Blog
Support

What is a Threat Intelligence Platform (TIP)?

A threat intelligence platform, or TIP, is used to collect, manage, and share threat intelligence.

Purpose of a Threat Intelligence Platform

Today’s cybersecurity landscape is marked by a few common issues – massive volumes of data, lack of analysts, and increasingly complex adversarial attacks. Current security infrastructures offer many tools to manage this information but little integration between them. This translates to a frustrating amount of engineering effort to manage systems and an inevitable waste of already limited resources and time. To combat these issues, many companies are choosing to implement a Threat Intelligence Platform (TIP).

Threat Intelligence Platform (TIP) Definition:


Threat Intelligence Platforms can be deployed as a SaaS or on-premise solution to facilitate the management of cyber threat intelligence and associated entities such as actors, campaigns, incidents, signatures, bulletins, and TTPs. It is defined by its capability to perform four key functions:

  • Aggregation of intelligence from multiple sources
  • Curation, normalization, enrichment, and risk scoring of data
  • Integrations with existing security systems
78%
Say threat intelligence critical for achieving strong security posture
70%
Organizations say they’re swamped by cyberthreat data

Breaking Down "TIP"

Threat

The potential for any other party to access or interfere with the normal planned operations of an information network. Common threats today include:

APT
Botnets
DDOS
Ransomware

Intelligence

Knowledge of a threat gained by human analysts or identified by events within the system. Intelligence is a broad term, but a TIP presents analysts with specific kinds of intelligence that can be automated, including:

Technical knowledge of attacks, including indicators
Finished intelligence – the output of human beings looking at the available information and reaching conclusions about situational awareness, predicting potential outcomes or future attacks, or estimating adversary capabilities
Human intelligence – any intelligence gathered by humans, such as lurking within forums to check for suspicious activity

Platform

A packaged product that integrates with existing tools and products, presenting a threat intelligence management system that automates and simplifies much of the work analysts have traditionally done themselves.

Who Uses a TIP?

A Threat Intelligence Platform is useful to many parties within an organization.

Security Operations Center (SOC) teams

ThreatStream customers can easily trial and purchase threat intelligence from APP Store partners. Find the right intelligence for your organization, industry, geography, threat type, and more.

Threat intelligence teams

ThreatStream customers can trial and purchase data enrichment services, sandboxes, and other analytic tools directly from Anomali APP Store partners. Identify the right enrichment data and analysis tools to add context to your indicators.

Management and executive teams

ThreatStream provides the industry’s most complete set of proven, turnkey integrations into leading enterprise SIEM, EDR, firewall, SOAR, and other security controls, delivering fast time to value.

Data Aggregation

A Threat Intelligence Platform automatically collects and reconciles data from various sources and formats. Ingesting information from a variety of sources is a critical component to having a strong security infrastructure. Supported sources and formats include:

Sources:

Open source
Third party paid
Government
Trusted Sharing Communities (ISACs)
Internal

Formats:

STIX/TAXII
JSON and XML
Email
CSV, TXT, PDF, Microsoft Word document

Normalization and Enrichment of Data

Collecting data across a wide variety of threat intelligence feeds results in millions of indicators to sort through per day, making it vital to process data efficiently. Processing includes several steps but is comprised of three main elements- normalization, de-duplication, and enrichment of data.

These are expensive to address in regards to computational exertion, analyst time, and money. A Threat Intelligence Platform automates these processes, freeing analysts to analyze rather than manage collected data.

Normalization – Consolidating data across different sources formats
De-Duplication – Removal of duplicate information
Enrichment – Removal of false positives, scoring of indicators, and the addition of context

TIP Integrations

Data that has been normalized, vetted, and enriched must then be delivered to systems that can use it for automated enforcement and monitoring. The purpose of this is to provide these technologies with what is essentially a “cyber no-fly list”, much like the kind of no-fly list you might encounter at an airport. Based on background knowledge, certain IPs, domains, and more should not be accessed or allowed within the network.

A Threat Intelligence Platform works with SIEM and log management system vendors behind the scenes, pulling down indicators to push across to security solutions within the customer network infrastructure. The burden of establishing and maintaining these integrations is therefore lifted from the analysts and instead shifted over to the SIEM and TIP vendors.

