Welcome!

Agile Computing Authors: Pavan Kumar, Darren Anstee, Elizabeth White, Liz McMillan, Pat Romanski

Blog Feed Post

What is a Threat Intelligence Platform

Last week, Anton Chuvakin from Gartner wrote a blog about what he is calling an Intelligence Management Platform. He includes some thoughts by Facebook on how they are building their own platform.  He alludes to non-public sources and I’m sure ThreatConnect™ is one, so rather than keep you all in suspense, I thought this would be an opportune time for ThreatConnect to say what we think a Threat Intelligence Platform is.

Rick Holland from Forrester said recently at a SANS conference that the threat intelligence platform is like the quarterback of your operations. The threat intelligence platform should be calling the shots and running the show.

There is also talk of how Threat Intelligence Platforms and Incident Response platforms are emerging into two distinct products.  I do not think that they should be, rather I believe that the pursuit of truly understanding security of the business will result in a single converged product category. You can’t have a football team with two quarterbacks on the field, and you can’t have two different platforms responsible for managing your threat intelligence and response activities.

I’m not sure what the industry will settle on as far as a name given the now extended scope of requirements, but whatever the name becomes, I believe the requirements are now well understood.

What is the Problem and Why Now?

Throughout the enterprise there are security personnel using a variety of processes and tools to conduct their incident response, network defense, and threat analysis.  Integration between teams supporting these functions and management have to this point been mostly manual efforts.

Unless they had vast resources to build a proper platform, security team efforts haven’t been integrated, or are integrated but through rudimentary technologies like email, spreadsheets, or maybe a SharePoint portal or a ticketing system.   These techniques, although better than nothing, do not scale as the team grows and the number of malicious events and security processes increases. We saw this same problem with other parts of the business, and platforms were created to support them in their quest for automation and better management processes.  For example, PeopleSoft for human resources, Salesforce for sales, Intuit for finance, SAP for manufacturing, and Eloqua for marketing.

Due to the ever-increasing threat of cyber attack and regulatory pressures there is a need for a new type of enterprise platform that can support the entire security team from the CIO to the personnel spanning processes for incident response, network defense, and threat analysis.  The platform must be used for tactical day-to-day blocking and tackling as well as strategic decision-making and process improvement.

What is a Threat Intelligence Platform?

A Threat Intelligence Platform permits personnel throughout the enterprise to manage processes on the security relevant data that they care about. Other personnel processes can be integrated on top of that same data simultaneously as part of the same or a different process.  Processes might include triaging events in the SOC, conducting incident response, or the threat team’s processes for integrating external feeds or intelligence.  From the management perspective, the platform must present trends, supply real-time updates, as well as support threat-driven long-term prioritization across the business. The platform must support the integration of all the stakeholders and data that is relevant to each in a way where they can work together as a team.  Customization of the platform is key, as each organization will have different processes, and data customizations needs across processes for aggregation, analysis, and action.

Aggregation – From Feeds to Intelligence

The culmination of one or more feeds is not sufficient on its own; instead you need to focus on processing your own data then overlay what everyone else knows on top of that.   Without this type of understanding you never know what is truly relevant to your organization.

There is a lot of emphasis on feeds in the marketplace right now.  How many feeds do you support and which ones? Can you support structured and unstructured data input?  Do you support STIX? What is the process (manual, automated, semi-automated) to get it into the system? Do you support API level integrations? Although these things are important, I would attest that these questions are just the beginning, and the easy part of the question.

Instead, we need to be thinking bigger and considering how incoming feeds will be made relevant and how they will support the various processes and stakeholders throughout the business that will use them in different ways. Incoming feed data must be correlated with the organization’s knowledge base, and tailored to meet the needs of the different stakeholders – from security team personnel to management and beyond.  Automation of processing feeds will be critical so that you can avoid overwhelming your staff with mundane data processing. Even with automation, you will need to support human processing on feed data to ensure its usefulness.  This will require analysis process support as described below.

