The customer had a number of implemented systems that were not integrated with each other, which naturally caused frequent problems.
Moreover, there were 3 main types of information that were processed in the company:
All cyber security audits were carried out in 3 areas:
The customer set a hard challenge: find a solution flexible enough in its settings and integrations to solve the problems collected. After a careful search, the company chose the Defensys SGRC solution.
First of all, regulatory and physical security requirements were mapped to each other via the control checks framework built into Defensys SGRC. This way the user receives a single list containing only the requirements that need to be assessed for the given asset type and the user's role in the process, rather than all the requirements.
According to the 2021 SANS Cyber Threat Intelligence (CTI) Survey, 66.3% of companies use open sources to collect indicators of compromise and try to work with multiple sources simultaneously. It would seem that collecting indicators from open sources is a fairly simple task: you just need to download a txt or csv file from some website, and that's it. In fact, there are many problems along the way. In this article, we will tell you what these difficulties can be, what the structure and format of a feed depend on, what metrics help to evaluate the usefulness of feeds, and also show what you can learn from a feed using a real example.
What are the pitfalls of open source TI?
Let's be clear right from the beginning: you cannot avoid problems when working with indicators from open sources. The first time you load such indicators into security tools, you will receive thousands of hits per day. If you don't even analyze the first 100 hits, you will most likely give up on the issue and just turn off the feed.
Let’s try to describe the main problems that will need to be resolved when collecting indicators from open sources:
Do not chase the number of indicators in a source, i.e. do not simply pick the sources with the most indicators.
Each of the company’s subsidiaries and branches has its own IT and OT networks.
The OT cyber security department's main goal was to aggregate data on OT assets in one place, because with this up-to-date data they could carry out the various compliance procedures, both national and internal.
Inventory data was stored in completely different places:
There was one more complication in this distributed chain of tenants: many of them were built from one standard design, so there were many different subnets with the same addresses.
Colleagues felt the need for automation because it wasn’t at all efficient to try to gather all the information by email.
After the PoC process, the Defensys SGRC solution was selected to meet all the objectives.
The system works in multitenancy mode. With this functionality, all assets can be stored in the same location for future use in other cybersecurity processes, even if they have overlapping addresses.