Network appliances designed to automatically block known threats, mitigate risk, and streamline security operations
According to ESG research, enterprise organizations continue to invest in all types of threat intelligence (note: I am an ESG employee). For example, 60% of organizations have had a threat intelligence program in place for more than 2 years, 69% consume 6 or more open source or commercial threat intelligence feeds as part of cybersecurity analytics efforts, and 72% of enterprises plan on increasing spending on their threat intelligence programs over the next 12 to 18 months.
Why is threat intelligence gaining momentum? Security professionals know that since they can’t block every conceivable cyber-attack, they need to collect, process, and analyze all types of internal and external security data to improve their incident detection and response capabilities. Many also want to use threat intelligence more proactively for threat prevention. In fact, 36% of enterprise cybersecurity professionals say that their organizations intend to use threat intelligence feeds to automate remediation actions over the next 24 months.
Hmm, this seems like a good idea. When threat intelligence points to bad IP address, URL, or DNS lookups, why not simply block them from the get go? Unfortunately, this hasn’t always been easy in the past as it involved normalizing disparate threat intelligence feeds, building custom dashboards and rule sets, integrating various network security devices, etc.
These issues are actually a microcosm for the state of threat intelligence today – lots of great data and good ideas, but it seems like it always much more difficult to operationalize threat intelligence than it should be.
Enter threat intelligence gateways. These devices from vendors like Centripetal Networks, Ixia, and Lookingglass Cyber Solutions are designed to alleviate the data management, policy management, and technology integration challenges described above. How? With simple fixed-function network security appliances that:
Consume threat intelligence. Threat intelligence gateways are designed to consume threat intelligence directly, obviating the need to normalize cryptic threat intelligence feeds or integrate various types of threat intelligence and security analytics with network security infrastructure.
Provide options for policy management. Rather than rely on custom analysis and rule sets, threat intelligence gateways provide policy management dashboards and tools. This give the security team the ability to easily configure rule sets to block known threats based upon risk scores, threat sources, etc. In this way, threat intelligence gateways can CISO create company-specific policies for blocking industry-focused attacks, targeted attacks, and more pedestrian “noise” from threat actors.
- Operationalize threat intelligence. Threat intelligence gateways aren’t quite “set-it-and-forget-it” appliances but they can be very efficient in helping organizations streamline security operations while mitigating risk – without requiring a lot of one-off integration or customized code.
Threat intelligence gateways are typically positioned between an edge router and a firewall and can start to deliver value pretty quickly. In this deployment model, threat intelligence gateways can also filter traffic and thus improve firewall throughput.
Now I know what you are thinking. “why not just do this with a next-generation firewall and alleviate the need for another box?” Good question as this functionality is certainly offered by leading firewall vendors like Cisco, Check Point, Fortinet, Juniper, and Palo Alto Networks.
In fact, firewalls can filter traffic based upon threat intelligence, but this process can consume network resources and processor cycles, impacting firewall performance in some cases. And threat intelligence gateways are fixed-function devices designed for simple policy management for threat intelligence-based remediation rules. Alternatively, NG-firewalls are built for a wide assortment of application, network, threat, and user-centric rules. Threat intelligence remediation rules may be difficult to configure and manage, or may not offer the granularity of a dedicated appliance.
Threat intelligence gateways aren’t for everyone but large organizations with massive global networks have a large target on their backs and need all the help they can get. For these enterprises, threat intelligence gateways may provide strong benefits for a relatively little cost.