Finally, the feedback loop will be critical in order to support the processes of evaluating the feeds you are using.  This will allow internal events to highlight what feed sources are most applicable to the organization, and what types of data have the most usefulness.

Analysis – Where the Rubber Meets the Road

Analysis is a core feature of the Threat Intelligence Platform and it needs to automate as much of the processing as is technically possible.  This requires the platform to be built with data management in mind and automation can’t be an afterthought. ThreatConnect leverages the Diamond Model for Intrusion Analysis as its foundation for making sense of the dataset.  This is not a data structure, as ThreatConnect allows each customer to extend their data structures to meet their own unique needs, but instead is a powerful baked-in methodology that allows the platform to make sense of the dataset.

Here are three use-cases that are typically done by ThreatConnect customers.  Although I’m discussing three different teams in them, the productivity gains provided by the platform are even more apparent with more limited resources.

  • Collections – The organization is receiving feeds, tippers, community-derived intelligence, and possibly detection signatures from a variety of sources. They input all of this incoming data into ThreatConnect, triage its priority, and conduct processing to make it actionable.   If the data already exists, the system can add additional context derived by the new source. If the data is new, ThreatConnect may assign initial priorities based on relations to already known threats or previously observed activity.  Depending on the data type and integration, and the organization’s policy, processing for action can be completely automated at various thresholds (detect-only, block, report, etc.).   Signature management is made simple through the process of automatically associating new feed indicators and context with already present signatures that have been previously associated with the same indicator, while any new indicators can be put into a process for signature creation.
  • SOC – The SOC supplies the threat team with potential indicators of compromise via ThreatConnect. The threat team analyzes the indicators to provide additional context by leveraging data service integrations within ThreatConnect such as passive DNS and Reverse Whois tracking, and provides more indicators back to the SOC to search for in their logs.  Like in the first use case, this process can be automated through integrations with SIEM or other network defense. This iterates until a point where no more information can be gleaned and the process is completed.
  • Incident Response – The IR team processes an incident within ThreatConnect.  Throughout the process, incident data is automatically associated with existing knowledge and potentially previous courses of action created during previous incident response activities or by the threat team based on their own proactive efforts.  Throughout the process, asking for assistance is as easy as creating a task and assigning it to another team member.

Although redundant for each use case, there are several common analysis requirements supported through the platform.

  • The ability for each ThreatConnect customer to customize the platform to meet his or her needs for data storage, management, and processing.   This includes customizing data elements requiring storage and management, processes across various teams, as well as the input fields that help staff more quickly support data entry tasks.
  • ThreatConnect will create new data, enrich current data, and/or make associations across the existing dataset.  This allows the team to work collectively from the same knowledgebase, create more accurate data, and become more productive throughout all their processes.
  • Using the ThreatConnect discussions feature allows collaboration across all processes, tasks, and even supports collaboration at the atomic indicator level.  The ability to collaborate is essential as teams become larger and more geographically disparate.  With the follow feature you can be alerted during or after a process is completed if anything changes.
  • Using ThreatConnect workflow, the organization’s process is streamlined and tracked through completion. The ability to do postmortem inspection allows you to continually improve your processes.
  • ThreatConnect cloud customers can leverage our Analyst On-Demand feature to seek virtual assistance for one task or across an entire process.

Action – The Pieces Come Together

Integrations are a key requirement of a Threat Intelligence Platform. Whether the integration leverages threat intelligence collected and analyzed from a feed, or new context found during a SOC event or incident response activity; data from the platform needs to make its way back into the products your organization uses to automate your organizations protection.  By shortening the timeframe from aggregation, analysis processes, to action with automated integration, you can speed up the processes for detection and protection.

