Researching the threat intelligence space

Explosive growth, chaotic dynamics

threat intelligence

In 2015 IT-Harvest took another stab at compiling a list of all the IT security vendors in the world. Some of the preliminary data I presented at RSA on their TV channel.  The most difficult task in putting together such a list is deciding how to classify each vendor into a category. But once that arduous task is completed I can start digging into each category. I started to look at Threat Intelligence vendors last August, although I had been engaging with several of them for years.

RSA TV The Entire IT Security Space RSA TV

Richard Stiennon Presents at RSAC 2016

The threat intelligence market has three primary segments: threat intelligence providers, threat intelligence platforms (TIP), and the modern defenses that consume threat intelligence to identify and block targeted attacks. Threat intelligence feeds consist of Indicators of Compromise (IoC), IP reputation, file finger prints, and components of malware. Several vendors, particularly iSIGHT Partners sells subscriptions to reports that outline threat actor Tactics, Techniques, and Procedures (TTP). Platforms aggregate and analyze feeds and make them available to security enforcement tools.

[ MORE ON CSO: The IT security industry is not consolidating ]

According to my research the threat feed segment accounted for $190 million in revenue in 2015 and is growing at 85 percent annually. The TIP space accounted for $61 million and is growing at 84% which is three and a half times the overall security space which is growing at 24 percent annually.

The threat intelligence industry is still in its early stages. It has grown rapidly so far and is already experiencing strong M&A activity. It also appears that the current decline in venture capital activity may be sparking some early exits, although investments are still being made and will continue throughout 2016.

Countering targeted attacks has become the most pressing requirement for cyber defense. Long the domain of firewalls, anti-virus, and access controls, the cybersecurity industry is in the midst of a re-invention. As always the industry is driven by threat actors: hackers, cyber criminals, hacktivists, and now nation states.

However, for years the industry’s driving philosophy was to ignore the threat actors and focus on the actual attacks. Firewalls were deployed to limit access to corporate networks. Intrusion Prevention Systems (IPS) were deployed to block known worms and network exploits. Frequently updated anti-virus on the endpoint helped control the spread of malicious software such as Trojans, spyware, and worms. Defenders did not worry about who was attacking them, only the signature of the attack.

The rise of targeted attacks, specifically from nation state actors, can be traced to the 2003-4 Titan Rain incidents where a lone analyst at Sandia Labs, Shawn Carpenter, discovered widespread infiltration of many government research labs and military bases. While well known inside the defense industrial base (DIB) it was not until Mandiant published its APT1 report in 2013 that industry started to respond with new tools and services to the devastating impact of targeted attacks. That report, published the week before the RSA Conference in San Francisco, caused an entire industry to pivot.

One vendor scrapped its product and re-tooled to become a breach detection vendor in the weeks following. Breach detection, sandbox analysis of target-specific malware, network monitoring, packet capture, and threat intelligence services, became the fastest growing sectors in the IT security industry.

Types of threat intelligence vendors

I categorize the types of Threat Intel as: Reputation Services, Malware Analysis, Threat Actor Research, and DarkWeb Research. The providers of feeds and reports hope to gather information that, once consumed by their customers, can identify ongoing attacks, infections, and exfiltration activity.

Reputation services have long been a differentiator for IPS vendors. Identifying and blocking attack traffic at the gateway based on signatures is compute intensive because it requires full packet analysis. It is much easier to block all connection attempts from a particular IP address or Internet domain. Thus Cisco, Tipping Point (HP), Corero, and McAfee (Intel) have incorporated IP reputation into their products.

In the meantime, stand alone IP reputation services have sprung up to offer raw feeds of IP addresses scored on a risk scale. These services can scan IP addresses and websites looking for the presence of malware, or lay traps that identify attacks from particular IP addresses. Norse Corporation claimed over 35 such honeynets deployed around the world to attract attack traffic. They claimed to have records of over 5 million IP addresses (out of 4 billion) that they consider malicious. Of course IP reputation is a fluid quality. An IP address of a server associated with a particular Denial of Service (DoS) attack could become completely benign if the administrator cleans the machine. So IP reputation services have to be updated continuously, creating the business model for a subscription service.

MSSPs such as Dell SecureWorks, Symantec, NTT Solutionary, and TrustWave, collect security event information from all of their customers. They are able to correlate and scrub that data and often provide those feeds to customers, although they have yet to break these feeds out as separate service offerings.

Threat feeds based on malware analysis mirror the types of infrastructure that every antivirus firm has built to inform their own signature update ability. Providers like ThreatGrid (acquired by Cisco) and LastLine, spin up thousands of virtual machines–sandboxes–and instrument them to extract Indicators of Compromise (IoC) which can include: source IP address, Command and Control (C&C) IP addresses, MD5 hashes of the payload and its constituent parts, and other data. 

Threat actor research firms such as Intel 471, FlashPoint Security, Cyveillance and iSIGHT Partners have processes that require much greater human resources to provide. In addition to automated systems, these vendors rely on expert analysts to track particular cyber criminals, hacktivist groups, or teams associated with nation state cyber espionage. Their products are primarily in the form of research reports that contain detailed descriptions of the threat actors, including their Tactics Techniques and Procedures (TTP). This type of report does not lend itself to a feed but most vendors are building APIs so that their data can be queried. Intel 471 has based its offering on a dashboard and feed of the activities of over 9 million separate threat actor identifiers.

[ MORE THREAT INTELLIGENCE: Make threat intelligence meaningful: A 4-point plan ]

Another category of threat research service is that provided for purposes of brand protection or early alerting. Vendors such as BrandProtect, Digital Shadows, and Recorded Future, attempt to identify when a customer is being targeted or even the early planning stages of an attack. They use so-called Open Source Intelligence (OSINT) and tools for mining pastebin, chat channels and anonymous sites hidden within the Tor network to gather their intelligence; the so-called Deep Web.

Here are the vendors I tracked in my first Market Research Report on Threat Intelligence, listed in order of size based on number of employees.

iSIGHT Partners 
Webroot BrightCloud 
Recorded Future
LookingGlass Cyber Solutions
Team Cymru      
Digital Shadows    
FarSight Security 
Intel 471    
iDefense (Verisign)        
Emerging Threats (Proofpoint)

The hardest part of tracking an emerging space is its fluidity. Since I started tracking these vendors the space has seen some disruption. 

Norse Corp appears to be defunct, although its website is functioning. I took their numbers out of my calculations of market size.

iSIGHT Partners, perhaps spooked by plummeting valuations and reported scarcity of new venture investments in the 4th Quarter of 2015, abandoned its aspiration of a 2016 IPO and sold out to FireEye.

IID sold to InfoBlox at a fairly low valuation of $45 million.

But there are signs of a continued strong investment environment in the Threat Intel Space. Digital Shadows announced a $14 million funding in February.

LookingGlass acquired Cyveillance as part of a new influx of investment dollars from NewSpring Capital.

And there are more to come. Just looking at startups in Israel there are six I have been able to identify in the space:

Vigilance Networks
Cyfort Security 
ACID Technologies  

After posting this column I expect to learn of a dozen more.

The threat intel space is fragmented but vibrant. As new vendors enter and the pioneers continue to grow I expect several years of 84 percent growth. Next up: the Threat Intelligence Platform vendors.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)