CrowdStrike, Google, Recorded Future Lead Threat Intel Wave
Kaspersky Falls From Leaderboard as Deliberate Decision Made to Nix Russian Firms
A surging Recorded Future has joined perennial stalwarts CrowdStrike and Google atop Forrester's external threat intelligence services rankings, while Kaspersky tumbled from the leaders category.
Leading threat intelligence providers have expanded into adjacent use cases such as brand protection and vulnerability management to help customers reduce the number of feeds they're paying for, said Forrester Principal Analyst Brian Wrozek. These firms can hunt for rogue domains and compromised credentials on the dark web and provide additional context to help organizations prioritize their patches.
"Forrester did a survey last year and we found that, on average, customers pay for seven commercial threat intel feeds," Wrozek told Information Security Media Group. "If you're a threat intel provider, you're thinking, 'Hey, wait a minute. If I can offer these other use cases, maybe I can displace those other threat intel feeds and become their go-to source.'"
Forrester deemed CrowdStrike's current threat intelligence offering the strongest, and Google, Recorded Future and ReliaQuest received the second-, third- and fourth-highest scores, respectively. That's in stark contrast to March 2021, when FireEye - now part of Google - blew its rivals away and the second, third, fourth and fifth top scores went to Kaspersky, Intel 471, CrowdStrike and Recorded Future, respectively.
CrowdStrike and Google tied for the highest score in strategy in the latest Forrester Wave. Recorded Future received the third-highest ranking, and ReliaQuest and Microsoft tied for fourth. That's very different than March 2021, when FireEye received the top ranking, and CrowdStrike, IBM, Kaspersky and RiskIQ - now part of Microsoft - captured the second-, third-, fourth- and fifth-highest scores, respectively.
Wrozek praised CrowdStrike for a tight integration of intelligence into its security tools and automated detection and response that's easy to use. He lauded Google for using different sources of intelligence, investing in generative AI and applying lessons from incident response to threat intelligence. He praised Recorded Future for its work around open-source intelligence and for having an intuitive and easy-to-use platform.
"Machine automation can only do so much," Wrozek said. "At some point, you need skilled human intelligence analysts weeding out the false positives and providing that context. And that's where they excel."
Stepping Back From Russia
Outside of the leaders, here's how Forrester saw the external threat intelligence services market (see: From Data to Action: Harnessing the Power of Threat Intelligence for Effective Cybersecurity).
- Strong Performers: ReliaQuest, ZeroFox, Flashpoint
- Contenders: Microsoft, Fortinet, Trellix, CybelAngel, Rapid7, IBM
Fortinet, Trellix and CybelAngel all appeared in this Forrester Wave for the first time, while Kaspersky, Group-IB and Intel 471 all fell out of the Wave between 2021 and the present. Forrester consciously decided not to include Kaspersky and Group-IB in the Wave for geopolitical and credibility reasons, given Russia's February 2022 invasion of Ukraine and each firm's historic ties to Russia, according to Wrozek.
"We have a number of customers and clients who don't purchase them because of the geopolitical issues," Wrozek said. "I'm really doing a disservice to my clients if I'm including somebody in this report that I know they're not going to leverage."
Going forward, Wrozek said, he expects to see more maturity in generative and natural language artificial intelligence and greater convergence of cyber and physical threat intelligence. Generative AI has thus far made it easier for vendors to gather and analyze massive volumes of threat intelligence, and he anticipates future advances in AI will make it easier for end-user organizations to efficiently consume and leverage threat intelligence.
As computer security and physical security teams combine, Wrozek expects threat intelligence will combine too since all of the data will be fed into the same security operations center. Instead of having one system monitor social media threats against an executive traveling to China and another focus on their movement, physical threats and nearby protests, a single vendor will deliver both services, Wrozek predicts.
"In the future, I think the advantage is going to shift from AI benefiting the threat intel company to AI benefiting the end customer," Wrozek said.
How the Threat Intel Leaders Climbed Their Way to the Top
CrowdStrike Brings Threat Intel, Threat Hunting Together
CrowdStrike brought its threat intelligence and threat-hunting capabilities into a single organization to make it harder for adversaries to operate against customers, said Adam Meyers, senior vice president of counter adversary operations. The company can take telemetry from its massive global footprint of endpoint security devices to include on its threat intelligence platform and drive quicker action, he said.
