5 Reasons You Need a Threat Intelligence Solution
A threat intelligence solution is a hardware appliance deployed between an edge router and your firewall and is dedicated to blocking malicious IP addresses at the perimeter. Right away you might be thinking, “Why do I need a threat intelligence solution? Isn’t that what my firewall or intrusion prevention system (IPS) does?” In most cases, yes. But the job of your security architecture is to keep moving the goal line further away—making it harder for the bad guys to penetrate your defenses. Because they never stop trying. The real question is whether a threat intelligence solution adds incremental value and directly addresses the problem of an attacker getting around your firewall and/or IPS.
Here are five reasons to add threat intelligence to your security architecture:
- Catch problems your firewall doesn’t
Let’s start with the most compelling reason. It’s not that firewalls and IPSs don’t add immense value; it’s just that they don’t stop all attacks. It’s hard for a single solution to provide all the types of security needed to stop the creative and intelligent forces at work against you. Recently Ixia set up a proof of concept with a large global service provider to demonstrate the value of ThreatARMOR, our threat intelligence solution. The appliance was set up in “recording mode” rather than “blocking mode” so the security team could see what ThreatARMOR was identifying, without the risk of impacting network traffic. Several weeks later, with the PoC running largely unattended in the background, the provider suffered a major security breach. During the subsequent investigation, an analyst noticed that ThreatARMOR had recorded communications between a malicious site and one of the company’s servers—a server they thought had been decommissioned. Sounds like a textbook example of a successful hack. If only ThreatARMOR had been given the green light for deployment and switched into blocking mode…
- Reduce the alert pressure on your security team
Another compelling reason to add threat intelligence is to reduce the number of security alerts your team receives for investigation—particularly if they are having trouble keeping up and you worry about what could be hiding in the backlog. Threat intelligence allows you to automate some of the work your team is asked to perform—verifying malicious traffic. ThreatARMOR uses a cloud-based intelligence feed to receive constant updates on all IP addresses known to be compromised. Using this information, ThreatARMOR removes all packets traveling to or from these sites, so they never even arrive at your firewall or IPS. This reduces the number of security alerts your security appliances issue. The alerts that are issued are more likely to come from new or emerging sources and be a better use of time for your skilled staff. Hyper Box, a large service provider in Japan, reported an immediate 80% reduction in security alerts after their deployment of ThreatARMOR.
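The recording-versus-blocking behaviour described in the first two reasons, as an added example that is not Ixia’s or ThreatARMOR’s code: a minimal IP-reputation filter in Python run over a constructed feed and constructed flow records (documentation-range addresses), showing what recording mode logs for an analyst and what blocking mode keeps from ever reaching the firewall or IPS.

```python
import ipaddress

# Constructed threat feed (documentation-range placeholders, not a real feed):
# entries may be single hosts or CIDR prefixes.
THREAT_FEED = ["203.0.113.0/24", "198.51.100.17"]

# Constructed flow records: (source IP, destination IP). 192.0.2.77 plays the
# "decommissioned" server from the article; 192.0.2.0/24 is the internal range.
FLOWS = [
    ("192.0.2.10", "93.184.216.34"),
    ("192.0.2.77", "203.0.113.45"),
    ("198.51.100.17", "192.0.2.20"),
    ("192.0.2.10", "192.0.2.20"),
    ("192.0.2.77", "203.0.113.9"),
]

class ReputationFilter:
    """Records or drops flows that touch a feed entry, depending on mode."""

    def __init__(self, feed, mode="record"):
        assert mode in ("record", "block")
        self.mode = mode
        self.hits = []  # (src, dst, matched feed entry)
        self.update_feed(feed)

    def update_feed(self, feed):
        # Called on every feed refresh (the article's five-minute cadence).
        # Exact hosts go in a set for O(1) lookups; prefixes are scanned in turn.
        nets = [ipaddress.ip_network(e, strict=False) for e in feed]
        self.hosts = {n.network_address for n in nets if n.num_addresses == 1}
        self.prefixes = [n for n in nets if n.num_addresses > 1]

    def match(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.hosts:
            return str(addr)
        return next((str(n) for n in self.prefixes if addr in n), None)

    def process(self, flows):
        passed = []  # flows handed on to the firewall/IPS
        for src, dst in flows:
            hit = self.match(src) or self.match(dst)
            if hit:
                self.hits.append((src, dst, hit))
                if self.mode == "block":
                    continue  # dropped at the perimeter, no downstream alert
            passed.append((src, dst))
        return passed

    def internal_hosts_talking_to_feed(self, internal="192.0.2.0/24"):
        # The analyst's view: which of our hosts spoke to a feed entry?
        net = ipaddress.ip_network(internal)
        return sorted({ip for s, d, _ in self.hits for ip in (s, d)
                       if ipaddress.ip_address(ip) in net})
```

In recording mode every flow still passes but the hits list already names the internal hosts worth investigating; in blocking mode those flows never reach the downstream appliances.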
- Improve performance of security appliances
If you compare threat intelligence solutions to traditional security appliances, you will see why they are complementary and not substitutes. NGFWs and IPSs are designed primarily to perform deep packet inspection by looking for the signatures of threats and attacks. The ThreatARMOR appliance is designed for super-fast identification of IP addresses from a very large database. Internal tests at Ixia found that when asked to filter large numbers of non-sequential IP addresses, NGFWs suffer greater rates of connection failures, increased latency, and decreased throughput. ThreatARMOR deployed in front of the same appliances yielded an average 50% improvement in transaction rate and throughput. By offloading some of the grunt work from your high value security appliances, you can actually help them work more efficiently. And by reducing their overall workload you may also be able to delay or reduce the need to increase capacity to stretch your security budget.
- Ease capacity constraints on your NGFW and IPS
With traffic volumes increasing at record rates, you may be facing capacity shortages on the firewall or IPS deployed at your perimeter. Upgrading these devices can be costly and take a big chunk out of your security budget. So, the fourth reason to add threat intelligence to your architecture is strictly economic. As you remove malicious traffic, you also reduce the workload on your security appliances and create more headroom. If that eliminates the need for an upgrade, you can calculate a nice positive return on the investment to your management team.
- Get automatic and verified updates, every five minutes
There are many sources of security intelligence available today. The problem is making the data actionable without adding work to an under-resourced security team. Ixia’s dedicated team in the Application and Threat Intelligence Research Center integrates hundreds of intelligence sources into a comprehensive database that you can start using immediately. ThreatARMOR is ready to go right out of the box, with no need to configure filters or establish policies. Plug it in and the ThreatARMOR appliance starts receiving automatic intelligence updates every five minutes, with no need for staff intervention. What really differentiates the solution though is that Ixia is constantly verifying every threat and provides detailed information on any IP address that is blocked, so you always know what you’re dealing with and don’t need to worry about false positives.