CAL™ 2.2 Brings Improved Data Hygiene and More Robust Graph Modeling

Right on the heels of our 2.1 CAL update, we’re keeping up the momentum with the release of CAL 2.2!

As a refresher, ThreatConnect’s CAL™ (Collective Analytics Layer) provides anonymized, crowdsourced intel about your threats and indicators. It leverages the collective insight of the thousands of analysts who use ThreatConnect worldwide to provide you with even more context regarding your indicators and threats.

The analytics engine that powers CAL has been improved over time, and is something that you can really think of as the ‘Brain of CAL’.

Once all of the data is collected and aggregated, CAL allows for data classification, and consequently, pivoting across related indicators. This is extremely beneficial when determining relationships between indicators.

The improvements in 2.2 include Better Data Hygiene and More Robust Graph Modeling.

Let’s dig deeper into each.

Better Data Hygiene

To say CAL handles a lot of data would be an understatement. We’re talking nearly half a billion indicators as of June 2019 that are sent to CAL for further analysis. CAL takes those indicators and, through proprietary algorithms leveraging overlaying datasets, creates a threat score to indicate the potential maliciousness associated with the respective indicator. We combine this score with ThreatConnect’s in-app reputation engine, called ThreatAssess, which gives users a score on a 0-1000 scale to help them make better decisions. Furthermore, CAL can modulate an indicator’s in-app status, reducing clutter from false positives and promoting relevant indicators in analyst workflows.

Keeping that in mind, ThreatAssess is only as reliable as the algorithms and scoring that are in place. In an effort to continuously make our data more reliable and accurate, a few things have been added to allow for even better data hygiene. With every CAL release, we’re adding additional data sources to help with data hygiene. In this release, new capabilities include:

  • The ability for CAL to benefit directly from the ThreatConnect Research team’s curation. Our Research Team is already working to ensure that we’re keeping a clean house in the ThreatConnect cloud; now CAL can benefit from their analysis and pass those insights along to private instances.
  • Dynamic inclusion of Microsoft Office365 networks for better whitelisting. By using some of their newer endpoints, we can keep a finger on the pulse of Microsoft’s entire Office365 infrastructure. These IP addresses are responsible for tens of millions of noisy observations per month, and CAL’s analytics can deprioritize them appropriately.
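To make the Office365 whitelisting idea concrete, here is an added example (not CAL’s code or ThreatConnect’s) that parses an endpoint feed in the shape published by Microsoft’s 365 endpoint web service, builds the set of Office365 networks, and buckets observed IP addresses so that ones inside that space can be deprioritized rather than scored as threats. The feed content, the observation list and the bucket names are constructed for illustration.

```python
import ipaddress
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of the Microsoft 365 endpoint web service
# JSON (an array of service entries; entries with an "ips" key list CIDRs).
# A production job would fetch the live feed on a schedule; this stays offline.
SAMPLE_ENDPOINTS_JSON = """[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "ips": ["13.107.6.152/31", "2603:1006::/40"], "tcpPorts": "443"},
  {"id": 2, "serviceArea": "Common", "category": "Allow", "required": true,
   "urls": ["login.microsoftonline.com"]},
  {"id": 3, "serviceArea": "SharePoint", "category": "Default", "required": false,
   "ips": ["13.107.136.0/22"]}
]"""


def load_office365_networks(endpoints_json: str) -> List[Tuple[object, str]]:
    """Parse the feed into (network, serviceArea) pairs.
    URL-only entries (no "ips" key) are skipped; both IPv4 and IPv6 are kept."""
    nets = []
    for entry in json.loads(endpoints_json):
        area = entry.get("serviceArea", "unknown")
        for cidr in entry.get("ips", []):
            nets.append((ipaddress.ip_network(cidr, strict=False), area))
    return nets


def classify_observations(observed: Iterable[str], nets) -> Dict[str, List[str]]:
    """Bucket observed addresses: Office365 space is 'deprioritized' (noise for
    scoring), anything else is 'review', and unparsable input is 'invalid'."""
    result: Dict[str, List[str]] = {"deprioritized": [], "review": [], "invalid": []}
    for raw in observed:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            result["invalid"].append(raw)  # never silently drop bad sensor data
            continue
        match = next((area for net, area in nets
                      if addr.version == net.version and addr in net), None)
        if match:
            result["deprioritized"].append(f"{addr} ({match})")
        else:
            result["review"].append(str(addr))
    return result


if __name__ == "__main__":
    nets = load_office365_networks(SAMPLE_ENDPOINTS_JSON)
    # Constructed observations, as a sensor might report them
    print(classify_observations(
        ["13.107.6.153", "2603:1006:1::1", "198.51.100.7", "not-an-ip"], nets))
```

The same matching step can be applied before an indicator is scored, so that the score reflects observations outside known-benign infrastructure rather than sheer volume.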

More Robust Graph Modeling

To drive its analytics, CAL models the highly relational dataset of the threat landscape at a behemoth scale. To replicate the analysis that humans make at the scale of hundreds of millions of relationships a day, we needed to improve our ability to model and process the graph that CAL extends every day.

As CAL learns about new indicators and discovers new links, its analytics need to be able to scan deeper and faster across the information model to generate new insights. This lays a foundation for us to inject even more data into the CAL engine, enabling more sophisticated analytics and insights in the releases to come!


About the Author
Drew Gidwani

Drew Gidwani is the Director of Analytics at ThreatConnect. He drives the data modeling, collection, and analytics both within the core ThreatConnect platform and in CAL. Previously, Drew worked for the Department of Defense where he leveraged his varied analysis experiences to scale growing intelligence teams in the face of the ever-changing threats we face today. Drew holds a B.S. from Carnegie Mellon University and an M.S. from Johns Hopkins University. He currently resides in Maryland with his fierce warrior dog named Gimli.