Vendor Landscape External Threat Intelligence - Forrester

For Security & Risk Professionals
Vendor Landscape: External Threat Intelligence,

2017
Tools And Technology: The Security Architecture And Operations Playbook
by Josh Zelonis
June 26, 2017 | Updated: July 14, 2017
Why Read This Report Key Takeaways

The threat intelligence market is muddled by Threat Intelligence Marketing Is Not Intelligent
confusing messaging that has hurt security and Threat intelligence refers to a wide range of
risk (S&R) pros ability to succeed with their products and services, which makes it difficult
intelligence capabilities. This report provides to compare offerings. This report brings clarity
a course correction for the industry by clearly to three key differentiators: tactical indicators,
delineating the offerings of 30 vendors that raw intelligence, and finished intelligence. We
provide externally sourced intelligence. It also give examples of each of these offerings and the
offers a guide for using this data to build a vendors that provide them.
successful threat intelligence capability.
Develop Your Security Strategy With Threat
Intel
S&R pros must build their intelligence capability
on a foundation of strategic intelligence to
understand the threat landscape. Develop a
risk register and implement targeted process
improvements, using risk prioritization to justify
your security spend.
Dont Get Hung Up On Trailing Indicators

Tactical indicators are called trailing because
they require observation, analysis, and sharing
before they can be used. Understanding the
fundamental nature of these historical indicators
is essential to identifying their appropriate use
cases.
forrester.com
For Security & Risk Professionals
Vendor Landscape: External Threat Intelligence, 2017

by Josh Zelonis
with Stephanie Balaouras, Bill Barringham, and Peggy Dostie
June 26, 2017 | Updated: July 14, 2017
Table Of Contents Related Research Documents

2 Use External Intelligence To Understand And Achieve Early Success In Threat Intelligence With
Prevent Threats The Right Collection Strategy
External Threat Intelligence Allows You To The Risk Managers Handbook: How To Identify
Detect And Even Prevent Attacks And Describe Risks
Vendors Market Varying Levels Of Processing Top Cybersecurity Threats In 2017

And Analysis As Threat Intelligence
6 Select Vendors According To Your Firms

Maturity, Vertical, And Size
Follow Three Simple Steps When Building A

Threat Intelligence Capability
As Your Intelligence Capabilities Mature,

Target Your Research
Advanced Organizations Can Respond

Aggressively To Threats
Recommendations
12 Develop A Holistic Threat Intelligence
Capability
14 Supplemental Material
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA

+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
2017 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester,
Technographics, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research,
Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing
is a violation of copyright law. Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals June 26, 2017 | Updated: July 14, 2017
Use External Intelligence To Understand And Prevent Threats

In The Seven Basic Plots: Why We Tell Stories, Christopher Booker demonstrates that all storytelling,
from Greek drama through Hollywood blockbusters, leverages the same basic plot mechanisms.1
Similarly, there are only so many motivations and techniques for stealing information. The hardest
patterns for attackers to change are their tactics, techniques, and procedures TTPs how they do
things (see Figure 1).2 S&R pros can use external threat intelligence to understand trends and plotlines
of attacks against other organizations, which you can use to better prepare for when those threat
actors inevitably turn their attention toward you.
FIGURE 1 Tactics, Techniques, And Procedures Are The Hardest Patterns For Cyberattackers To Change
Tough!
TTPs
Tools Challenging
Network/
Annoying
host artifacts
Domain names Simple
IP addresses Easy
Hash values Trivial
Source: David Bianco, The Pyramid of Pain, Enterprise Detection & Response, January 17, 2014
External Threat Intelligence Allows You To Detect And Even Prevent Attacks
A cyberattack does not start with exploitation and end with exfiltration. Criminals plan carefully how
they will develop the infrastructure they need to make an attack and then monetize the effort.3 That
means S&R pros must also plan carefully to detect and prevent such attacks. How can external threat
intelligence help? It lets you:
Preempt attempts to defraud customers with impersonating domain registrations. Todays

