Airbus Cybersecurity To Offer A Richer Threat Intelligence With ThreatQ

Intelligentcio | February 27, 2020

  • With ThreatQ, the company has been enabled to offer a richer threat intelligence service that has more context and is faster.

  • The ThreatQ platform is complementary to an existing MISP solution and allows the customer to build up their own knowledge base adapted with their context.

  • With ThreatQuotien t solution, Airbus Cybersecurity analysts will be able to respond better and faster to customer requests.


Airbus Cybersecurity has strengthened its already mature and reliable offering by enriching the threat intelligence service it had been offering customers since 2011 with contextual information at scale with the help of ThreatQuotient.


With ThreatQ, the company has been enabled to offer a richer threat intelligence service that has more context and is faster – with the result that it is now able to continuously deliver cyber intelligence flows tailored to the needs of its customers.


Since 2011, our threat intelligence service has worked very closely with our incident response teams. Among other things, this has allowed us to be very relevant and responsive when it comes to tracking attackers.

- Julien Menissez, Product Manager for Managed Services in Europe, Airbus Cybersecurity.


This proximity has paid off, enabling the service to better contextualize alerts that would otherwise remain purely technical, such as lists of IP addresses and other indicators of compromise (IoCs).


Technical alerts are effective in blocking specific attacks, often in an automated way. However, when they are enriched with relevant, contextual information they can become real decision-making tools allowing security analysts to answer questions, such as: What do we know about the attacker’s current targets and campaigns? Are we a potential target for this group in particular?


But to deliver this attractive theory, Airbus Cybersecurity needed to be equipped to offer a robust, industry-ready service.


“In 2015, we decided to create a dissemination offering that would allow customers operating their own SOC to benefit from this increased information. We first worked with flat files, and then we deployed MISP interfaces for our customers,” said Julien Menissez.


Malware Information Sharing Platform


In a world of threat intelligence, the Malware Information Sharing Platform (MISP) is a necessity. MISP is a freely available solution that facilitates the sharing of IoCs between researchers after the IoCs have been acquired and consolidated.


And the complication lies here. Julien Menissez recalls: “MISP is very good for dissemination, but ingestion is not simple! We were forced to use many other open source tools in parallel, requiring a lot of scripting and manual operations before delivering the information to our customers, while remaining within the timeframes allowed by our SLAs.”


The dissemination service became so successful, that the load on the Airbus Threat Intelligence team increased dramatically.  It quickly became clear that a manual approach could not be scaled up, as customers demanded more and more context and richer information, beyond what MISP can do with its tagging and commenting functionalities.


READ MORE: Oca releases 'opendxl ontology' to drive greater interoperability

Delivering Continuous Information


The Airbus Cybersecurity team then decided to research a new ‘cyber-intelligence back office’ – a tool capable of natively managing concepts such as the freshness of information, reliability, context and related data.


Julien Menissez said, “We quickly saw in ThreatQuotient the vendor best suited to our needs. We shared the same vocabulary (coming from the defense sector). The ThreatQ platform met our criteria, and the technical level of the ThreatQuotient subject matter experts was excellent.”


With ThreatQ, Airbus Cybersecurity will now be able to meet their goals. “We can now deliver the same service and the same knowledge, with the same quality as before, but much more quickly and with far fewer technical manipulations. And, obviously, it’s our customers who benefit. Airbus has gone from weekly information delivery to continuous information delivery,” Julien said.


The Airbus team can now offer an optional tool capable of helping them capitalize on their knowledge for slightly more mature customers, who do not yet operate their SOC but still have an internal CSIRT team. The knowledge acquired during the customer’s internal investigations is seamlessly integrated into the ThreatQ platform to enrich the information delivered back to the customer via the Airbus service.


The ThreatQ platform is complementary to an existing MISP solution and allows the customer to build up their own knowledge base adapted with their context. Since customers will keep all of their data within the ThreatQ Threat Library and therefore all the knowledge acquired by their CSIRT, they also have the freedom to change their threat intelligence feeds and sources at any time.


Faster Response In The Time Of Crisis


With ThreatQuotient solution, Airbus Cybersecurity analysts will be able to respond better and faster to customer requests.


Most SOCs work with a workflow system to investigate IoCs collected during an incident. It is often a manual process but since the ThreatQ platform can be integrated with a SIEM to do the research and automatically identify patterns and linkages and how to pivot from a given IoC, we have even been able to reduce our response time to our customers. And obviously, in an incident, quickly identifying the pivots and monitoring malicious activities as closely as possible is a major advantage.

- Julien Menisse, Product Manager for Managed Services in Europe, Airbus Cybersecurity


Strategic approach to mitigate risk


The ThreatQuotient solution has allowed Airbus Cybersecurity to refine the information delivered to customers in order to better manage their security posture. The ThreatQ platform makes it possible to automatically “package” the most relevant flows according to the exposure of the client to specific risks, and thus take a strategic approach to mitigate risk.


