With 5 independent regional SOCs connected to the main SOC at HQ, the Company’s cybersecurity staff had to register incidents in a service desk that was not connected to the IT service desk, while all the other data needed for an investigation was collected manually from multiple sources: security tools, data lakes and billing systems. It was also difficult to quickly find the properties of the technical equipment involved in a cyber incident. Threat intelligence data was processed semi-automatically, without any connection to other systems.
After a comprehensive comparison of different technologies for building the next version of its SOC, the Company chose Defensys as a leader in automating cybersecurity processes. The decision was to use SOAR and TIP to enhance the capabilities of the existing SOC, whose many systems were not connected to each other.
All incidents from the different security tools, along with customers’ enquiries, are processed in one system, which lets different teams use the same investigation frameworks; this matters when collecting performance metrics. Incidents are automatically registered based on the MITRE ATT&CK framework, so the whole team uses the same terms during the response process.
Defensys has updated the Defensys Threat Intelligence Platform (TIP) to version 2.5. Key changes affect the logic of enriching indicators of compromise (IoCs) and the way the bulletin tool and vulnerability cards work; there are also major changes to the system interface.
In the new version of Defensys TIP, the logic of enriching IoCs has been improved with additional context. Now users can configure the maximum number of days for storing enrichment data. After the specified period, the system will automatically re-request the enrichment data, which will help users process information related to indicators more accurately.
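As an added illustration, not Defensys’s own code, the following Python sketch shows the retention logic described above: enrichment context is kept for a configurable number of days, and a lookup after that window re-requests it from the provider. The provider, clock, IP address and verdicts are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict


@dataclass
class Enrichment:
    ioc: str
    context: dict
    fetched_at: datetime


class EnrichmentCache:
    """Keeps IoC enrichment and re-requests it once it is older than max_age_days."""

    def __init__(self, source: Callable[[str], dict], max_age_days: int,
                 clock: Callable[[], datetime]):
        self.source = source      # hypothetical enrichment provider: ioc -> context dict
        self.max_age = timedelta(days=max_age_days)
        self.clock = clock        # injected clock so expiry can be exercised offline
        self.store: Dict[str, Enrichment] = {}
        self.refetches = 0        # how many times stale data was re-requested

    def is_stale(self, entry: Enrichment) -> bool:
        return self.clock() - entry.fetched_at > self.max_age

    def get(self, ioc: str) -> Enrichment:
        entry = self.store.get(ioc)
        if entry is not None and not self.is_stale(entry):
            return entry          # still inside the configured retention window
        if entry is not None:
            self.refetches += 1   # window exceeded: fetch fresh context
        entry = Enrichment(ioc, self.source(ioc), self.clock())
        self.store[ioc] = entry
        return entry


def demo(max_age_days: int = 7):
    """Constructed scenario: the provider's verdict for one IP changes between lookups."""
    verdicts = iter([{"verdict": "malicious", "asn": "AS64496"},
                     {"verdict": "sinkholed", "asn": "AS64496"}])
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    cache = EnrichmentCache(lambda ioc: next(verdicts), max_age_days, lambda: now[0])
    first = cache.get("192.0.2.10").context["verdict"]   # fetched from the provider
    now[0] += timedelta(days=max_age_days)
    second = cache.get("192.0.2.10").context["verdict"]  # exactly at the limit: cached
    now[0] += timedelta(seconds=1)
    third = cache.get("192.0.2.10").context["verdict"]   # past the limit: re-requested
    return first, second, third, cache.refetches
```

The changed verdict after the window shows why re-requesting matters: an indicator that was malicious last week may have been sinkholed since, and a stale cache would keep the old context.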
A significant part of the improvements in the new version of Defensys TIP concerns the bulletin tool. Threat and vulnerability bulletins are used to inform employees, the community, customers or colleagues about new security threats and current vulnerabilities in software and hardware relevant to a particular infrastructure or organization. The platform can now create bulletins covering multiple vulnerabilities, and the vulnerabilities section has become more convenient to work with: for each vulnerability, whether a bulletin exists and its identifier are displayed.
In Defensys TIP 2.5, when viewing a vulnerability card, as well as when creating or editing a vulnerability bulletin, the entire structure of Common Weakness Enumeration (CWE) weaknesses is shown, taking into account the attached elements.
It is sometimes hard to explain briefly what threat intelligence means, since much depends on the context in which the term is used: it may refer both to a process and to an action. There are a number of formal definitions, for example from Gartner and the SANS Institute.
Cyber threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help cybersecurity and business staff at all levels protect the critical assets of the enterprise.
Definitive Guide to Cyber Threat Intelligence
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
Gartner, McMillan (2013), quoted in “Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study”
The set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators.
SANS Institute
The need for intelligence data arises as cybersecurity develops and its maturity level improves.