organizations are aware of the innate reputational risk associated with an attacker impersonating
them to defraud customers. Even if your organization wasnt a part of the attack chain, your brand
2017 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 2
Citations@forrester.com or +1 866-367-7378
will suffer. Its important to detect when attack infrastructure is being created to stay a step ahead
of attackers trying to impersonate your organization. One emerging threat that has gained attention
lately is homograph attacks, in which attackers use Unicode characters to create domains that are
indistinguishable from legitimate domain names.4
Track exploit kits to prioritize patching. Understanding attack trends and the use of exploit kits
is a critical first step in developing a strategy to combat ransomware and other similar malware-
based attacks.5 By collecting tactical intelligence from exploit kit advertisements, you can identify
common vulnerabilities and exposures (CVEs) being exploited and prioritize patching to prevent
your organization from being compromised.6
Detect breaches by monitoring darknet marketplaces for stolen data. One place you can
intercept an attack is at the point of data commoditization. Although detecting the sale of stolen
data is not an ideal time to identify an attacker moving against your organization, considering
dwell times for external attackers average 107 days its better to be aware of the breach than to
unknowingly allow it to persist.7 For example, a credit card processor identified GameStop as the
common link between cards being sold online this year.8
Vendors Market Varying Levels Of Processing And Analysis As Threat Intelligence
The intelligence cycle is the process by which a question is asked, researched, and answered. During
this process, organizations collect, process, and analyze data to turn it into a finished intelligence
product (see Figure 2). Organizations will take over this analysis at different stages of the intelligence
cycle, depending on their operational maturity, which is why vendors offer three types of intelligence
tactical indicators, raw intelligence, and finished intelligence.
Tactical indicators are useful if theres enough context. Indicators of compromise (IoC) are file
hashes, domain names, IP addresses, or other patterns that S&R pros can use to detect a threat
or compromise. One important caveat is the need for context when using these indicators. The
STIX language uses 12 different domain objects to describe threats, with indicators only being one
of them.9 You must understand the context surrounding an indicator to understand the implication
to your organization when triggering an alert based on this indicator. For instance, Symantec has
assigned a very low risk level to the Trojan.Corentry malware.10 How would your organization
respond to the knowledge there was a malware-infected system on your network? What if it was
a very low risk? What if the implication was the CIA had infiltrated your organization?11 You simply
should not spend money on indicator feeds that dont provide context beyond indictment.
Raw intelligence has been collected and processed but not analyzed. Frequently, raw
intelligence is offered through API access, enabling search or alerting based on keywords or other
information (see Figure 3). One example is pastebin alerts, which allows users to specify keywords
that, if pasted, will generate email alerts.12 This is raw, not finished, intelligence because the alert
just shows that you have a keyword match and does not include the sentiment or details of the
user who pasted the text. Similarly, while a reverse engineer may be said to analyze a piece of
malware, that analysis does not become part of a finished intelligence product until its paired with
additional context, such as where it has been observed in the wild, associated threat actors, and
motivations to better understand the risk posed by the malware.
Finished intelligence is consumable and doesnt require final analysis. Finished intelligence is
more than just reportage; it requires interpretation and putting the raw intelligence into context. For
instance, during analysis and production, the CIA take[s] a closer look at all the information and
determine[s] how it fits together, while concentrating on answering the original tasking.13 There
are several types of finished intelligence; each category represents a unique task for your external
threat intelligence service provider with requests for intelligence (RFIs) as your ability to leverage
directed research (see Figure 4).
FIGURE 2 The Synthesis Of Quantitative Analysis And Qualitative Judgment
Relationship of data, information, and intelligence
Operational
Data Information Intelligence
environment
Collection Processing Analysis

and and
exploitation production
Source: Joint Intelligence/Joint Publication 2.0 (Joint Chiefs of Staff)
FIGURE 3 Raw Intelligence Does Not Provide Context
Malware analysis Detailed analysis performed by reverse engineers or forensic

investigators to identify critical elements such as network/host
artifacts, vulnerabilities exploited, and other related indicators that
help you understand the tactics, techniques, and procedures in use
Compromised account data The ability to query or alert on accounts compromised in public
breaches or leaked from covert sources
Raw intelligence access API or portal-driven search capability for querying collected data for
keywords related to brand, identity, or other indicators
FIGURE 4 Finished Intelligence Puts Raw Intelligence Into Context
Executive protection Monitoring against impersonation, defamation, or hijack of accounts,

targeted threats and exposure to untargeted threats due to travel, as well as
leaked personal information
Fraud intelligence Monitoring for information leakage, laundering schemes, and other
evidence of scams targeting the organization. An important part of
delivering this as a finished product is the ability to track down the source
of the information leak that fraudsters are attempting to commoditize
Brand protection Monitoring against impersonation, defamation, or intent to damage the

