|By Adam Vincent||
|April 7, 2014 01:04 PM EDT||
Last week, Anton Chuvakin from Gartner wrote a blog about what he is calling an Intelligence Management Platform. He includes some thoughts by Facebook on how they are building their own platform. He alludes to non-public sources and I’m sure ThreatConnect™ is one, so rather than keep you all in suspense, I thought this would be an opportune time for ThreatConnect to say what we think a Threat Intelligence Platform is.
Rick Holland from Forrester said recently at a SANS conference that the threat intelligence platform is like the quarterback of your operations. The threat intelligence platform should be calling the shots and running the show.
There is also talk of how Threat Intelligence Platforms and Incident Response platforms are emerging into two distinct products. I do not think that they should be, rather I believe that the pursuit of truly understanding security of the business will result in a single converged product category. You can’t have a football team with two quarterbacks on the field, and you can’t have two different platforms responsible for managing your threat intelligence and response activities.
I’m not sure what the industry will settle on as far as a name given the now extended scope of requirements, but whatever the name becomes, I believe the requirements are now well understood.
What is the Problem and Why Now?
Throughout the enterprise there are security personnel using a variety of processes and tools to conduct their incident response, network defense, and threat analysis. Integration between teams supporting these functions and management have to this point been mostly manual efforts.
Unless they had vast resources to build a proper platform, security team efforts haven’t been integrated, or are integrated but through rudimentary technologies like email, spreadsheets, or maybe a SharePoint portal or a ticketing system. These techniques, although better than nothing, do not scale as the team grows and the number of malicious events and security processes increases. We saw this same problem with other parts of the business, and platforms were created to support them in their quest for automation and better management processes. For example, PeopleSoft for human resources, Salesforce for sales, Intuit for finance, SAP for manufacturing, and Eloqua for marketing.
Due to the ever-increasing threat of cyber attack and regulatory pressures there is a need for a new type of enterprise platform that can support the entire security team from the CIO to the personnel spanning processes for incident response, network defense, and threat analysis. The platform must be used for tactical day-to-day blocking and tackling as well as strategic decision-making and process improvement.
What is a Threat Intelligence Platform?
A Threat Intelligence Platform permits personnel throughout the enterprise to manage processes on the security relevant data that they care about. Other personnel processes can be integrated on top of that same data simultaneously as part of the same or a different process. Processes might include triaging events in the SOC, conducting incident response, or the threat team’s processes for integrating external feeds or intelligence. From the management perspective, the platform must present trends, supply real-time updates, as well as support threat-driven long-term prioritization across the business. The platform must support the integration of all the stakeholders and data that is relevant to each in a way where they can work together as a team. Customization of the platform is key, as each organization will have different processes, and data customizations needs across processes for aggregation, analysis, and action.
Aggregation – From Feeds to Intelligence
The culmination of one or more feeds is not sufficient on its own; instead you need to focus on processing your own data then overlay what everyone else knows on top of that. Without this type of understanding you never know what is truly relevant to your organization.
There is a lot of emphasis on feeds in the marketplace right now. How many feeds do you support and which ones? Can you support structured and unstructured data input? Do you support STIX? What is the process (manual, automated, semi-automated) to get it into the system? Do you support API level integrations? Although these things are important, I would attest that these questions are just the beginning, and the easy part of the question.
Instead, we need to be thinking bigger and considering how incoming feeds will be made relevant and how they will support the various processes and stakeholders throughout the business that will use them in different ways. Incoming feed data must be correlated with the organization’s knowledge base, and tailored to meet the needs of the different stakeholders – from security team personnel to management and beyond. Automation of processing feeds will be critical so that you can avoid overwhelming your staff with mundane data processing. Even with automation, you will need to support human processing on feed data to ensure its usefulness. This will require analysis process support as described below.
Finally, the feedback loop will be critical in order to support the processes of evaluating the feeds you are using. This will allow internal events to highlight what feed sources are most applicable to the organization, and what types of data have the most usefulness.
Analysis – Where the Rubber Meets the Road
Analysis is a core feature of the Threat Intelligence Platform and it needs to automate as much of the processing as is technically possible. This requires the platform to be built with data management in mind and automation can’t be an afterthought. ThreatConnect leverages the Diamond Model for Intrusion Analysis as its foundation for making sense of the dataset. This is not a data structure, as ThreatConnect allows each customer to extend their data structures to meet their own unique needs, but instead is a powerful baked-in methodology that allows the platform to make sense of the dataset.
Here are three use-cases that are typically done by ThreatConnect customers. Although I’m discussing three different teams in them, the productivity gains provided by the platform are even more apparent with more limited resources.
