Security services threat intelligence market to grow 35.5% per year

The security services threat intelligence market is made up of vendors that provide products and services to meet enterprise demands for advanced persistent threat (APT) products and advice, the IDC report explained.

According to the report, the market will be driven by enterprise security needs in a number of areas, including: detection of and possibly defense for APTs; reduction of zero-day malware by providing early detection and near-real-time alerts; defense against professional criminal enterprises, industrial espionage firms, and government agencies engaged in disruptive activities, fraud, espionage, and/or hacktivism; data loss prevention via detection of compromised systems and exfiltrated data and documents, but in passive mode to avoid interference with threat detection and blocking of legitimate traffic; and capture of credentials in the wild from malware drop sites and other exfiltration rendezvous points that organizations themselves would not have the ability to track down and recover.

IDC analysts predict that there will be a consolidation of the market in the next few years, with larger firms acquiring medium-sized firms. Small boutique firms that are not acquired will have to scramble to target individual countries, specific verticals, or certain malware, such as Zeus and botnets. “Relative to the large vendors, small firms will struggle to expand their threat intelligence networks and analysis teams”, said Chris Christiansen, vice president of security products at IDC.

Joe Magee, cofounder and chief technology officer of Vigilant, one of the companies examined in the report, told Infosecurity that his company is “tracking a number of different campaigns related to SpyEye and a number of other threats…. We are seeing more encrypted data being sent, so it is harder to detect SpyEye or Zeus”.

Vigilant’s Collective Threat Intelligence (CTI) product consolidates sources of threat data and executes a range of data enrichment and validation routines. CTI eliminates the manual effort required to digest multiple sources of threat data and to identify and analyze infiltrations, Magee explained.

CTI provides awareness of cyberthreats integrated into customers’ security monitoring tools. The threat feed is an aggregation of a range of global information about botnets, malware, phishing, and other malicious activity. Through integration with security information and event management (SIEM) use cases, it enables the use of SIEM correlation and automation to detect suspicious patterns of activity across the IT infrastructure, the company explained.

“We collect information from over 40 sources…. When we pull the information, we go through a number of quality control checks to validate, prioritize, and normalize all that data”, Magee said.
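The pipeline Magee describes (pull feeds from several sources, validate and normalize the entries, prioritize them, then correlate against SIEM data) is illustrated below with an added example; this is not Vigilant’s CTI code, and the two feeds, the source names and the log lines are constructed for the demonstration.

```python
import csv
import io
import re

# Constructed sample feeds in two different formats (not Vigilant data).
FEED_A_CSV = """indicator,confidence
198.51.100.23,80
EVIL-EXAMPLE.TEST,60
not an indicator,90
"""
FEED_B_LINES = """# constructed plain-text feed, one indicator per line
evil-example.test
203.0.113.7
198.51.100.23
"""
# Constructed log lines standing in for events a SIEM would correlate.
LOGS = [
    "2024-01-01T10:00:00Z proxy allow src=10.0.0.5 dst=evil-example.test",
    "2024-01-01T10:00:01Z fw deny src=203.0.113.7 dst=10.0.0.9",
    "2024-01-01T10:00:02Z dns query=update.example.org",
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")

def parse_csv_feed(text):
    return [(r["indicator"], int(r["confidence"])) for r in csv.DictReader(io.StringIO(text))]

def parse_line_feed(text, default_conf=50):
    # A bare list carries no confidence, so a conservative default is assumed.
    return [(l, default_conf) for l in text.splitlines() if l and not l.startswith("#")]

def normalize(value):
    """Quality-control step: lower-case, strip, and validate; None means 'drop it'."""
    v = value.strip().lower()
    if IPV4.match(v) and all(int(o) < 256 for o in v.split(".")):
        return "ip", v
    if DOMAIN.match(v):
        return "domain", v
    return None

def aggregate(feeds):
    """Merge {source: [(raw, confidence)]} into one normalized indicator table."""
    merged = {}
    for source, entries in feeds.items():
        for raw, conf in entries:
            norm = normalize(raw)
            if norm is None:
                continue  # failed validation, never reaches the SIEM
            kind, val = norm
            rec = merged.setdefault(val, {"type": kind, "sources": set(), "confidence": 0})
            rec["sources"].add(source)
            rec["confidence"] = max(rec["confidence"], conf)
    for rec in merged.values():
        # Prioritize: corroboration by several sources outranks one source's confidence.
        rec["priority"] = len(rec["sources"]) * 100 + rec["confidence"]
    return merged

def match_logs(merged, log_lines):
    """Correlate indicators against events; highest-priority hits first."""
    hits = []
    for line in log_lines:
        for token in re.findall(r"[A-Za-z0-9.-]+", line.lower()):
            if token in merged:
                hits.append((token, merged[token]["priority"], line))
    return sorted(hits, key=lambda h: -h[1])

FEEDS = {"feed_a": parse_csv_feed(FEED_A_CSV), "feed_b": parse_line_feed(FEED_B_LINES)}
```

Running `match_logs(aggregate(FEEDS), LOGS)` drops the malformed entry, merges the indicator seen in both feeds into one record with both sources, and returns the proxy hit ahead of the firewall hit because the domain is corroborated by two feeds.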