revenue or reputation of the brand
Vulnerability risk Reporting on exploitation trends to allow businesses to prioritize

vulnerability remediation efforts in the context of their threat landscape
Threat actor data Detailed profile of an actors tactics, motivations, and capabilities to allow
an organization to assess risk, combined with associated indicators to
assist with detection, attribution, and removal of the threat
Insider threat Monitoring of websites and forums for the recruitment of insiders or
monitoring attempts to sell privileged data
Third-party risk Assessment and scoring of third parties security posture, susceptibility to
attack, and evidence of data leakage to identify risk of incorporating them
into your supply chain
Strategic intelligence Executive consumable intelligence reports that inform security strategy and
provide understanding of the threat landscape
Request for intelligence Ability for customers to request an enriched, targeted investigation
Select Vendors According To Your Firms Maturity, Vertical, And Size

A common question we hear from clients is, What indicator feeds should I subscribe to? Unfortunately,
theres no simple answer. Recommendations vary based on your companys maturity, vertical, and size.
To help S&R pros make sense of the landscape, choose a vendor, and build a road map for integrating
external threat intelligence into their organizations, weve charted 30 external threat intelligence vendors
and their capabilities. And because its also important to understand where the information comes
from to properly assess how to prioritize and ingest it, weve included the vendor-reported ratios of the
intelligence sources they use for collecting their data (see Figure 5 and see Figure 6).
FIGURE 5 Understanding The Major Sources Of External Threat Intelligence
Surface web The surface web is the part of the internet that is indexed by search engines, where
information is freely accessible. While this type of intelligence is occasionally met
with disdain because it is collected from public sources, this disdain ignores two
critical factors: Criminals face a market imperative of providing an accessible
marketplace for their goods, and people commonly make mistakes with operational
security. The reality is that there is a lot of valuable information that you can derive
from open sources, but theres no guarantee that what you are getting isnt
repurposed marketing material.
Deep/dark web The deep web represents a collection of sites that are censored by search engines,
require authentication, or are only accessible via specific network protocols to
access. The dark web is a subset of this, requiring the use of TOR or similar
protocols to establish exclusivity and anonymity. Frequently, the information
gathered from the deep web requires a human to establish credibility to gain
access to assets, making this a very specialized and sensitive source of
intelligence.
Social media Social media could arguably be categorized as deep web since it is not indexed by
search engines; however, social is so pervasive that it would be fairer to think of it
as shallow web. Social media monitoring is frequently associated with reputation
risk, which is why this is frequently seen in messaging by digital risk monitoring
companies.
Sensor networks Sensor networks vary, from network monitors across the globe that detect the
registration of new domains, to endpoint products performing static analysis of
unknown files, to SIEM alerts coming out of global managed security service
providers. This information tends to be very tactical and requires a lot of further
analysis to attribute to an actor before it can become finished intelligence.
FIGURE 6 External Threat Intelligence Vendors And Capabilities
Finished intelligence
Vu pr en on
Raw intelligence
d llig ti
ln ote ce
Th ori hre a
n
an te tec
m sid tor k
it r t at
ird ng at
Tactical indicators
Th rab ctio
lli gi sk
i s
on e d
r
Br in ro
te te ri
at ty
ge c
p
e
in tra rty
re ili
nc
au v e
In c
S pa
a
Fr uti
-
d
e
ec
FI
Vendor Focus
Ex
R
4iQ Identity, digital risk monitoring
AlienVault Open, threat sharing network
CrowdStrike Adversarial intelligence, endpoint

monitoring
Digital Analyst-curated, tailored intelligence

Shadows
DomainTools Breadth of domain registration data
FireEye Adversarial intelligence, real-time

detection
Flashpoint Targeted data acquisition, analyst

expertise
Group-IB Targeted intelligence, Russian expertise
IBM Reputation services and actionable intel
InfoArmor Operatively sourced threat intelligence
Intel 471 Human collection of closed source,

cybercrime
Kaspersky Sensor-driven, advanced persistent

threat (APT) research
LookingGlass Breadth of collection, automated

integration
Optiv Threat intel collected from MSSP clients
PhishLabs Directly sourced cybercrime intelligence
PhishMe Human-vetted, antiphishing