- Collections – The organization is receiving feeds, tippers, community-derived intelligence, and possibly detection signatures from a variety of sources. They input all of this incoming data into ThreatConnect, triage its priority, and conduct processing to make it actionable. If the data already exists, the system can add additional context derived by the new source. If the data is new, ThreatConnect may assign initial priorities based on relations to already known threats or previously observed activity. Depending on the data type and integration, and the organization’s policy, processing for action can be completely automated at various thresholds (detect-only, block, report, etc.). Signature management is made simple through the process of automatically associating new feed indicators and context with already present signatures that have been previously associated with the same indicator, while any new indicators can be put into a process for signature creation.
- SOC – The SOC supplies the threat team with potential indicators of compromise via ThreatConnect. The threat team analyzes the indicators to provide additional context by leveraging data service integrations within ThreatConnect such as passive DNS and Reverse Whois tracking, and provides more indicators back to the SOC to search for in their logs. Like in the first use case, this process can be automated through integrations with SIEM or other network defense. This iterates until a point where no more information can be gleaned and the process is completed.
- Incident Response – The IR team processes an incident within ThreatConnect. Throughout the process, incident data is automatically associated with existing knowledge and potentially previous courses of action created during previous incident response activities or by the threat team based on their own proactive efforts. Throughout the process, asking for assistance is as easy as creating a task and assigning it to another team member.
Although redundant for each use case, there are several common analysis requirements supported through the platform.
- The ability for each ThreatConnect customer to customize the platform to meet his or her needs for data storage, management, and processing. This includes customizing data elements requiring storage and management, processes across various teams, as well as the input fields that help staff more quickly support data entry tasks.
- ThreatConnect will create new data, enrich current data, and/or make associations across the existing dataset. This allows the team to work collectively from the same knowledgebase, create more accurate data, and become more productive throughout all their processes.
- Using the ThreatConnect discussions feature allows collaboration across all processes, tasks, and even supports collaboration at the atomic indicator level. The ability to collaborate is essential as teams become larger and more geographically disparate. With the follow feature you can be alerted during or after a process is completed if anything changes.
- Using ThreatConnect workflow, the organization’s process is streamlined and tracked through completion. The ability to do postmortem inspection allows you to continually improve your processes.
- ThreatConnect cloud customers can leverage our Analyst On-Demand feature to seek virtual assistance for one task or across an entire process.
Action – The Pieces Come Together
Integrations are a key requirement of a Threat Intelligence Platform. Whether the integration leverages threat intelligence collected and analyzed from a feed, or new context found during a SOC event or incident response activity; data from the platform needs to make its way back into the products your organization uses to automate your organizations protection. By shortening the timeframe from aggregation, analysis processes, to action with automated integration, you can speed up the processes for detection and protection.
Use-cases with the ThreatConnect Platform:
- Signature Management – Customer defined processes for signature (currently snort, YARA, BRO, OpenIOC, clamAV, CybOX, Suricata) creation, approval, and installation.
- Context specific Watchlists – The process of creating tailored feeds of malicious indicators to hunt for and integrating them into a variety of SIEMs or other products based on common threats, exploits, or other areas of concern.
- Block Approvals – There are a variety of ways to approve malicious indicators for blocking. Depending on the source, rating, or relevancy to your business, the system can approve blocks or submit them for human approval.
- Subsequent Analysis – Sometimes you need to look for the needle in the haystack or allow external partners access to the data for their analysis. API integration with third party data analysis tools allows customers to conduct further analysis. Sharing with external parties may also create its own cycle of sharing and receiving back threat intelligence, so easily extracting data in a structured format has proven an important capability.
But that isn’t where it should stop, as described in the SOC and IR processes, response processing should also be done within the platform as well. To truly realize the potential of the platform, threat intelligence-derived events should be communicated back to the platform as internally derived intelligence for automated association and subsequent processing. This would allow you to prioritize your response based on the risk of the unknown event (based on existing data) and shorten the timeframes for processing of true threats to your network. This also can serve a prioritization scheme for budget approval of threat intelligence feeds that are most relevant to your business.
In order for threat data to be threat intelligence it has to be relevant. In the world of network defense, this means it must be relevant to the threats that your organization faces. For this reason it does not make sense to separate incident response and threat analysis processes or teams into separate platform environments. Doing so would be needlessly segmenting internal intelligence gleaned from incident response and external intelligence from research and indicator feeds. By pulling all your stakeholders and data into a single enterprise security platform you can make everyone more productive, make better decisions, and begin to automate the processes of detecting and responding to cyber threats in a more comprehensive way.
In his session at @ThingsExpo, Eric Lachapelle, CEO of the Professional Evaluation and Certification Board (PECB), will provide an overview of various initiatives to certifiy the security of connected devices and future trends in ensuring public trust of IoT. Eric Lachapelle is the Chief Executive Officer of the Professional Evaluation and Certification Board (PECB), an international certification body. His role is to help companies and individuals to achieve professional, accredited and worldw...
