Building an effective cyber intelligence process depends on the relevance and completeness of the data received. In most cases, work with Threat Intelligence (TI) data starts with adding open-source feeds. According to the 2021 SANS Cyber Threat Intelligence (CTI) Survey, 66.3% of companies use open sources to collect indicator of compromise (IoC) data, and they strive to work with multiple sources in parallel.
On one hand, using several sources seems the simplest and most obvious way to start collecting data quickly; on the other, uploading these indicators to security tools produces a large volume of detections, which makes processing the data almost impossible for the analyst. Note also that if you want to build block lists for security tools from IoCs, or a collection for search queries on the EDR side, there will be a limit on the number of entities. This means that manual work is needed anyway to prepare such a collection of IoCs. Keep in mind as well that indicators on their own, without the context of the threat they belong to, are useless.
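As an added example (not code from the original article, and not part of any Defensys product), the following Python script shows the preparation step the paragraph above describes: several open-source feeds are refanged and normalized so that the same indicator spelled three ways collapses to one entry, noise such as RFC 1918 addresses is dropped before it can flood detections, the source and confidence context is kept alongside each indicator, and the resulting set is split into batches that fit a tool's entity limit. The feed names, indicators and confidence values are constructed sample data.

```python
"""Merge open-source IoC feeds into one deduplicated, context-preserving set
and split it into batches that respect a tool's entity limit.

Added example; not code from the original article or from Defensys.
All feed contents below are constructed sample data, not real intelligence.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
import ipaddress
import re

# Constructed sample feeds: (indicator, type, confidence 0-100).
# Entries overlap across feeds and use mixed case / defanged notation on purpose,
# which is exactly what produces duplicate detections if uploaded as-is.
FEEDS: Dict[str, List[Tuple[str, str, int]]] = {
    "feed_a": [
        ("Evil.Example[.]com", "domain", 80),
        ("198.51.100.7", "ipv4", 60),
        ("203.0.113.9", "ipv4", 20),
    ],
    "feed_b": [
        ("evil.example.com", "domain", 70),
        ("198.51.100.7", "ipv4", 90),
        ("hxxp://evil.example[.]com/x", "url", 75),
    ],
    "feed_c": [
        ("EVIL.EXAMPLE.COM", "domain", 40),
        ("10.0.0.5", "ipv4", 90),  # private address: blocking it only creates noise
    ],
}

# Ranges that never belong on a block list (RFC 1918, loopback, link-local, "this" network).
_NOISE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")
]


def refang(value: str) -> str:
    """Undo common defanging so one indicator spelled two ways collapses to one."""
    value = value.strip()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value


def normalize(value: str, ioc_type: str) -> Optional[str]:
    """Return the canonical form of an indicator, or None if it must not reach a tool."""
    value = refang(value)
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "ipv4":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return None  # malformed entry: a feed typo, not an indicator
        if ip.version != 4 or any(ip in net for net in _NOISE_NETS):
            return None
        return str(ip)
    if ioc_type == "url":
        return value  # scheme and host were refanged; path case is significant, keep it
    return None  # unknown type: skip rather than guess


def merge_feeds(feeds: Dict[str, List[Tuple[str, str, int]]]) -> Dict[Tuple[str, str], dict]:
    """Deduplicate across feeds, keeping which sources reported each indicator and the highest confidence."""
    merged: Dict[Tuple[str, str], dict] = defaultdict(lambda: {"sources": set(), "confidence": 0})
    for source, entries in feeds.items():
        for raw, ioc_type, confidence in entries:
            canonical = normalize(raw, ioc_type)
            if canonical is None:
                continue
            rec = merged[(ioc_type, canonical)]
            rec["sources"].add(source)
            rec["confidence"] = max(rec["confidence"], confidence)
    return dict(merged)


def select_actionable(merged: Dict[Tuple[str, str], dict],
                      min_sources: int = 2, min_confidence: int = 70) -> List[Tuple[str, str]]:
    """Keep indicators corroborated by several feeds or rated highly by at least one."""
    return sorted(
        key for key, rec in merged.items()
        if len(rec["sources"]) >= min_sources or rec["confidence"] >= min_confidence
    )


def batch(values: List[Tuple[str, str]], limit: int) -> List[List[Tuple[str, str]]]:
    """Split the selection into chunks no larger than the target tool's entity limit."""
    if limit < 1:
        raise ValueError("limit must be positive")
    return [values[i:i + limit] for i in range(0, len(values), limit)]


if __name__ == "__main__":
    merged = merge_feeds(FEEDS)
    for key, rec in sorted(merged.items()):
        print(key, "sources=%s confidence=%d" % (sorted(rec["sources"]), rec["confidence"]))
    for i, chunk in enumerate(batch(select_actionable(merged), limit=2), start=1):
        print("batch", i, [value for _, value in chunk])
```

The thresholds (two corroborating feeds, or a confidence of 70) are assumptions for the example; the point is that the selection and the batch size are explicit parameters, so the manual preparation step the text refers to becomes a reviewable policy rather than ad-hoc trimming, and the source set kept per indicator is the context an analyst needs when a match fires.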
It was very difficult to locate a host when something went wrong within the network.
Typically, cybersecurity specialists would call a large number of colleagues from different regions before collecting all the necessary data.
In addition, the different systems installed within the infrastructure reported conflicting equipment statistics.
Following the PoC, the Defensys ACP solution was fully implemented, which addressed these problems.
Defensys ACP performs a health check of the antivirus system and produces up-to-date reports weekly.
As a result, Defensys ACP has become the reference source for asset information, not only for cybersecurity personnel but also for other departments.
Some IT systems use the ACP’s API to enrich the required data with asset information.
The system’s metrics are displayed on the video wall of the Cyber Security Office, where the Operations Center is located.