Use-cases with the ThreatConnect Platform:

  • Signature Management – Customer defined processes for signature (currently snort, YARA, BRO, OpenIOC, clamAV, CybOX, Suricata) creation, approval, and installation.
  • Context specific Watchlists – The process of creating tailored feeds of malicious indicators to hunt for and integrating them into a variety of SIEMs or other products based on common threats, exploits, or other areas of concern.
  • Block Approvals – There are a variety of ways to approve malicious indicators for blocking.  Depending on the source, rating, or relevancy to your business, the system can approve blocks or submit them for human approval.
  • Subsequent Analysis – Sometimes you need to look for the needle in the haystack or allow external partners access to the data for their analysis. API integration with third party data analysis tools allows customers to conduct further analysis.  Sharing with external parties may also create its own cycle of sharing and receiving back threat intelligence, so easily extracting data in a structured format has proven an important capability.

But that isn’t where it should stop, as described in the SOC and IR processes, response processing should also be done within the platform as well. To truly realize the potential of the platform, threat intelligence-derived events should be communicated back to the platform as internally derived intelligence for automated association and subsequent processing. This would allow you to prioritize your response based on the risk of the unknown event (based on existing data) and shorten the timeframes for processing of true threats to your network. This also can serve a prioritization scheme for budget approval of threat intelligence feeds that are most relevant to your business.

Conclusion

In order for threat data to be threat intelligence it has to be relevant. In the world of network defense, this means it must be relevant to the threats that your organization faces. For this reason it does not make sense to separate incident response and threat analysis processes or teams into separate platform environments. Doing so would be needlessly segmenting internal intelligence gleaned from incident response and external intelligence from research and indicator feeds. By pulling all your stakeholders and data into a single enterprise security platform you can make everyone more productive, make better decisions, and begin to automate the processes of detecting and responding to cyber threats in a more comprehensive way.

 

The post What is a Threat Intelligence Platform appeared first on ThreatConnect - Threat Intelligence.

Read the original blog entry...

More Stories By Adam Vincent

Adam is an internationally renowned information security expert and is currently the CEO and a founder at Cyber Squared Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security. The culmination of this knowledge has led to the company’s creation of ThreatConnect™, the first-of-its-kind threat intelligence platform. He currently serves as an advisor to multiple security-focused organizations and has provided consultation to numerous businesses ranging from start-ups to governments, Fortune 500 organizations, and top financial institutions. Adam holds an MS in computer science with graduate certifications in computer security and information assurance from George Washington University. Vincent lives in Arlington, VA with his wife, two children, and dog.