Mar. 24, 2017 08:15 PM EDT Reads: 243
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
Mar. 24, 2017 08:00 PM EDT Reads: 1,502
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, will provide a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services ...
Mar. 24, 2017 06:30 PM EDT Reads: 4,105
My team embarked on building a data lake for our sales and marketing data to better understand customer journeys. This required building a hybrid data pipeline to connect our cloud CRM with the new Hadoop Data Lake. One challenge is that IT was not in a position to provide support until we proved value and marketing did not have the experience, so we embarked on the journey ourselves within the product marketing team for our line of business within Progress. In his session at @BigDataExpo, Sum...
Mar. 24, 2017 06:30 PM EDT Reads: 2,604
What sort of WebRTC based applications can we expect to see over the next year and beyond? One way to predict development trends is to see what sorts of applications startups are building. In his session at @ThingsExpo, Arin Sime, founder of WebRTC.ventures, will discuss the current and likely future trends in WebRTC application development based on real requests for custom applications from real customers, as well as other public sources of information,
Mar. 24, 2017 05:30 PM EDT Reads: 373
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
Mar. 24, 2017 05:15 PM EDT Reads: 1,290
SYS-CON Events announced today that Ocean9will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Ocean9 provides cloud services for Backup, Disaster Recovery (DRaaS) and instant Innovation, and redefines enterprise infrastructure with its cloud native subscription offerings for mission critical SAP workloads.
Mar. 24, 2017 04:45 PM EDT Reads: 1,764
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
Mar. 24, 2017 01:15 PM EDT Reads: 561
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
Mar. 24, 2017 01:15 PM EDT Reads: 3,841
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
Mar. 24, 2017 12:45 PM EDT Reads: 1,858
Keeping pace with advancements in software delivery processes and tooling is taxing even for the most proficient organizations. Point tools, platforms, open source and the increasing adoption of private and public cloud services requires strong engineering rigor - all in the face of developer demands to use the tools of choice. As Agile has settled in as a mainstream practice, now DevOps has emerged as the next wave to improve software delivery speed and output. To make DevOps work, organization...
Mar. 24, 2017 12:15 PM EDT Reads: 1,395
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...
Mar. 24, 2017 12:15 PM EDT Reads: 958
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
Mar. 24, 2017 12:00 PM EDT Reads: 1,885
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
Mar. 24, 2017 12:00 PM EDT Reads: 1,640
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From ...
Mar. 24, 2017 10:45 AM EDT Reads: 1,420
SYS-CON Events announced today that Infranics will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Since 2000, Infranics has developed SysMaster Suite, which is required for the stable and efficient management of ICT infrastructure. The ICT management solution developed and provided by Infranics continues to add intelligence to the ICT infrastructure through the IMC (Infra Management Cycle) based on mathemat...
Mar. 24, 2017 09:45 AM EDT Reads: 2,736
Now that the world has connected “things,” we need to build these devices as truly intelligent in order to create instantaneous and precise results. This means you have to do as much of the processing at the point of entry as you can: at the edge. The killer use cases for IoT are becoming manifest through AI engines on edge devices. An autonomous car has this dual edge/cloud analytics model, producing precise, real-time results. In his session at @ThingsExpo, John Crupi, Vice President and Eng...
Mar. 24, 2017 08:45 AM EDT Reads: 3,678
In the enterprise today, connected IoT devices are everywhere – both inside and outside corporate environments. The need to identify, manage, control and secure a quickly growing web of connections and outside devices is making the already challenging task of security even more important, and onerous. In his session at @ThingsExpo, Rich Boyer, CISO and Chief Architect for Security at NTT i3, will discuss new ways of thinking and the approaches needed to address the emerging challenges of securit...
Mar. 24, 2017 08:30 AM EDT Reads: 4,263
The taxi industry never saw Uber coming. Startups are a threat to incumbents like never before, and a major enabler for startups is that they are instantly “cloud ready.” If innovation moves at the pace of IT, then your company is in trouble. Why? Because your data center will not keep up with frenetic pace AWS, Microsoft and Google are rolling out new capabilities In his session at 20th Cloud Expo, Don Browning, VP of Cloud Architecture at Turner, will posit that disruption is inevitable for c...
Mar. 24, 2017 08:30 AM EDT Reads: 1,907
There are 66 million network cameras capturing terabytes of data. How did factories in Japan improve physical security at the facilities and improve employee productivity? Edge Computing reduces possible kilobytes of data collected per second to only a few kilobytes of data transmitted to the public cloud every day. Data is aggregated and analyzed close to sensors so only intelligent results need to be transmitted to the cloud. Non-essential data is recycled to optimize storage.
Mar. 24, 2017 08:15 AM EDT Reads: 2,903