How is threat intelligence being used today?

By requiring heavy integration everywhere.

The challenge of managing threat intelligence across the enterprise

Manually processing the data, understanding the reports, and creating the types of rules for the existing security devices is a time consuming effort. It's no wonder the largest complaint about threat intelligence is the inability to keep up and take action on the data.

Challenges with this approach:

  • Operator Intensive
  • Complex Log Queries
  • Overwhelming Datasets
  • Inefficient Process
  • Enforcement Limits
  • Multiple Standards

How will Threat Intelligence provide better protection to my network?

By keeping up to date dynamically.

Automatically apply Machine Readable Threat Intelligence (MRTI) in your network

It's not enough to detect advanced threats in your network. By then, it's too late. Centripetal turns cyber threat intelligence into protective action on the network. A majority of the hacking events that have occurred in the news have had cyber threat intelligence related to the threat in advance. By leveraging this intelligence, we are able to block this activity in the moment, rather than react.

In order to keep up with the volume of intelligence, we must be able to do so dynamically, machine-to-machine. Machine Readable Threat Intelligence (MRTI) is available in many formats and at many update intervals. By automating the effort of keeping up with the data, analysts are able to focus on the important tasks and improve their efficiency.

Types of Threats:

  • State-Sponsored
  • Hacktivist
  • APTs
  • Cyber Crime
  • Newly Registered Domains
  • Malware

By addressing the large information challenges.

Approximately 3-5K malicious domains are registered every day

Approximately 130K new domains are registered every day, of which analysts estimate 3-5K are for malicious activities. Keeping up to date with that growing list of malicious domains is a monumental task, but with threat intelligence feeds the data can be updated across the infrastructure in real-time, dynamically protecting against these malicious attack sources.

Organizations are already seeing results by enabling feeds specifically to deal with newly registered domains. Just preventing access to domains that are only 1 week old requires approximately 1,000,000 Domain Name Indicators. These indicators are updated dynamically every night as new domains are registered. Blocking this network activity significantly reduces risk.

By leveraging the threat analyst community.

Thousands of analysts in your defense

Threat intelligence is currently being produced from the work of thousands of cybersecurity analysts around the globe. From commercial to open-source feeds, IoCs (IP addresses, ports/protocols, domain names, URLs to malicious content) are being reported with context.

IoC types supported:

  • IP Addresses
  • CIDRs
  • IP 5-Tuple
  • Domains
  • Hostnames
  • URLs/URIs

By closing the gap from discovery to protection.

Threat intelligence indicators are updated across QuickThreat® Gateways within seconds

As cyber analysts produce reports and evaluate new malware, or track a threat actor's changing infrastructure, this information becomes extremely valuable. Often, the challenge lies in getting the information distributed to the organizations that need to be aware of the threats. The time from discovery and sharing of threat intelligence to application in the network's defense is reduced to seconds.

How is Threat Intelligence being used with existing security technologies?

Gartner defines 3 key stages for an effective threat intelligence strategy: Acquire, Aggregate, Action.

Threat Intelligence Technology Strategy

Gartner provides a roadmap for a security strategy leveraging Threat Intelligence. In that strategy, products and services map to 3 key areas: Acquire, Aggregate, and Action.

3 Keys to a Threat Intelligence Strategy

  • Acquire - While Centripetal does not directly provide researched threat intelligence, the QuickThreat Platform connects organizations to over 40 sources of threat intelligence: Open Source, Community/Industry, and Commercial.
  • Aggregate - Centripetal's Threat Intelligence Gateway leverages an aggregation technology that collects, normalizes, and updates Threat Intelligence from a variety of sources, at update intervals critical to maintaining relevance.
  • Action - Centripetal's Threat Intelligence Gateway was designed from the ground up to scale to the demands of even the largest network environments. A single appliance is capable of supporting networks and datacenters of all sizes, blocking malicious traffic at an unmatched scale.

What is a Threat Intelligence Gateway?

A dedicated platform that simplifies the collection, management, and action of threat intelligence in network defense.

Protect your network using Threat Intelligence

QuickThreat® is a Threat Intelligence Gateway (TIG) with real-time attack visualization and analytics. TIGs protect networks from a variety of cyber threats including hacktivists, cyber criminals and hostile nations, as well as campaigns involving malware, spam, phishing, and scanning. QuickThreat intelligence policies are fully automated with Centripetal’s threat intelligence subscription service.

Requirements of a Threat Intelligence Gateway (TIG):

  • Consume Threat Intelligence Directly
  • Provide Options for Policy Management
  • Operationalize Threat Intelligence

How is this different than using threat intelligence in my current firewall?

Achieve unparalleled performance from a purpose built appliance.

QuickThreat Gateways handle 125x more indicators than the most powerful Next-Generation Firewall (NGFW) available

Current firewall devices provide several functions in a single device. Perimeter defense, remote access (VPN), and application layer network inspection are common functions of the traditional firewall. When all of these functions are combined in a single solution, a performance tradeoff is reached that reduces network throughput. Additionally, firewall devices that enable threat intelligence are generally restricted in indicator count due to a limit of 10-20K bi-directional rules (40K Total).

QuickThreat Gateways currently support over 5 million indicators at full network performance, up to 10Gb/s in a single device, with no degradation at full capacity. This increase in capability, without added complexity, prevents valuable intelligence from being aged out, so the device keeps up with the latest threats dynamically.

How is the QuickThreat® NPS different from a SIEM?

We provide real-time enforcement and enrich your SIEM.

QuickThreat sends events to the SIEM with applied threat intelligence context in real-time

QuickThreat Gateways output event logs to most SIEM devices in Common Event Format (CEF) with threat intelligence context at the moment of the event. This significantly reduces time to discovery, often from months to seconds, and also helps burdened security analysts prioritize their efforts, increasing the security effectiveness of the organization.
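As an added example (not Centripetal's or QuickThreat's code), the following Python sketches the aggregate-and-action pipeline described on this page: normalizing indicators of the types listed above (IPs, CIDRs, domains, URLs) from two constructed feeds, matching a network event against them, and emitting the CEF event with threat intelligence context that a SIEM would receive. The feed contents, the event, and the vendor/product names in the CEF header are assumed placeholders; 5-tuple indicators are left out.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feeds from two hypothetical sources (not real indicators).
FEEDS = {
    "osint-a": ["203.0.113.0/24", "Bad.Example.", "http://DL.example/payload.bin"],
    "vendor-b": ["198.51.100.7", "bad.example", "203.0.113.0/24"],
}

def normalize(raw):
    """Map one raw feed line to a (kind, canonical value) pair."""
    raw = raw.strip()
    try:  # single IPs become /32 (or /128) networks so one code path matches both
        return "cidr", str(ipaddress.ip_network(raw, strict=False))
    except ValueError:
        pass
    if "://" in raw:  # keep lower-cased host + path; scheme and query are not matched
        u = urlsplit(raw)
        return "url", u.netloc.lower() + (u.path or "/")
    return "domain", raw.lower().rstrip(".")  # case-fold and drop the trailing dot

def aggregate(feeds):
    """Dedupe indicators across feeds, remembering which sources reported each."""
    index = {}
    for source, lines in feeds.items():
        for line in lines:
            index.setdefault(normalize(line), set()).add(source)
    return index

def match(index, event):
    """Return (indicator, sources) for every indicator an event hits."""
    hits = []
    dst = ipaddress.ip_address(event["dst_ip"])
    host = event.get("host", "").lower().rstrip(".")
    for (kind, value), sources in index.items():
        if kind == "cidr" and dst in ipaddress.ip_network(value):
            hits.append((value, sources))
        elif kind == "domain" and (host == value or host.endswith("." + value)):
            hits.append((value, sources))  # also catches subdomains of a listed domain
        elif kind == "url" and "://" in event.get("url", "") and normalize(event["url"])[1] == value:
            hits.append((value, sources))
    return hits

def to_cef(event, hits):
    """Emit one CEF line carrying the matched indicators and their sources."""
    esc = lambda s: str(s).replace("\\", "\\\\").replace("=", "\\=")  # extension escaping
    ctx = ";".join(f"{v}({','.join(sorted(s))})" for v, s in hits)
    return ("CEF:0|ExampleVendor|ExampleTIG|1.0|100|TI match|8|"
            f"src={esc(event['src_ip'])} dst={esc(event['dst_ip'])} "
            f"dhost={esc(event.get('host', ''))} cs1Label=indicators cs1={esc(ctx)}")
```

The `cs1` extension field carries which feeds reported each matched indicator, which is the context an analyst uses to prioritize the event.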