READ MORE: SIEM  is a great tool but it's administrative challenges are a barrier

Spotlight

Eric Stevens, vice president of engineering and principal architect at ProtectWise, discusses the current state of artificial intelligence in cybersecurity and the company's recent report on the topic, The State of AI in Cybersecurity. This video covers these questions and more: How did you get involved in tech and transition into security and engineering? (1:05). What tasks is AI performing in regards to cybersecurity? (2:25). What are the benefits of AI-enabled security? (3:40).


Other News
DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY

LMG Security Introduces New Proactive Cybersecurity Solutions

LMG Security | September 30, 2022

LMG Security, an internationally recognized cybersecurity consulting firm, has expanded its popular selection of cybersecurity advisory, testing, and training services with a new line of cybersecurity solutions. These solutions are designed to reduce the burden organizations face from implementing or managing cybersecurity technology, as well as create fast, easy access to skilled cybersecurity staff to augment internal teams. LMG Security is pleased to announce it now offers the following new solutions and services: Virtual CISO and Staff Augmentation: Organizations struggle to find and retain cybersecurity talent. LMG Security provides staff augmentation services that enable organizations to quickly access the specialized cybersecurity skills they need on a fractional basis. Endpoint Detection and Response Implementation: LMG Security implements and seamlessly integrates an endpoint detection and response solution that helps organizations defend against zero-day attacks, supply chain vulnerabilities, and other common cybersecurity threats. Multi-Factor Authentication Implementation (MFA): Protect against attack vectors such as phishing, business email compromise, and cross-cloud attacks with a customized MFA implementation. Password Manager Implementation: A password manager is a simple, affordable way to decrease the risk of a data breach from weak or reused passwords. LMG Security's team implements the password manager and ensures that it is optimally configured. Managed On-Demand Employee Cybersecurity Training: Get experts to design and manage your cybersecurity training for you. An LMG Security cybersecurity specialist will plan and monitor your training program to ensure your employees have the skills to be an effective "human firewall." Continuous Attack Surface Monitoring: LMG Security's team implements and seamlessly integrates a solution that scans Internet-facing systems to help organizations identify assets that are exposed or vulnerable. All LMG Security cybersecurity solutions are implemented and managed by experts who ensure that each solution follows all cybersecurity best practices and is optimally integrated with each organization's existing tech stack. "Organizations are struggling to find and hire skilled cybersecurity talent. "We make it easy for our clients by offering expert virtual CISO and cybersecurity staff augmentation services, as well as implementation and management services for key cybersecurity solutions." Davidoff continued, "IT teams are stretched to the limit at most organizations. We're excited to launch these new cybersecurity solutions that will help organizations defend against the constantly changing threat landscape." Sherri Davidoff, president and CEO of LMG Security ABOUT LMG Security LMG Security is an internationally recognized leader in the cybersecurity consulting industry. This full-service cybersecurity firm provides one-stop shopping for a wide array of cybersecurity services. Specializing in technical testing, advisory and compliance services, and training for more than a decade, the LMG Security team's security testing services were featured on the Today show. In addition, the team has published cutting-edge research on cell phone intrusion detection and banking Trojans, written books on network forensics, data breaches, and an upcoming book on ransomware and cyber extortion, and routinely speak or train at Black Hat, RSA and many other security conferences. LMG Security is privately held and headquartered in Missoula, Montana.

