Advanced Cyber Threat (ACT)®
An intelligence service that synchronizes critical data feeds from threat intelligence vendors and communities, including open source, normalizes them, and delivers the resulting threat intelligence to RuleGATE.
RuleGATE® Gateway devices deploy at the enterprise network perimeter and alert on or block traffic using cyber security policies based on threat intelligence. RuleGATE can handle the volume of all of the relevant sources of threat intelligence.
QuickTHREAT Analytics Manager® visualizes a host of threat-intelligence-based activity and provides instantaneous internal host correlation, simplifying the process of identifying compromised systems in even the largest of organizations.
Threat intelligence, in its most basic form, is Indicators of Compromise (IoCs), such as an IP address associated with command and control infrastructure, malicious phishing domain names, or URL paths used to download malware.
Reporting and context inform and relate this information in a meaningful way. Who is behind this attack? What are they looking for? Why are they coming after me? Threat intelligence provides relevant context so organizations can prioritize and defend against the changing threat landscape.
Manually processing the data, understanding the reports, and creating the right kinds of rules for the existing security devices is a time-consuming effort. It's no wonder the largest complaint about threat intelligence is the inability to keep up with and take action on the data.
| Operator Intensive | Inefficient Process |
| Complex Log Queries | Enforcement Limits |
| Overwhelming Datasets | Multiple Standards |
It's not enough to detect advanced threats in your network. By then, it's too late. Centripetal turns cyber threat intelligence into protective action on the network. A majority of the hacking events that have occurred in the news have had cyber threat intelligence related to the threat in advance. By leveraging this intelligence, we are able to block this activity in the moment, rather than react.
In order to keep up with the volume of intelligence, we must be able to do so dynamically, machine-to-machine. Machine Readable Threat Intelligence (MRTI) is available in many kinds of formats and at many update intervals. By automating the effort of keeping up with the data, analysts are able to focus on the important tasks and improve their efficiency.
| Hacktivist | Newly Registered Domains |
Every day approximately 130K new domains are registered, of which analysts estimate 3-5K daily are for malicious activities. Keeping up to date with that growing list of malicious domains is a monumental task, but with threat intelligence feeds the data can be updated across the infrastructure in real time, dynamically protecting against these malicious attack sources.
Organizations are already seeing results by enabling feeds specifically to deal with newly registered domains. Just preventing access to domains that are only 1 week old requires approximately 1,000,000 Domain Name Indicators. These indicators are updated dynamically every night as the domains are registered. Blocking this network activity significantly reduces risk.
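The newly-registered-domain policy described above, as an added example that is not Centripetal's code: a feed of domain registration records is normalized, only domains registered within the last week are kept as block indicators, and lookups are matched against the apex domain and its subdomains. The feed format (comma-separated "domain,YYYY-MM-DD" lines), the sample records, and the one-week threshold are constructed assumptions for illustration; malformed feed lines are skipped so one bad record cannot fail a nightly refresh.

```python
"""Newly-registered-domain (NRD) blocking policy (added example, not vendor code).

Assumptions (not from the page): the feed is newline-delimited
"domain,YYYY-MM-DD" records; the policy blocks any domain registered within
the last MAX_AGE_DAYS days and also matches subdomains of a listed domain.
"""
from datetime import date, datetime, timedelta

MAX_AGE_DAYS = 7  # "domains that are only 1 week old"

# Constructed sample feed: three well-formed records and one malformed line.
SAMPLE_FEED = """\
fresh-login-portal.example,2024-03-10
another-new-site.test,2024-03-08
old-established.example,2019-06-01
bad line without a date
"""


def parse_feed(text):
    """Return {domain: registration_date}, skipping blank, comment and malformed lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 2:
            continue  # malformed record: ignore it rather than fail the whole update
        name, reg = parts
        try:
            reg_date = datetime.strptime(reg.strip(), "%Y-%m-%d").date()
        except ValueError:
            continue
        # Normalize: lower-case, strip a trailing dot so matching is consistent.
        entries[name.strip().lower().rstrip(".")] = reg_date
    return entries


def build_blocklist(entries, today, max_age_days=MAX_AGE_DAYS):
    """Keep only domains registered within max_age_days of `today`.

    Future-dated records (clock skew, bad feed data) are excluded as well.
    """
    cutoff = today - timedelta(days=max_age_days)
    return {d for d, reg in entries.items() if cutoff <= reg <= today}


def is_blocked(domain, blocklist):
    """True if `domain` or any parent domain of it (excluding the bare TLD) is listed."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def refresh(feed_text, today):
    """Nightly refresh: parse the feed and return the new block set in one step."""
    return build_blocklist(parse_feed(feed_text), today)


if __name__ == "__main__":
    blocklist = refresh(SAMPLE_FEED, date(2024, 3, 12))
    for name in ("www.fresh-login-portal.example", "old-established.example"):
        print(name, "block" if is_blocked(name, blocklist) else "allow")
```

Because the block set is rebuilt from the feed on every refresh rather than appended to, a domain drops out of the policy automatically once it is older than the threshold, which is the aging behaviour the nightly update described above relies on.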
Threat intelligence is currently being produced from the work of thousands of cybersecurity analysts around the globe. From commercially available to open source, the IoCs, i.e., IP addresses, ports/protocol, domain names, URLs to malicious content, are being reported, with context.
As cyber analysts produce reports and evaluate new malware, or track a threat actor's changing infrastructure, this information becomes extremely valuable. Oftentimes, the challenge lies in getting the information distributed to the organizations that need to be aware of the threats. The time from discovery and sharing of threat intelligence to its application in the network's defense is reduced to seconds.
Gartner provides a roadmap for a security strategy leveraging Threat Intelligence. In that strategy, products and services map to 3 key areas, Acquire, Aggregate, and Action.
3 Keys to a Threat Intelligence Strategy
QuickThreat® is a Threat Intelligence Gateway (TIG) with real-time attack visualization and analytics. TIGs protect networks from a variety of cyber threats including hacktivists, cyber criminals and hostile nations, as well as campaigns involving malware, spam, phishing, and scanning. QuickThreat intelligence policies are fully automated with Centripetal’s threat intelligence subscription service.
Requirements of a Threat Intelligence Gateway (TIG):
Current firewall devices provide several functions in a single device. Perimeter defense, remote access (VPN), and application layer network inspection are common functions of the traditional firewall. When all of these functions are combined in a single solution a performance tradeoff is reached that reduces network throughput. Additionally, firewall devices that enable threat intelligence are generally restricted in indicator count due to a limit of 10-20K bi-directional rules (40K Total).
QuickThreat Gateways currently support over 5 million indicators at full network performance, up to 10Gb/s in a single device, with no degradation at full capacity. This increase in capability, without added complexity, means valuable intelligence no longer has to be aged out to make room for the latest threats.
QuickThreat Gateways output event logs to most SIEM devices in Common Event Format (CEF) with threat intelligence context at the moment of the event. This significantly reduces time to discovery, often from months to seconds, and also helps burdened security analysts prioritize their efforts, increasing the security effectiveness of the organization.
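The CEF event stream described above is what a SIEM or an analyst's tooling has to consume, so here is an added example (not Centripetal's code) of parsing CEF and ordering events by severity. It handles the two escaping rules of the format: `\|` and `\\` in the pipe-delimited header, and `\=`, `\\`, `\n` and `\r` in the key=value extension. The vendor, product, signature IDs and event lines are constructed for illustration; the custom-string field `cs1`/`cs1Label` is used here to carry the feed name, which is an assumption about how context might be attached, not the product's documented schema.

```python
"""Parse CEF event logs and triage them by severity (added example, not vendor code)."""
import re

# Constructed sample events: vendor, product, IDs and addresses are made up.
SAMPLE_LOG = """\
CEF:0|ExampleVendor|ExampleTIG|1.0|100|Outbound connection to C2 indicator|9|src=10.0.0.5 dst=203.0.113.7 dpt=443 act=block cs1Label=feed cs1=constructed-feed-a
CEF:0|ExampleVendor|ExampleTIG|1.0|101|DNS lookup of newly registered domain|5|src=10.0.0.9 dhost=fresh-login-portal.example act=alert msg=NRD age\\=2d
CEF:0|ExampleVendor|Example\\|TIG|1.0|102|Inbound scan|3|src=198.51.100.4 dst=10.0.0.1 act=alert
this line is not CEF and must be skipped
"""

# CEF allows severity as 0-10 or as a word; map the words onto the numeric scale.
_SEVERITY_WORDS = {"low": 2, "medium": 5, "high": 8, "very-high": 10}

# A new key starts after a space that is followed by "key=" (an escaped "\=" never matches).
_EXT_KEY = re.compile(r" (?=[A-Za-z0-9_.\-]+=)")


def _unescape(value):
    """Resolve CEF backslash escapes (\\=, \\|, \\\\, \\n, \\r) in one left-to-right pass."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(line):
    """Split the seven pipe-delimited header fields, honoring escapes; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped character, taken literally
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, line[i:]


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v two' into a dict, unescaping values."""
    out = {}
    for chunk in _EXT_KEY.split(ext.strip()):
        if "=" not in chunk:
            continue
        key, _, val = chunk.partition("=")
        out[key] = _unescape(val)
    return out


def _severity(raw):
    raw = raw.strip().lower()
    if raw in _SEVERITY_WORDS:
        return _SEVERITY_WORDS[raw]
    try:
        return max(0, min(10, int(raw)))
    except ValueError:
        return 0  # unknown severity: rank lowest rather than discard the event


def parse_event(line):
    """Parse one CEF line into a dict, or return None if it is not well-formed CEF."""
    if not line.startswith("CEF:"):
        return None
    fields, ext = _split_header(line)
    if len(fields) != 7:
        return None
    return {
        "version": fields[0][4:],
        "vendor": fields[1],
        "product": fields[2],
        "device_version": fields[3],
        "signature_id": fields[4],
        "name": fields[5],
        "severity": _severity(fields[6]),
        "ext": _parse_extension(ext),
    }


def parse_cef_lines(text):
    """Parse every line, silently dropping non-CEF lines."""
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def prioritize(events, min_severity=0):
    """Events at or above min_severity, highest severity first (stable for ties)."""
    return sorted((e for e in events if e["severity"] >= min_severity), key=lambda e: -e["severity"])


if __name__ == "__main__":
    for e in prioritize(parse_cef_lines(SAMPLE_LOG), min_severity=5):
        print(e["severity"], e["signature_id"], e["name"], e["ext"].get("act"))
```

Splitting the extension on a lookahead for the next `key=` rather than on every space is what keeps multi-word values such as the `msg` field intact, and resolving escapes only after the split is what keeps an escaped `\=` inside a value from being mistaken for a new key.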
A typical network deployment takes only a single day to install, configure, and begin analyzing network traffic. QuickThreat Gateways are most effective when installed at each Internet-facing link, outside the firewall security stack. Due to the performance of QuickThreat Gateways, often 1 or 2 devices can support an entire datacenter or corporate headquarters. Additional deployment use cases are available; please contact us for more information.
When deployed in-line, outside the firewall security stack, QuickThreat® Gateways alert and block network traffic in real-time using dynamically updated threat intelligence. Internal TAP infrastructure provides internal network visibility to truly identify the compromised internal host and match that network traffic with traffic leaving the environment. This provides the most advanced data correlation capability available to pinpoint malicious traffic without compromise.