
IBM Xforce or HP Threat central?

Dear Forum members,

How do I add threat intel with ArcSight ESM 6.8?

Has anybody tried IBM Xforce or HP Threat Central?

An early response will be highly appreciated. Thank you.

Re: IBM Xforce or HP Threat central?

See:

~ Ofer

Re: IBM Xforce or HP Threat central?

Thank you.
I am trying to find a link to download the ArcMC software. Is there any link available?
To know more about the ArcSight architecture, and to propose or evaluate an existing architecture, could you suggest any materials please?

Looking forward to your response. Thank you for your help; your enthusiasm for helping us is very inspiring.

Re: IBM Xforce or HP Threat central?

Just to answer your question directly though - a few things to consider:

1) Threat intelligence is an indicator, it's not the proof - build a strategy based on identifying what the indicators are for an attack, but do not rely on threat intelligence as the sole provider of this. It's an indicator at best, a false alert at worst. Be considerate, careful and understand what your use cases are before you jump for a particular threat intelligence vendor.

2) There are other threat feeds available - following on from the points above, think about what vendor best fits your requirement. For example, if you have a major malware issue, maybe a malware-focused threat intel list is better? Or maybe you have a locked-down environment (users are actually banned from accessing suspicious sites totally); this will steer your selection and where to look. There are also consolidation and aggregation providers - so take a look at them too! More doesn't always mean better either; look for quality, consistency and predictability over time. Threat intel is like AV vendors from a few years ago - some will claim 2 million entries, others will claim 20 million; largely it's duplicated data and meaningless anyway. Quality is key.

3) Think about threat intelligence sharing - are there other companies, similar or competing companies or even an industry body that provides threat intel? Finance sectors have this, governments provide it and even larger ISPs will provide region-specific data too. While I am not claiming it's better, it might be a bit more focused and targeted.

4) Collaboration is key - threat intel on its own is pretty meaningless. Look for a service where there is a platform to use to follow up, score, discuss and partner with others. RepSM is just the data feed from ArcSight, but Threat Central is the data and the community - take a look at this: Cyber Threat Intelligence Analysis and Sharing Services | Hewlett Packard Enterprise. IBM also has a community, but look at what fits best.

5) Frequency of updates - this follows on from the volume point above, but how frequently is the data refreshed, updated and checked? AWS is frequently used (or at least was) for launching attacks and as a result, many threat intelligence providers let their automated systems list Amazon.com as a bad site. While there are bad sites on there, it's not the whole service! This needs manual investigation as well as frequent updates. Many providers that are cheap don't update regularly and don't share the updates either. So check frequency, consistency and what is checked manually.

6) Content - getting the data in is one question, making it do something is another. RepSM (and Threat Central) does come with content that you can make use of out of the box. Other threat intel providers also provide content (such as Anomali, for example) and some of it is actually really advanced. IBM is a competitor and hence they don't provide content. So it's worth looking into and seeing what you can do. Because there is no content in ESM to drive it doesn't mean it's bad though - it just means you need to factor in how to use it. And as always, consider Activate as a platform for making use of the indicators involved.

My choice, and it would always be, is ArcSight RepSM as a minimum, but look at Threat Central for a more complete platform. But also look at others and see if a premium service works for you.

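Points 1, 2 and 5 above (indicators are not proof, vendors sell largely duplicated data, and shared infrastructure such as AWS gets listed wholesale) can be checked mechanically before a feed is wired into ESM. The following Python is an added example and not code from ArcSight, RepSM or Threat Central; the feed contents, the `SHARED_INFRA` allowlist and the scoring weights are constructed assumptions.

```python
from datetime import date

# Constructed sample feeds (not real indicators): indicator -> date the vendor last confirmed it.
FEEDS = {
    "vendor_a": {"bad-host.example": "2024-05-01", "c2.example.net": "2024-05-03",
                 "amazonaws.com": "2024-05-02", "10.0.0.5": "2024-01-10"},
    "vendor_b": {"bad-host.example": "2024-05-02", "drop.example.org": "2024-04-30",
                 "amazonaws.com": "2024-05-01"},
}
# Hypothetical allowlist of shared infrastructure a feed may list wholesale; such hits
# are routed to manual review rather than blocked outright (point 5).
SHARED_INFRA = {"amazonaws.com", "amazon.com"}
TODAY = date(2024, 5, 4)  # fixed "now" so the example is reproducible

def age_days(last_seen, today=TODAY):
    return (today - date.fromisoformat(last_seen)).days

def merge_feeds(feeds, today=TODAY, max_age_days=30):
    """Deduplicate indicators across vendors, record which vendors agree, and set aside
    stale or shared-infrastructure entries for an analyst instead of acting on them."""
    merged, review = {}, []
    for vendor, entries in feeds.items():
        for ind, last_seen in entries.items():
            ind = ind.strip().lower()
            age = age_days(last_seen, today)
            if ind in SHARED_INFRA:
                review.append((vendor, ind, "shared infrastructure"))
                continue
            if age > max_age_days:
                review.append((vendor, ind, f"stale ({age} days)"))
                continue
            rec = merged.setdefault(ind, {"sources": [], "age_days": age})
            rec["sources"].append(vendor)
            rec["age_days"] = min(rec["age_days"], age)  # keep the freshest sighting
    return merged, review

def overlap_ratio(feeds, a, b):
    """Fraction of feed b already present in feed a: a quick duplication check (point 2)."""
    return len(set(feeds[a]) & set(feeds[b])) / len(feeds[b])

def score(record, max_age_days=30):
    """Indicator, not proof (point 1): corroboration and freshness raise the score,
    a single-source sighting stays low so it triggers review, not a block."""
    corroboration = min(1.0, 0.3 * len(record["sources"]))
    freshness = max(0.0, 1 - record["age_days"] / max_age_days)
    return round(corroboration * freshness, 2)

if __name__ == "__main__":
    merged, review = merge_feeds(FEEDS)
    for ind, rec in sorted(merged.items()):
        print(f"{ind:20} sources={rec['sources']} score={score(rec)}")
    for item in review:
        print("review:", item)
    print(f"vendor_b overlap with vendor_a: {overlap_ratio(FEEDS, 'vendor_a', 'vendor_b'):.0%}")
```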
Re: IBM Xforce or HP Threat central?

Is there any list of all the threat intel available here in the community? Is ArcSight RepSM free?
