
Using Multi-Source Threat Intelligence to Strengthen Network Security

02.09.2021

An Ongoing Blog Series Highlighting Threater’s Best-In-Class Threat Intelligence

In the first blog of this series, we talked about the need to use threat intelligence from multiple sources and highlighted some of the key threat intelligence challenges. These included identifying which sources to use amidst a plethora of options and challenges integrating third-party threat intelligence into traditional security controls like next-generation firewalls. We provided a high level overview of how the Threater platform simplifies and solves these challenges by putting best-in-class threat intelligence at your fingertips and allowing you to take action with the threat intelligence that works best in your environment. 

In this blog, we will take a closer look at the importance of using multi-sourced threat intelligence and how our platform provides and allows you to use best-in-class threat intelligence to secure your networks, data and users in real-time – wherever they are – on-prem, cloud, remote, or all of the above.

The Importance of Multi-Source Threat Intelligence

Defending against today’s threats is a volume game that requires threat intelligence from multiple sources. Cyber attacks are big business, with threat actors ranging from individual attackers to well-funded, coordinated cyber threat organizations and state-sponsored groups. One vendor’s or threat intelligence provider’s view of the threat landscape is therefore simply not enough to protect against the constantly evolving and sophisticated threat actors that are attacking. This is borne out not only by the volume of threat intelligence available, but also by the fact that when threat intelligence from multiple vendors is compared, the overlap is negligible.

Presenting at the 29th USENIX Security Symposium, researchers from the Delft University of Technology in the Netherlands and the Hasso Plattner Institute at the University of Potsdam, Germany, compared a mix of commercial, open source, and vendor threat feeds and found that using threat intelligence from multiple sources yielded the most benefit, with minimal overlap between sources. From their findings:

  • Between open and paid threat intel sources, there was almost no overlap in indicators
  • Between two paid threat intel vendors, the overlap in indicators was 1.3% – 13%. In other words, 13% of vendor #1’s indicators were in vendor #2’s set, and 1.3% of vendor #2’s indicators were in vendor #1’s set.
  • When the researchers drilled down to the 22 threat actors for which both vendors had indicators, they found an average overlap of no more than 2.5%-4.0% per group, depending on the type of indicator.

These findings prove academically what Threater has always known – protection from cyber threats requires the use of a broad set of threat intelligence, from multiple sources. Providing this is core to our platform and one of the features that provides high value to our customers.

Threater Delivers “Out-of-the-Box” Threat Intelligence From Multiple Sources

Enough of academia. At the end of the day…Threater makes your IT life easier by filtering through the noise and delivering threat intelligence from multiple trusted and best-in-class sources so that you don’t have to. These include: 

  • Commercial: This is threat intelligence provided by commercial cybersecurity companies that specialize in this craft. Threater provides threat feeds from leading commercial providers, including Webroot, DomainTools, and Proofpoint (EmergingThreats) to name a few.
  • Open Source: There is a lot of valuable open source threat intel data. However, there’s also a lot of “not so valuable” data. At Threater, we curate best-in-class, high fidelity, open-source threat intelligence. Examples include AlienVault’s Open Threat Exchange, Blocklist.de, CINS Army List, Emerging Threats Rules, and others.
  • Government: Given the rise of nation state cyberwarfare, it’s no surprise that government organizations are a valuable source of threat intelligence. For example, at Threater, we participate in the U.S. Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) and Cyber Information Sharing and Collaboration Program (CISCP) and provide a DHS threat feed. We also provide government threat intel from other sources like the State of Missouri’s Security Operations Center, which is a phenomenal threat feed.
  • Industry: Attackers often launch campaigns targeting specific industries, making it critical to incorporate industry-specific threat intelligence. Industry-focused Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) collect, analyze, and disseminate actionable threat information to their members and provide tools, such as threat feeds, to mitigate risks and enhance resiliency. We make it easy for customers that are members of ISACs and ISAOs to integrate this industry threat intelligence into our platform. Examples of our growing roster of integrations include E-ISAC, FS-ISAC, H-ISAC, MS-ISAC and others.

…But these aren’t the only sources of threat intelligence that our platform can use. In addition to the threat intelligence data we provide “out of the box,” Threater can integrate threat intelligence in real time from any source, including from your current deployed security tools. Below are a few examples of the ways we make it simple for you to integrate threat intelligence into the platform:

Connectors

Our platform provides connectors that make it easy for you to create automated IP and domain denied lists. For example, with our Basic IPv4 address list and Basic Domain connectors you can create automated denied and allowed lists by importing IP addresses and domains stored one per line in text files hosted on a web server. If you prefer STIX/TAXII, you can use our STIX/TAXII connector. In the near future, we will also provide the ability to do bulk CSV uploads.
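As an added illustration (not Threater’s code and not the connectors’ implementation), the following parses two constructed one-indicator-per-line feeds of the kind the Basic IPv4 and Basic Domain connectors import, rejects malformed lines rather than loading them into a denied list, and reports the directional overlap that the USENIX study above measures; the function names and sample values are assumptions.

```python
import ipaddress
import re

# Hostname shape (RFC 1123 labels, alphabetic TLD): enough to reject obvious junk feed lines.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

def parse_feed(text):
    """One indicator per line -> (ips, domains, rejected); IPs/CIDRs normalised via ipaddress."""
    ips, domains, rejected = set(), set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments, whitespace, case
        if not line:
            continue
        try:
            ips.add(str(ipaddress.ip_network(line, strict=False)))  # 1.2.3.4 -> 1.2.3.4/32
            continue
        except ValueError:
            pass
        if _DOMAIN_RE.match(line):
            domains.add(line)
        else:
            rejected.append(raw)  # surface junk instead of silently loading it into a denied list
    return ips, domains, rejected

def directional_overlap(a, b):
    """Fraction of a's indicators also present in b ("x% of vendor 1's set was in vendor 2's")."""
    return len(a & b) / len(a) if a else 0.0

def compare_feeds(text_a, text_b):
    """Overlap in both directions plus the size of the combined denied list."""
    ips_a, dom_a, _ = parse_feed(text_a)
    ips_b, dom_b, _ = parse_feed(text_b)
    all_a, all_b = ips_a | dom_a, ips_b | dom_b
    return {"a_in_b": directional_overlap(all_a, all_b),
            "b_in_a": directional_overlap(all_b, all_a),
            "union": len(all_a | all_b)}

# Constructed sample feeds using documentation address ranges, not real indicators.
FEED_A = """198.51.100.7
203.0.113.0/24
bad.example
Phish.Example.NET   # mixed case is normalised
"""
FEED_B = """198.51.100.7
192.0.2.10
192.0.2.11
bad.example
evil.example.org
300.1.1.1
"""
```

With these inputs `compare_feeds(FEED_A, FEED_B)` reports 50% of feed A inside feed B but only 40% of feed B inside feed A, which is why the study quotes overlap in both directions; the union (7) is the coverage gained by loading both.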

Third-Party Integrations

Our platform has a growing number of “out of the box” integrations with third-party systems like Threat Intelligence Platforms (TIPs), SIEMs, and SOARs to name a few. 

With a few simple clicks, you can easily integrate threat intelligence from leading threat intel providers and TIPs like Anomali, IntSights, Recorded Future, ThreatConnect, ThreatQuotient, and ThreatSTOP. 

When it comes to SIEMs, of course we have great syslog export capabilities. However, what’s even cooler are integrations that enable you to automatically block threats in Threater right from the SIEM. For example, with our IBM QRadar App users can automatically add an IP or domain to a Threater denied list right from the QRadar interface.

We also have plans this year to add integrations with leading SOAR platforms, which are increasingly being used by organizations to automatically respond to threats.

REST API

Last but not least, we make it simple for users to build their own integrations using our robust and easy-to-use set of REST APIs. If this is your cup of tea, feel free to check out our APIs here.

As you can see, when it comes to threat intelligence Threater is all about allowing you to use best-in-class threat intelligence to secure your networks, data and users in real-time – wherever they are – on-prem, cloud, remote, or all of the above. This best-in-class threat intelligence comes from multiple sources, including the threat intelligence data we provide “out of the box” as well as the many ways we make it easy for you to integrate threat intelligence from any source in real time.

Stay Tuned!

In our coming blogs, we will take a deeper look at our threat intelligence data and partner integrations, and how we interact with them. And as always…

If you are a current customer and have any questions, feel free to reach out to our customer support team at support@threater.com 

If you’d like to learn more about Threater’s platform integrations, visit the Integrations tab on www.threater.com

If you’d like to get started with Threater’s platform today, contact sales@threater.com