For Security & Risk Professionals

Vendor Landscape: External Threat Intelligence,
2017
Tools And Technology: The Security Architecture And Operations Playbook

by Josh Zelonis
June 26, 2017 | Updated: July 14, 2017

Why Read This Report

The threat intelligence market is muddled by confusing messaging that has hurt security and risk (S&R) pros’ ability to succeed with their intelligence capabilities. This report provides a course correction for the industry by clearly delineating the offerings of 30 vendors that provide externally sourced intelligence. It also offers a guide for using this data to build a successful threat intelligence capability.

Key Takeaways

Threat Intelligence Marketing Is Not Intelligent
Threat intelligence refers to a wide range of products and services, which makes it difficult to compare offerings. This report brings clarity to three key differentiators: tactical indicators, raw intelligence, and finished intelligence. We give examples of each of these offerings and the vendors that provide them.

Develop Your Security Strategy With Threat Intel
S&R pros must build their intelligence capability on a foundation of strategic intelligence to understand the threat landscape. Develop a risk register and implement targeted process improvements, using risk prioritization to justify your security spend.

Don’t Get Hung Up On “Trailing” Indicators
Tactical indicators are called “trailing” because they require observation, analysis, and sharing before they can be used. Understanding the fundamental nature of these historical indicators is essential to identifying their appropriate use cases.


by Josh Zelonis with Stephanie Balaouras, Bill Barringham, and Peggy Dostie

Table Of Contents

Use External Intelligence To Understand And Prevent Threats
    External Threat Intelligence Allows You To Detect And Even Prevent Attacks
    Vendors Market Varying Levels Of Processing And Analysis As Threat Intelligence
Select Vendors According To Your Firm’s Maturity, Vertical, And Size
    Follow Three Simple Steps When Building A Threat Intelligence Capability
    As Your Intelligence Capabilities Mature, Target Your Research
    Advanced Organizations Can Respond Aggressively To Threats
Recommendations
    Develop A Holistic Threat Intelligence Capability
Supplemental Material

Related Research Documents

Achieve Early Success In Threat Intelligence With The Right Collection Strategy
The Risk Manager’s Handbook: How To Identify And Describe Risks
Top Cybersecurity Threats In 2017

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
© 2017 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. Citations@forrester.com or +1 866-367-7378

Use External Intelligence To Understand And Prevent Threats

In The Seven Basic Plots: Why We Tell Stories, Christopher Booker demonstrates that all storytelling, from Greek drama through Hollywood blockbusters, leverages the same basic plot mechanisms.[1] Similarly, there are only so many motivations and techniques for stealing information. The hardest patterns for attackers to change are their tactics, techniques, and procedures (TTPs) — how they do things (see Figure 1).[2] S&R pros can use external threat intelligence to understand trends and plotlines of attacks against other organizations, which you can use to better prepare for when those threat actors inevitably turn their attention toward you.

FIGURE 1 Tactics, Techniques, And Procedures Are The Hardest Patterns For Cyberattackers To Change

TTPs: Tough!
Tools: Challenging
Network/host artifacts: Annoying
Domain names: Simple
IP addresses: Easy
Hash values: Trivial

Source: David Bianco, “The Pyramid of Pain,” Enterprise Detection & Response, January 17, 2014

External Threat Intelligence Allows You To Detect And Even Prevent Attacks

A cyberattack does not start with exploitation and end with exfiltration. Criminals plan carefully how they will develop the infrastructure they need to make an attack and then monetize the effort.[3] That means S&R pros must also plan carefully to detect and prevent such attacks. How can external threat intelligence help? It lets you:

›› Preempt attempts to defraud customers with impersonating domain registrations. Today’s organizations are aware of the innate reputational risk associated with an attacker impersonating them to defraud customers. Even if your organization wasn’t a part of the attack chain, your brand will suffer. It’s important to detect when attack infrastructure is being created to stay a step ahead of attackers trying to impersonate your organization. One emerging threat that has gained attention lately is homograph attacks, in which attackers use Unicode characters to create domains that are indistinguishable from legitimate domain names.[4]

›› Track exploit kits to prioritize patching. Understanding attack trends and the use of exploit kits is a critical first step in developing a strategy to combat ransomware and other similar malware-based attacks.[5] By collecting tactical intelligence from exploit kit advertisements, you can identify common vulnerabilities and exposures (CVEs) being exploited and prioritize patching to prevent your organization from being compromised.[6]

