Is there a common threat intelligence tool that aggregates multiple threat intelligence sources?
I'm looking for a threat intelligence tool that can aggregate multiple threat intelligence sources. Is this type of tool available? If so, how much do these services cost?
There are several tools available - we use AlienVault from AT&T.
It provides a full view from the Desktop to the Network Firewall to the Cloud and Application threats across multiple locations via WAN as well as multiple servers within your LAN.
Director of Community at PeerSpot (formerly IT Central Station)
Community Manager
Aug 7, 2021
@Joe Tinaglia please avoid posting any marketing/sales content. This sort of content isn't allowed according to the IT Central Station Guidelines (see section "Help Others").
The discussions should be relevant to the topic and professional only.
Thanks for respecting our policy.
There are two approaches to answer your needs. You can either select:
1. SIEM / SOC Platform that could ingest more than 1 TI feed service
2. Threat Intelligence Platform
If you are looking to simply integrate the TI sources into one single centralized system, for instance a SIEM, you would choose option 1 because it will be investment effective.
LogRhythm, QRadar, Stellar Cyber, Splunk and AlienVault are among the tools to go for.
If you are looking to integrate with more than one target system inside your organization, go for a centralized Threat Intelligence Platform. The best one in the market is no doubt the Anomali Threat Intelligence Platform, while ThreatQuotient and EclecticIQ still have to catch up a lot. The benefit of using the Anomali Threat Intelligence Platform, for example, is that you can actually manage multiple integrations to target systems such as SIEM, SOC Platform, NGFW, IPS, and others. This platform will provide you with great simplicity for an organization which is reasonably large with multiple cybersecurity solutions.
Be wary: a Threat Intelligence Platform is not investment friendly, as its cost could be unjustified if you can't consider all the benefits it provides. With a TIP, you are expected to manage Threat Intelligence actively inside your organization, selecting and making the most of all the TI feed services out there (community, freemium and premium services). You would need a dedicated team of CTI Analysts to benefit from the use of a Threat Intelligence Platform - otherwise it will be a waste of time and investment.
At the end of the day, you could also opt for an open source STIX / TAXII client as a more cost-effective alternative solution, depending on the complexity of your requirements and your budget.
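The open-source STIX/TAXII route mentioned in the answer above, as an added example that is not part of the original thread and not any vendor's code: a small dependency-free Python aggregator that takes STIX 2.1 indicator bundles from several feeds, normalizes and de-duplicates the observables, unions their labels, keeps the highest reported confidence, and records which feeds corroborate each indicator before the result is handed to a SIEM lookup table or firewall block list. The TAXII fetch is replaced by two constructed in-memory bundles so it runs offline; the feed names, the placeholder object ids, the sample indicators (documentation IP ranges and a reserved example domain) and the single-comparison pattern subset it handles are all assumptions of this example.

```python
"""Aggregate STIX 2.1 indicators from several feeds into one de-duplicated list.

Added example (not from the original thread): the merge step an open-source
STIX/TAXII client would perform before pushing indicators to a SIEM or firewall.
The TAXII fetch is replaced by constructed in-memory bundles so the script runs
offline; feed names, object ids and indicator values are illustrative only.
"""
import json
import re

# Only single-comparison STIX patterns are handled here, e.g.
# [ipv4-addr:value = '203.0.113.5'] or [domain-name:value = 'bad.example'].
# Compound patterns (AND / OR / FOLLOWEDBY) are skipped rather than mis-parsed.
_SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):value\s*=\s*'([^']+)'\]$")


def _indicator(obj_id, pattern, labels, confidence):
    """Build a minimal STIX 2.1 indicator object for the constructed feeds."""
    return {"type": "indicator", "id": obj_id, "spec_version": "2.1",
            "pattern_type": "stix", "pattern": pattern, "labels": labels,
            "confidence": confidence, "valid_from": "2021-08-01T00:00:00Z"}


# Constructed sample feeds (assumption): two bundles that overlap on two indicators.
SAMPLE_FEEDS = {
    "feed-a": json.dumps({"type": "bundle", "id": "bundle--feed-a-0001", "objects": [
        _indicator("indicator--a-0001", "[ipv4-addr:value = '203.0.113.5']",
                   ["malicious-activity"], 70),
        _indicator("indicator--a-0002", "[domain-name:value = 'bad.example']",
                   ["malicious-activity"], 50),
        # Non-indicator objects are common in bundles and must be ignored.
        {"type": "identity", "id": "identity--a-0001", "spec_version": "2.1",
         "name": "Feed A", "identity_class": "organization"},
    ]}),
    "feed-b": json.dumps({"type": "bundle", "id": "bundle--feed-b-0001", "objects": [
        # Same IP as feed-a, with higher confidence and an extra label.
        _indicator("indicator--b-0001", "[ipv4-addr:value = '203.0.113.5']",
                   ["malicious-activity", "anomalous-activity"], 85),
        # Same domain as feed-a but in different case: must de-duplicate.
        _indicator("indicator--b-0002", "[domain-name:value = 'BAD.example']",
                   ["malicious-activity"], 60),
        _indicator("indicator--b-0003", "[ipv4-addr:value = '198.51.100.77']",
                   ["anomalous-activity"], 40),
        # Compound pattern: outside the subset this example handles, so skipped.
        _indicator("indicator--b-0004",
                   "[ipv4-addr:value = '198.51.100.1' AND ipv4-addr:value = '198.51.100.2']",
                   ["malicious-activity"], 30),
    ]}),
}


def parse_feed(feed_name, raw_bundle):
    """Yield (observable_type, value, labels, confidence, feed_name) for each
    indicator in a STIX 2.1 bundle whose pattern is a single equality test.
    Values are lower-cased so the same domain in different case merges."""
    bundle = json.loads(raw_bundle)
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        match = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not match:
            continue  # compound or unsupported pattern: skip, do not guess
        yield (match.group(1), match.group(2).lower(), set(obj.get("labels", [])),
               int(obj.get("confidence", 0)), feed_name)


def aggregate(feeds):
    """Merge {feed_name: raw_bundle_json} into one list keyed on (type, value).
    Labels are unioned, the highest confidence wins, and every contributing
    feed is kept so an analyst can see corroboration across sources.
    Indicators seen by more feeds sort first."""
    merged = {}
    for name, raw in feeds.items():
        for otype, value, labels, conf, src in parse_feed(name, raw):
            entry = merged.setdefault((otype, value), {
                "type": otype, "value": value, "labels": set(),
                "confidence": 0, "sources": []})
            entry["labels"] |= labels
            entry["confidence"] = max(entry["confidence"], conf)
            if src not in entry["sources"]:
                entry["sources"].append(src)
    for entry in merged.values():
        entry["labels"] = sorted(entry["labels"])
        entry["sources"] = sorted(entry["sources"])
    return sorted(merged.values(),
                  key=lambda e: (-len(e["sources"]), e["type"], e["value"]))


def to_csv_lines(entries):
    """Flatten the merged list into CSV lines, the lowest-common-denominator
    format that SIEM lookup tables and firewall block lists generally accept."""
    lines = ["type,value,confidence,sources,labels"]
    for e in entries:
        lines.append("%s,%s,%d,%s,%s" % (e["type"], e["value"], e["confidence"],
                                          "|".join(e["sources"]), "|".join(e["labels"])))
    return lines


if __name__ == "__main__":
    print("\n".join(to_csv_lines(aggregate(SAMPLE_FEEDS))))
```

The merge policy (max confidence, unioned labels, corroboration count as the sort key) is a deliberate choice for this example; a real deployment would also expire indicators on `valid_until`, keep the feed-specific confidence values side by side rather than collapsing them, and push the compound patterns it skips here through a full STIX pattern evaluator instead of dropping them.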
Yes, Azure Sentinel is a SIEM in the Cloud. Multiple data sources can be uploaded and analyzed with Azure Sentinel and its Threat Hunting functionality, with AI available as templates or customized by each customer. The cost of the tool is based on the amount of data to be imported (Microsoft 365 and Azure are free) and on the data retention time. Example: Azure Sentinel Pricing | Microsoft Azure
National Sales Director at WaveRider Security Inc.
Reseller
Aug 4, 2021
Yes.
"Advanced persistent threats (APT) penetrate networks and stay hidden through any number of targeted and difficult-to-detect means including spear phishing, credential theft or web app vulnerabilities.
Once inside, they use native operating system functions, credential dumping and human error to opportunistically seek higher-value targets and data. These types of attacks can be extremely damaging, difficult to remediate and much longer-lived – often 200+ days of dwell time. EDR telemetry becomes too limited in scope and volume to help, usually maxing out at 30 days.
Organizations can cost-effectively store one year of rich endpoint telemetry with deep integration between Tanium and Chronicle. Incident response teams and analysts will have drastically improved ability to hunt, investigate and fully scope advanced threats with sub-second search latency across endpoint and other data sources such as DNS, proxy and firewall logs."
Check this out: https://www.tanium.com/resources/data-drive-threat-hunting-tanium-chronicle
Chronicle Benefits:
○ Pricing: One year of stored endpoint telemetry at a per-endpoint price (Fixed Cost). MSP pricing includes the Tanium Client Agent for the Threat Response, Compliance, and Remediation modules. There are CORE modules that allow us to deploy the agent and generate discovery and asset reports with zero infrastructure and VPN requirements, bringing 300 endpoints to 5 million under complete visibility and management within hours depending on the size of the customer.
○ Infinite Elasticity: with a backend built on core Google infrastructure
○ Instant Search: across a full year of security telemetry to uncover latent threats
○ Cloud-native: solution built to auto-scale and eliminate data management overhead
○ Intelligent Data Fusion
○ Modern Threat Detection
○ Continuous IoC Matching
○ Hunt at Google Speed
○ Self-Managed (per scope of work)
○ Disruptive Economics
A Threat Intelligence Platform (TIP) is a solution that collects, analyzes, and distributes threat intelligence data. TIPs can help organizations to identify and mitigate cyber threats by providing them with insights into known and emerging threats.
You can look at Anomali, which is a Threat Intel Platform (TIP).
Thanks.
Hi, I have left the job, so I don't know the exact count. But yes, SlashNext is providing a very good service regarding threat intelligence.
IntSights, Recorded Future, Cybersixgill, and so on.
Maybe Greymatter from Reliaquest could help?
Azure Sentinel SIEM, and I think ArcSight SIEM too.