The rise of threat intelligence gateways

According to ESG research, enterprise organizations continue to invest in all types of threat intelligence (note: I am an ESG employee). For example, 60 percent of organizations have had a threat intelligence program in place for more than two years, 69 percent consume six or more open-source or commercial threat intelligence feeds as part of cybersecurity analytics efforts, and 72 percent of enterprises plan on increasing spending on their threat intelligence programs over the next 12 to 18 months.

Why is threat intelligence gaining momentum? Security professionals know that because they can’t block every conceivable cyber attack, they need to collect, process and analyze all types of internal and external security data to improve their incident detection and response capabilities. Many also want to use threat intelligence more proactively for threat prevention. In fact, 36 percent of enterprise cybersecurity professionals say their organizations intend to use threat intelligence feeds to automate remediation actions over the next 24 months.

Hmm, this seems like a good idea. When threat intelligence points to bad IP address, URL or DNS lookups, why not simply block them from the get-go? Unfortunately, this hasn’t always been easy in the past, as it involved normalizing disparate threat intelligence feeds, building custom dashboards and rule sets, integrating various network security devices, etc. 

These issues are actually a microcosm for the state of threat intelligence today—lots of great data and good ideas, but it seems like it’s always much more difficult to operationalize threat intelligence than it should be.

Enter threat intelligence gateways. These devices from vendors such as Centripetal Networks, Ixia and Lookingglass Cyber Solutions are designed to alleviate the data management, policy management and technology integration challenges described above. How? With simple fixed-function network security appliances that:

1. Consume threat intelligence. Threat intelligence gateways are designed to consume threat intelligence directly, obviating the need to normalize cryptic threat intelligence feeds or integrate various types of threat intelligence and security analytics with network security infrastructure.
2. Provide options for policy management. Rather than relying on custom analysis and rule sets, threat intelligence gateways provide policy management dashboards and tools. This give the security team the ability to easily configure rule sets to block known threats based upon risk scores, threat sources, etc. In this way, threat intelligence gateways can help a CISO create company-specific policies for blocking industry-focused attacks, targeted attacks and more pedestrian “noise” from threat actors.
3. Operationalize threat intelligence. Threat intelligence gateways aren’t quite “set-it-and-forget-it” appliances, but they can be very efficient in helping organizations streamline security operations while mitigating risk—without requiring a lot of one-off integration or customized code. 

Threat intelligence gateways are typically positioned between an edge router and a firewall and can start to deliver value pretty quickly. In this deployment model, threat intelligence gateways can also filter traffic and thus improve firewall throughput.

Now, I know what you are thinking: “Why not just do this with a next-generation firewall and alleviate the need for another box?” Good question, as this functionality is certainly offered by leading firewall vendors such as Cisco, Check Point, Fortinet, Juniper and Palo Alto Networks.

In fact, firewalls can filter traffic based on threat intelligence, but this process can consume network resources and processor cycles, impacting firewall performance in some cases. And threat intelligence gateways are fixed-function devices designed for simple policy management for threat intelligence-based remediation rules.  Alternatively, NG-firewalls are built for a wide assortment of application, network, threat and user-centric rules. Threat intelligence remediation rules may be difficult to configure and manage or may not offer the granularity of a dedicated appliance.   

Threat intelligence gateways aren’t for everyone, but large organizations with massive global networks have a large target on their backs and need all the help they can get.  For these enterprises, threat intelligence gateways may provide strong benefits for relatively little cost.