intelligence
FIGURE 6 External Threat Intelligence Vendors And Capabilities (Cont.)
Finished intelligence
Vu pr en on
Raw intelligence
d llig ti
ln ote ce
rin re a
n
an te tec
m sid tor k
ito r th at
g at
Th ra ctio
lli gi k
In ac is
Tactical indicators
te te ris
on e d
r
Br in ro
at ty
ge c
p
e
in tra ty
re bili
nc
au ve
S ar
Fr uti
-p
d
ird
ec
FI
Vendor Focus
Th
Ex
R
Proofpoint Analyst expertise, global sensor
network
PwC Strategic focus on global and targeted

threats
Q6 Cyber Analyst expertise, underground sources
Recorded Breadth of collection, automated

Future processing
RiskIQ Breadth of collection, automated

processing
SecureWorks Diverse collection of internal sources as

MSSP
Security Brand protection, third-party risk

Scorecard
SenseCy Analyst language proficiency,

automation
SurfWatch Individualized analyst services,

Labs unlimited RFI
Symantec Adversarial intelligence, global sensor

network
Terbium Dark-web monitoring, fuzzy hashing of

results
Threat Analyst-curated, open source

Connect intelligence
Webroot Automated analysis with machine

learning
ZeroFOX Automated collection, machine learning

analysis
Intelligence
Finished intelligence sources
Raw intelligence
Tactical indicators
ito s
ce
e
n
g
ur
tio
un om s
in
at ed
en
si s
co pr ysi
at
eb
e
ta
t d is
lig
hi ash
gn
a
n
ne ns a
pu
w
a
eb
ss tel
on
Se edi
io
an
rk
h
re
w
om tat
tw or
ce in
ks
m
ng
m
Ph re
da
e
n
ar
ac m
pu
ac aw
or
et
a
ac
ai
al
p/
o
w
w
tn
re
ci
is
rf
R
ee
al
al
Vendor
Bo
So
Su
IP
M
M
D
D
4iQ 15% 70% 15% 0%
AlienVault 1% 1% 0% 98%
CrowdStrike 25% 25% 25% 25%
Digital 68% 10% 20% 2%

Shadows
DomainTools 0% 0% 0% 100%
FireEye 15% 25% 15% 45%
Flashpoint 10% 80% 5% 5%
Group-IB 5% 49% 1% 45%
IBM 1% 36% 0% 63%
InfoArmor 30% 50% 5% 15%
Intel 471 0% 100% 0% 0%
Kaspersky 7% 5% 3% 85%
LookingGlass 30% 26% 13% 31%
Optiv 60% 10% 5% 25%
PhishLabs 5% 10% 10% 75%
PhishMe 0% 0% 0% 100%
Intelligence
Finished intelligence sources
Raw intelligence
Tactical indicators
ito s
ce
e
n
g
ur
tio
un om s
in
at ed
en
si s
co pr ysi
at
eb
e
ta
t d is
lig
hi ash
gn
a
n
ne ns a
pu
w
a
eb
ss tel
on
Se edi
io
an
rk
h
re
w
om tat
tw or
ce in
ks
m
ng
m
Ph re
da
e
n
ar
ac m
pu
ac aw
or
et
a
ac
ai
al
p/
o
w
w
tn
re
ci
is
rf
R
ee
al
al
Vendor
Bo
So
Su
IP
M
M
D
D
Proofpoint 0% 0% 0% 100%
PwC 10% 10% 5% 75%
Q6 Cyber 10% 50% 10% 30%
Recorded 31% 24% 11% 34%

Future
RiskIQ 20% 25% 25% 30%
SecureWorks 12% 11% 11% 66%
Security 40% 20% 15% 25%