@ThingsExpo Stories
According to Forrester Research, every business will become either a digital predator or digital prey by 2020. To avoid demise, organizations must rapidly create new sources of value in their end-to-end customer experiences. True digital predators also must break down information and process silos and extend digital transformation initiatives to empower employees with the digital resources needed to win, serve, and retain customers.
If you’re responsible for an application that depends on the data or functionality of various IoT endpoints – either sensors or devices – your brand reputation depends on the security, reliability, and compliance of its many integrated parts. If your application fails to deliver the expected business results, your customers and partners won't care if that failure stems from the code you developed or from a component that you integrated. What can you do to ensure that the endpoints work as expect...
As ridesharing competitors and enhanced services increase, notable changes are occurring in the transportation model. Despite the cost-effective means and flexibility of ridesharing, both drivers and users will need to be aware of the connected environment and how it will impact the ridesharing experience. In his session at @ThingsExpo, Timothy Evavold, Executive Director Automotive at Covisint, will discuss key challenges and solutions to powering a ride sharing and/or multimodal model in the a...
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lea...
IoT is fundamentally transforming the auto industry, turning the vehicle into a hub for connected services, including safety, infotainment and usage-based insurance. Auto manufacturers – and businesses across all verticals – have built an entire ecosystem around the Connected Car, creating new customer touch points and revenue streams. In his session at @ThingsExpo, Macario Namie, Head of IoT Strategy at Cisco Jasper, will share real-world examples of how IoT transforms the car from a static p...
Cloud computing is being adopted in one form or another by 94% of enterprises today. Tens of billions of new devices are being connected to The Internet of Things. And Big Data is driving this bus. An exponential increase is expected in the amount of information being processed, managed, analyzed, and acted upon by enterprise IT. This amazing is not part of some distant future - it is happening today. One report shows a 650% increase in enterprise data by 2020. Other estimates are even higher....
From wearable activity trackers to fantasy e-sports, data and technology are transforming the way athletes train for the game and fans engage with their teams. In his session at @ThingsExpo, will present key data findings from leading sports organizations San Francisco 49ers, Orlando Magic NBA team. By utilizing data analytics these sports orgs have recognized new revenue streams, doubled its fan base and streamlined costs at its stadiums. John Paul is the CEO and Founder of VenueNext. Prior ...
One of biggest questions about Big Data is “How do we harness all that information for business use quickly and effectively?” Geographic Information Systems (GIS) or spatial technology is about more than making maps, but adding critical context and meaning to data of all types, coming from all different channels – even sensors. In his session at @ThingsExpo, William (Bill) Meehan, director of utility solutions for Esri, will take a closer look at the current state of spatial technology and ar...
The Internet of Things can drive efficiency for airlines and airports. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Sudip Majumder, senior director of development at Oracle, will discuss the technical details of the connected airline baggage and related social media solutions. These IoT applications will enhance travelers' journey experience and drive efficiency for the airlines and the airports. The session will include a working demo and a technical d...
What happens when the different parts of a vehicle become smarter than the vehicle itself? As we move toward the era of smart everything, hundreds of entities in a vehicle that communicate with each other, the vehicle and external systems create a need for identity orchestration so that all entities work as a conglomerate. Much like an orchestra without a conductor, without the ability to secure, control, and connect the link between a vehicle’s head unit, devices, and systems and to manage the ...
Businesses are struggling to manage the information flow and interactions between all of these new devices and things jumping on their network, and the apps and IT systems they control. The data businesses gather is only helpful if they can do something with it. In his session at @ThingsExpo, Chris Witeck, Principal Technology Strategist at Citrix, will discuss how different the impact of IoT will be for large businesses, expanding how IoT will allow large organizations to make their legacy ap...
The many IoT deployments around the world are busy integrating smart devices and sensors into their enterprise IT infrastructures. Yet all of this technology – and there are an amazing number of choices – is of no use without the software to gather, communicate, and analyze the new data flows. Without software, there is no IT. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the protocols that communicate data and the emerging data analy...
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management solutions, helping companies worldwide activate their data to drive more value and business insight and to transform moder...
Digital innovation is the next big wave of business transformation based on digital technologies of which IoT and Big Data are key components, For example: Business boundary innovation is a challenge to excavate third-party business value using IoT and BigData, like Nest Business structure innovation may propose re-building business structure from scratch, as Uber does in the taxicab industry The social model innovation is also a big challenge to the new social architecture with the design fr...
What are the new priorities for the connected business? First: businesses need to think differently about the types of connections they will need to make – these span well beyond the traditional app to app into more modern forms of integration including SaaS integrations, mobile integrations, APIs, device integration and Big Data integration. It’s important these are unified together vs. doing them all piecemeal. Second, these types of connections need to be simple to design, adapt and configure...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, wh...
Data is an unusual currency; it is not restricted by the same transactional limitations as money or people. In fact, the more that you leverage your data across multiple business use cases, the more valuable it becomes to the organization. And the same can be said about the organization’s analytics. In his session at 19th Cloud Expo, Bill Schmarzo, CTO for the Big Data Practice at EMC, will introduce a methodology for capturing, enriching and sharing data (and analytics) across the organizati...
SYS-CON Events announced today that Bsquare has been named “Silver Sponsor” of SYS-CON's @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. For more than two decades, Bsquare has helped its customers extract business value from a broad array of physical assets by making them intelligent, connecting them, and using the data they generate to optimize business processes.
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2016 Silicon Valley. The 19th Cloud Expo and 6th @ThingsExpo will take place on November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Interne...
19th Cloud Expo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterpri...