In our recent blog post, “Importance of Threat Intelligence Increasing in NIST Cybersecurity Framework,” we discussed how threat intelligence is becoming a more critical component of the NIST Framework. In this post, we will look at how threat intelligence gateways (TIGs), and specifically Bandura’s PoliWall TIG™, can help companies of all sizes better align to the NIST Cybersecurity Framework.
What is a Threat Intelligence Gateway (TIG)?
Threat intelligence gateways (TIGs) are an exciting new area of cybersecurity technology. TIGs are purpose-built security solutions that use massive volumes of threat intelligence indicators (IPs and domains) to block known threats and unwanted traffic from entering your network. Now you may say, “Hey, that’s what my firewall does!”
The answer is yes and no. While many firewalls incorporate an element of threat intelligence, they are only able to use a very small subset of the available threat intelligence indicators. This is because they weren’t architected to handle the massive volume of threat indicators that exist today. To put this in perspective, at any given time there are 10+ million known threats, and the best firewalls can only consume indicators covering 3% of these.
The result? An expanded attack surface, more alerts, and more load on our staff (i.e. alert overload, manual firewall log analysis).
At Bandura, we saw this problem several years ago, which led us to pioneer the TIG market with the development of our PoliWall TIG solution. PoliWall TIG sits in front of the firewall and can leverage hundreds of millions of threat indicators to detect and block known threats at massive scale with virtually no latency.
Over 100 customers have deployed the PoliWall solution, and they are seeing clear benefits, including a significant reduction in attack surface, fewer events from firewall and SIEM systems, and more efficient use of scarce security staff. Customers are also getting more out of their firewalls.
The cool thing about TIGs is that they are helping companies of all sizes leverage the power of threat intelligence. Small and midsized companies that haven’t had the resources to use threat intelligence can use a TIG to easily and cost-effectively incorporate threat intelligence into their cyber protection efforts. Large enterprises that already use threat intelligence are looking to integrate it with TIGs in order to operationalize that intelligence and make it actionable.
How PoliWall TIG Can Help You Better Align to the NIST Cybersecurity Framework
As we discussed in the previous blog, consuming, operationalizing, and sharing threat intelligence is becoming a more important element across the NIST Framework. PoliWall TIG can help companies of all sizes better align to the core functions of the Framework and progress through the implementation tiers (i.e. maturity curve).
TIGs Help Alignment with Multiple Key Framework Functions
The NIST Cybersecurity Framework consists of five key functions: Identify, Protect, Detect, Respond, and Recover. The use of a threat intelligence gateway like PoliWall TIG can help organizations align to multiple functions.
- Identify - Threat intelligence is becoming a requirement for organizations to better understand their cyber risk, a key goal of this function. The Framework specifically highlights that “cyber threat intelligence is received from information sharing forums and sources.” PoliWall TIG comes pre-integrated with millions of threat indicators from commercial, open source, industry (e.g. ISAC blacklists), and government sources, enabling companies to better identify cyber risks and threats. To date, threat intelligence has been used largely by large enterprises with significant resources. Now, with PoliWall TIG, small and midsized companies can easily and cost-effectively leverage threat intelligence to gain greater visibility into cyber threats.
- Protect - PoliWall TIG can be used to enhance prevention efforts by enabling companies to operationalize threat intelligence and block the massive volume of known threats before they get to the firewall. Companies can leverage PoliWall’s pre-integrated threat intelligence and/or leverage the open nature of PoliWall (including support for standards like STIX and TAXII) to integrate third-party threat intelligence indicators and act on them.
- Detect - While PoliWall TIG can be used in prevention mode to block known threats and unwanted traffic, it can also be used in detection mode providing visibility into malicious traffic on your network. In this case, PoliWall TIG enhances security monitoring efforts.
- Respond - PoliWall TIG also helps with incident response efforts. As an element of response, the NIST Framework specifically points to containing and mitigating incidents. Here, new threat indicators can be rapidly deployed via automation and enforced by PoliWall, containing the incident and preventing future occurrences.
PoliWall & The NIST Framework Implementation Tiers
While PoliWall TIG helps companies of all sizes better align to the NIST functions, it can also help companies progress along the NIST Framework Implementation Tiers. The Implementation Tiers incorporate a progressively greater use of threat intelligence and information sharing as one goes from Tier 1 (Partial) to Tier 4 (Adaptive).
Because PoliWall TIG enables an organization to leverage threat intelligence to identify, protect against, detect, and respond to cyber threats, it represents a key technology for progressing along the NIST Framework maturity spectrum.
For example, at Tier 1 (Partial) an organization can leverage PoliWall TIG to gain greater visibility into cyber threats and risks. As the maturity of a security operation increases, PoliWall can be leveraged to incorporate more sources of threat intelligence, enable greater intelligence sharing (e.g. via STIX and TAXII support), and enable more dynamic and adaptive threat-intelligence-driven protection (e.g. a new threat indicator is identified by the SIEM system and automatically pushed out to PoliWall TIG for enforcement).
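To make the mechanics behind the Protect/Detect/Respond functions above and the Tier 4 SIEM-to-gateway automation concrete, here is an added example of a minimal indicator-based gateway filter. This is illustrative code written for this post, not Bandura's PoliWall code or its API: the feed entries, log lines, field names (`src=`, `dst=`, `host=`), the `prevent`/`detect` modes and the `ingest_siem_indicator` hook are all constructed assumptions. It shows how IP, CIDR and domain indicators are indexed, how the same match yields a block in prevent mode but only an alert in detect mode, and how an indicator confirmed by a SIEM case is pushed straight into enforcement.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample feed using RFC 5737 test ranges and example.* names.
# A real TIG loads hundreds of millions of these from commercial, OSINT,
# ISAC and government sources; the matching logic is the same.
SAMPLE_FEED = [
    ("198.51.100.7", "osint-feed"),
    ("203.0.113.0/24", "isac-blacklist"),
    ("malware.example", "commercial-feed"),
]

# Assumed log layout for the constructed connection records below.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: host=(?P<host>\S+))?")


class ThreatGateway:
    """Indicator-based filter in 'prevent' (block) or 'detect' (alert-only) mode."""

    def __init__(self, mode="prevent"):
        if mode not in ("prevent", "detect"):
            raise ValueError("mode must be 'prevent' or 'detect'")
        self.mode = mode
        self.ips = {}        # exact IP -> feed name
        self.networks = []   # (ip_network, feed name) for CIDR indicators
        self.domains = {}    # domain -> feed name
        self.hits = Counter()

    def add_indicator(self, value, source):
        """File an IP, CIDR or domain indicator under the right index."""
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            self.domains[value.lower().rstrip(".")] = source
            return
        if net.num_addresses == 1:
            self.ips[str(net.network_address)] = source
        else:
            self.networks.append((net, source))

    def match_ip(self, addr):
        """Return the feed listing addr, or None. Exact hits first, then CIDRs."""
        if addr in self.ips:
            return self.ips[addr]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return None
        for net, source in self.networks:
            if ip in net:
                return source
        return None

    def match_domain(self, host):
        """Match the host or any parent domain (c2.malware.example -> malware.example)."""
        if not host:
            return None
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):  # never match a bare TLD
            source = self.domains.get(".".join(labels[i:]))
            if source:
                return source
        return None

    def evaluate(self, line):
        """Parse one connection record and return (action, matched feed)."""
        m = LOG_RE.search(line)
        if not m:
            return ("allow", None)
        src, dst, host = m.group("src"), m.group("dst"), m.group("host")
        source = self.match_ip(src) or self.match_ip(dst) or self.match_domain(host)
        if source is None:
            return ("allow", None)
        self.hits[source] += 1
        # Prevent mode drops the flow before it reaches the firewall; detect
        # mode only records it, giving the visibility-only deployment.
        return ("block" if self.mode == "prevent" else "alert", source)

    def ingest_siem_indicator(self, indicator, case_id):
        """Respond: push an indicator confirmed in a SIEM case into enforcement."""
        self.add_indicator(indicator, f"siem:{case_id}")


def run_sample(mode="prevent"):
    """Load the sample feed, score constructed log lines, then add a SIEM indicator."""
    gw = ThreatGateway(mode)
    for value, source in SAMPLE_FEED:
        gw.add_indicator(value, source)
    log = [  # constructed connection records, not real traffic
        "src=192.0.2.10 dst=10.0.0.5 host=intranet.example",
        "src=198.51.100.7 dst=10.0.0.5",
        "src=10.0.0.8 dst=203.0.113.44 host=cdn.example",
        "src=10.0.0.9 dst=192.0.2.99 host=c2.malware.example",
        "src=192.0.2.55 dst=10.0.0.5",
    ]
    before = [gw.evaluate(line) for line in log]
    gw.ingest_siem_indicator("192.0.2.55", "INC-0001")  # SIEM confirmed this IP
    after = gw.evaluate(log[-1])  # the same flow is now caught
    return before, after, dict(gw.hits)


if __name__ == "__main__":
    verdicts, after_push, hits = run_sample()
    for verdict in verdicts:
        print(verdict)
    print("after SIEM push:", after_push, "hits by feed:", hits)
```

Running it in `prevent` mode blocks the three flows that touch a listed IP, CIDR range or domain (including a subdomain of a listed domain) and allows the rest; the last flow is allowed until the SIEM-confirmed indicator is ingested, after which the identical flow is blocked and attributed to the case. Switching the mode to `detect` produces the same matches as alerts instead of blocks, which is the visibility-first deployment that lower tiers start with. Per-feed hit counts are the kind of data that shows which intelligence sources are actually earning their keep.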