3. Data Management

Updated 2 years ago by TruSTAR

The TruSTAR platform combines your internal data with internal and external intelligence sources to provide automated threat intelligence that improves the quality of information exchanged between TruSTAR and your security tools.

Internal Data

Internal data is the raw data generated within your organization, such as logs, emails, and network traffic. This raw data is what you submit to TruSTAR to be enriched and then shared internally and/or externally to assist in security investigations and detections. Data submitted to TruSTAR starts out as an Event, and each Event can contain Observables.

Observables are entities, such as a URL, an IP address, a hash, or an email address. Observables do not always establish a baseline for whether an entity is good or bad, but they are useful for creating relationships between two or more data entities that can then lead to assigning a Safe or Malicious label to that Observable.

Events are anomalous behaviors or activities that are observed and captured by your internal systems, such as alerts, emails, cases, or issues. Each Event contains one or more Observables.

Threat Intelligence

Threat Intelligence provides an outside opinion, or context, on Observables, such as maliciousness or attributes that can include actors, campaigns, malware, CVEs, and other non-malicious objects. You can combine external intelligence sources with your internal historical data to label and score internal events or suspicious alerts, automating the process of investigation and accelerating your response to events. 

Indicators are entities or data objects, such as a URL, an IP address, a hash or an email address associated with an attribute or set of attributes such as a campaign, a malware family, a threat actor, or a TTP. Indicators establish a baseline for badness of an entity.

Attributes are the context, such as a TTP, a campaign, a malware family, or a threat actor, used to categorize an Indicator as malicious or not. Attributes explain why an Indicator was scored a certain way.

Intelligence Reports are reports containing an Indicator, or a collated list of Indicators, together with their Attributes, which provide context such as Indicator maliciousness or confidence. Each Intelligence Report contains one or more Indicators and their associated Attributes.

The surface area of where these intelligence sources add labels to unlabeled data in the form of scores or context is called coverage. The goal of threat intelligence is to maximize this coverage by choosing the best sources for your organization, given any budget constraints.

The TruSTAR platform categorizes threat Intelligence into three types: 

  • Premium Intelligence Sources: Privately maintained sources that require some commercial relationship with the provider or membership in a group, such as an ISAC/ISAO. The providers of these sources are intelligence specialists who curate and disseminate valuable enriched intelligence. 
  • Open Sources: Public data that is available to everyone, including blogs, RSS feeds, and Open APIs. These sources are generally less curated and provide less valuable labels (such as scores). 
  • Internal Intelligence: Your organization’s curated data from incidents and investigations. This can include internally generated reports, closed cases, and associated tags. This is actually the most useful source for your security workflow because it contains the most relevant and vetted context compared to external sources.

The most valuable intelligence for your organization is your own historical data about previous events, such as incident reports, tickets, cases, and phishing emails. These events differ from raw data sources like logs and network traffic because they hold a record of context about maliciousness that is specific to your organization.

Your organization’s historical events can provide context for evaluating Observables and Events in raw data sources, and so help you decide how to prioritize similar events in the future.
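As an added example, not TruSTAR's own code or API, the data model described above (Events holding Observables, Indicators carrying a label and Attributes) and the idea of coverage across the three source types, worked through in Python. The source names, labels, ranking and sample values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Source tiers from the page; lower rank wins when sources disagree (assumed).
SOURCE_RANK = {"internal": 0, "premium": 1, "open": 2}

@dataclass
class Indicator:            # an entity plus the context that scores it
    value: str              # IP, URL, hash or email address
    source: str             # "internal", "premium" or "open"
    label: str              # "Malicious" or "Safe"
    attributes: tuple = ()  # campaign, malware family, actor, TTP, case ...

@dataclass
class Event:                # raw internal data (alert, email, case) with its observables
    name: str
    observables: tuple

def build_index(indicators):
    """Map each indicator value to the highest-ranked source that reports it."""
    index = {}
    for ind in indicators:
        cur = index.get(ind.value)
        if cur is None or SOURCE_RANK[ind.source] < SOURCE_RANK[cur.source]:
            index[ind.value] = ind
    return index

def enrich(event, index):
    """Label each observable from the index; None means no source covers it."""
    return {obs: index.get(obs) for obs in event.observables}

def coverage(events, index):
    """Share of distinct observables across all events that received a label."""
    observed = {o for e in events for o in e.observables}
    return sum(o in index for o in observed) / len(observed) if observed else 0.0

def coverage_with_sources(events, indicators, sources):
    """Coverage if only the given source tiers were available (budget what-if)."""
    return coverage(events, build_index([i for i in indicators if i.source in sources]))

# Constructed sample data using documentation/reserved ranges, not real indicators.
INTEL = [
    Indicator("203.0.113.7", "open", "Malicious", ("scanner",)),
    Indicator("203.0.113.7", "internal", "Malicious", ("closed case", "phishing")),
    Indicator("login.example.invalid", "premium", "Malicious", ("campaign A",)),
]
EVENTS = [
    Event("phish-alert-1", ("203.0.113.7", "login.example.invalid", "user@example.com")),
    Event("proxy-alert-2", ("203.0.113.7", "198.51.100.9")),
]
```

With the sample data, all three tiers together label half of the observed entities, while the open source alone labels a quarter; the same observable reported by both the open and the internal source resolves to the internal context.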
