We recently introduced TruSTAR Intel Workflows. This blog series explains our motivations for building this feature, how it works, and how users can better inform security operations.
In part 1 of this series, we looked at how the events of the past year have accelerated cyberattacks and generated even more data for cybersecurity teams to manage. In part 2, we saw how data-driven security can automate many aspects of data management and provide faster, more accurate information to cybersecurity teams and tools. In this section, we dive into the three stages of the Prioritized Indicator Intel Workflow. This is Part 3: Setting Up an Intel Workflow.
The TruSTAR Intel Workflow is a no-code intelligence pipeline that you can easily customize to fit your organization’s unique needs. You can set up multiple Intel Workflows to pinpoint responses or target data to specific tools in your arsenal. Intel Workflows reduce data wrangling, accelerate intelligence automation, and reduce false positives, making your team and your processes more efficient and more effective in making security decisions.
The TruSTAR Indicator Prioritization Intel Workflow is laser-focused on automating the extraction, transformation and dissemination of Indicators that meet your specific requirements. For example, you may want one Intel Workflow to identify common malware Indicators and share that with one of your cybersecurity tools while a second Intel Workflow rates and ranks IP addresses and domain names. Let’s look at the three stages of setting up your Indicator Prioritization Intel Workflow: sources, transformations, and destinations.
In the first stage of the Intel Workflow, you specify the external intelligence sources or internal intelligence you want to use. With Indicator Prioritization, you can customize source weights to influence indicator priority scores. The Sources part of the Intel Workflow extracts Indicators from all the sources you select, including any scores and attributes that have been assigned to them, and passes them to the Transformations step.
To make it simple, the Intel Workflow setup displays a list of all the external intelligence sources you can access. You simply click the checkbox for each source you want to use. You can optionally choose a weighting for each intelligence source, which will be used in calculating priority scores. The scale runs from 1 to 5, with 1 being the lowest weight and 5 being the highest weight you can assign.
As an example, you might subscribe to Source A and Source B. You know from previous experience with both sources that Source A is very aligned with the threats your organization sees, while Source B is less focused but still brings some value. You might choose to assign Source A a weight of 5 and give Source B a weight of 2. The Intel Workflow takes your assigned weights into account when calculating priority scores in the Transformations stage.
You can also include events from your historical TruSTAR Enclave. If you have already stored a set of vetted indicators in an Enclave, you can use it as a source for this Workflow.
- External Sources: 3 premium intelligence sources
- Internal Sources: Vetted Data Enclave
In this stage, TruSTAR normalizes the scores of each Indicator and then filters the data set based on the criteria you select. Why normalize the scores of Indicators coming from different sources? Each source uses a different scoring system, making it hard to compare across sources. For example, one source may use 1-10 for severity and another might use text labels such as Benign or Malicious. TruSTAR uses a conversion table to normalize the different scores so that they are comparable to each other. The total of all these normalized scores is the Indicator Priority Score.
You can set up filters to winnow down the data:
- Scoring: Select any of the values from Benign, Low, Medium, or High. For example, if you want to keep the most malicious of Indicators, you would select High.
- Indicator Type: Select any or all of the Indicator types you want.
- Safelist Libraries: Use one or more safelists to further reduce the data set.
- Priority Score = High
- Indicator Types = Threat Actor, Malware, SHA2
- Safelist Library = a custom list of malware your organization has collected, imported into TruSTAR
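The sketch below is an added illustration of the weighting, normalization and filtering described above; it is not TruSTAR's code. The 0-3 common scale, the conversion values, the weighted-mean formula, the band cut-offs and the sample indicators are all assumptions constructed for the example.

```python
from collections import defaultdict

# Assumed values for illustration; not TruSTAR's conversion table or formula.
LABEL_SCALE = {"benign": 0.0, "low": 1.0, "medium": 2.0, "high": 3.0, "malicious": 3.0}
BANDS = [(0.5, "Benign"), (1.5, "Low"), (2.5, "Medium"), (float("inf"), "High")]

def normalize(raw):
    """Map a source-native score (1-10 severity or text label) onto 0-3."""
    if isinstance(raw, str):
        return LABEL_SCALE[raw.strip().lower()]
    if not 1 <= raw <= 10:
        raise ValueError(f"severity out of range: {raw}")
    return (raw - 1) / 9 * 3

def band(score):
    """Return the first band whose upper limit exceeds the score."""
    return next(name for limit, name in BANDS if score < limit)

def priority_scores(observations, weights):
    """Weighted mean of normalized scores per (type, value) indicator."""
    num, den = defaultdict(float), defaultdict(float)
    for source, itype, value, raw in observations:
        w = weights[source]
        num[(itype, value)] += w * normalize(raw)
        den[(itype, value)] += w
    return {k: num[k] / den[k] for k in num}

def run_workflow(observations, weights, keep_bands, keep_types, safelist):
    """Apply the score, indicator-type and safelist filters in one pass."""
    out = {}
    for (itype, value), score in priority_scores(observations, weights).items():
        if band(score) in keep_bands and itype in keep_types and value not in safelist:
            out[(itype, value)] = round(score, 2)
    return out

# Constructed sample data: Source A reports 1-10 severity, Source B text labels.
WEIGHTS = {"source_a": 5, "source_b": 2}
OBSERVATIONS = [
    ("source_a", "SHA2", "sha2-sample-1", 9),
    ("source_b", "SHA2", "sha2-sample-1", "Malicious"),
    ("source_a", "IP", "203.0.113.7", 8),
    ("source_b", "IP", "203.0.113.7", "Benign"),
    ("source_a", "Malware", "ExampleLoader", 10),
    ("source_a", "SHA2", "sha2-sample-2", 10),  # present in the safelist below
]

if __name__ == "__main__":
    print(run_workflow(OBSERVATIONS, WEIGHTS, {"High"},
                       {"Threat Actor", "Malware", "SHA2"}, {"sha2-sample-2"}))
```

With these constructed inputs, the IP address that the two sources disagree on lands in Medium under the 5/2 weighting but would fall to Low if both sources were weighted equally, which is the effect the source weights are meant to have.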
After the data has been transformed, you can choose if you want to store it in a TruSTAR Enclave or send it to a third-party tool, such as a SOAR or TIP tool. For example, if your workflow identifies Malicious IP addresses, you may want to send the destination set to your Detection tool so that it can use that data to reduce false positives when handling emails.
TruSTAR has created integrations with more than two dozen third-party applications, including QRadar, Splunk ES, XSOAR, and TAXII clients. We’ve also built a series of Managed Connectors that can stream data to any SOAR or Detection tool.
- Application: QRadar
- Enclaves: Vetted Bad Actors
Using Multiple Workflows
Looking at the example we’ve been using, you can see how multiple Intel Workflows can be set up to meet different needs. If one tool you use is specific to email, this example data set would indeed be useful for that tool. But, perhaps another tool in your organization is designed to quickly identify threat actors and malware. You can set up a second Intel Workflow with just those Indicator types and then set that tool as your destination. With TruSTAR, you can create as many Indicator Prioritized Workflows as you need to manage and control your data.
Talk to Us
The TruSTAR Indicator Prioritization Workflow is the fastest, easiest way to accelerate automation and improve collaboration within your security teams and tools. Talk to us about how you can move to data-driven security using TruSTAR’s Intel Workflows in your organization.