›› Detect breaches by monitoring darknet marketplaces for stolen data. One place you can intercept an attack is at the point of data commoditization. Although detecting the sale of stolen data is not an ideal time to identify an attacker moving against your organization, considering dwell times for external attackers average 107 days — it’s better to be aware of the breach than to unknowingly allow it to persist.[7] For example, a credit card processor identified GameStop as the common link between cards being sold online this year.[8]

Vendors Market Varying Levels Of Processing And Analysis As Threat Intelligence

The intelligence cycle is the process by which a question is asked, researched, and answered. During this process, organizations collect, process, and analyze data to turn it into a finished intelligence product (see Figure 2). Organizations will take over this analysis at different stages of the intelligence cycle, depending on their operational maturity, which is why vendors offer three types of intelligence — tactical indicators, raw intelligence, and finished intelligence.

FIGURE 2 The Synthesis Of Quantitative Analysis And Qualitative Judgment

Relationship of data, information, and intelligence:
Operational environment -> (Collection) -> Data -> (Processing and exploitation) -> Information -> (Analysis and production) -> Intelligence

Source: Joint Intelligence/Joint Publication 2.0 (Joint Chiefs of Staff)

›› Tactical indicators are useful if there’s enough context. Indicators of compromise (IoC) are file hashes, IP addresses, domain names, or other patterns that S&R pros can use to detect a threat or compromise. One important caveat is the need for context when using these indicators. The STIX language uses 12 different domain objects to describe threats, with indicators only being one of them.[9] You must understand the context surrounding an indicator to understand the implication to your organization when triggering an alert based on this indicator. For instance, Symantec has assigned a “very low” risk level to the Trojan.Corentry malware.[10] How would your organization respond to the knowledge there was a malware-infected system on your network? What if it was a very low risk? What if the implication was the CIA had infiltrated your organization?[11] You simply should not spend money on indicator feeds that don’t provide context beyond indictment.

›› Raw intelligence has been collected and processed but not analyzed. Frequently, raw intelligence is offered through API access, enabling search or alerting based on keywords or other information (see Figure 3). One example is pastebin alerts, which allow users to specify keywords that, if pasted, will generate email alerts.[12] This is raw, not finished, intelligence because the alert just shows that you have a keyword match and does not include the sentiment or details of the user who pasted the text. Similarly, while a reverse engineer may be said to analyze a piece of malware, that analysis does not become part of a finished intelligence product until it’s paired with additional context, such as where it has been observed in the wild, associated threat actors, and motivations to better understand the risk posed by the malware.

›› Finished intelligence is consumable and doesn’t require final analysis. Finished intelligence is more than just reportage; it requires interpretation and putting the raw intelligence into context. For instance, during analysis and production, the CIA “take[s] a closer look at all the information and determine[s] how it fits together, while concentrating on answering the original tasking.”[13] There are several types of finished intelligence; each category represents a unique task for your external threat intelligence service provider with requests for intelligence (RFIs) as your ability to leverage directed research (see Figure 4).

FIGURE 3 Raw Intelligence Does Not Provide Context

Malware analysis: Detailed analysis performed by reverse engineers or forensic investigators to identify critical elements such as network/host artifacts, vulnerabilities exploited, and other related indicators that help you understand the tactics, techniques, and procedures in use

Compromised account data: The ability to query or alert on accounts compromised in public breaches or leaked from covert sources

Raw intelligence access: API or portal-driven search capability for querying collected data for keywords related to brand, identity, or other indicators

FIGURE 4 Finished Intelligence Puts Raw Intelligence Into Context

Executive protection: Monitoring against impersonation, defamation, targeted threats and exposure to untargeted threats due to travel, as well as leaked personal information

Fraud intelligence: Monitoring for information leakage, laundering schemes, and other evidence of scams targeting the organization. An important part of delivering this as a finished product is the ability to track down the source of the information leak that fraudsters are attempting to commoditize

Brand protection: Monitoring against impersonation, defamation, or hijack of accounts, or intent to damage the revenue or reputation of the brand

Vulnerability risk: Reporting on exploitation trends to allow businesses to prioritize vulnerability remediation efforts in the context of their threat landscape

Threat actor data: Detailed profile of an actor’s tactics, motivations, and capabilities to allow an organization to assess risk, combined with associated indicators to assist with detection, attribution, and removal of the threat

Insider threat: Monitoring of websites and forums for the recruitment of insiders or monitoring attempts to sell privileged data

Third-party risk: Assessment and scoring of third parties’ security posture, susceptibility to attack, and evidence of data leakage to identify risk of incorporating them into your supply chain

Strategic intelligence: Executive consumable intelligence reports that inform security strategy and provide understanding of the threat landscape