Scorecard
SenseCy 15% 50% 25% 10%
SurfWatch 35% 35% 30% 0%

Labs
Symantec 8% 15% 12% 65%
Terbium 0% 100% 0% 0%
Threat 99% 0% 0% 1%
Connect
Webroot 0% 5% 5% 90%
ZeroFOX 20% 15% 65% 0%
Follow Three Simple Steps When Building A Threat Intelligence Capability
Many Forrester clients question not only the effectiveness of threat intelligence capabilities in the
enterprise but also the cost of products, feeds, and headcount. Fortunately, you can obtain and
demonstrate immediate benefits with your initial investment in three simple steps:
1. Focus on finished intelligence to reduce staffing requirements. You dont need to make any
immediate hiring decisions to get started with threat intelligence. Many of the vendors we surveyed
provide finished-intelligence-as-a-service, which you can consume immediately. Dont fall into the
trap of investing in tactical indicator feeds right away; your organization wont be able to leverage
this type of intelligence effectively.
2. Use strategic intelligence and RFIs to understand the threat landscape. Your initial goal with
threat intelligence should be to evolve your own security strategy decision making beyond best
practices and into informed decisions based on the current and evolving threat landscape. Learn
and ask questions. From this vendor survey, use an RFI to leverage the intelligence vendor for
reverse engineering capabilities on unknown files. Not only will this new vendor relationship help
you understand and communicate threat more effectively, youll also immediately expand the
capabilities of your security operations center (SOC).
3. Look for vendors that collect data from multiple sources. Specific use cases will factor into
your decision making when you develop a complex collection strategy using multiple feeds. Threat
intelligence is a nuanced art form. As you make your initial investments, focus on vendors that
collect and analyze data from a breadth of sources.
As Your Intelligence Capabilities Mature, Target Your Research
As you go through the intelligence cycle, keep an eye on how you can improve the process and overall
output. Armed with an understanding of the threat landscape and how these attacks manifest in your
organization, tailor your collection strategy to operationalize your new intelligence capability. At this
point you will need to bring an analyst on staff to help develop your collection strategy, manage the
intelligence data, and prepare briefings.
Create a risk register to track identified threats to your organization. Your strategic intelligence
capability should produce a document that identifies key risks, actors, and business impact of
these threats.14 Be prepared to address these threats and show how your security strategy is
aligned to reduce these risks. Enrich your intelligence capability by focusing on these specific
threats to your organization. This report outlines many types of finished intelligence offerings to
help you get started.
Deconstruct attack patterns and target intelligence at various stages. Next, invest in raw and
finished intelligence offerings to gain more visibility into the threats youve identified. Heres where
intelligence from specific sources such as the deep web can help you target the intelligence youre
collecting. Use a sensor network to capture events such as domain registration as adversaries are
building attack infrastructure. Subscribe to feeds that track the advertising of exploit kits on social
media to identify new features and vulnerabilities being exploited. Monitor the resale of stolen
credentials on the dark web, not only to identify information leaking from within your organization,
but also to stay alert for customers who may be susceptible to credential stuffing.
Understand that no single vendor will be able to serve your needs. Vendors that specialize in
collecting from sources like the dark web will offer particular insights that you can benefit from.
Other vendors, such as ones with a sensor network that blankets the internet, will collect and
report on events in a different time frame and of a different nature. Having diversified sources will
allow you to reap the benefits of these perspectives, but youll need a multivendor solution.
Advanced Organizations Can Respond Aggressively To Threats
The biggest mistake technologists make with intelligence is thinking its something they can just
put into their security information management (SIM) or security analytics platform. While its
understandable to want to get something intelligent out of your SIM, this is not an effective use of this
data, and it will lessen the operational effectiveness of your SOC. Instead:
Manage your threat intelligence in a central location. As your organization begins working with
large quantities of intelligence data, its important to have a place to centralize the collection and
analysis of this data. Threat intelligence platforms automate a lot of these tasks and may even
integrate with your orchestration tools to automatically enrich alerts, which will make your SOC
more efficient.
Perform link analysis on detected threats to hunt for further compromise. The value of tactical
indicators is in their relationships. Even without attribution to a threat actor, being able to associate
two indicators that were observed in the same time and place allows you to infer that they may be
related. Herein lies the challenge of real-time streaming analysis IP addresses, DNS names, and
other tactical indicators are too transient for you to efficiently detect, share, and monitor. Searching
historical data for loosely correlated events, however, can expose a wider compromise.
Hunt for artifacts of the threat actors associated with your risk register. Understanding your
adversary, including their tactics, sophistication, and funding, enables you to defend proactively
against a known offense. Knowing how they are tooling and other attributable information about
them will allow you to actively hunt for signs of intrusion, reducing your time to detection on events
your mitigation strategies didnt identify. You cant do this without strategic intelligence.
Recommendations
Develop A Holistic Threat Intelligence Capability

