Threat Intelligence Platform
A Threat Intelligence Platform (TIP) is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing volume of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and to help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization's existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular users of the platform. TIPs can also use APIs to gather data for configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.

Traditional approach to enterprise security

The traditional approach to enterprise security involves security teams using a variety of processes and tools to conduct incident response, network defense, and threat analysis. Integration between these teams and sharing of threat data is often a manual process that relies on email, spreadsheets, or a portal ticketing system. This approach does not scale as the team and enterprise grow and the number of threats and events increases. With attack sources changing by the minute, hour, and day, scalability and efficiency are difficult to achieve. The tools used by large Security Operations Centers (SOCs), for example, produce hundreds of millions of events per day, from endpoint and network alerts to log events, making it difficult to filter down to a manageable number of suspicious events for triage.
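The import, correlate, export loop described above, reduced to a minimal Python sketch; this is an added example, not code from the article or from any vendor's platform. The two feed formats, their field names, the log line layout, and the confidence floor are all assumptions chosen for illustration, and the data is constructed.

```python
import csv, json, re

# Constructed sample data (documentation-range IPs, .example names): two feeds in different formats and log lines.
FEED_A_CSV = """indicator,type,confidence,source
203.0.113.7,ipv4,80,feed_a
malicious.example,domain,60,feed_a
"""
FEED_B_JSON = json.dumps([
    {"value": "203.0.113.7", "kind": "ip", "confidence": 90, "source": "feed_b"},
    {"value": "bad.example", "kind": "domain", "confidence": 70, "source": "feed_b"},
])
LOG_LINES = [
    "2016-02-03T10:01:02Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2016-02-03T10:01:09Z proxy GET host=intranet.example status=200",
    "2016-02-03T10:02:44Z proxy GET host=bad.example status=302",
]
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain"}  # feeds disagree on type names

def ingest_csv(text):
    # Normalize CSV rows to (type, value, confidence, source).
    return [(TYPE_MAP[r["type"]], r["indicator"].lower(), int(r["confidence"]), r["source"])
            for r in csv.DictReader(text.splitlines())]

def ingest_json(text):
    # Normalize JSON objects to the same record shape as the CSV feed.
    return [(TYPE_MAP[o["kind"]], o["value"].lower(), int(o["confidence"]), o["source"])
            for o in json.loads(text)]

def aggregate(*feeds):
    # One entry per (type, value); keep the highest confidence and every source that reported it.
    merged = {}
    for kind, value, conf, source in (rec for feed in feeds for rec in feed):
        entry = merged.setdefault((kind, value), {"confidence": 0, "sources": []})
        entry["confidence"] = max(entry["confidence"], conf)
        entry["sources"] = sorted({*entry["sources"], source})
    return merged

def correlate(indicators, log_lines, min_confidence=50):
    # Keep only log lines whose dst=/host= field matches an indicator at or above the floor.
    lookup = {v: (k, m) for (k, v), m in indicators.items() if m["confidence"] >= min_confidence}
    hits = []
    for line in log_lines:
        for token in (t.lower() for t in re.findall(r"(?:dst|host)=(\S+)", line)):
            if token in lookup:
                kind, meta = lookup[token]
                hits.append({"log": line, "indicator": token, "type": kind, **meta})
    return hits

def export_jsonl(hits):
    # JSON Lines: one alert per line, a shape a SIEM or ticketing system can ingest.
    return "\n".join(json.dumps(h, sort_keys=True) for h in hits)
```

The confidence floor is what turns a large event stream into a short triage list: lowering it surfaces more matches, raising it drops low-quality feed entries before they ever reach the SIEM.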
Threat intelligence platforms

Threat intelligence platforms make it possible for organizations to gain an advantage over the adversary by detecting the presence of threat actors, blocking and tackling their attacks, or degrading their infrastructure. Using threat intelligence, businesses and government agencies can also identify the threat sources and data that are the most useful and relevant to their own environment, potentially reducing the costs associated with unnecessary commercial threat feeds.[1] Tactical use cases for threat intelligence include security planning, monitoring and detection, incident response, threat discovery, and threat assessment. A TIP also drives smarter practices back into SIEMs, intrusion detection, and other security tools because of the finely curated, relevant, and widely sourced threat intelligence that a TIP produces.

An advantage held by TIPs is the ability to share threat intelligence with other stakeholders and communities. Adversaries typically coordinate their efforts across forums and platforms. A TIP provides a common habitat that makes it possible for security teams to share threat information among their own trusted circles, interface with security and intelligence experts, and receive guidance on implementing coordinated counter-measures. Full-featured TIPs enable security analysts to simultaneously coordinate these tactical and strategic activities with incident response, security operations, and risk management teams while aggregating data from trusted communities.[2]

Threat intelligence platform capabilities

Threat intelligence platforms are made up of several primary feature areas[3] that allow organizations to implement an intelligence-driven security approach. These stages are supported by automated workflows that streamline the threat detection, management, analysis, and defensive process and track it through to completion:
Operational deployments

Threat intelligence platforms can be deployed as software or as an appliance (physical or virtual), on-premises or in dedicated or public clouds for enhanced community collaboration.

References

1. "Threat Intelligence Platforms: The Next 'Must-Have' For Harried Security Operations Teams". Dark Reading. Accessed 2016-02-03. http://www.darkreading.com/threat-intelligence-platforms-the-next-must-have-for-harried-security-operations-teams/d/d-id/1320671
2. Poputa-Clean, Paul. "Automated Defense Using Threat Intelligence to Augment Security". SANS Institute InfoSec Reading Room, January 15, 2015. https://www.sans.org/reading-room/whitepapers/threats/automated-defense-threat-intelligence-augment-35692
3. "Technology Overview for Threat Intelligence Platforms". Gartner. Accessed 2016-02-03. https://www.gartner.com/doc/2941522/technology-overview-threat-intelligence-platforms
4. "The Diamond Model of Intrusion Analysis". ActiveResponse.org. Accessed 2016-02-03. http://www.activeresponse.org/the-diamond-model/
5. Hutchins, Eric M.; Cloppert, Michael J.; Amin, Rohan M. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains". Lockheed Martin, 2009. http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
6. MacGregor, Rob. "Diamonds or chains". May 29, 2015. http://pwc.blogs.com/cyber_security_updates/2015/05/diamonds-or-chains.html#_ftn1
7. "What's in a true threat intelligence analysis platform?". ThreatConnect. Accessed 2016-02-03. https://www.threatconnect.com/whats-in-a-platform/
Categories: Information technology, Data security, Emerging technologies