3. Data Management
The TruSTAR platform combines your internal data with internal and external intelligence sources to provide automated threat intelligence that improves the quality of information exchanged between TruSTAR and your security tools.
Internal data is the raw data generated within your organization, such as logs, emails, and network traffic. This raw data is what you submit to TruSTAR to be enriched and then shared internally and/or externally to assist in security investigations and detections. Data submitted to TruSTAR starts out as an Event, and each Event can contain Observables.
Events are anomalous behaviors or activities that are observed and captured by your internal systems, such as alerts, emails, cases, or issues. Each Event contains one or more Observables.
Threat Intelligence provides an outside opinion, or context, on Observables, such as maliciousness or attributes that can include actors, campaigns, malware, CVEs, and other non-malicious objects. You can combine external intelligence sources with your internal historical data to label and score internal events or suspicious alerts, automating the process of investigation and accelerating your response to events.
Attributes are the context, such as a TTP, a campaign, a malware family, or a threat actor, used to categorize an indicator as malicious or not. Attributes explain why an indicator was scored a certain way.
Intelligence Reports are reports containing an indicator, or a collated list of indicators, together with their attributes, which provide context such as indicator maliciousness or confidence. Each Intelligence Report contains one or more indicators and their associated attributes.
The portion of your otherwise unlabeled data that these intelligence sources label with scores or context is called coverage. The goal of threat intelligence is to maximize this coverage by choosing the best sources for your organization, given any budget constraints.
The TruSTAR platform categorizes Threat Intelligence into three types:
- Premium Intelligence Sources: Privately maintained sources that require some commercial relationship with the provider or membership in a group, such as an ISAC/ISAO. The providers of these sources are intelligence specialists who curate and disseminate valuable enriched intelligence.
- Open Sources: Public data that is available to everyone, including blogs, RSS feeds, and Open APIs. These sources are generally less curated and provide less valuable labels (such as scores).
- Internal Intelligence: Your organization’s curated data from incidents and investigations. This can include internally generated reports, closed cases, and their associated tags. This is actually the most useful source for your security workflow because it contains the most relevant and vetted context compared to external sources.
Your organization’s historical events can provide context for evaluating Observables and Events in raw data sources, and so help you decide how to prioritize such events in the future.
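The relationships described in this section (an Event containing Observables, an Intelligence Report containing indicators with attributes, and coverage as the share of observables that some source labels) can be made concrete with a small model. The following is an added illustration, not TruSTAR's own code or API: the class names, the `SOURCE_RANK` weighting of internal over premium over open sources, and all sample events, indicators, IP addresses, domains and attribute values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed ranking of the three source types from the text: internal context is the
# most relevant and vetted, open sources the least curated. The numbers are illustrative.
SOURCE_RANK = {"internal": 3, "premium": 2, "open": 1}


@dataclass(frozen=True)
class Observable:
    kind: str    # e.g. "ip", "domain", "md5"
    value: str


@dataclass
class Event:
    event_id: str
    category: str                # alert, email, case, issue
    observables: List[Observable]


@dataclass
class IntelReport:
    report_id: str
    source_type: str                         # "internal", "premium" or "open"
    indicators: Dict[str, Dict[str, object]]  # indicator value -> its attributes


def enrich(event: Event, reports: List[IntelReport]) -> Dict[str, Dict[str, object]]:
    """Label each observable with the attributes of the highest-ranked report that
    mentions it. Observables no report mentions are left out (they are uncovered)."""
    labels: Dict[str, Dict[str, object]] = {}
    for obs in event.observables:
        best = None
        for rep in reports:
            attrs = rep.indicators.get(obs.value)
            if attrs is None:
                continue
            rank = SOURCE_RANK[rep.source_type]
            if best is None or rank > best["rank"]:
                best = {"rank": rank, "source_type": rep.source_type,
                        "report_id": rep.report_id, **attrs}
        if best is not None:
            labels[obs.value] = best
    return labels


def coverage(events: List[Event], reports: List[IntelReport]) -> float:
    """Coverage: fraction of distinct observable values across all events that at
    least one intelligence source labels."""
    distinct = {obs.value for ev in events for obs in ev.observables}
    if not distinct:
        return 0.0
    labeled = {value for ev in events for value in enrich(ev, reports)}
    return len(labeled) / len(distinct)


def prioritize(events: List[Event], reports: List[IntelReport]) -> List[Tuple[str, int]]:
    """Rank events for triage: every observable labeled malicious contributes the
    rank of the source that labeled it, so vetted internal context weighs most."""
    scored = []
    for ev in events:
        labels = enrich(ev, reports)
        score = sum(lab["rank"] for lab in labels.values() if lab.get("malicious"))
        scored.append((ev.event_id, score))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample data (documentation-reserved addresses and made-up attribute values).
EVENTS = [
    Event("EVT-1", "alert", [Observable("ip", "203.0.113.10"),
                             Observable("domain", "bad.example")]),
    Event("EVT-2", "email", [Observable("md5", "d41d8cd98f00b204e9800998ecf8427e"),
                             Observable("ip", "198.51.100.7")]),
    Event("EVT-3", "case", [Observable("ip", "203.0.113.10")]),
]

REPORTS = [
    IntelReport("RPT-INT-1", "internal",
                {"203.0.113.10": {"malicious": True, "campaign": "constructed-campaign-a"}}),
    IntelReport("RPT-PREM-1", "premium",
                {"bad.example": {"malicious": True, "malware": "constructed-family-x"},
                 "198.51.100.7": {"malicious": False, "note": "known benign scanner"}}),
    IntelReport("RPT-OPEN-1", "open",
                {"203.0.113.10": {"malicious": True, "score": 40}}),
]

if __name__ == "__main__":
    print(f"coverage: {coverage(EVENTS, REPORTS):.0%}")
    for event_id, score in prioritize(EVENTS, REPORTS):
        print(event_id, score)
```

In the sample, the MD5 in EVT-2 is mentioned by no source, so coverage is 3 of 4 observables; the IP seen in EVT-1 and EVT-3 is labeled by both an open and an internal report, and the internal label wins, which is why those two events sort ahead of the e-mail whose only labeled observable is marked benign. Adding a source that labels the MD5 would raise coverage, which is the optimization the text describes.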