Threat Intelligence Standard

Overview

Threat Intelligence Standard is built into the core Secure60 platform.

Built-in Threat Intelligence

Our Built-in Threat Intelligence leverages a combination of open-source and private data sources to provide a robust foundation of threat information. This includes:

• Open Source Data Sources: Leveraging publicly available threat intelligence feeds, we apply filtering to ensure accuracy and freshness which ensures accurate and up-to-date information on emerging threats.
• Private Data Sources: Utilizing proprietary data sources to enhance threat detection and enrich the overall intelligence.

Features

• Comprehensive Coverage: Aggregates data from multiple open source and private sources.
• Real-time Updates: Continuously updated to reflect the latest threat landscape.
• Smart Analytics: Remove false positives through automated analysis of packet sizes, protocol types and more
• Customizable: Allows for tailored threat intelligence based on your specific requirements.

Getting Started

To start using Threat Intelligence in Secure60, follow these steps:

1. Enable Built-in Threat Intelligence:

   • Threat Intelligence is enabled on each Project by default
   • To managed settings, Navigate to the Threat Intelligence settings in the Secure60 portal (Project Settings page under “Modules”)
   • You can tune features such as score of Threats detected, Adding items to Allow Lists and more

2. System Behaviour

   • The platform will look at the ip_src_address and ip_dst_address fields in incoming data and match against IP intelligence lists
   • When a match is found an Entity is created with the IP address in question with a score of 100
   • Entity based rules detect an Entity with a high score and will create a threat object (and run appropriate Response actions)
   • When a detection is made for a specific Entity. We add that entity to a supression list for 24hrs to avoid floods of alerts for a specifc Entity Object

Configuration Options

Fields that are available to configure:

• Whitelist - This configuration option allows you to exclude specific IP addresses from triggering the Entity / Threat creation process
  • Add New List - Creates a new List that can have items added to it
  • Add New Item to List - Adds a new IP address to the whitelist
• Score - (Optional) Allows configuration of the score of the Entity object that is created
• Entity Fieldname - (Optional) Allows configuration of the Entity object that is created. By default the entity is aligned to the field that the Threat is detected in (eg ip_src_address)
• Minimum Bytes - We exclude network traffic with bytes < 64 by default because this is often failed connections from scanning IP addresses. You can raise or lower this limit via this field
• Port Configuration - The system is configured with sensible port defaults to reduce noise and only highlight critical Threat situations. Examples where we exclude Threat detections can be when we see known Bad IPs exhibiting scanning behaviour. This would be generate high volumes of low value threats (can be opted into if full visibility is desired)
  • unsafe - These ports are not considered safe to be exposed to public internet traffic (Eg Database ports or other critical services)
  • ignore - The system should ignore these ports from considering in Threat Intelligence processing
  • service - These ports are considered standard for services (generally < 1024>) which would be such as 443 for web browsing
  • unknown - All ports that do not fall into a different category, fall into this category

The solution comes configured with smart settings by default to avoid noise and overload. Example configurations built in:

• Analysis of packet count and protocol size to not alert on connections that are not successful
• Protocol type analysis to prevent common scanning setting off alerts