Request for intelligence: Ability for customers to request an enriched, targeted investigation

Select Vendors According To Your Firm’s Maturity, Vertical, And Size

A common question we hear from clients is, “What indicator feeds should I subscribe to?” Unfortunately, there’s no simple answer. Recommendations vary based on your company’s maturity, vertical, and size. To help S&R pros make sense of the landscape, choose a vendor, and build a road map for integrating external threat intelligence into their organizations, we’ve charted 30 external threat intelligence vendors and their capabilities. And because it’s also important to understand where the information comes from to properly assess how to prioritize and ingest it, we’ve included the vendor-reported ratios of the intelligence sources they use for collecting their data (see Figure 5 and see Figure 6).

FIGURE 5 Understanding The Major Sources Of External Threat Intelligence

Surface web: The surface web is the part of the internet that is indexed by search engines, where information is freely accessible. While this type of intelligence is occasionally met with disdain because it is collected from public sources, this disdain ignores two critical factors: Criminals face a market imperative of providing an accessible marketplace for their goods, and people commonly make mistakes with operational security. The reality is that there is a lot of valuable information that you can derive from open sources, but there’s no guarantee that what you are getting isn’t repurposed marketing material.

Deep/dark web: The deep web represents a collection of sites that are censored by search engines, require authentication, or are only accessible via specific network protocols to access. The dark web is a subset of this, requiring the use of TOR or similar protocols to establish exclusivity and anonymity. Frequently, the information gathered from the deep web requires a human to establish credibility to gain access to assets, making this a very specialized and sensitive source of intelligence.

Social media: Social media could arguably be categorized as deep web since it is not indexed by search engines; however, social is so pervasive that it would be fairer to think of it as “shallow web.” Social media monitoring is frequently associated with reputation risk, which is why this is frequently seen in messaging by digital risk monitoring companies.

Sensor networks: Sensor networks vary, from network monitors across the globe that detect the registration of new domains, to endpoint products performing static analysis of unknown files, to SIEM alerts coming out of global managed security service providers. This information tends to be very tactical and requires a lot of further analysis to attribute to an actor before it can become finished intelligence.

FIGURE 6 External Threat Intelligence Vendors And Capabilities

Capability column groups: Tactical indicators; Raw intelligence; Finished intelligence

Vendor focus:

4iQ: Identity, digital risk monitoring
AlienVault: Open, threat sharing network
CrowdStrike: Adversarial intelligence, endpoint monitoring
Digital Shadows: Analyst-curated, tailored intelligence
DomainTools: Breadth of domain registration data
FireEye: Adversarial intelligence, real-time detection
Flashpoint: Targeted data acquisition, analyst expertise
Group-IB: Targeted intelligence, Russian expertise
IBM: Reputation services and actionable intel
InfoArmor: Operatively sourced threat intelligence
Intel 471: Human collection of closed source, cybercrime
Kaspersky: Sensor-driven, advanced persistent threat (APT) research
LookingGlass: Breadth of collection, automated integration
Optiv: Threat intel collected from MSSP clients
PhishLabs: Directly sourced cybercrime intelligence
PhishMe: Human-vetted, antiphishing intelligence
Proofpoint: Analyst expertise, global sensor network
PwC: Strategic focus on global and targeted threats
Q6 Cyber: Analyst expertise, underground sources
Recorded Future: Breadth of collection, automated processing
RiskIQ: Breadth of collection, automated processing
SecureWorks: Diverse collection of internal sources as MSSP
SecurityScorecard: Brand protection, third-party risk
SenseCy: Analyst language proficiency, automation
SurfWatch Labs: Individualized analyst services, unlimited RFI
Symantec: Adversarial intelligence, global sensor network
Terbium: Dark-web monitoring, fuzzy hashing of results
ThreatConnect: Analyst-curated, open source intelligence
Webroot: Automated analysis with machine learning
ZeroFOX: Automated collection, machine learning analysis

FIGURE 6 External Threat Intelligence Vendors And Capabilities (Cont.)

