Posted May 12, 2016
This blog series explores three fundamental challenges our customers have when leveraging a Threat Intelligence Platform (TIP). In this blog, we discuss the last challenge of operationalizing threat defense.
The TIP has become a critical part of any mature security operations environment, where threat analysis and relevant threat intelligence can drive the actions of other teams within an organization, as well as security mitigation technologies. The cross-functional nature of threat intelligence is a foundational aspect of scoutPRIME’s architecture and is what drove us to create the concept of workspaces.
The key purpose of workspaces is to avoid unnecessary duplication of global Internet data and intelligence that all users may share. Workspaces accomplish this because they are an isolated container for all data including the threat intelligence within our system. In other words, workspaces allow different teams and individuals to work on threat intelligence data, reports, and analysis in isolation from other users or teams sharing the same physical system.
scoutPRIME’s mechanism is innovative because changes to a specific workspace’s data are kept local to that workspace, while the underlying shared/global view remains unchanged. This is powerful: a change to global state is applied once for everyone, and each workspace’s local view inherits that shared state without significant data replication or processing across all of the workspaces.
Workspaces can be customized even further: individuals or teams can create their own threat intelligence, build reports and dashboards on specific threat intelligence, and change the scoring engine and its related configuration so that they see the resulting changes to threat scores in isolation.
One of the critical aspects of workspaces is ensuring that all data local to the workspace remains local only. To achieve this, we had to ensure that all asynchronous notifications based on configured triggers are isolated to the workspace. This isolation allows threat analysts and security operations teams to share the same platform while having different requirements for data interactions between scoutPRIME and external systems such as a SIEM or firewalls.
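The overlay model described above (one shared global store, per-workspace local overrides, triggers scoped to a workspace) can be sketched in a few dozen lines. The following is an added illustration written for this post and is not scoutPRIME code; the class names, the 0-100 threat_score field, the "score at or above a threshold" trigger rule and the sample indicators (RFC 5737 documentation addresses) are all assumptions.

```python
"""Workspace overlay: local edits shadow a shared global store.

Added illustration of the workspace idea; not scoutPRIME code. Class names,
the 0-100 threat_score field, the trigger rule and the sample indicators
(RFC 5737 documentation addresses) are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observable:
    indicator: str      # IP, domain, hash, ...
    threat_score: int   # 0-100, constructed values
    source: str


class GlobalStore:
    """The shared/global view: one physical copy of the intelligence."""

    def __init__(self) -> None:
        self._data: Dict[str, Observable] = {}
        self._workspaces: List["Workspace"] = []

    def attach(self, ws: "Workspace") -> None:
        self._workspaces.append(ws)

    def get(self, indicator: str) -> Optional[Observable]:
        return self._data.get(indicator)

    def put(self, obs: Observable) -> None:
        """Global update: stored once, inherited by every workspace."""
        self._data[obs.indicator] = obs
        for ws in self._workspaces:
            ws.on_global_change(obs)


_TOMBSTONE = object()  # marks an indicator deleted in one workspace only


class Workspace:
    """Isolated container of local overrides layered over the shared store."""

    def __init__(self, name: str, shared: GlobalStore) -> None:
        self.name = name
        self._shared = shared
        self._local: Dict[str, object] = {}   # Observable or _TOMBSTONE
        self._triggers: List[Tuple[int, Callable]] = []
        self.notifications: List[str] = []
        shared.attach(self)

    def get(self, indicator: str) -> Optional[Observable]:
        if indicator in self._local:              # local override wins
            value = self._local[indicator]
            return None if value is _TOMBSTONE else value  # type: ignore[return-value]
        return self._shared.get(indicator)        # otherwise inherit the global copy

    def put(self, obs: Observable) -> None:
        """Local edit: visible in this workspace only; the shared copy is untouched."""
        self._local[obs.indicator] = obs
        self._fire(obs)

    def delete(self, indicator: str) -> None:
        self._local[indicator] = _TOMBSTONE

    def add_trigger(self, min_score: int, callback: Callable) -> None:
        """Asynchronous notification hook scoped to this workspace."""
        self._triggers.append((min_score, callback))

    def on_global_change(self, obs: Observable) -> None:
        # A local override shadows the shared copy, so the global change
        # neither shows up here nor fires this workspace's triggers.
        if obs.indicator in self._local:
            return
        self._fire(obs)

    def _fire(self, obs: Observable) -> None:
        for min_score, callback in self._triggers:
            if obs.threat_score >= min_score:
                callback(self, obs)


def demo() -> dict:
    """Two teams on one system: a global re-score reaches both, while a
    local re-score and a SIEM trigger stay inside their own workspace."""
    shared = GlobalStore()
    analysts = Workspace("threat-analysts", shared)
    secops = Workspace("secops", shared)
    # Only the SecOps workspace forwards high scores to its SIEM (stubbed here).
    secops.add_trigger(80, lambda ws, o: ws.notifications.append(
        f"siem:{o.indicator}:{o.threat_score}"))

    shared.put(Observable("203.0.113.7", 85, "feed-A"))              # global
    analysts.put(Observable("203.0.113.7", 20, "analyst-override"))  # local only
    shared.put(Observable("203.0.113.7", 95, "feed-A"))              # global again
    return {
        "analyst_view": analysts.get("203.0.113.7").threat_score,   # 20, local wins
        "secops_view": secops.get("203.0.113.7").threat_score,      # 95, inherited
        "secops_notifications": list(secops.notifications),
        "analyst_notifications": list(analysts.notifications),      # []
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is in `on_global_change`: a workspace that has overridden an indicator neither sees the later global update nor fires its triggers for it, which is what keeps one team's local re-scoring from leaking into another team's SIEM feed.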
Common Threat Team Operations
scoutPRIME focuses on threat team workflows that support their daily work tasks, as well as LookingGlass’ ability to deliver actionable threat intelligence. With that in mind, we wanted scoutPRIME’s dashboard to be customizable so different teams and individuals would only have to use widgets and tools necessary for their tasks.
Internet and Threat Investigation
For most threat analysts, search is the starting point for other workflows. scoutPRIME provides a comprehensive search capability that allows the user to easily express simple and complex combinatorial searches.
A simple search could look for an IP address, a Classless Inter-Domain Routing (CIDR) block, a hash, a domain name, or a threat score.
An example of a complex combinatorial search could be pattern matching a set of common attributes across multiple different Observables that are associated with any network element.
scoutPRIME also provides customers with the ability to save searches so they can share searches with others in the same workspace, or keep a record of frequent searches without having to retype them. A saved search is similar to a bookmark within a browser.
Recalling user-defined saved searches is easily performed (as shown in the image below).
Similarly, the most recently executed searches in the workspace are logged for easy recall, much like a browser’s search history (as shown below).
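To make the search behaviour above concrete, here is an added example (not scoutPRIME code) that classifies a search term as an IP, CIDR block, hash, domain name or threat-score filter, evaluates AND-combined terms against a small set of observables, and keeps saved searches and a recent-search history. The observable model, the `A AND B` query syntax, the `score>=N` form and the sample data (RFC 5737 addresses, a `.example` domain, the MD5 of the empty string) are assumptions made for the example.

```python
"""Search term classification and combinatorial matching over observables.

Added example, not scoutPRIME code. The observable model, the 'A AND B'
query syntax, the 'score>=N' filter form and the sample data are assumptions.
"""
import ipaddress
import operator
import re
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observable:
    kind: str               # "ip", "domain" or "hash"
    value: str
    threat_score: int       # 0-100, constructed
    asn: Optional[int] = None


# Constructed sample data: documentation ranges and a well-known test hash.
OBSERVABLES: List[Observable] = [
    Observable("ip", "198.51.100.23", 91, asn=64496),
    Observable("ip", "198.51.100.77", 42, asn=64496),
    Observable("ip", "203.0.113.9", 88, asn=64497),
    Observable("domain", "malicious.example", 95),
    Observable("hash", "d41d8cd98f00b204e9800998ecf8427e", 70),  # MD5("")
]

_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
_SCORE_RE = re.compile(r"^score\s*(>=|<=|>|<|=)\s*(\d{1,3})$", re.I)
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}


def classify(term: str) -> Tuple[str, object]:
    """Decide what one search term is: score filter, CIDR, IP, hash or domain."""
    term = term.strip()
    m = _SCORE_RE.match(term)
    if m:
        return "score", (m.group(1), int(m.group(2)))
    if "/" in term:
        return "cidr", ipaddress.ip_network(term, strict=False)
    try:
        return "ip", ipaddress.ip_address(term)
    except ValueError:
        pass
    if _HASH_RE.match(term):
        return "hash", term.lower()
    if _DOMAIN_RE.match(term):
        return "domain", term.lower()
    raise ValueError(f"unrecognised search term: {term!r}")


def _matches(obs: Observable, kind: str, arg) -> bool:
    if kind == "score":
        op, threshold = arg
        return _OPS[op](obs.threat_score, threshold)
    if kind == "cidr":
        return obs.kind == "ip" and ipaddress.ip_address(obs.value) in arg
    if kind == "ip":
        return obs.kind == "ip" and ipaddress.ip_address(obs.value) == arg
    return obs.kind == kind and obs.value.lower() == arg   # hash or domain


def search(query: str, observables: List[Observable] = OBSERVABLES) -> List[Observable]:
    """Combinatorial search: every AND-separated term must match."""
    terms = [classify(t) for t in query.split(" AND ")]
    return [o for o in observables if all(_matches(o, k, a) for k, a in terms)]


class SearchHistory:
    """Saved searches (bookmarks) plus the most recently executed searches."""

    def __init__(self, recent_limit: int = 10) -> None:
        self.saved: Dict[str, str] = {}
        self.recent: Deque[str] = deque(maxlen=recent_limit)

    def run(self, query: str) -> List[Observable]:
        self.recent.append(query)
        return search(query)

    def save(self, name: str, query: str) -> None:
        self.saved[name] = query

    def run_saved(self, name: str) -> List[Observable]:
        return self.run(self.saved[name])


if __name__ == "__main__":
    h = SearchHistory()
    h.save("hot-in-our-range", "198.51.100.0/24 AND score>=80")
    for o in h.run_saved("hot-in-our-range"):
        print(o.kind, o.value, o.threat_score)
    print(list(h.recent))
```

The classification order matters: a score filter and a CIDR are recognised by their syntax first, an IP is tried next because `ipaddress` is strict about what it accepts, and only then are the hex-only hash and the dotted domain patterns consulted, so a term is never mistaken for a looser type.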
Threat Relationship Exploration
Understanding the relationships between threat intelligence data and associated network assets is critical to discovering actionable, relevant threat intelligence, and scoutPRIME’s Graph Explorer widget lets threat analysts do just that.
This widget builds a graph in which analysts can search and explore the connections between threat intelligence and network intelligence, and expand the graph further in whatever direction the user wants to navigate.
We often see customers use this feature to search for a specific malware hash that has been identified by one or more Observables and then to search for elements that have been associated with that Observable (and therefore the hash).
Optimized Threat Assessment Reporting
One of the key challenges our customers face is the sheer volume of threat intelligence and relevant threats to their organization. scoutPRIME addresses this with its summary view of threat scores for relevant assets, whether those are their own networked assets, third parties, or both.
The Confidence Summary widget provides customers with a dashboard that summarizes both real-time and historical scores for their selected collections and networked assets. A collection may be defined by the LookingGlass Threat Intelligence team to represent an industry sector or by an organization that wishes to represent all of their networked assets for a summarized view. In addition, security operations and threat teams may choose to represent threat incidents as a collection where they combine IPs, domain names, Observables, autonomous system numbers (ASNs), and any other related state to the incident in a collection providing them with an overall assessment of the incident and associated data.
Confidence Summary continuously summarizes all scoring associated with the collections and assets and allows the customer to double-click into any changes in threat intelligence within a sub-container that has caused changes in scores.
The example below shows how a user has zoomed into the communications sector, ASN 7922, and the CIDR 220.127.116.11/8 to review the network elements and their associated threat scores.
Another example would be where a global enterprise has networked assets across various countries and would prefer to see threat confidence scoring across each country at the top-level and then the ability to see each site within that country and their associated scores. Finally, within that site, they may wish to see what threat Observables have occurred in the last 24 hours to explain why scoring for the site has changed, and may have caused an elevated score on the country level as well.
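The country-to-site drill-down just described (current score per node, score one window earlier, and the observables whose changes explain the difference) is modelled below as an added example written for this post; it is not scoutPRIME code and does not describe scoutPRIME's actual scoring. The enterprise > country > site > asset tree, the 24-hour window, the max-of-members roll-up rule and all scores and timestamps are assumptions, with addresses taken from the RFC 5737 documentation ranges.

```python
"""Hierarchical confidence summary with drill-down into recent changes.

Added example, not scoutPRIME code. The tree shape, the 24 hour window,
the max-of-members roll-up rule and every score/timestamp are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

NOW = datetime(2016, 5, 12, 12, 0, tzinfo=timezone.utc)  # constructed clock
WINDOW = timedelta(hours=24)


@dataclass
class Asset:
    indicator: str
    # (observed_at, threat_score) in ascending time order, constructed
    history: List[Tuple[datetime, int]]

    def score_at(self, when: datetime) -> int:
        """Score in force at `when` (0 if nothing had been observed yet)."""
        score = 0
        for observed_at, value in self.history:
            if observed_at > when:
                break
            score = value
        return score


@dataclass
class Collection:
    name: str
    children: List["Collection"] = field(default_factory=list)
    assets: List[Asset] = field(default_factory=list)

    def score_at(self, when: datetime) -> int:
        # Roll-up rule assumed here: a collection is as bad as its worst member.
        members = [a.score_at(when) for a in self.assets] + \
                  [c.score_at(when) for c in self.children]
        return max(members, default=0)

    def summary(self, now: datetime = NOW, window: timedelta = WINDOW) -> dict:
        """Top-level view: current score and the score one window ago, per child."""
        return {
            "name": self.name,
            "score": self.score_at(now),
            "score_before": self.score_at(now - window),
            "children": [c.summary(now, window) for c in self.children],
        }

    def explain(self, now: datetime = NOW,
                window: timedelta = WINDOW) -> List[Tuple[str, str, int, int]]:
        """Drill-down: (collection, indicator, before, after) for every asset
        whose score changed inside the window, depth first."""
        changes: List[Tuple[str, str, int, int]] = []
        for a in self.assets:
            before, after = a.score_at(now - window), a.score_at(now)
            if before != after:
                changes.append((self.name, a.indicator, before, after))
        for c in self.children:
            changes.extend(c.explain(now, window))
        return changes


def build_enterprise() -> Collection:
    """Constructed sample: two countries, three sites, four assets."""
    site_a = Collection("site-a", assets=[
        Asset("198.51.100.23", [(NOW - timedelta(days=3), 30),
                                (NOW - timedelta(hours=6), 90)]),   # rose today
        Asset("198.51.100.24", [(NOW - timedelta(days=3), 10)]),
    ])
    site_b = Collection("site-b", assets=[
        Asset("203.0.113.9", [(NOW - timedelta(days=5), 40)]),
    ])
    site_c = Collection("site-c", assets=[
        Asset("198.51.100.77", [(NOW - timedelta(days=2), 60),
                                (NOW - timedelta(hours=2), 20)]),   # fell today
    ])
    return Collection("enterprise", children=[
        Collection("US", children=[site_a, site_b]),
        Collection("DE", children=[site_c]),
    ])


if __name__ == "__main__":
    root = build_enterprise()
    print(root.summary())
    for change in root.explain():
        print("%s: %s %d -> %d" % change)
```

With this data the enterprise score rises from 60 to 90 over the window, the US country node rises from 40 to 90, and `explain()` attributes that to a single observable at site-a, while also surfacing the score that fell at the German site even though the roll-up for DE went down rather than up.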
Over the last few weeks we’ve discussed the three fundamental challenges we see organizations facing when leveraging threat intelligence platforms. Contact us to learn how scoutPRIME solves these issues related to collection, aggregation, and distribution; analysis and enrichment; and what we reviewed today, threat defense operationalization.