
SHARED INTEL: Here’s one way to better leverage actionable intel from the profusion of threat feeds

Keeping track of badness on the Internet has become a thriving cottage industry unto itself.


There are dozens of technology giants, cybersecurity vendors, government agencies and industry consortiums that identify and blacklist IP addresses and web page URLs that are obviously being used maliciously; and hundreds more independent white hat hackers are doing much the same.

This activity results in a rich matrix of overlapping threat feeds that, if all of the slices could somehow be combined, would present a heat map of an Internet throbbing with malicious traffic that unceasingly changes and steadily intensifies. Many of the badness trackers do, in fact, publish their blacklists for the greater good. This intel often gets leveraged by firewall suppliers who tap into a small selection of what they figure to be the most helpful threat feeds to configure their products.

Centripetal has gone several steps further. This 10-year-old cybersecurity services vendor pulls in threat feeds from some 90 plus sources, assigns a team of cybersecurity analysts to make sense of this intel, and then makes the output of this heavy lifting available to companies to help them better defend their networks. Byron Rashed, Centripetal’s vice president of marketing, broke this down for me. We had a chance to visit at Black Hat 2019. For a drill down of our conversation, give the accompanying podcast a listen. Here are key takeaways: 

Effective blocking

Centripetal’s CleanINTERNET service is built around correlating and analyzing threat feeds pulled in from some 90 commercial, government and open-source entities. The heavy lifting Centripetal does on behalf of its customers involves correlating billions of threat indicators to derive a set of robust correlation rules that, in turn, determine which traffic is allowed to enter – or leave – a customer’s network.

This rule enforcement is done at Centripetal’s RuleGATE Threat Intelligence Gateway in a way that minimizes false positives yet doesn’t sacrifice performance. Centripetal also delivers a Splunk-based SIEM (some clients opt for integration into their existing SIEM) that enables the client and Centripetal’s team of cyberthreat analysts to view events and work directly with the customer to identify malicious threats that are infiltrating the network and exfiltrating data. Policies created with the customer to shield against these threats are then implemented at the RuleGATE.


“The RuleGATE sits in front of the firewall and looks at the traffic coming into the network — and leaving the network,” Rashed told me. “We shield against known threats, coming inbound or outbound. One of the benefits of CleanINTERNET, besides increasing the client’s cybersecurity posture, is that it creates greater efficiency within the cybersecurity stack because now your main SIEM is not triggering on the known threats, but on the unknown activity where internal cybersecurity teams should concentrate. This enables internal cyber teams to become more efficient and focus on the unknown.

“You don’t have to upload 4 million rules and watch the firewall blow up. You can upload rules into the firewall or your intrusion detection or intrusion prevention systems to help mitigate zero day threats, or any possible unknown threat, which makes them more efficient and enables the security stack to perform faster and better.”

Filtering outbound traffic

A notable aspect to Centripetal’s services is that it filters both the traffic arriving – and leaving – an organization’s network.

“We work with the client to increase their security posture by shielding known threats from entering the network – and also from leaving the network,” Rashed says. “You would be surprised at how many threats are already in an organization’s network that cybersecurity teams are unaware of. These internal threats exfiltrate data and, in turn, create compliance risks for the organization.”

Telling outbound traffic can include an infected computer node, functioning as part of a malicious botnet, that’s beaconing out to a command and control server – to let the botnet controller know it’s in place and awaiting further instructions. Or it could be a botnet node carrying out tasks to destroy or exfiltrate data; or to put the attacker in a position to take over industrial controls, or to encrypt targeted assets as part of a ransomware caper.

“We find hosts of many different types doing these types of malicious activities,” Rashed told me. “It could be a printer, a computer or a server. Many hosts within the network can be infected and it may not show up, but we’re able to identify the host’s IP address that might be, say, exfiltrating data or performing other malicious acts such as crypto mining, etc.”
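As an added example (not Centripetal’s code and not from the original post), here is a small Python sketch of the two ideas described in this and the previous section: correlating overlapping feeds into one deduplicated rule set that records how many feeds list each indicator, and then screening inbound traffic by its source and outbound traffic by its destination so that only connections matching no known indicator are passed on to the SIEM. All feed entries, addresses and connection records below are constructed sample data; the feed names, record fields and the minimum-feeds threshold are assumptions made for the example.

```python
"""Merge overlapping threat feeds into one rule set, then screen traffic.

Added illustration only: not Centripetal's code. Feeds, hosts and
connection records are constructed sample data.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample feeds. The overlap between them is deliberate: it is
# what correlation uses to rank indicators by how many sources agree.
SAMPLE_FEEDS = {
    "feed_a": ["203.0.113.10", "203.0.113.0/28", "http://bad.example/dl", "198.51.100.77"],
    "feed_b": ["203.0.113.10", "bad.example", "198.51.100.77 "],
    "feed_c": ["198.51.100.77", "Bad.Example", "2001:db8::dead"],
}

# Constructed connection records as a gateway in front of the firewall
# would see them: inbound is judged by src, outbound by dst and hostname.
SAMPLE_CONNECTIONS = [
    {"direction": "inbound", "src": "203.0.113.10", "dst": "10.0.0.5"},
    {"direction": "inbound", "src": "203.0.113.7", "dst": "10.0.0.5"},      # inside listed /28
    {"direction": "outbound", "src": "10.0.0.23", "dst": "192.0.2.9", "host": "cdn.bad.example"},
    {"direction": "outbound", "src": "10.0.0.9", "dst": "198.51.100.77", "host": None},
    {"direction": "outbound", "src": "10.0.0.9", "dst": "192.0.2.50", "host": "example.org"},
]


def normalize_indicator(raw):
    """Return (kind, value) for one raw feed entry, or None if unparseable.
    kind is 'ip' (single address), 'net' (CIDR block) or 'domain'."""
    s = raw.strip().lower()
    if not s:
        return None
    if "://" in s:                      # URL entry: keep only its hostname
        host = urlparse(s).hostname
        return ("domain", host) if host else None
    try:
        if "/" in s:
            return ("net", ipaddress.ip_network(s, strict=False))
        return ("ip", ipaddress.ip_address(s))
    except ValueError:
        pass
    if "." in s and " " not in s:
        return ("domain", s.rstrip("."))
    return None


def correlate_feeds(feeds):
    """Map each normalized indicator to the set of feeds that list it."""
    seen = defaultdict(set)
    for feed_name, entries in feeds.items():
        for raw in entries:
            norm = normalize_indicator(raw)
            if norm:
                seen[norm].add(feed_name)
    return seen


def build_ruleset(correlated, min_feeds=1):
    """Keep indicators listed by at least min_feeds feeds. Raising the
    threshold trades coverage for fewer false positives."""
    ips, nets, domains = {}, [], {}
    for (kind, value), sources in correlated.items():
        if len(sources) < min_feeds:
            continue
        if kind == "ip":
            ips[value] = sources
        elif kind == "net":
            nets.append((value, sources))
        else:
            domains[value] = sources
    return {"ips": ips, "nets": nets, "domains": domains}


def match_ip(ruleset, addr_str):
    """Exact address match first, then CIDR containment."""
    addr = ipaddress.ip_address(addr_str)
    if addr in ruleset["ips"]:
        return ("ip", str(addr), ruleset["ips"][addr])
    for net, sources in ruleset["nets"]:
        if addr.version == net.version and addr in net:
            return ("net", str(net), sources)
    return None


def match_domain(ruleset, host):
    """Exact or parent-domain match: cdn.bad.example hits bad.example."""
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):        # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in ruleset["domains"]:
            return ("domain", candidate, ruleset["domains"][candidate])
    return None


def screen(record, ruleset):
    """Decide one connection: 'shield' on a known indicator, otherwise
    'forward_to_siem' so analysts spend their time on the unknown."""
    if record["direction"] == "inbound":
        hit, internal = match_ip(ruleset, record["src"]), record["dst"]
    else:
        hit = match_ip(ruleset, record["dst"]) or match_domain(ruleset, record.get("host"))
        internal = record["src"]
    if hit:
        kind, value, sources = hit
        return {"action": "shield", "host": internal,
                "reason": f"{kind} {value} listed by {len(sources)} feed(s)"}
    return {"action": "forward_to_siem", "host": internal, "reason": "no known indicator"}


def run_demo(min_feeds=1):
    ruleset = build_ruleset(correlate_feeds(SAMPLE_FEEDS), min_feeds)
    return [screen(r, ruleset) for r in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

With the default threshold the internal host 10.0.0.23 beaconing to cdn.bad.example and 10.0.0.9 sending to 198.51.100.77 are both shielded, while the connection to example.org is the only one forwarded to the SIEM. Setting `min_feeds=2` drops the /28 block that only one feed reports, so the inbound connection from 203.0.113.7 is no longer shielded: that is the coverage-versus-false-positive trade the article attributes to the gateway's rule selection.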

Relief valve needed

Centripetal has grown to 60 employees, with offices in Herndon, VA, and Portsmouth, NH, by supplying a white glove, client-centric service that essentially functions as a much-needed relief valve in today’s environment of continually intensifying attacks – for organizations of all sizes and in all sectors. An elite team of cyberthreat analysts works directly with the customer’s cybersecurity team, which helps alleviate the skills gap.

For enterprise clients, Centripetal shields off a superset of known malicious traffic, culled from comprehensively correlating the best threat feeds available. “This enables the SIEM, and the other parts of the security stack, to trigger on those events that the cyber threat analysts should be spending their time on,” Rashed says.

For SMBs and SMEs that aren’t in a position to stand up a full-blown SOC, the Centripetal team works closely with them, since many of these businesses do not have the budget or resources to implement an enterprise-class cybersecurity team and program; the shared expertise is invaluable.

“The person leading the organization’s cybersecurity initiative at an SMB or SME might be the CFO and it’s a challenge for them because they’re not security experts,” he says. “Our cybersecurity analysts come in and we show them what’s going into their network, what’s coming out of their network, and what malicious traffic to shield. We simplify cybersecurity for them so they can concentrate on growing their business.

“We also give them a deep understanding including guidance and reports that can be understood at the executive level.”

I’ve written a lot about the many laudable efforts to bake in security at a fundamental level. Many of these initiatives are evolving incrementally. Given the scope and scale of ongoing cyber attacks, it is also critical for companies to deal more effectively with what’s coming across the transom, right now. I’ll keep watch for more of them.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/shared-intel-heres-one-way-to-better-leverage-actionable-intel-from-the-profusion-of-threat-feeds/