Read More

DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY

GreyNoise Intelligence Partner Network Launches in the Cybersecurity Arena

GreyNoise Intelligence | November 07, 2022

GreyNoise Intelligence, the cybersecurity company analyzing internet scanning traffic to separate threats from background noise, today announced the official launch of a mulit-faceted partner program to help customers defend against mass exploitation attacks. As an ecosystem for cybersecurity solution providers, the program offers an array of opportunities for technical alliances, channel resale and OEM partners. "Mass exploitation attacks like Log4j have become the attack vector of choice for cyber criminals and state actors. "Security teams are struggling to defend themselves against these kinds of attacks with tools and threat intelligence designed for last year's threats. By building partnerships with other leading cyber solution providers, we can help customers implement new security strategies to end mass exploitation attacks." Andrew Morris, Founder and CEO of GreyNoise Mass exploitation attacks leverage internet-wide scanning technologies to find and exploit vulnerable computer systems around the world in minutes. When a new internet-exploitable vulnerability like Log4j is announced, these attacks can start in a matter of hours, before security teams have a chance to put their defenses in place. The GreyNoise Intelligence Partner Network enables other cybersecurity solution providers to expand their reach, increase revenues and deepen customer relationships. The network has three primary components: 1) GreyNoise Technical Alliance Program. GreyNoise provides contextual data on noisy IP addresses that scan the Internet. Technical Alliance partners collaborate with GreyNoise to ensure that mutual customers can seamlessly leverage inter scanner intelligence in their existing workflows, tools and processes. Customers use this data to reduce their alert volumes by 25% and minimize alert fatigue. GreyNoise also sharpens threat detection fidelity for mutual customers by providing valuable context on known malicious internet-wide scanners, speeding up the triage process. With GreyNoise data, technical partners have real time visibility into mass exploitation IPs targeting specific vulnerability, which provides critical actionable data during an active emergent attack. “Whenever a vulnerability is disclosed the dinner bell sounds for good and bad actors alike, meaning organizations are already on their back foot,” explains Robert Huber, chief security officer and head of research, Tenable. “We know threat actors are monitoring disclosure programs in the same way we are, looking for newly announced vulnerabilities, studying all available information such as proof of concepts, but they’re looking to utilize the flaw. OUr partnership with GreyNoise gives our customers the tools to address these weaknesses when they’re publicly announced. In doing so, we reduce that intelligence gap and hand the advantage back to the good guys.” 2) GreyNoise OEM Partnership Program. GreyNoise provides an integrated out-of-the-box threat intelligence solution for security vendors, ISPs and technology firms to embed in their product and service offerings. Unlike other threat intelligence vendors, GreyNoise is solely focused on providing high fidelity data on IPs that are actively mass scanning, crawling and attacking the internet. Integrating GreyNoise data directly into the platform of OEM partners enables customers to intelligently rule out internet background noise, and helps them to prioritize emerging threats and targeted activity more effectively. “Modern security teams need a fast, flexible and scalable platform for threat detection capable of analyzing terabytes of data per day, with built-in threat intelligence to rule out activity from trusted sources, and immediately flag activity from known bad actors,” said Jack Naglieri, CEO and founder, Panther Labs. “With Panther and GreyNoise, security teams can cut through background noise, improve alert fidelity, speed up analyst workflows and ensure prioritization of the most critical alerts. By making detection and response faster and more accurate, security teams can better protect their organizations from disruptive cyberattacks.” 3) GreyNoise Channel Resale Program. GreyNoise is committed to developing partnerships with highly focused, security-dedicated channel partners to deliver the best results to mutual customers. Value-added resellers and distributors offer GreyNoise protection and intelligence solutions to meet the IT security needs of their enterprise customers. In addition to providing a unique data and automation security solution that is relevant to Incident Response, SOC and Threat Intel teams, GreyNoise has a transparent, simple and profitable, channel sales program with a generous deal registration and rebate structure. GreyNoise sales teams provide materials for channel partners to explain the value GreyNoise offers in improving analyst efficiency, leveraging customer investment in existing technologies, and reducing the overall risk landscape. About GreyNoise Intelligence GreyNoise is THE source for understanding internet noise. We collect, analyze and label data on IPs that saturate security tools with noise. This unique perspective helps analysts waste less time on irrelevant or harmless activity, and spend more time focused on targeted and emerging threats. GreyNoise is trusted by Global 2000 enterprises, government organizations, top security vendors and tens of thousands of threat researchers.

Read More

DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY

Next DLP Announces Cybersecurity Industry Veteran, Constance Stack, as New CEO

Next DLP | November 03, 2022

Next DLP (“Next”), formerly Qush Security, today announced the appointment of Constance (“Connie”) Stack as its new chief executive officer. With Stack leading the way, Next expects to aggressively grow its market share and disrupt the legacy Data Loss Prevention (DLP) category. The DLP market is projected to reach 3.5 Billion USD by 2025 with the SaaS deployment model expected to dominate during the forecast period. Next’s “Reveal Cloud”, which was included in Gartner’s 2022 Market Guide for Data Loss Prevention, is an industry leading, user-centric, DLP solution, that uncovers risk, educates employees and fulfills security, compliance and regulatory needs. “This is an exciting time for all of us at Next DLP,. “We are pleased to have Connie lead Next and believe her leadership will further accelerate the company’s growth and deliver on our mission of reinventing data protection for today's distributed organization.” Fredrik Halvorsen, Chairman of Next’s board of directors and co-founder of Ubon Partners Most recently, Stack served as Managing Director/GM of the Data Protection Business Unit for HelpSystems, which included the Digital Guardian, Titus, Boldon James and Vera brands. Prior to acquisition by HelpSystems, Stack served as chief strategy officer and chief marketing officer of Digital Guardian. Earlier in her career, Stack was vice president of marketing at Veracode (acquired by CA Technologies) and chief revenue officer at WordStream (acquired by the Gannett Company). “Today’s most used DLP solutions came to market over twenty years ago; before the shift to cloud and SaaS really took off and well before the COVID-19 pandemic drove global knowledge workers to a remote working model. Put plainly, legacy DLP approaches are outdated and prone to failure,” said Constance Stack, Chief Executive Officer, Next DLP. “Next DLP offers a new and flexible approach to protecting data where it is most at risk. Its patent-pending endpoint agent and cloud platform were purpose-built for today’s IT environment and threat landscape. I look forward to this opportunity to work with Next’s incredibly talented team and to deliver DLP that works to our customers.” About Next DLP Next DLP (“Next”) is a leading provider of data protection solutions for organizations with valuable data who need to uncover risk, educate employees and fulfill security, compliance and regulatory needs. Next's mission is to reinvent data protection for today's distributed organization and it is disrupting the legacy data loss prevention market with a user-centric, flexible, cloud-native, AI/ML powered solution built for today’s threat landscape. The company's leadership brings decades of cyber and technology experience from HelpSystems, DigitalGuardian, Forcepoint, Mimecast, IBM, Cisco and Shopify. Next is trusted by organizations big and small, from Fortune 100 finance and retailers to fast growing healthcare and technology companies.