Intelligence sources (vendor-reported ratios):

Vendor               Surface web   Deep/dark web   Social media   Sensor networks
4iQ                  15%           70%             15%            0%
AlienVault           1%            1%              0%             98%
CrowdStrike          25%           25%             25%            25%
Digital Shadows      68%           10%             20%            2%
DomainTools          0%            0%              0%             100%
FireEye              15%           25%             15%            45%
Flashpoint           10%           80%             5%             5%
Group-IB             5%            49%             1%             45%
IBM                  1%            36%             0%             63%
InfoArmor            30%           50%             5%             15%
Intel 471            0%            100%            0%             0%
Kaspersky            7%            5%              3%             85%
LookingGlass         30%           26%             13%            31%
Optiv                60%           10%             5%             25%
PhishLabs            5%            10%             10%            75%
PhishMe              0%            0%              0%             100%
Proofpoint           0%            0%              0%             100%
PwC                  10%           10%             5%             75%
Q6 Cyber             10%           50%             10%            30%
Recorded Future      31%           24%             11%            34%
RiskIQ               20%           25%             25%            30%
SecureWorks          12%           11%             11%            66%
SecurityScorecard    40%           20%             15%            25%
SenseCy              15%           50%             25%            10%
SurfWatch Labs       35%           35%             30%            0%
Symantec             8%            15%             12%            65%
Terbium              0%            100%            0%             0%
ThreatConnect        99%           0%              0%             1%
Webroot              0%            5%              5%             90%
ZeroFOX              20%           15%             65%            0%

Follow Three Simple Steps When Building A Threat Intelligence Capability

Many Forrester clients question not only the effectiveness of threat intelligence capabilities in the enterprise but also the cost of products, feeds, and headcount. Fortunately, you can obtain and demonstrate immediate benefits with your initial investment in three simple steps:

1. Focus on finished intelligence to reduce staffing requirements. You don’t need to make any immediate hiring decisions to get started with threat intelligence. Many of the vendors we surveyed provide finished-intelligence-as-a-service, which you can consume immediately. Not only will this new vendor relationship help you understand and communicate threat more effectively, you’ll also immediately expand the capabilities of your security operations center (SOC). As you make your initial investments, use an RFI to leverage the intelligence vendor for reverse engineering capabilities on unknown files.

2. Use strategic intelligence and RFIs to understand the threat landscape. Your initial goal with threat intelligence should be to evolve your own security strategy decision making beyond best practices and into informed decisions based on the current and evolving threat landscape. This report outlines many types of finished intelligence offerings to help you get started. From this vendor survey, focus on vendors that collect and analyze data from a breadth of sources.

3. Learn and ask questions. Threat intelligence is a nuanced art form. Don’t fall into the trap of investing in tactical indicator feeds right away; your organization won’t be able to leverage this type of intelligence effectively.

As Your Intelligence Capabilities Mature, Target Your Research

As you go through the intelligence cycle, keep an eye on how you can improve the process and overall output. Armed with an understanding of the threat landscape and how these attacks manifest in your organization, tailor your collection strategy to operationalize your new intelligence capability. Next, invest in raw and finished intelligence offerings to gain more visibility into the threats you’ve identified. At this point you will need to bring an analyst on staff to help develop your collection strategy, manage the intelligence data, and prepare briefings.

›› Create a risk register to track identified threats to your organization. Your strategic intelligence capability should produce a document that identifies key risks, actors, and business impact of these threats.[14] Be prepared to address these threats and show how your security strategy is aligned to reduce these risks. Enrich your intelligence capability by focusing on these specific threats to your organization.

›› Deconstruct attack patterns and target intelligence at various stages. Here’s where intelligence from specific sources such as the deep web can help you target the intelligence you’re collecting. Specific use cases will factor into your decision making when you develop a complex collection strategy using multiple feeds. Look for vendors that collect data from multiple sources. Use a sensor network to capture events such as domain registration as adversaries are building attack infrastructure. Subscribe to feeds that track the advertising of exploit kits on social media to identify new features and vulnerabilities being exploited. Monitor the resale of stolen credentials on the dark web, not only to identify information leaking from within your organization, but also to stay alert for customers who may be susceptible to credential stuffing.

›› Understand that no single vendor will be able to serve your needs. Vendors that specialize in collecting from sources like the dark web will offer particular insights that you can benefit from, but you’ll need a multivendor solution. Other vendors, such as ones with a sensor network that blankets the internet, will collect and report on events in a different time frame and of a different nature. Having diversified sources will allow you to reap the benefits of these perspectives.

Advanced Organizations Can Respond Aggressively To Threats

The biggest mistake technologists make with intelligence is thinking it’s something they can just put into their security information management (SIM) or security analytics platform. While it’s understandable to want to get something intelligent out of your SIM, this is not an effective use of this data, and it will lessen the operational effectiveness of your SOC. Herein lies the challenge of real-time streaming analysis — IP addresses, DNS names, and other tactical indicators are too transient for you to efficiently detect, share, and monitor. Instead:

›› Manage your threat intelligence in a central location. As your organization begins working with large quantities of intelligence data, it’s important to have a place to centralize the collection and analysis of this data. Threat intelligence platforms automate a lot of these tasks and may even integrate with your orchestration tools to automatically enrich alerts, which will make your SOC more efficient.

