The first comprehensive study on cyber Threat Intelligence Platforms (TIPs) focused on the needs of consumers, users, developers, vendors and the security research community.
The study channels its efforts into identifying some of the key opportunities and limitations of existing platforms and solutions, since information exchange formats and tools remain central items on the agenda of the cybersecurity community in general, and particularly of incident responders.
The project came as an acknowledgment of the increasing demand for relevant and ‘context aware’ security data, as information security management is becoming a key component of any modern organisation.
For the purpose of this project, ENISA has engaged leading field experts and has researched existing tools, practices and the academic literature on TIPs. The report concludes with a series of actionable findings and recommendations, so that the current limitations of TIPs are addressed and overcome.
Furthermore, the report presents a detailed overview of the users of these platforms, the main functional areas of TIPs as well as the current landscape of the TIPs used globally by different teams (CTI teams, SOCs, CSIRTs/CERTs, ISACs, etc.).
The report concludes with a series of recommendations addressed to users and organisations, TIPs developers and vendors as well as the research community and academia.
➢ ENISA recommends that organisations focus on their specific requirements and needs before developing and deploying TIP solutions. In addition, ENISA strongly encourages organisations to check whether the different cyber intelligence activities they undertake are enabled by technology platforms and systems. Moreover, organisations are encouraged to invest time in proofs of concept with open source TIPs, to familiarize themselves with the benefits of such systems before making any significant financial investment.
➢ ENISA encourages TIP solution developers to focus more on enhancing TIP analysis capabilities by providing efficient threat triage and relevancy assessment. In addition, TIPs should come with more flexible and usable trust modelling functionalities. Furthermore, TIP developers and vendors are encouraged to provide threat information consumers with functionalities that inform them if the confidence and accuracy of the shared information are not guaranteed by the source.
➢ ENISA calls upon the research community and academia to continue pursuing and investigating the benefits of TIPs, and the means by which these platforms may mature further.
The report is complemented by a TIPs maturity model assessment scheme provided as an ANNEX.
As a centre of expertise in the field of cyber security, ENISA will continue to monitor the evolution of threat intelligence platforms and services, as part of the Agency’s commitment to contribute to a more secure and safe cyberspace.
The full report can be consulted here [pdf document].