
CyberRes Galaxy GTAP+ is the Threat Intelligence Your Kingdom Needs

by Micro Focus Employee in CyberRes

For want of “Right and Actionable Intelligence” – the Kingdom was Lost!

Famously quoted by Benjamin Franklin, the age-old proverb “For Want of a Nail” reads “For want of a shoe, the horse was lost. For want of a horse, the rider was lost. For want of a rider, the battle was lost. For want of a battle, the kingdom was lost, and all for the want of a horseshoe nail.” 

This short proverb sets the tone, highlighting how much the timeliness of information and the little things matter when it comes to saving the kingdom. We all belong to a variety of kingdoms: one’s home, office, organization, and country. The proverb could not be more apt in today’s information technology context of hyperscalers, connected and interacting ecosystems, and the digitalization of information and its dissemination and relevance across all spheres of life. Individuals make decisions day to day; enterprises are always on their toes launching new products, retaining customers, bringing value to their clients and staying ahead of the competition; and governments need to act to live up to the expectations of their people. As Clive Humby has said, “information is the new oil”: it feeds the decision-making process ever more swiftly and efficiently, along with the risks it brings to the table. 

Enterprises at large continue to generate and consume high volumes of data. Cybersecurity is at the forefront and at the core of protecting an enterprise’s crown jewels, defending against ever-evolving threats, and securing applications and the overall infrastructure from bad actors who continue to innovate and cause more harm. Cyber Threat Intelligence is one key capability that lets mature enterprises proactively identify and predict, mitigate and respond, and safeguard themselves from a potential breach. The requirements on that information go beyond the time dimension: it must not only be agile but also accurate, actionable, actively maintained, focused and diverse, all while filtering out the noise, so that threats are handled proactively and cyber resilience is achieved. 

Cyber Threat Intelligence – The Nucleus That Equips an Enterprise for the Battle That Continues

Cyber Threat Intelligence, also referred to as CTI, is knowledge, skill and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors, intended to help mitigate potential attacks and harmful events occurring in cyberspace. Threat intelligence is evidence-based information about criminal activity that targets an organization’s networks, devices, applications, and data. It gives businesses a better understanding of past, current, and future cyber dangers. It includes mechanisms, context, implications, indicators, and action-oriented advice about emerging or existing hazards to information assets. 

Threat intelligence information can guide enterprises in determining which of their cyber assets are at greatest risk of attack, and where attack impact would be most significant. It gives organizations the knowledge they need to know what information assets to protect, the best means of protecting them, and the most appropriate mitigating tools. 

CTI is classified in three broad categories:

Strategic

Broad or long-term trends or issues, often the preserve of high level, non-technical audiences such as C-suite executives. It provides a bird’s eye view of the capabilities and intents of threats, which allows for informed decision-making and prompt warnings.

Tactical

Gives structure to the procedures, techniques, and tactics of threat actors by tackling the indicators of compromise through day-to-day intelligence events and operations.

Operational

Very specialized and highly technical; deals with specific attacks, malware, tools, or campaigns and the underlying TTPs deployed.

However, the adoption of threat intelligence in an enterprise is constrained by the sheer volume of threat feeds and the noise they bring to the table. Analysts on the ground are often overwhelmed sifting through the Galaxy of threats, prioritizing and filtering the critical and important ones that may actually be a real threat to the enterprise. Furthermore, the need of the hour is genuinely actionable content that is both customized and curated by experts, cutting the noise and the fluff and making it easier for an enterprise to use it effectively in its own business context. 

CTI is the nucleus of an organization’s Security Operations Centre (SOC), and using it effectively can prove to be a beneficial investment for an enterprise. With the plethora of security tools available today, cyber security teams are overwhelmed with threat information. Threat intelligence works behind the scenes to provide the agile context needed for accurate, relevant, actionable and informed decisions on how to mitigate those threats. 

And here arrives CyberRes … to save the Kingdom! 

It continues to be difficult to manage the cybersecurity talent war and analyst fatigue, to provide relevant insights for all the stakeholders from boardroom to war-room, and ultimately to stay ahead of the bad actors, all while protecting the enterprise. Mature organizations do not rely on only one threat intelligence feed but leverage multiple threat intelligence sources, to make sure they do not miss any threats. Small and medium enterprises need to be efficient with their resources and should take a very focused approach, prioritizing their defenses on known threats targeting their industry. Navigating the swarm of false positives continues to be a challenge for any analyst. 

The real question is: what should I do to resolve the conundrum of these threat alerts? Should I “Block”, “No-Block” or “Auto Block”? Furthermore, over the years SOAR and UEBA solutions have been fully assimilated into the overall SIEM ecosystem, and leveraging these capabilities helps handle threats both automatically and manually. GTAP+, the threat intelligence component of the CyberRes Galaxy platform, does exactly that by populating the active lists that automatically enable “watching” for threats in real time. When a suspicious or confirmed bad connection is made to a “bad reputation” destination (e.g. a site, URL or file execution), the regular ESM correlation alerts are generated for Indicators of Compromise (IoCs) at every threat level. For medium/low threat levels, manual triage of these incidents is then conducted to decide whether the action should be a “Block” or “No-Block”. Urgent/critical threats are “Auto-Blocked” by ArcSight SOAR, a proactive approach that natively uses the capabilities of the SIEM platform for greater efficiency and faster response. 

CyberRes, a Micro Focus line of business, provides a one-stop solution with its Galaxy product portfolio, which is comprised of:  

  • Galaxy Online: Customizable threat landscapes, threat briefings and reports, available to everyone without charge
  • GTAP Basic (Galaxy Threat Acceleration Program - Basic): Basic threat intelligence feed offered to ArcSight customers without charge
  • GTAP+ (Galaxy Threat Acceleration Program - Plus): Premium threat intelligence feed available to ArcSight customers, paid service only

To delve deeper into GTAP+ specifically: it magnifies and provides clarity while traversing the Galaxy of threat intelligence. Its content is bespoke, manually curated by our in-house experts, and provides high-fidelity and actionable threat alerts from Day 1.

Everything about GTAP+ (Galaxy) is designed to help reduce analyst alert fatigue and to help filter out the noise and focus on what really matters.

GTAP+ provides always-on, real-time, high-fidelity detection and response without compromise.

GTAP+ content carries context from over 45 field sets per threat, providing exhaustive coverage of a potential threat.

Where a high number of threat feeds is being shared, we perform an internal validation to check that they are relevant.

GTAP is embedded by default in the out-of-the-box ESM 7.x content. A GTAP+ subscription populates the active lists, which then automatically enable “watching” for threats in real time.

Furthermore, the ArcSight Platform’s SOAR capabilities can also be leveraged: an incident is auto-generated only for urgent and critical priority alerts, and the threat is automatically blocked as a proactive measure.

If further investigation shows that the “Auto Block” performed by ArcSight SOAR was a false positive, rolling it back is simply a click away.
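The alert routing described above (active-list match, auto-block for urgent/critical, analyst triage for medium/low, one-click rollback), as an added Python model that is not CyberRes or ArcSight code. The indicator values, event fields and the level-to-action policy are all assumptions.

```python
"""Added illustration, not CyberRes or ArcSight code: models the GTAP+ flow the post
describes (IoCs in an active list, alerts on every hit, auto-block for urgent/critical,
analyst triage for the rest, rollback of a false positive). All values are constructed."""
from dataclasses import dataclass, field
from typing import Optional

AUTO_BLOCK_LEVELS = {"urgent", "critical"}   # assumed level-to-action policy
# Constructed stand-in for the ESM active list: indicator -> threat level
ACTIVE_LIST = {
    "198.51.100.23": "critical",    # RFC 5737 documentation address, not a real IoC
    "bad.example.net": "medium",
    "203.0.113.9": "low",
}

@dataclass
class SoarState:
    alerts: list = field(default_factory=list)        # every correlation alert raised
    triage_queue: list = field(default_factory=list)  # analyst decides Block / No-Block
    blocked: set = field(default_factory=set)         # destinations auto-blocked

def correlate(event: dict, state: SoarState) -> Optional[str]:
    """Match one event's destination against the active list and route it.
    Returns "auto_block", "manual_triage", or None when nothing matched."""
    dest = event.get("dst")
    level = ACTIVE_LIST.get(dest)
    if level is None:
        return None
    alert = {"src": event.get("src"), "dst": dest, "level": level}
    state.alerts.append(alert)               # alert fires for every threat level
    if level in AUTO_BLOCK_LEVELS:
        state.blocked.add(dest)              # proactive block, as for ArcSight SOAR
        return "auto_block"
    state.triage_queue.append(alert)         # medium/low (and unknown) go to an analyst
    return "manual_triage"

def rollback(dest: str, state: SoarState) -> bool:
    """Undo an auto-block once investigation shows it was a false positive."""
    if dest not in state.blocked:
        return False
    state.blocked.discard(dest)
    return True

def run_sample() -> SoarState:
    """Push constructed events through the pipeline."""
    state = SoarState()
    for src, dst in [("10.0.0.5", "198.51.100.23"), ("10.0.0.7", "bad.example.net"),
                     ("10.0.0.9", "203.0.113.9"), ("10.0.0.9", "10.0.0.1")]:  # last is benign
        correlate({"src": src, "dst": dst}, state)
    return state
```

Unknown or missing levels deliberately fall through to the analyst queue rather than to an automatic block, so a malformed feed entry cannot trigger an unreviewed block.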

There is absolutely no change to the deployment architecture, which makes GTAP+ easy to configure for existing ArcSight customers. Customers using different SIEM solutions can also easily ingest GTAP+ feeds.

The purpose of GTAP+ is to go beyond the capabilities of today’s commoditized threat intelligence platform solutions: to address the tangible challenges that exist, to maintain and provide enhanced coverage and context for a threat, and to unleash its real value for everyone. Some of the key differentiators are:

  • Business Oriented: Threats are tracked by annualized loss expectancy (ALE), which captures the business impact and the applicable industries. This is relevant not only to executives and SOC managers but even down to the analysts; it helps them understand what is threatening them and what to focus on first.
  • Cross-Portfolio: Enhanced cross-portfolio coverage not limited to SecOps, but spanning IT Operations, Auditing, AppSec, Data Privacy, and beyond.
  • Proactive Resiliency: Not limited to threat information alone; we include guidance on what to do about it for resiliency against future threats.
  • Verticalized: Secure industry-specific digital value chains with focused defense strategies, using industry context and business functions for better impact visibility.
  • Smart Dashboards: Easy-to-configure, smart dashboards on the overall threat landscape, with data visualizations and the ability to hone in on what’s important, enhancing business performance. 

Cyber threat intelligence is a business-critical investment for SOC teams. In addition to providing the intelligence needed to make well-informed security decisions, CTI also provides the benefits to further reduce costs by allowing SOCs to use the overall ecosystem and resources more efficiently; lower the degree of risk by focusing on immediate and active threats in your industry; enhance threat hunting capabilities by hunting for the latest threats; maximize staff efficiency; fill in the gaps in defense; enrich visibility; receive up-to-date global threat intelligence; and ultimately, reduce the risk of data exfiltration. 

CyberRes Galaxy solutions continue to deliver on the Micro Focus belief in “Run and transform the business at the same time”. Additionally, a newer version of GTAP+ is on the anvil, unlocking even better capabilities. Please use the Galaxy contact us form to reach out to us if you would like to participate in beta releases and demos to understand how to unlock GTAP+ value for your organization. Interested in a free trial of GTAP+? Reach out to your CyberRes sales rep to learn more. 
