Posted
Earlier this week, we saw an article by Robert Ackerman Jr. on Dark Reading about crowdsourced threat intelligence and cyber security. Of course we were excited to see more discussion on threat intelligence and the value of collaboration.
Robert states that challenges remain, and while we agree that some organizations have not yet found the right balance and rhythm to effectively collaborate with others around their threat data, we built ThreatConnect to be the solution to some of the challenges he mentioned.
“The challenge, of course, is how to source from the crowd when trust and transparency are the watchwords of cyber security. How do you ensure the veracity of submissions (“attribution”), represented as the work of good guys and not a potential “Trojan Horse,” in a world where anonymity is the norm and may in fact be a legal requirement? How do you establish an audit trail of accountability to ensure trust and transparency? How do you create an incentive system that rewards contributions from the best and brightest?”
Security teams are notoriously cagey, and for good reason. Once trust is established, then you’re good to go – but how do you know what shared data you can trust? To Robert’s point, how do you ensure that the data is “good” and trustworthy? The first step is to make sure you’re working within a secure platform that has vetted organizations. That’s why the security email list “Fight Clubs” and ISACs of the world have thrived based on trusted networks and referrals. Our community driven threat intelligence platform, ThreatConnect, gives users the flexibility to use anonymous or attributed profiles, based on the trust level of the community they are participating in. This is valuable because you know that the data you are giving and receiving is coming from a real person from a vetted organization.
Working within ThreatConnect ensures that accountability is king, every action within the system is logged and attributed. Trust and transparency are key cornerstones of a platform. The audit trail is open to anyone who has access to that data. Our private communities of industry leaders and organizations have the ability to view any changes or additions to data made, similar to a Wikipedia log.
While some companies may “collect threat intelligence from a spectrum of sources and package it for distribution to customers, often as part of an integrated security management platform”, we take it two steps further.
We certainly agree that the collection piece is important. Whether you’re importing data from multiple sources, from within your own network, or from third party vendors (like iSIGHT Partners), there should be a way to have all of your data aggregated in one place. ThreatConnect was built to be vendor agnostic. We recognize that threat analysts have multiple sources of intelligence.
The next step is analysis. We built our analytic capabilities off of The Diamond Model for Intrusion Analysis, and we allow any user to quickly pivot between datapoints, dig deeper and find relationships with pDNS and reverse WHOIS queries, and easily visualize using our integrated Maltego transform sets or other tools. Back to the sharing of threat intelligence, our platform was built to allow different communities to have unique privacy settings and share information only with the connections that they want to share with. It’s helpful to analyze and find new data and patterns with a little help from your friends.
The final step is action. ThreatConnect allows you to take all of that data and analysis and put it into action, right within the platform. Interacting with your SIEM and other end-point capabilities, security teams are able to automate and move faster because of the deep data analysis that takes place right within ThreatConnect.
Threat intelligence sharing is not a new concept. But, what makes it new is the rise of platforms like ThreatConnect, which put power directly into the hands of users much in the same way that Salesforce.com gave sales teams a platform, and PeopleSoft gave HR a platform. Threat intelligence platforms and collaboration capabilities are just the beginning of the next phase of the security market.
Interested in learning more or checking out ThreatConnect for yourself? Contact us for a demo today!