Scientia potentia est — knowledge is power. Philosophers have said it since ancient times, and in various languages. Today, we at Kaspersky Lab offer yet another illustration of this statement: Meet our Machine-Readable Threat Intelligence Platform, which converts our accrued knowledge of the threat landscape into real protective power, defending the information infrastructures of large enterprises from cyberattacks.
Nearly every enterprise uses multiple security systems to cover the various segments of their infrastructure. They continuously gather data on what is going on in the network, endpoints, proxy-servers, gateways, firewalls and various actuators. To bring together these data feeds, security information and event management (SIEM) systems are employed.
In addition to gathering data on processes within the enterprise information infrastructure, SIEM systems perform many other tasks. Most important, the advanced systems are capable of analyzing the events in corporate systems. Therefore, we developed a tool that feeds SIEM systems with additional data regarding actual threats. This information allows the systems to detect signs of malicious activity and block cyberthreats.
That’s the way the Machine-Readable Threat Intelligence Platform works, being part of the Kaspersky Security Intelligence Services product line. It receives logs of everything that happens in company’s infrastructure and compares them with the data on all known threats. If crossings are detected, our system sends an alert in SIEM-readable format. Currently our Machine-Readable Threat Intelligence Platform provides integration tools for the most popular SIEM platforms — Splunk, IBM QRadar, and HP ARCsight. Compatibility with these platforms allows most enterprises to deploy our solution. But we plan to make our platform compatible with other SIEM systems, because its architecture does not depend on the type of the data source.
Using the Machine-Readable Threat Intelligence Platform fits well with our general position on security: multilayeredness everywhere. Even if all endpoints, servers, and nodes in your information infrastructure are already protected, it always makes sense to provide an extra layer of security by means of a SIEM system. After all, a security program protecting a given endpoint knows only what is happening on that particular machine, whereas a SIEM system has access to a much broader range of data. As a result, operating security centers can see the full picture and detect more sophisticated attacks that can circumvent endpoint protection.
In some cases, establishing efficient information security using a SIEM system is the most preferable scenario; to do otherwise would mean migrating all of the endpoints to new security solutions, which requires a lot of effort. Using SIEM doesn’t require enterprises to make considerable changes in their infrastructure to set up a reliable security system.
At present, data feeds from our Machine-Readable Threat Intelligence Platform to SIEM systems comprise several types. First are network indicators with IP address reputation, malicious and phishing URL’s as well as the URLs of command-and-control (C&C) servers detected by Kaspersky Lab’s technologies; these URLs may be reliably indicative of concealed cyberattacks. Second are indicators (hashes) of malicious code that enable us to intercept even the newest malware. Third is a feed on mobile threats, which are particularly topical for telecoms. All of these feeds have additional context data to help clients get all needed information about a threat, prioritize work of IT security teams and security operation centers and react on incidents with the utmost efficiency.
Kaspersky Lab’s Machine-Readable Threat Intelligence Platform is now available worldwide. Find out more about it here.