include an  infrastructure with work flows, enrichment plugs and APIs. And, you want to make sure you ask about professional services to help you with implementation for these paid tools. You aren’t going to get that with open source.

Caution with paid tools: the more open the ecosystem for the tools, the better off you will be. Getting hooked into a closed ecosystem isn’t the best approach. You want something with APIs that can accept multitudes of feeds from different vendors in different formats.

With some of the paid cyber threat intelligence tools, it’s required to do data manipulation ahead of time to use the feed. The less you have to do of that, the better the paid platform. It should be turn-key, that's what you're paying for.

Another word of caution: the paid cyber threat intelligence tools market had a flurry of activity about five years ago, and now it’s a consolidating market. You’ll need to practice good vendor management as you consider options for this. What’s the viability of the vendor? What round of funding are they on? What’s their exit strategy? The last thing you want is to be left holding the bag right after an implementation.

Lastly, you must consider where these threat intelligence tools are going to live. Are you putting them in your own environment? Are you going to put them up on Amazon? If you look at cloud delivery for tools, be mindful that this tends to be very data-intensive, so be careful about cloud workloads in these spaces because it could cost you a lot of money.

In the next edition of our series, we’ll look at how you stich together the different pieces you’ve acquired to build a real CTI program.

Want to learn more about how to boost your threat intelligence program? Come see us at RSA Conference at the Moscone Center in San Francisco at Booth 935 from March 4-8.