To successfully detect and prevent cyberattacks, S&R pros must look both outside and inside of
their organizations:
Make strategic intelligence the foundation of your security program. An understanding of the
threat landscape allows you to effectively prioritize security spend, focusing on mitigation of threats
your organization needs the most. Tooling for the adversary will not only decrease alert volume, but
ensure that generated alerts are more salient.
Try it before you buy it; ask vendors for sample or redacted reports. These will help you
understand the final work product you are subscribing to. While this recommendation is tailored
more toward finished intelligence, in the age of the customer, external threat intelligence vendors
should be happy to demonstrate the quality of analysis and writing behind their research.
Close the loop with your own internal intelligence. External intelligence provides valuable
information about the threat landscape and what is going on beyond your own perimeter. That said,
dont neglect your internal sources. Intelligence generated from within your organization is the most
relevant and actionable intelligence available to you, and its free!
Engage With An Analyst

Gain greater confidence in your decisions by working with Forrester thought leaders to apply
our research to your specific business and technology initiatives.
Analyst Inquiry Analyst Advisory Webinar
To help you put research Translate research into Join our online sessions
into practice, connect action by working with on the latest research
with an analyst to discuss an analyst on a specific affecting your business.
your questions in a engagement in the form Each call includes analyst
30-minute phone session of custom strategy Q&A and slides and is
or opt for a response sessions, workshops, available on-demand.
via email. or speeches.
Learn more.
Learn more. Learn more.
Forresters research apps for iPhone and iPad

Stay ahead of your competition no matter where you are.
Supplemental Material
Companies Interviewed For This Report
We would like to thank the individuals from the following companies who generously gave their time
during the research for this report.
4iQ PhishMe
AlienVault Proofpoint
CrowdStrike PwC
Digital Shadows Q6 Cyber
DomainTools Recorded Future
FireEye RiskIQ
Flashpoint SecureWorks
Group-IB SecurityScorecard
IBM SenseCy
InfoArmor SurfWatch Labs
Intel 471 Symantec
Kaspersky Terbium
LookingGlass ThreatConnect
Optiv Webroot
PhishLabs ZeroFOX
Endnotes
Source: Kasia Boddy, Everything ever written boiled down to seven plots, The Telegraph, November 21, 2004 (http://
1
www.telegraph.co.uk/culture/books/3632074/Everything-ever-written-boiled-down-to-seven-plots.html).
Source: David Bianco, The Pyramid of Pain, Enterprise Detection & Response, January 17, 2014 (https://detect-
2
respond.blogspot.com/2013/03/the-pyramid-of-pain.html).
While not all cyberattacks are motivated by profit, the ability to make money from cyberattacks warrants the capital
3
investment of time and architecture to perform the attack.
Source: Mohit Kumar, This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera, The
4
Hacker News, April 17, 2017 (https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html).
See the Forrester report Top Cybersecurity Threats In 2017.

5
Source: Bye Empire, Hello Nebula Exploit Kit. Malware dont need Coffee, March 3, 2017 (http://malware.
6
dontneedcoffee.com/2017/03/nebula-exploit-kit.html).
Source: M-Trends Reports, FireEye (https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html).

7
Source: Steven Petite, Gamestop.Com Customers Credit Card Information May Have Been Compromised, Digital
8
Trends, April 8, 2017 (https://www.digitaltrends.com/gaming/gamestop-online-security-breach/).
STIX stands for Structured Threat Information eXpression. Source: About STIX, Github (https://oasis-open.github.io/
9
cti-documentation/stix/about.html).
10
Source: Trojan.Corentry, Symantec, November 26, 2015 (https://www.symantec.com/security_response/writeup.
jsp?docid=2015-111823-1849-99).
11
Source: Longhorn: Tools used by cyberespionage group linked to Vault 7, Symantec Official Blog, April 10, 2017
(https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7).
12
Source: Pastebin My Alerts, Pastebin, April 17, 2012 (https://pastebin.com/PNxAR80G).
13
Source: The Intelligence Cycle, Central Intelligence Agency, March 23, 2013 (https://www.cia.gov/kids-page/6-12th-
grade/who-we-are-what-we-do/the-intelligence-cycle.html).
14
See the Forrester report The Risk Managers Handbook: How To Identify And Describe Risks.
We work with business and technology leaders to develop
customer-obsessed strategies that drive growth.
Products and Services
Core research and tools
Data and analytics
Peer collaboration
Analyst engagement
Consulting
Events
Forresters research and insights are tailored to your role and