›› Perform link analysis on detected threats to hunt for further compromise. The value of tactical indicators is in their relationships. Even without attribution to a threat actor, being able to associate two indicators that were observed in the same time and place allows you to infer that they may be related. Searching historical data for loosely correlated events, however, can expose a wider compromise, reducing your time to detection on events your mitigation strategies didn’t identify.

›› Hunt for artifacts of the threat actors associated with your risk register. Understanding your adversary, including their tactics, sophistication, and funding, enables you to defend proactively against a known offense. You can’t do this without strategic intelligence. Knowing how they are tooling and other attributable information about them will allow you to actively hunt for signs of intrusion.

Recommendations

Develop A Holistic Threat Intelligence Capability

To successfully detect and prevent cyberattacks, S&R pros must look both outside and inside of their organizations:

›› Make strategic intelligence the foundation of your security program. An understanding of the threat landscape allows you to effectively prioritize security spend, focusing on mitigation of threats your organization needs the most. Tooling for the adversary will not only decrease alert volume, but ensure that generated alerts are more salient.

›› Try it before you buy it. While this recommendation is tailored more toward finished intelligence, external threat intelligence vendors should be happy to demonstrate the quality of analysis and writing behind their research. Ask vendors for sample or redacted reports. These will help you understand the final work product you are subscribing to.

›› Close the loop with your own internal intelligence. External intelligence provides valuable information about the threat landscape and what is going on beyond your own perimeter. That said, don’t neglect your internal sources. Intelligence generated from within your organization is the most relevant and actionable intelligence available to you, and it’s free!

Supplemental Material

Companies Interviewed For This Report

We would like to thank the individuals from the following companies who generously gave their time during the research for this report.

4iQ
AlienVault
CrowdStrike
Digital Shadows
DomainTools
FireEye
Flashpoint
Group-IB
IBM
InfoArmor
Intel 471
Kaspersky
LookingGlass
Optiv
PhishLabs
PhishMe
Proofpoint
PwC
Q6 Cyber
Recorded Future
RiskIQ
SecureWorks
SecurityScorecard
SenseCy
SurfWatch Labs
Symantec
Terbium
ThreatConnect
Webroot
ZeroFOX

Endnotes

[1] Source: Kasia Boddy, “Everything ever written boiled down to seven plots,” The Telegraph, November 21, 2004 (http://www.telegraph.co.uk/culture/books/3632074/Everything-ever-written-boiled-down-to-seven-plots.html).

[2] Source: David Bianco, “The Pyramid of Pain,” Enterprise Detection & Response, January 17, 2014 (https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html).

[3] While not all cyberattacks are motivated by profit, the ability to make money from cyberattacks warrants the capital investment of time and architecture to perform the attack.

[4] Source: Mohit Kumar, “This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera,” The Hacker News, April 17, 2017 (https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html).

[5] See the Forrester report “Top Cybersecurity Threats In 2017.”

[6] Source: “Bye Empire, Hello Nebula Exploit Kit,” Malware don’t need Coffee, March 3, 2017 (http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html).

[7] Source: “M-Trends Reports,” FireEye (https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html).

[8] Source: Steven Petite, “Gamestop.Com Customers’ Credit Card Information May Have Been Compromised,” Digital Trends, April 8, 2017 (https://www.digitaltrends.com/gaming/gamestop-online-security-breach/).

[9] STIX stands for Structured Threat Information eXpression. Source: “About STIX,” Github (https://oasis-open.github.io/cti-documentation/stix/about.html).

[10] Source: “Trojan.Corentry,” Symantec, November 26, 2015 (https://www.symantec.com/security_response/writeup.jsp?docid=2015-111823-1849-99).

[11] Source: “Longhorn: Tools used by cyberespionage group linked to Vault 7,” Symantec Official Blog, April 10, 2017 (https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7).

[12] Source: “Pastebin ‘My Alerts,’” Pastebin, April 17, 2012 (https://pastebin.com/PNxAR80G).

[13] Source: “The Intelligence Cycle,” Central Intelligence Agency, March 23, 2013 (https://www.cia.gov/kids-page/6-12th-grade/who-we-are-what-we-do/the-intelligence-cycle.html).

[14] See the Forrester report “The Risk Manager’s Handbook: How To Identify And Describe Risks.”