Search This Blog

Saturday, 18 October 2014

Know Your Threat Landscape - Standardized Security Threat Information (STIX & TAXII)

Over the years, many managed security service providers have been publishing variants of an external Threat Analysis in one form or another. Annual, Quarterly, Weekly, Daily, and live feeds are regular deliverables now from anyone who is anyone in the Security Industry.

Great news, right?  Well... sort of...

The fact is, that each of these service providers had their own proprietary naming conventions and threat report formats. This made it difficult for the consumer of these reports and feeds to understand what information was redundant, and what was really important.


Recently, however, many of these providers have banded together at the influence of the U.S. Department of Homeland Security (DHS) and Mitre Corporation. A community has formed, intent on standardizing not only the language used to to represent structured cyber threat information - Structured Threat Information Expression (STIX™) - but the transport mechanism used to distribute this cyber threat information as well, called Trusted Automated Exchange of Indicator Information (TAXII™).

By standardizing on the language and delivery of cyber threat information, clear and expeditious remediation can be put in place without wasting time wading through multiple vendor notifications. 



Links to the various Managed Security Service Providers Threat Intelligence.

IBM has X-Force 
  • IBM X-Force security professionals monitor and analyze security issues from a variety of sources, including its database of more than 76,000 computer security vulnerabilities, its global web crawler and its international spam collectors.

Symantec has DeepSight
  • Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of approximately 69 million attack sensors which record thousands of events per second.

CheckPoint has Threatcloud
  • ThreatCloud, the first collaborative security infrastructure to fight cybercrime. ThreatCloud dynamically reinforces Check Point Threat Prevention Software Blades with real-time threat intelligence derived from Check Point research, global sensors data, industry feeds and specialized intelligence feeds from the ThreatCloud IntelliStore.

Paolo Alto has Wildfire
  • WildFire offers a completely new approach to Cybersecurity, through native integration with Palo Alto Networks Enterprise Security Platform, the service brings advanced threat detection and prevention to every security platform deployed throughout the network, automatically sharing protections with all WildFire subscribers in about 15 minutes.

McAffee has GTI (Global Threat Intelligence)
  • McAfee Global Threat Intelligence (GTI) notices the anomalous behavior and predictively adjusts the website’s reputation so McAfee web security products can block access and protect customers. Then McAfee GTI looks out across its broad network of sensors and connects the dots between the website and associated malware, email messages, IP addresses, and other associations, adjusting the reputation of each related entity
Radware has Lancope StealthWatch
  • Lancope Inc. is a leading provider of network visibility and security intelligence to defend enterprises against today’s top threats. By collecting and analyzing NetFlow, IPFIX and other types of flow data, Lancope’s StealthWatch® System helps organizations quickly detect a wide range of attacks from APTs and DDoS to zero-day malware and insider threats. 

F5 has IP Intelligence
  • F5® IP Intelligence incorporates external, intelligent services to enhance automated
    application delivery with better IP intelligence and stronger, context-based security. By identifying IP addresses and security categories associated with malicious activity, the IP Intelligence service can incorporate dynamic lists of threatening IP addresses into the F5 BIG-IP® platform, adding context to policy decisions. IP Intelligence service reduces risk and increases data center efficiency by eliminating the effort to process bad traffic.

Cisco-Sourcefire has Talos
  • The Cisco Talos Security Intelligence and Research Group (Talos) is a group of elite cyber security experts whose threat intelligence detects, analyzes and protects against both known and emerging threats by aggregating and analyzing Cisco’s unrivaled telemetry data of billions of web requests and emails, millions of malware samples, open source data sets and millions of network intrusions. More than just a traditional response organization, Talos is a proactive member of your security ecosystem, working around the clock to proactively discover, assess, and respond to the latest trends in hacking activities, intrusion attempts, malware and vulnerabilities with new rules, signatures, file analysis and security tools to better protect your organization.
Trend Micro - Security Intelligence
  • With Trend Micro at your side, you can safely navigate the changing cyber security landscape. We defend tens of millions of customers around the clock through a worldwide network of 1000+ threat researchers and support engineers committed to 24x7 threat surveillance and analysis, attack prevention and remediation, and educational tools to help you secure your data against cyber crime in this ever-changing digital world.

Kaspersky Labs -Threat Intelligence
  • Kaspersky Lab’s Security Intelligence Services constantly monitor the threat landscape, identifying emerging dangers and taking steps to defend and eradicate. Combining our world-leading knowledge of malware and cybercrime with a detailed understanding of our clients’ operations, we create bespoke reports that provide actionable intelligence for an enterprise’s specific needs.  Our intelligence services range from subscriptions to our global network insights, monthly threat analysis specific to your organisation, through to bespoke training and education programmes.

Arcsight has Reputation Security Monitor
  • Actively enforce and manage reputation-based security policies to help focus on those threats with most risk. By using frequently scheduled updates of reputation data, vetted by a global cadre of experts, HP RepSM detects communication with sites known to have bad reputations-preventing exfiltration of intellectual property and reducing business risk. In addition, you can proactively monitor and protect the reputation of your own enterprise by making sure company and partner web sites and assets are not found on the bad reputation list.

Microsoft is soon announcing  Interflow
  •  The new Interflow platform, based on Microsoft's Azure cloud service, is geared for incident responders and security researchers. "We needed a better and more automated way to exchange information with incident responders. That's how we started on a path developing this platform," says Jerry Bryant, lead senior security strategist with Microsoft Trustworthy Computing. "This allows for automated knowledge exchange."

Note:  Apologies if I've missed your favorite Internet Threat Analysis feed or report.  
Add a quick comment below, and I'll update this list if appropriate.


References:

https://stix.mitre.org
https://taxii.mitre.org  
NetworkWorld: The International Security Community Should Embrace the STIX and TAXII Standards 
Networkworld: Symantec rolls out threat-intelligence sharing with Cisco, Check Point, Palo Alto Networks 
US-CERT: Information Sharing Specifications for Cybersecurity 
IBM X-Force Threat Intelligence
Infosec Institute: Reinventing Threat Intelligence
Large Organizations Need Open Security Intelligence Standards and Technologies 
SANS.org: Developing Cyber Threat Intelligence... 
BrightCloud: 2014 CYBERTHREAT DEFENSE REPORT 
Threat intelligence lifecycle maturation in the enterprise market 


1 comment:

  1. Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write ups thanks once again.

    Good!!
    IT security certification in Chennai

    ReplyDelete