What are Threat Intelligence Gateways?
SecureNation
Threat Intelligence Gateways are a type of network security solution that enterprises of all kinds can deploy to apply threat intelligence directly at the external (internet-facing) entry points of their internal networks. They’re called TIGs for short.
Some security solution vendors offer their own TIGs. These vendors have access to their own threat intelligence as well as threat intelligence shared within the cybersecurity community. Threat intelligence sources are constantly updated with new intel about suspicious IP addresses, domain names (DNS records), and TLS certificates. These are identifiers believed to be associated with cyber threat actors, ranging from nation-state cyberwarfare units to petty, financially motivated cybercriminals. A TIG can perform deep packet inspection to look for these known malicious identifiers in traffic and automatically block the matching network transmissions.
If, for instance, a known ransomware APT (advanced persistent threat) group has been discovered to use specific IP addresses when attempting to penetrate a targeted network, wouldn’t it be nice if those addresses were automatically blocked at your enterprise’s network perimeter? It’s not pragmatic to blacklist zero-day threat actors, whose identifiers nobody has seen yet, but many significant cyber threats can be stopped through threat-actor-associated identifiers already known to the cybersecurity community.
If your enterprise network uses a TIG, it should be placed as close to the network perimeter as possible. It’s also not a substitute for NGFWs (next-generation firewalls), IPS (intrusion prevention systems), or any similar network security solutions that may blacklist network transmissions based on IPs, domains, or network behavior. Instead, a TIG should be used as an additional layer of network security that complements the other security solutions used in the network.
A TIG isn’t a “set it and forget it” solution. A wise usage of a TIG requires configuring it to suit the network security needs and policies that are specific to your organization. Administrators can configure their TIG to block known threats based upon risk scores, certain threat sources, and so on.
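The matching and policy logic described in the two passages above (indicator lookups on IPs, domains and TLS certificates, then a block decision driven by risk scores and enabled feed sources), shown as a small added example. This is illustrative code written for this page, not SecureNation's code or any vendor's TIG product; the feed entries, source names, score scale, addresses and connections are all constructed, and the class and policy field names are assumptions.

```python
"""Toy threat-intelligence-gateway policy engine (added example, constructed data).

It loads an indicator feed (IP/CIDR, domain, TLS certificate fingerprint),
applies an administrator policy (minimum risk score, enabled feed sources,
an allow-list) and decides whether each observed connection is blocked.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed indicator feed: type, value, risk score (0-100) and source.
# IP indicators may be single hosts or CIDR ranges, as real feeds publish both.
FEED = [
    {"type": "ip", "value": "203.0.113.0/24", "score": 90, "source": "vendor"},
    {"type": "ip", "value": "198.51.100.7", "score": 40, "source": "community"},
    {"type": "domain", "value": "evil.example", "score": 85, "source": "community"},
    {"type": "domain", "value": "tracker.example", "score": 30, "source": "vendor"},
    {"type": "cert", "value": "ab12cd34ef56", "score": 95, "source": "vendor"},
]


@dataclass
class Policy:
    """Administrator configuration (field names are assumptions for this example)."""
    min_score: int = 70  # block only indicators at or above this risk score
    sources: set = field(default_factory=lambda: {"vendor", "community"})
    allow_domains: set = field(default_factory=set)  # explicit admin exceptions


@dataclass
class Connection:
    dst_ip: str
    sni: str = ""       # TLS SNI / DNS name seen in the handshake, if any
    cert_fp: str = ""   # server certificate fingerprint (hex), if any


class Gateway:
    def __init__(self, feed, policy):
        self.policy = policy
        self.ip_nets = []   # list of (network, score, source)
        self.domains = {}   # domain -> (score, source)
        self.certs = {}     # fingerprint -> (score, source)
        for ind in feed:
            if ind["source"] not in policy.sources:
                continue    # feeds the administrator has not enabled are ignored
            entry = (ind["score"], ind["source"])
            if ind["type"] == "ip":
                net = ipaddress.ip_network(ind["value"], strict=False)
                self.ip_nets.append((net,) + entry)
            elif ind["type"] == "domain":
                self.domains[ind["value"].lower().rstrip(".")] = entry
            elif ind["type"] == "cert":
                self.certs[ind["value"].lower()] = entry

    def _matches(self, conn):
        """Yield (kind, indicator, score, source) for every indicator hit."""
        addr = ipaddress.ip_address(conn.dst_ip)
        for net, score, source in self.ip_nets:
            if addr in net:
                yield ("ip", str(net), score, source)
        # Match the exact name and each parent domain (sub.evil.example -> evil.example).
        name = conn.sni.lower().rstrip(".")
        labels = name.split(".") if name else []
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in self.domains:
                score, source = self.domains[cand]
                yield ("domain", cand, score, source)
                break
        fp = conn.cert_fp.lower()
        if fp and fp in self.certs:
            score, source = self.certs[fp]
            yield ("cert", fp, score, source)

    def decide(self, conn):
        """Return ('block' | 'allow', reason) for one connection."""
        if conn.sni.lower().rstrip(".") in self.policy.allow_domains:
            return ("allow", "admin allow-list")
        hits = list(self._matches(conn))
        if not hits:
            return ("allow", "no indicator match")
        kind, value, score, source = max(hits, key=lambda h: h[2])
        if score >= self.policy.min_score:
            return ("block", f"{kind} {value} score={score} source={source}")
        return ("allow", f"low-risk match {kind} {value} score={score}")


if __name__ == "__main__":
    gw = Gateway(FEED, Policy())
    for c in (Connection("203.0.113.55", "cdn.example"),
              Connection("192.0.2.10", "sub.evil.example"),
              Connection("192.0.2.10", "shop.example", "AB12CD34EF56"),
              Connection("198.51.100.7")):
        print(c.dst_ip, c.sni, gw.decide(c))
```

The policy object is where the "not set it and forget it" part lives: raising `min_score`, dropping a feed source, or adding an allow-list entry changes the decisions without touching the feed, which is the kind of tuning the post says an administrator should expect to do.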
When used effectively, a TIG can reduce the network filtering burden on other network security devices. TIGs typically rely on the processing capacity of the vendor that operates them, rather than consuming extra CPU cycles and bandwidth in the network security devices (NGFW, IPS, SOAR, etc.) on the enterprise’s premises or in its cloud infrastructure. I think of a TIG as something like boiling and filtering your well water. But then you still need to chemically sterilize the water before it’s safe to drink.
Several network security solution vendors offer TIGs. It’s worth looking into them, and choosing a vendor with a service that suits the particular network security needs of your organization.