Possible security product integrations include:

SIEM
Endpoint
Firewall
IPS
API

Threat Analysis and Response

A Threat Intelligence Platform provides features that aid with analysis of potential threats and corresponding mitigation. More specifically, these features help analysts to:

Explore threats
Provide investigation workflows
Understand the broader context and implications of threats
Share information

A TIP will take all the possible data, enrichments, and other context available and display this information in ways that provide value, such as in dashboards, rulers, alerts, and notes.

A Threat Intelligence Platform also aids analysts by automating the research and collection processes, significantly reducing response time. Some specific functionalities of the analysis part of a Threat Intelligence Platform include:

Support for indicator expansion and research
Incident escalation and response processes
Analyst workflow processes
Producing intelligence products and sharing them with stakeholders

Learn More About Threat Intelligence Platforms

White Paper

Five Challenges to Operationalizing Threat Intelligence and How to Overcome Them

Read the whitepaper

White Paper

2022 Frost & Sullivan Market Leadership Award for Global Threat Intelligence

Read the whitepaper

White Paper

GigaOm Radar for Threat Intelligence Solutions

Read the whitepaper

White Paper

ROI Study: ESG Economic Validation-Analyzing the ROI of The Anomali Platform

Read the whitepaper

Datasheet

Anomali AirGap Datasheet

Read the datasheet

Datasheet

Anomali Sandbox Datasheet

Read the datasheet

Datasheet

Anomali Solution Product Brochure

Read the datasheet

Case Study

Blackhawk Network Customer Case Study

read the casestudy

eBook

Artificial Intelligence in Insider Threat Detection

Read the ebook

eBook

Cybersecurity Insights 2022 - A Vertical Look

Read the ebook

Infographic

The Need to Focus on the Adversary

view infographic

Video

Anomali ThreatStream Explainer Video

Watch video

Video

TahawulTech.com Interview with Anomali: Cyber Threats Facing the Middle East

Watch video

Video

TechStrong TV Interviews Anomali

Watch video

Podcast

CISO Series Defense in Depth: The Iran Cybersecurity Threat

Watch video
No items found.

BLOG

5 Crucial Use Cases for Threat Intelligence Platforms

Read the blog

BLOG

How to Create a Threat Model: Step-by-Step Guide and Best Practices

Read the blog

BLOG

How AI is Driving the Evolution of Threat Intelligence

Read the blog

BLOG

Leveraging Data Enrichment in Cyber Threat Intelligence (CTI)

Read the blog

BLOG

A Deep Dive into Different Types of Threat Intelligence

Read the blog

BLOG

Using Threat Intelligence to Enhance Phishing Defense Strategies

Read the blog

BLOG

Dealing with Security Threats at Scale

Read the blog

BLOG

Threat Intelligence is a Core Component of a Zero Trust Architecture (ZTA)

Read the blog

BLOG

Anomali Earns Frost and Sullivan Market Leadership Award for Threat Intelligence Management Platforms

Read the blog

BLOG

Increased Microsoft Sentinel benefits Using Anomali ThreatStream

Read the blog

BLOG

The Need to Share

Read the blog

BLOG

Why are Organizations Suffering from a Lack of Threat Intelligence Information?

Read the blog

BLOG

Is XDR Right for Your Enterprise? To Answer the Question, You Need to Know What XDR Is

Read the blog

BLOG

Anomali November Quarterly Product Release

Read the blog

BLOG

Climbing the Threat Intelligence Maturity Curve

Read the blog

BLOG

Anomali ThreatStream Sunburst Backdoor Custom Dashboard Provides Machine Readable IOCs Related To SolarWinds Supply Chain Attack

Read the blog

BLOG

Anomali December Release: The Need for Speed

Read the blog

BLOG

Threat Intelligence Platforms, Tracking More than Just Threats

Read the blog

BLOG

How To Choose The Right Threat Intelligence Platform For You

Read the blog

BLOG

Making Sense of a 'Threat Intelligence Platform'

Read the blog

BLOG

Verizon Launches Threat Intelligence Platform Service in Partnership with Anomali

Read the blog

BLOG

Anomali Announces New Threat Platform and SDKs at Detect '18

Read the blog

BLOG

Tracking Your Adversary with a Threat Intelligence Platform

Read the blog
Sort By Date (Desc)
Browse all resources