
Threat Intelligence and the Downfall of the Galactic Empire

ThreatConnect 4.2 Reduces Fragmentation in Your Security Organization

As is always the case, Star Wars metaphors can teach us a lot about infosec. I’d like to highlight some of the new features in ThreatConnect 4.2 by summing up the geopolitical situation during and immediately after Return of the Jedi.


    1. The Galactic Empire is a well-oiled mighty military machine of quadrillions of citizens that can field thousands of mile-long warships.
    2. The Rebel Alliance is a ragtag group of political extremists, woefully undermanned and outgunned.
    3. The Battle of Endor takes place.
    4. The Rebels commit all of their resources in a pitched battle against a small fraction of the Galactic Empire’s starfleet and ground forces.
    5. The Emperor is killed.
    6. Less than thirty years later, the Empire is gone.

Whoa, wait - back up.

How does losing a single battle suddenly translate into the downfall of an organization of the scope and scale of the Galactic Empire? The Rebels put their entire fleet into the Battle of Endor. Sure, it was a devastating loss, but the Empire still had an entire galaxy of resources to fall back on.

[Image] Pictured: Emperor Sheev Palpatine, shortly before being killed by insider threat actor Darth Vader.

I have a theory, and it can be summed up in a single word: fragmentation. The Emperor was dead! He was the single force that united the people, processes, and technologies of the Empire. Without him, communication broke down and silos went up. Critical intel was no longer being shared. As the spark of rebellion spread, incidents were not responded to in a unified manner. Military responses to threats became knee-jerk instead of intelligence-driven.

In short, the Empire fell because it was functioning like a security organization without a Threat Intelligence Platform.


Through the Emperor: Unity

With our recently-launched version 4.2 of the ThreatConnect platform (or as we call it, Episode IV, Scene 2), we’ve worked hard to deliver features that aid in reducing fragmentation and keeping your security empire safe and secure. And what’s the opposite of fragmentation? Unity! So, without further ado, I present Emperor Palpatine’s Four Keys to Unity: Sharing, Awareness, Consensus, and Control.


Keys to Unity: Sharing

We agree that machine-readable threat intelligence is critical to keeping up with the high volume of data that security organizations must deal with on a daily basis. However, at the end of the day, a lot of intel needs to be consumed by a human. This is especially critical in high-impact breaches, when individuals outside the security organization might need to be exposed to important information. You need Artoo Detoo to talk to the machine and See Threepio to make it digestible to humans (and aliens).

In 4.2, we’ve made some important strides toward “human-readable threat intelligence”: PDF reports and Markdown support. Markdown allows users to take any attribute in ThreatConnect and format it so that other analysts and stakeholders can more easily digest it in the platform.

[Images] Markdown on the left and the final, formatted threat on the right.

ThreatConnect 4.2 lets you share Incidents, Adversaries, and Threats quickly and easily with a one-click export to PDF. They can even be stored in ThreatConnect as PDFs for easy retrieval later.

[Image] A PDF of an incident, ready for sharing.

Keys to Unity: Awareness

It’s important to know all facets of a particular piece of intel: is it accurate? Is it relevant? Is the source reliable? In 4.2, we’re taking a global awareness approach. When you view an Indicator of Compromise, you can now see information on all of the other feeds, sources, and communities in which the Indicator appears. We’ve also included data on the Indicator’s rating and confidence so that you can have the full puzzle in front of you.

[Image] No Bothans were harmed in the acquisition of this intel.

Also critical to awareness is understanding where the intel is coming from. We've extended our Observations and False Positives capabilities so that you can see which of your integrations are actually reporting the data. This lets you home in on the source and prioritize your response.

[Image] Requires a supported integration.

Keys to Unity: Consensus

At the Battle of Endor, a Rebel A-Wing smashed into the command bridge of the Super Star Destroyer Executor, causing it to spiral out of control and ultimately smash into the Death Star. How did this happen? Where were the plans for continuity of operations? My theory is that there was a breakdown in incident response. The shield generator was out, the bridge was destroyed, Rebels were attacking, and rather than prioritizing the main issue of keeping the ship on course, crews were running everywhere playing whack-a-mole. They needed a way to prioritize the top threats and the most important information.

[Image] This is what happens when your incident response team is not coordinating around the biggest problem.

ThreatConnect 4.2 introduces the first of our “Evaluate Your Intel” features. Users can upvote or downvote intelligence that they feel is relevant and useful (or irrelevant and useless!), so that only the most critical or important items can rise to the top. That way you can coordinate around the biggest problems and ensure that your ship stays on course, even in the chaos.


Keys to Unity: Control

One thing I love about workflow in ThreatConnect is how we provide context to everything. When you assign someone a task to take action on a piece of intel, you’re not just assigning a task to someone: you’re giving them the tools they need to complete the task by tying in all the related intel. Proper workflow ensures that everything moves smoothly through your security empire and that all your “troops” are addressing the most important jobs. We’ve expanded that capability in 4.2 by exposing our Task system to our API. Now you can integrate our Tasks with other workflow management platforms.
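As an added illustration of what "integrate our Tasks with other workflow management platforms" looks like from the calling side, here is a small Python client that assembles a signed request to a Task endpoint. This is example code written for this page, not ThreatConnect's own code or SDK. It assumes the HMAC-SHA256 request-signing scheme of the public ThreatConnect v2 API as documented (the signed string is `<path+query>:<METHOD>:<timestamp>`, sent as `Authorization: TC <accessId>:<signature>` plus a `Timestamp` header); the `/v2/tasks` path, the `owner` query parameter, the task body fields, and the credentials and instance URL are placeholders assumed for the example. The request is built but not sent, so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Placeholder instance URL and credentials (assumed for illustration only).
TC_API_BASE = "https://app.threatconnect.com/api"
ACCESS_ID = "00000000000000000000"
SECRET_KEY = "replace-with-your-api-secret"


def sign_request(secret_key: str, path_with_query: str, method: str, timestamp: int) -> str:
    """Base64-encoded HMAC-SHA256 over '<path+query>:<METHOD>:<timestamp>'.

    Binding path, verb and timestamp into the MAC means a captured
    Authorization header cannot be replayed against another endpoint, with
    another verb, or (given a server-side freshness window) at a later time.
    """
    message = f"{path_with_query}:{method.upper()}:{timestamp}".encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(secret_key: str, path_with_query: str, method: str,
                     timestamp: int, signature: str) -> bool:
    """What a verifier would do: recompute and compare in constant time."""
    expected = sign_request(secret_key, path_with_query, method, timestamp)
    return hmac.compare_digest(expected, signature)


def build_headers(access_id: str, secret_key: str, path_with_query: str,
                  method: str, timestamp: Optional[int] = None) -> Dict[str, str]:
    """Authorization and Timestamp headers for one request."""
    ts = int(time.time()) if timestamp is None else timestamp
    signature = sign_request(secret_key, path_with_query, method, ts)
    return {
        "Authorization": f"TC {access_id}:{signature}",
        "Timestamp": str(ts),
        "Content-Type": "application/json",
    }


def build_create_task_request(task_name: str, owner: str, assignees: List[str],
                              due_date: str, timestamp: Optional[int] = None
                              ) -> Tuple[str, str, Dict[str, str], str]:
    """Assemble (method, url, headers, body) for creating a Task; nothing is sent.

    The path '/v2/tasks', the 'owner' query parameter and the body field names
    are assumed for this example. The query string is built once and the same
    string is both signed and sent, otherwise the server's MAC check fails.
    """
    path_with_query = "/v2/tasks?" + urlencode({"owner": owner})
    body = {
        "name": task_name,                                   # assumed field
        "status": "In Progress",                             # assumed field
        "dueDate": due_date,                                 # assumed field
        "assignee": [{"userName": u} for u in assignees],    # assumed field
    }
    headers = build_headers(ACCESS_ID, SECRET_KEY, path_with_query, "POST", timestamp)
    return "POST", TC_API_BASE + path_with_query, headers, json.dumps(body)


if __name__ == "__main__":
    method, url, headers, body = build_create_task_request(
        "Triage Endor IOCs", "Demo", ["analyst1"], "2015-11-01T00:00:00Z")
    print(method, url)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body)
```

The point worth noticing is what the signature covers: the secret never leaves the client, and because the path, verb and timestamp are part of the MAC input, a workflow tool that leaks one signed header does not hand an attacker a reusable credential for other endpoints. The server side should additionally reject requests whose Timestamp falls outside a short window, otherwise the time binding does nothing.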

The Final Key

If the Empire had something like ThreatConnect, it's likely that the Battle of Endor would have been just a temporary setback rather than the beginning of the end. In the same vein, ThreatConnect 4.2 is just the beginning of some of these new features and initiatives. In addition to what I've mentioned here, 4.2 includes dozens of new features, enhancements, tweaks, and integrations.

Start your free trial and see how ThreatConnect 4.2 helps you unite your security empire!

ABOUT THE AUTHOR

Dan Cole, Director of Product Management at ThreatConnect, has spent the last decade as a product manager working to create awesome software that gets to the core of solving the unique problems faced by a myriad of industry verticals. From large financial and insurance providers, to global telecom carriers, to federal agencies, Dan believes that the right software can free companies and users to focus on and enable their key missions.