We recently introduced TruSTAR Intel Workflows.This blog series explains our motivations for building this feature, how it works, and how users can better inform security operations. This is Part 2: How TruSTAR Intel Workflows Work.
Cybersecurity teams face serious challenges when it comes to intelligence data. From massive volumes of data being generated to how to integrate and share relevant data within the organization, with partners, and with industry groups. To learn more about modern data challenges, read part 1 of our TruSTAR Intel Workflows series here.
The TruSTAR platform sets itself apart by taking a data-centric approach to improving cybersecurity processes and operations. TruSTAR believes our data-centric approach to managing intelligence is the key to unlocking investments in SIEM, SOAR and XDR.
We’re excited to introduce TruSTAR Intel Workflows to our platform, a no-code way to create pipelines that automatically transform and curate data from your intel sources to make it actionable for automation in detection and response. TruSTAR Intel Workflows accelerate automation by providing a visual way to select intel sources, transform intel to make it more actionable and improve collaboration among teams by supporting a wide variety of destinations.
To answer the needs of security teams, there are two standard TruSTAR Intel Workflows: Indicator Prioritization and Phishing Triage.
Indicator Prioritization Workflow
The TruSTAR Indicator Prioritization Workflow is a specific Workflow set up to collect multiple sources of intelligence data, transform it, and send it on to one or more destinations, from teams to tools to collaborators. This Workflow is easily customizable to bring the power of intelligence data automation to any organization. This is done through the following:
The TruSTAR platform integrated with premium intelligence curated by well-known players in the cybersecurity space, open source lists, ISAO/ISAC data, and internal, historical data. TruSTAR offers more than two dozen external intelligence sources that can be used to assess whether a piece of data is malicious or benign. The platform allows users to specify a weighting factor for each source using a scale of 1 (low) to 5 (high).
Transformations refer to how to handle data named as sources. Some of these transformations are automatic in TruSTAR, such as cleaning and normalizing the data. Other actions are optional, such filtering by attribute, tags, or safelists.
Using third-party intelligence sources provides external validation as to whether a piece of data is bad or good, but each source uses its own scoring system. TruSTAR’s scoring normalization process automatically converts external scores to a simple 0-3 scale by looking at the source’s scoring system and then mapping it to our scale. Source scores become equivalent to each other without any need for human intervention.
The total of all of an Indicator’s normalized scores is the Indicator’s Priority Score. Any weighting added to sources when selecting them is used in calculating priority scores. For example, if Source A is assigned a weight of 5 (the highest possible value), then that source will have more influence over the priority score than a source with no weighting or with a lower-value weight.
Destinations provide the flexibility to send vetted data to almost anywhere imaginable, from internal security tools, ISAC/ISAO sharing groups, or external companies. TruSTAR provides workflow apps that integrate with dozens of third-party detection, SIEM, SOAR, XDR and other security tools, as well as the ability to leverage one of our Managed Connectors to direct a single data stream to third-party software. TruSTAR also provides a fully functional REST API and Python SDK for building custom interfaces.
Simpler Approach and Better Outcomes for Previously Tedious Processes
An analyst working to reduce false positives in a detection tool can customize a TruSTAR Indicator Prioritization Workflow to create a data set of indicators vetted as malicious by at least two external sources and then feed that data set into their detection tool. This not only reduces false positives, it also reduces mean Time to Resolution.
An automation engineer looking to reduce the complexity of their organization’s playbooks and reduce the overhead of managing a half-dozen external intelligence sources can use TruSTAR’s integration with SOAR tools to customize the TruSTAR Indicator Prioritization Workflow, as well as specify sources and tag indicators to later analyze how useful each source is in identifying malicious content.
"One of the biggest wins that we have the ability to automate and push indicators out of tickets... We've built a workflow to push those indicators into a vetted TruSTAR Enclave and back into Splunk, which then tells the team if they see these indicators again."
— Kyle Bailey, Manager, Threat Operations, Box
The Power of Intel Workflows
Moving from application-centric workflows to data-centric, automated workflows provides clear advantages to security teams dealing with terabytes of data. TruSTAR’s Intel Workflows take care of the onerous tasks of gathering, cleaning, and prioritizing data sources, as well as shipping that data off to multiple destinations. TruSTAR provides the ability to filter data by indicator type, scores, attributes, sources, and other features to produce a high-fidelity vetted data set specific to the needs of any organization. TruSTAR Intel Workflows help manage data and get to detection (MTTD) and resolution (MTTR) faster.
In part 3 of this blog series, we’ll take a deep dive into how the Prioritized Indicators Intel Workflow handles data, from sources to transformations and destinations.