A Threat Intelligence Service provides up-to-date information on the current IT security threat situation arising from cyber attacks and other threats. To do this, the service collects data from various sources and makes it available in processed form.
What is a Threat Intelligence Service?
A threat intelligence service addresses the problem that, although a great deal of data exists on existing and new threats to the security of IT systems, it is not available in consolidated form. Companies have to invest a lot of effort and time to sift through the data, filter it, and make it usable for their own environment.
A threat intelligence service is able to collect data from different sources, filter it, analyze it, and provide it in a usable form. Possible formats include data feeds or reports for management and IT managers. Some systems can also supply technical security controls with data that triggers automated actions.
The service provides information on security threats such as cyber attacks, newly discovered software vulnerabilities including zero-day threats, and security holes in hardware systems. The aim is to help companies quickly identify threats and protect their own IT. Those responsible are put in a position to understand the risks, close vulnerabilities, and prevent hacker attacks.
The Threat Intelligence Service prepares the collected data so that only information relevant to the IT actually in use is included. Companies that use a Threat Intelligence Service can close security vulnerabilities and proactively take measures to prevent data loss or IT system failures.
Realization options of a Threat Intelligence Service
How a threat intelligence service is implemented can vary widely. Simple systems collect data feeds from various sources and cleanse them using positive lists (allowlists) or negative lists (denylists) to create a customized data feed for the organization. Other systems are additionally capable of actively notifying the company when threats relevant to it are identified in the data feeds. They generate individual messages in the form of information, warnings, or alerts.
Particularly powerful threat intelligence services aggregate and correlate the detected threats so that the result can be passed directly to security applications such as firewalls. From such information a firewall can automatically set a filter or block certain traffic on its own. A threat intelligence service is available either as a cloud-based service or as an on-premise solution. The services are often billed as time-based subscriptions with a defined scope of functions.
Important functions of a Threat Intelligence Service
Despite the widely differing systems, similar basic functions can be found in all threat intelligence services. Data feeds play a central role. They are provided in many different forms and contain a wide variety of information, ranging from IP addresses detected as a threat, to dangerous domains or phishing URLs, to malware currently in circulation. Information from various sources flows into the data feeds, and the provider enriches them with data from its own databases or self-generated information.
Reports and alerts are another basic function of a Threat Intelligence Service. They can be generated from the data feeds in real time or provided at regular intervals (daily, weekly, monthly…). The reports not only contain information on emerging or existing threat situations but often provide background on motives and originators. The reports or alerts are received by security analysts, IT managers, IT staff, or management. Some solutions can forward the condensed and relevant data directly to security devices such as firewalls or intrusion detection systems. This functionality is usually not included in the basic scope of functions.
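The feed-cleansing step described under realization options (merging feeds, applying positive and negative lists) and the correlation of feed indicators with the organization's own logs to raise alerts, as an added example that is not part of the original article or of any particular product. The feeds, the allowlist and denylist, and the log lines are all constructed; the addresses are documentation ranges, not real indicators.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample feeds from two hypothetical providers (not real indicators).
FEED_A = [
    {"type": "ip", "value": "203.0.113.10", "confidence": 90},
    {"type": "domain", "value": "login-update.example", "confidence": 75},
    {"type": "ip", "value": "198.51.100.7", "confidence": 40},
]
FEED_B = [
    {"type": "ip", "value": "203.0.113.10", "confidence": 60},  # duplicate of FEED_A
    {"type": "url", "value": "http://login-update.example/verify", "confidence": 80},
    {"type": "ip", "value": "192.0.2.5", "confidence": 95},  # inside ALLOWLIST below
]
# Constructed firewall/DNS log lines for the correlation step.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z allow src=10.0.0.5 dst=203.0.113.10 port=443",
    "2024-05-01T10:00:02Z allow src=10.0.0.9 dst=198.51.100.7 port=80",
    "2024-05-01T10:00:03Z dns q=login-update.example client=10.0.0.12",
]
# Positive list: the organization's own ranges must never end up in a block feed.
ALLOWLIST = [ip_network("192.0.2.0/24")]
# Negative list: indicators the organization acts on regardless of feed confidence.
DENYLIST = {"198.51.100.7"}

def consolidate(feeds, allowlist=ALLOWLIST, denylist=DENYLIST, min_confidence=50):
    """Merge feeds, keep the highest confidence per indicator, apply both lists."""
    merged = {}
    for ind in (i for feed in feeds for i in feed):
        key = (ind["type"], ind["value"])
        if key not in merged or ind["confidence"] > merged[key]["confidence"]:
            merged[key] = dict(ind)
    result = []
    for (kind, value), ind in sorted(merged.items()):
        if ind["confidence"] < min_confidence and value not in denylist:
            continue  # too noisy to act on and not forced in by the negative list
        if kind == "ip" and any(ip_address(value) in net for net in allowlist):
            continue  # removed by the positive list
        result.append(ind)
    return result

def correlate(indicators, log_lines):
    """Return one alert per log line whose tokens contain a consolidated indicator."""
    alerts = []
    for line in log_lines:
        tokens = set(re.split(r"[\s=]+", line))  # exact-token match, not substring
        for ind in indicators:
            if ind["value"] in tokens:
                alerts.append({"type": ind["type"], "indicator": ind["value"], "line": line})
    return alerts
```

Running `correlate(consolidate([FEED_A, FEED_B]), SAMPLE_LOGS)` yields three alerts: the duplicate IP is kept once with its higher confidence, the allowlisted address is dropped, and the low-confidence address survives only because it is on the denylist.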