The company also strengthened its dark web monitoring module with machine-learning analytics and natural language processing to better understand slang and context from non-English speaking hackers, Meyers said. CrowdStrike's human analysts have built custom dictionaries with Russian slang to help natural language processing machines monitoring dark web forums produce more accurate information (see: CrowdStrike CEO on Why It's Tough to Defend Sensitive Assets).
"We are the confluence of what Recorded Future offers and what Mandiant offers," Meyers told ISMG. "And that's probably the thing that propelled us where we are on that chart - that we're doing all of those things. And we're doing them better every day."
Forrester criticized CrowdStrike for having underdeveloped brand protection threat intelligence and being unable to take down fraudulent domains. Meyers said CrowdStrike has made improvements to its brand protection technology over the past six months and is actively improving its capabilities. The company also intends to add fraudulent domain takedown services within the next six to nine months, he said.
"We understand what our customers need and how to deliver it to them effectively," Meyers said.
Google Combines Infrastructure, Expertise With Mandiant Buy
Last year's acquisition of Mandiant has allowed Google to combine its world-class infrastructure and artificial intelligence with Mandiant's human expertise to understand threats faster and better, said Sandra Joyce, vice president of Mandiant intelligence for Google Cloud. Google has allowed Mandiant to super-size its capabilities by offering massive compute power for tasks such as password cracking, she said.
Google has more than 400 analysts working purely on intelligence across Mandiant and VirusTotal as well as a plethora of other security researchers, which she said is far more than any of the company's competitors. Google has doubled down on infusing threat intelligence into its products ranging from Chronicle security operations to Mandiant's managed detection and response services, Joyce said (see: Kevin Mandia on Attacks Against Ukraine and Why They Matter).
"What we have and no one else has is the more than 15 years of threat visibility at our fingertips," Joyce told ISMG. "We've seen and been able to collect information from breaches that matter for a very long time. We've been able to monitor adversary infrastructure, take and glean all those insights."
Forrester chided Google for complex solution options and pricing, a nascent digital risk protection suite and relying on third-party services to execute rogue domain and profile takedowns. Joyce said she hasn't heard about price or complexity being an issue, wants to use artificial intelligence to help with digital risk, and values having access to talented, high-quality partners to scale Google's takedown capabilities.
"Partnerships in some of these areas is a really strong way to try to get the best services in each of the local markets," Joyce said. "I wouldn't necessarily say that partnering for some of these things is a bad thing. In some cases, it's a really strong decision to do something like that."
Recorded Future Infuses Intel With ChatGPT, New Data Sources
Recorded Future has trained ChatGPT on writing in the style of an analyst and using 10 years of the company's historical data to create thorough summaries of intel data with transparent sources, said Vice President of Product Marketing Kalpana Singh. The company has long used AI on the back-end of its platform, and Singh said adding a conversational piece and removing worries about AI hallucinations will drive workflows.
The company has worked to educate the market on the criticality of threat intelligence by redoubling its efforts in the public sector and elevating customers' stories about how they use threat intelligence to build stronger security defenses, according to Singh. Recorded Future also has added more sources for threat intelligence, such as Telegram, as well as additional regions around the globe, Singh said (see: Christopher Ahlberg on Recorded Future's Work to Aid Ukraine).
"We are a premium product because we invest a lot in the quality and breadth and depth of data, which is what drives intelligence," Singh told ISMG. "If you don't have that quality and it's just generic data that you find, we don't consider that intelligence."
Gartner criticized Recorded Future for having high prices, lacking breadth and depth in its internal telemetry, and having subpar dark web threat intelligence capabilities. Singh said Recorded Future does real-time monitoring of forums and Telegram channels to help customers take proactive action, has network and endpoint telemetry from a much broader variety of sources, and drives a lot of value at its price point.
"We also have human intelligence, but our platform seizes from a lot of that real-time information," Singh said. "There might be a couple of things where competitors may have done something more, but it's not real time. So, by the time you take action, it may be too late."