The Information Sharing and Analysis Organization Standards Organization (ISAO SO) hosted its second ISAO Ecosystem Spotlight webinar on May 23 on the topic of how to “Optimize ISAO Intelligence Into Your Security Workflow” with Tommy McDowell, senior director at the Retail Cyber Intelligence Center (R-CISC), and Patrick Coughlin, co-founder and COO of TruSTAR. To listen to a recording of the May 23rd Technical Spotlight, please CLICK HERE.
Together, they discussed how R-CISC has overcome challenges in setting up their threat intelligence exchange by operationalizing ISAO threat intelligence feeds so that analysts can spend less time working on data entry and more time investigating threats with the aid of third party platforms such as TruSTAR.
McDowell and Coughlin began the webinar by discussing common challenges found within organizations, noting that the most valuable security data is often locked with a company. To overcome this challenge, the goal is to breakdown internal barriers and find the “golden nuggets” of information or data that cannot be seen yet. Executives need to look beyond intelligence exchanges as being an aspirational aspect of business and move to processes that encourage an external exchange of workflow data.
Companies may also discover several operational challenges that their security teams are working to overcome including analyst burnout, unorganized data, and non-interoperable technology. By using a third-party platform, such as TruSTAR, analysts will find their workflow cycles streamlined. These intelligence platforms can extract threat indicators from email ingest and cross correlate with closed sources, for example, and help pull enclave data into products such as Splunk to show direct correlation to logs. This automated system will help analysts spend more time researching threats and less time on tedious tasks such as data entry.
McDowell continued to discuss how R-CISC works with TruSTAR to give their members options to engage with other information sharing organizations and sources such as STIX/TAXII, REST APO, native workflow apps, email and others. For instance, the TruSTAR platform provides R-CISC the capability of connecting their members into one platform where they can extract common indicators, develop connections, and work with their analysts to determine possible threat actors to continue the conversation.
Coughlin also discussed three ways to optimize intelligence for enterprise security questions. This included capitalizing on the intelligence value of event data, operationalizing ISAO relationships and other sources into security operations workflow, and engaging growing an intelligence ecosystem. McDowell then wrapped up the webinar by sharing personal examples of how R-CISC reports correlate to OSINT data in addition to best practices for exchanging threat intelligence information.
Jeremy West, an advisor to Work Groups with the ISAO SO, began the webinar by highlighting a few updates from the ISAO SO, including information about early bird registration ending soon for the International Information Sharing Conference on Sept. 11-12, 2018 and a reminder that the ISAO SO is reaching out to the information sharing community to continue to optimize their listings on ISAO.org.
The May ISAO Ecosystem Spotlight webinar is part of a new bi-monthly webinar series that launched in March 2018 to engage the greater information sharing community and provide alternating topics of interest, from Hot Topics to Technical Spotlights. The webinars are open to the entire information sharing community and registration for the webinars are free.
Slides and recordings will be available in the Past Events section of ISAO.org. Questions regarding the presentation can be directed to McDowell at firstname.lastname@example.org or Coughlin at email@example.com.
The next webinar will be held on July 25, 2018 and provide a Hot Topic Spotlight on the GDPR from Norma Krayem, senior policy advisor with Holland & Knight, and a Vendor Spotlight presentation from Wapack Labs.