Threat intelligence platforms
A threat intelligence platform (TIP) is a technology solution that collects, aggregates and organizes threat intel data from multiple sources and formats
A TIP provides security teams with information on known malware and other threats, powering efficient and accurate threat identification, investigation and response
It enables threat analysts to spend their time analyzing data and investigating potential security threats rather than collecting and managing data
Moreover, a TIP allows security and threat intelligence teams to easily share threat intelligence data with other stakeholders and security systems
Security teams used multiple tools and processes in the past to manually gather and review threat intelligence data from a variety of sources
This approach no longer works because:
Today, companies are collecting massive amounts of data in a wide variety of formats such as STIX/TAXII, JSON, XML, PDF, CSV, email and so on
With each passing year, the number and type of security threats (from malicious actors, malware, phishing, botnets, distributed denial-of-service (DDoS) attacks, ransomware, etc.) continue to increase in both scope and sophistication
Millions of potential threat indicators are spun up every day
Companies need to respond to potential security threats much quicker than they have had to in the past in order to prevent widespread damage
A TIP helps security and threat intelligence teams:
Automate, streamline and simplify the entire process of researching, collecting, aggregating and organizing threat intelligence data, as well as normalizing, de-duping and enriching that data
Monitor and quickly detect, validate and respond to potential security threats in real time
Obtain details about current and future security risks, threats and vulnerabilities, as well as information on threat adversaries and their tactics, techniques and procedures (TTPs)
Share threat intelligence data with other stakeholders via dashboards, alerts, reports, etc
Continually feed the most up-to-date threat intelligence data to other security systems such as SIEM, endpoints, firewalls, Intrusion Prevention Systems (IPSes) and others
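The normalize, de-dupe and merge step described above, as an added example that is not code from this page or from any particular TIP product: two constructed feeds (a STIX 2.x bundle and a CSV export) are reduced to one SIEM-ready indicator list; the confidence scale, CSV column names and source labels are assumptions.

```python
import csv
import io
import json
import re
# Constructed sample feeds for this example (RFC 5737 address and reserved domain, not real indicators).
STIX_FEED = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.10']",
     "created": "2024-01-02T03:04:05Z", "confidence": 80},
    {"type": "indicator", "pattern": "[domain-name:value = 'Bad.Example']",
     "created": "2024-01-03T00:00:00Z"},  # no confidence given by the vendor
]})
CSV_FEED = ("type,value,confidence,first_seen\n"
            "ipv4,203.0.113.10,60,2024-01-01T00:00:00Z\n"
            "domain,bad.example,70,2024-01-05T00:00:00Z\n")

# Map STIX Cyber Observable types to the platform's canonical indicator types (assumed naming).
STIX_TYPES = {"ipv4-addr": "ipv4", "domain-name": "domain", "url": "url"}
PATTERN_RE = re.compile(r"^\[([\w-]+):value\s*=\s*'([^']+)'\]$")

def parse_stix(text, source):
    """Yield normalized records from the indicator objects of a STIX 2.x bundle."""
    for obj in json.loads(text).get("objects", []):
        m = PATTERN_RE.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if m and m.group(1) in STIX_TYPES:  # skip patterns the platform does not model
            yield {"type": STIX_TYPES[m.group(1)], "value": m.group(2), "source": source,
                   "confidence": obj.get("confidence", 50), "first_seen": obj["created"]}

def parse_csv(text, source):
    """Yield normalized records from a CSV feed export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"type": row["type"], "value": row["value"], "source": source,
               "confidence": int(row["confidence"]), "first_seen": row["first_seen"]}

def merge(records):
    """De-duplicate on (type, value); keep highest confidence, earliest sighting, all sources."""
    merged = {}
    for r in records:
        key = (r["type"], r["value"].strip().lower())  # case/whitespace variants are the same IoC
        if key not in merged:
            merged[key] = {"type": key[0], "value": key[1], "confidence": r["confidence"],
                           "first_seen": r["first_seen"], "sources": {r["source"]}}
        else:
            cur = merged[key]
            cur["confidence"] = max(cur["confidence"], r["confidence"])
            cur["first_seen"] = min(cur["first_seen"], r["first_seen"])  # ISO-8601 UTC sorts lexically
            cur["sources"].add(r["source"])
    return sorted(merged.values(), key=lambda x: (x["type"], x["value"]))

def build_feed():
    return merge([*parse_stix(STIX_FEED, "vendor-stix"), *parse_csv(CSV_FEED, "partner-csv")])
```

The four input rows collapse to two indicators, each carrying the best confidence, earliest sighting and every source that reported it, which is what a downstream SIEM or firewall list should receive.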
EDR/XDR solutions
Endpoint Detection and Response (EDR)
EDR is an incident response and threat-hunting solution designed for security operations center (SOC) teams
Key capabilities:
EDR continuously records and stores comprehensive endpoint activity data, so that security professionals can hunt threats in real-time and visualize the complete attack kill chain
It leverages threat intelligence, which is applied to the endpoint activity system of record for evidence and detection of these identified threats and patterns of behavior
Live response for remote remediation, where incident responders can create a secure connection to infected hosts to pull or push files, kill processes, perform memory dumps and quickly remediate from anywhere in the world
It also includes antivirus and endpoint security capabilities to block every stage of attack
EDR solutions provide granular control over USB access and firewall policies
A single, lightweight end-to-end agent for endpoint threat prevention, detection and response
Extended Detection and Response (XDR)
Traditional EDR tools focus only on endpoint data, providing limited visibility into suspected threats
This can result in missed detections, increased false positives and longer investigation times
The evolution of EDR is XDR, with the following key capabilities:
XDR is a new approach to endpoint threat detection and response
The "X" stands for "extended", but it really represents any data source, such as network, cloud and endpoint data, recognizing that it's not effective to investigate threats in isolated silos
XDR systems use heuristics, analytics, modelling and automation to stitch together and derive insight from these sources, increasing security visibility and productivity compared to siloed security tools
The result is simplified investigations across security operations, reducing the time it takes to discover, hunt, investigate and respond to any form of threat