Read More

DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY

Datadog Launches Cloud Security Management to Provide Cloud Native Application Protection

Datadog | October 20, 2022

Datadog, Inc., the monitoring and security platform for cloud applications, today announced the general availability of Cloud Security Management. This product brings together capabilities from Cloud Security Posture Management (CSPM), Cloud Workload Security (CWS), alerting, incident management and reporting in a single platform to enable DevOps and Security teams to identify misconfigurations, detect threats and secure cloud-native applications. As organizations' cloud architectures become more complex, assessing security risks and collaborating across teams to mitigate them has become increasingly difficult. While security engineers are responsible for identifying threats and misconfigurations, DevOps teams are responsible for remediating them. DevOps and security teams often use multiple point solutions and tools to report on and resolve issues, but these tools provide an incomplete view of security risks and create silos between teams. Datadog's Cloud Security Management brings together observability and security insights across an organization's entire cloud environment—without the need to deploy additional agents. This shared context provides security engineers with deeper insights to collaborate with DevOps teams and more quickly remediate security issues. "Tight collaboration between security and DevOps teams is required to mitigate security risks in today's environments. This change has been brought on by the move to the cloud. Security teams today cannot take countermeasures alone without potentially impacting the performance and reliability of production systems. "Datadog Cloud Security Management helps these teams work together to remediate issues quickly by providing a single platform—as opposed to multiple point solutions—that delivers a complete view of an organization's infrastructure and risk exposure." Prashant Prahlad, VP of Product at Datadog "Using Cloud Security Management was like having a member of the InfoSec team embedded within our DevOps team," said Chad Upton, Vice President of Infrastructure at FirstUp. "All the security metrics were front and center so they could easily see the number of misconfigured resources in a single view and they didn't have to wait for someone from InfoSec to reach out and let them know there was an issue." "Because Datadog Cloud Security Management shows observability and security data together, alongside the resource relationship graph, we were able to remove cloud resources that were no longer in use and easily understand the impact of misconfigured cloud resources by visualizing all dependencies," said Ben Collen, Senior Director of Engineering and CISO at Vertex. Cloud Security Management expands on the foundational capabilities of cloud security posture management and cloud workload security of a CNAPP solution through: Resource Relationship Graph: By providing a visual risk assessment of misconfigured resources and vulnerabilities across an organization's cloud infrastructure, DevOps teams can take remedial actions based on the impact of the risk. Custom Detection Rules: Teams can now create fine-grained threat detection rules across all cloud resources—including their associated logs and security incident events. Resource Catalog (Beta): Engineers can access a comprehensive visual representation of all security risks associated with each cloud resource in a customer's environment and identify the owners of every cloud infrastructure resource to remediate vulnerabilities and misconfigurations. About Datadog Datadog is the monitoring and security platform for cloud applications. Our SaaS platform integrates and automates infrastructure monitoring, application performance monitoring and log management to provide unified, real-time observability of our customers' entire technology stack. Datadog is used by organizations of all sizes and across a wide range of industries to enable digital transformation and cloud migration, drive collaboration among development, operations, security and business teams, accelerate time to market for applications, reduce time to problem resolution, secure applications and infrastructure, understand user behavior and track key business metrics.

Read More

Spotlight

Eric Stevens, vice president of engineering and principal architect at ProtectWise, discusses the current state of artificial intelligence in cybersecurity and the company's recent report on the topic, The State of AI in Cybersecurity. This video covers these questions and more: How did you get involved in tech and transition into security and engineering? (1:05). What tasks is AI performing in regards to cybersecurity? (2:25). What are the benefits of AI-enabled security? (3:40).

Resources