Making the most of threat intelligence with threat intelligence gateways

Even though many security professionals are still dissatisfied with threat intelligence accuracy and quality, its use as a resource for network defense is growing. According to the 2019 SANS Cyber Threat Intelligence (CTI) Survey, the percentage of organizations that either produce or consume CTI has risen from 60 to 72 percent.

As it gets more broadly adopted and as more organizations seek to operationalize their TI more effectively and efficiently, they are slowly starting to implement threat intelligence gateways (TIGs).

What are threat intelligence gateways?

There was a time when threat intelligence was synonymous with indicators of compromise (IoCs), but is now generally considered to also include tactics, techniques and procedures (TTPs), threat behaviors, attack surface awareness and strategic assessments. This security data and information is then used to create a picture of an organization’s digital risk and to manage it.

Threat intelligence gateways are an emerging cybersecurity category. Fundamentally, the solution sits on the network, in line, typically in front of a firewall, and filters inbound and outbound traffic based on a wide array of TI from multiple sources/feeds (commercial, open source, industry, and government).

TIGs can also make allow or deny decisions based on the source of the traffic.

“Gartner defines TIGs as ‘a network security solution that filters traffic based on large volumes of threat intelligence (TI) indicators’,” Todd Weller, Chief Strategy Officer at Bandura Cyber, explained to Help Net Security. “We define TIG a bit more broadly, because our TIG goes beyond just filtering: we provide access to TI, aggregation, automation, and the critical ‘taking action’ element.”

TIGs are not an alternative to traditional threat intelligence services – they complement them, he noted. They provide security teams with the ability to detect and block traffic based on threat intelligence at a scale that their next-generation firewalls (NGFWs) don’t allow.

“NGFWs work well with threat intelligence from the NGFW vendor but often don’t play nice with third-party TI indicators (IPs and domains). Also, for performance reasons, many NGFWs significantly limit the volume of third-party indicators you can ingest and take action with. For most NGFWs, the volume is limited to a few hundred thousand indicators, whereas the number of indicators on many threat feeds can be in the millions and tens of millions,” Weller explained.

“Additionally, managing third party TI in NGFWs is cumbersome and time consuming. Organizations that aren’t using a Threat Intelligence Platform (TIP) from companies like Anomali, Threat Connect, ThreatQuotient, and others, also find value in our ability to aggregate multiple threat feeds in one place and have them automatically updated. This reduces a lot of manual effort.”

What’s in it for the organizations

Weller says that they have seen a significant increase in customer interest in TIGs over the last twelve months, and expect this trend to continue.

While large enterprises – as threat intelligence power users – welcome the ability to filter traffic against over 100 million unique IPs and domains with virtually no latency and to easily integrate with TI sources and their existing security systems like SIEMs, small and mid-sized organizations are looking at TIGs as another layer of defense.

“These companies don’t have significant resources or operate with a big security operations center or armies of analysts but they have the same cybersecurity problems. TIGs enable these customers to gain access to enterprise-grade TI capabilities in an easy, automated, and affordable way,” he notes.

“For them it’s really about ease of use and manageability and the plug-n-play nature of the TIG. They love the fact that they can quickly deploy and gain value from a turnkey solution that is automated and has low management overhead.”

He also noted an increased interest from managed security services providers (MSSPs) that are looking to offer value-added threat intelligence services to their customer base, and expects threat intelligence vendors to start offering TIGs in the near future.

“Many TI vendors have historically focused on large enterprises that had the resources to buy and consume third-party threat intelligence. I can tell you first-hand many of these TI vendors are looking at ways to broaden their market and revenue opportunity. In the near term, I’d look for more strategic partnerships along these lines. Longer term, I see the potential for consolidation,” he opined.