Correlating events across diverse network, database and security platforms

The Promise and Pitfalls of Threat Intelligence

Correlating events across diverse network, database and security platforms is one of ArcSight’s greatest strengths. But such correlation is only part of the answer. ArcSight is fantastic software, but to get the maximum benefit from your ArcSight ESM you have to customize it for your environment, constantly monitor it, and then triage the deluge of alerts into actionable items.

Most companies have limited internal resources and lack the time to track the Security Information and Event Management (SIEM) feeds, as well as follow the Advanced Persistent Threat (APT) blogs. Even fewer have the personnel to then review, compare and triage events using the threat feed information.

The problem is that there is too much data. Public sources often contain old information that is no longer relevant to today’s threat landscape, which results in false positives. Many proprietary sources use overly broad criteria, so harmless internet traffic triggers security alerts. In addition, each threat intelligence source classifies its data differently, making prioritization in ArcSight inconsistent. Adware and click fraud, although annoying, are only a nuisance, and your threat intelligence must classify such traffic very differently from beaconing activity to known command and control sites. With so many sources of threat data to choose from, how will you select the most valuable of them and then normalize, import, classify, obsolesce and use them appropriately?

SEMplicity ThreatCast: Leveraging the ArcSight Activate Framework

Most IT security teams have very individualized approaches to ingesting threat intel feeds into ArcSight, typically combining commercially available subscription services, open-source sites, homegrown intelligence derived from internal events, limited-access government sources, or industry-specific intelligence shared within certain verticals.

This creates a problem for security professionals: in order to standardize and share this content, they have to manage the data—deploying complex FlexConnectors and ESM content for each company, each industry, and each individual threat feed. This distraction takes up time and resources that would be better spent on threat detection and response.

Stop Reinventing the Wheel

SEMplicity ThreatCast leverages the Collective Intelligence Framework (CIF), a trusted, active, open-source project that handles the formats and protocols of up to 75 open-source intel sources (e.g., malicious indicator CSV files, bad IPv4 and IPv6 addresses, bad URLs, bad email addresses, bad user IDs and file hashes) and validates, consolidates and normalizes them into properly configured feeds. ThreatCast then integrates these feeds, together with your own custom threat intel sources, into the 20+ standard fields of the ArcSight Activate Threat Intel Schema.
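The normalize, classify and obsolesce steps raised in the earlier "too much data" paragraph, and the consolidation of differently formatted feeds that CIF performs, look roughly like the following. This is an added example written for this page; it is not SEMplicity, ArcSight or CIF code, and it does not use the CIF API or the Activate schema field names. Both feeds, the category vocabulary, the 90-day aging window and the proxy log lines are constructed for illustration; the IPs and domains are documentation ranges, not real indicators.

```python
"""Added example: normalize two differently formatted threat feeds into one
schema, age out stale indicators, rank categories consistently, and match the
result against proxy log lines. All feed data and log lines are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Each feed labels things its own way; collapse to a common category and a
# severity so that adware/click fraud never outranks beaconing to a C2 host.
CATEGORY_MAP = {
    "c2": ("c2", 9), "botnet": ("c2", 9),
    "adware": ("nuisance", 2), "clickfraud": ("nuisance", 2),
}
TYPE_MAP = {"ipv4": "ipv4", "ip": "ipv4", "domain": "domain", "fqdn": "domain"}

# Constructed feed A: CSV with one category column and date-only timestamps.
FEED_A_CSV = """indicator,type,category,last_seen
203.0.113.10,ipv4,c2,2024-05-01
198.51.100.7,ipv4,adware,2024-04-20
evil.example.net,domain,c2,2023-01-15
"""

# Constructed feed B: JSON-style records with free-form tags and ISO timestamps.
FEED_B = [
    {"value": "203.0.113.10", "kind": "ip", "tags": ["botnet", "c2"],
     "updated": "2024-05-03T00:00:00Z"},
    {"value": "click.example.org", "kind": "fqdn", "tags": ["clickfraud"],
     "updated": "2024-04-28T00:00:00Z"},
]

# Constructed proxy log lines (timestamp followed by key=value fields).
PROXY_LOG = [
    "2024-05-05T10:00:00Z src=10.0.0.5 dst=203.0.113.10 host=- uri=/gate.php",
    "2024-05-05T10:01:00Z src=10.0.0.8 dst=192.0.2.44 host=click.example.org uri=/ad",
    "2024-05-05T10:02:00Z src=10.0.0.9 dst=192.0.2.9 host=evil.example.net uri=/",
]


def parse_time(text):
    """Accept both '2024-05-01' and '2024-05-01T00:00:00Z'; return aware UTC."""
    if "T" in text:
        return datetime.fromisoformat(text.replace("Z", "+00:00"))
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def classify(labels):
    """Map a feed's own labels to (category, severity); unknown labels rank mid."""
    known = [CATEGORY_MAP[l.lower()] for l in labels if l.lower() in CATEGORY_MAP]
    return max(known, key=lambda c: c[1]) if known else ("unknown", 5)


def normalize_feed_a(text):
    for row in csv.DictReader(io.StringIO(text)):
        cat, sev = classify([row["category"]])
        yield {"indicator": row["indicator"], "type": TYPE_MAP[row["type"]],
               "category": cat, "severity": sev,
               "last_seen": parse_time(row["last_seen"]), "sources": {"feedA"}}


def normalize_feed_b(records):
    for rec in records:
        cat, sev = classify(rec["tags"])
        yield {"indicator": rec["value"], "type": TYPE_MAP[rec["kind"]],
               "category": cat, "severity": sev,
               "last_seen": parse_time(rec["updated"]), "sources": {"feedB"}}


def build_table(entries, now, max_age_days=90):
    """Drop indicators not seen within max_age_days; merge duplicates across feeds."""
    cutoff = now - timedelta(days=max_age_days)
    table = {}
    for e in entries:
        if e["last_seen"] < cutoff:
            continue  # obsolesce: stale entries mostly generate false positives
        key = (e["type"], e["indicator"])
        cur = table.get(key)
        if cur is None:
            table[key] = dict(e, sources=set(e["sources"]))
            continue
        cur["sources"] |= e["sources"]
        cur["last_seen"] = max(cur["last_seen"], e["last_seen"])
        if e["severity"] > cur["severity"]:
            cur["category"], cur["severity"] = e["category"], e["severity"]
    return table


def match_proxy_log(lines, table):
    """Return one alert per log line whose dst IP or host is in the table."""
    alerts = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        for key in (("ipv4", fields["dst"]), ("domain", fields["host"])):
            hit = table.get(key)
            if hit:
                alerts.append({"src": fields["src"], "indicator": key[1],
                               "category": hit["category"],
                               "severity": hit["severity"],
                               "sources": sorted(hit["sources"])})
    return alerts


def run(now=datetime(2024, 5, 5, tzinfo=timezone.utc)):
    """Build the merged indicator table as of `now` and match the sample log."""
    entries = list(normalize_feed_a(FEED_A_CSV)) + list(normalize_feed_b(FEED_B))
    table = build_table(entries, now)
    return table, match_proxy_log(PROXY_LOG, table)


if __name__ == "__main__":
    _, alerts = run()
    for alert in sorted(alerts, key=lambda a: -a["severity"]):
        print(alert)
```

Run as of 2024-05-05, the stale `evil.example.net` entry is aged out (so the third log line raises nothing), the C2 address reported by both feeds is merged into one entry carrying both sources, and the click-fraud host surfaces at severity 2 rather than on equal footing with the C2 hit. Real deployments would key the age window per source and per indicator type, and would carry the source's own confidence through to the schema rather than discarding it.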

Benefits of SEMplicity ThreatCast

  • Powerful and automated. By combining and aggregating the broadest array of threat intel data feeds available, ThreatCast can help you identify the most relevant threats to your business reputation, customers, or intellectual property — without you ever having to touch that part of your security infrastructure.
  • Seamless. Designed by ArcSight engineers, for ArcSight engineers, ThreatCast integrates its content and add-ons with ArcSight Activate “out of the box.” No customization required.
  • Community-based. Founded on the CIF project, ThreatCast enables development, collaboration and analysis of emerging threats among your trusted peers.
  • Professionally managed. Our experienced, 100% ArcSight focused engineers maintain and manage the ThreatCast platform, so you can devote more time and energy to detecting and responding to real threats, and less to managing the data.

How to Install ThreatCast

In most cases, all you need to install SEMplicity ThreatCast is a connector in the DMZ to forward threat intelligence to ArcSight ESM.