critical business initiatives.
Roles We Serve
Marketing & Strategy Technology Management Technology Industry
Professionals Professionals Professionals
CMO CIO Analyst Relations
B2B Marketing Application Development
B2C Marketing & Delivery
Customer Experience Enterprise Architecture
Customer Insights Infrastructure & Operations
eBusiness & Channel Security & Risk
Strategy Sourcing & Vendor
Management
Client support
For information on hard-copy or electronic reprints, please contact Client Support at
+1 866-367-7378, +1 617-613-5730, or clientsupport@forrester.com. We offer quantity
discounts and special pricing for academic and nonprofit institutions.
Forrester Research (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We work with
business and technology leaders to develop customer-obsessed strategies that drive growth. Through proprietary
research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a
singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations.
For more information, visit forrester.com. 136769

Vendor Landscape External Threat Intelligence - Forrester

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Vendor Landscape External Threat Intelligence - Forrester

Transféré par

Droits d'auteur :

Formats disponibles

For Security & Risk Professionals

Vendor Landscape: External Threat Intelligence,

Why Read This Report Key Takeaways

Dont Get Hung Up On Trailing Indicators

Vendor Landscape: External Threat Intelligence, 2017

Table Of Contents Related Research Documents

Vendors Market Varying Levels Of Processing Top Cybersecurity Threats In 2017

6 Select Vendors According To Your Firms

Follow Three Simple Steps When Building A

As Your Intelligence Capabilities Mature,

Advanced Organizations Can Respond

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA

Use External Intelligence To Understand And Prevent Threats

Domain names Simple

Hash values Trivial

Preempt attempts to defraud customers with impersonating domain registrations. Todays

Vendors Market Varying Levels Of Processing And Analysis As Threat Intelligence

FIGURE 2 The Synthesis Of Quantitative Analysis And Qualitative Judgment

Relationship of data, information, and intelligence

Collection Processing Analysis

Source: Joint Intelligence/Joint Publication 2.0 (Joint Chiefs of Staff)

FIGURE 3 Raw Intelligence Does Not Provide Context

Malware analysis Detailed analysis performed by reverse engineers or forensic

FIGURE 4 Finished Intelligence Puts Raw Intelligence Into Context

Executive protection Monitoring against impersonation, defamation, or hijack of accounts,

Brand protection Monitoring against impersonation, defamation, or intent to damage the

Vulnerability risk Reporting on exploitation trends to allow businesses to prioritize

Select Vendors According To Your Firms Maturity, Vertical, And Size

FIGURE 5 Understanding The Major Sources Of External Threat Intelligence

FIGURE 6 External Threat Intelligence Vendors And Capabilities

AlienVault Open, threat sharing network

CrowdStrike Adversarial intelligence, endpoint

Digital Analyst-curated, tailored intelligence

DomainTools Breadth of domain registration data

FireEye Adversarial intelligence, real-time

Flashpoint Targeted data acquisition, analyst

Group-IB Targeted intelligence, Russian expertise

IBM Reputation services and actionable intel

InfoArmor Operatively sourced threat intelligence

Intel 471 Human collection of closed source,

Kaspersky Sensor-driven, advanced persistent

LookingGlass Breadth of collection, automated

Optiv Threat intel collected from MSSP clients

PhishLabs Directly sourced cybercrime intelligence

PhishMe Human-vetted, antiphishing

FIGURE 6 External Threat Intelligence Vendors And Capabilities (Cont.)

PwC Strategic focus on global and targeted

Q6 Cyber Analyst expertise, underground sources

Recorded Breadth of collection, automated

RiskIQ Breadth of collection, automated

SecureWorks Diverse collection of internal sources as

Security Brand protection, third-party risk

SenseCy Analyst language proficiency,

SurfWatch Individualized analyst services,

Symantec Adversarial intelligence, global sensor

Terbium Dark-web monitoring, fuzzy hashing of

Threat Analyst-curated, open source

Webroot Automated analysis with machine

ZeroFOX Automated collection, machine learning

FIGURE 6 External Threat Intelligence Vendors And Capabilities (Cont.)

CrowdStrike 25% 25% 25% 25%

Digital 68% 10% 20% 2%

FireEye 15% 25% 15% 45%

Flashpoint 10% 80% 5% 5%