Block Malicious Threat Indicators on Blue Coat
Category: Network Security, Case/Ticket Management
Cyware Products Used:
Intel Exchange
Orchestrate
Third-Party Integrations Used:
Symantec Bluecoat ProxySG: Network Security tool to block malicious indicators.
ServiceNow ITSM: To create ITSM tickets to track the activities on the IOCs.
Problem Statement
Security analysts ingest threat intelligence data from various sources, correlate it for analysis, make the intel relevant to their environment, and forward the findings so that the threat can be blocked proactively in their network. In practice, analyzing the many intel feeds received from internal and external sources becomes challenging for analysts.
Additionally, given the ever-widening range of threats and the time human analysts spend on threat hunting tasks, automated analysis of threat data becomes essential.
Solution
Intel Exchange and Orchestrate applications work together to help your analyst perform continuous analysis of threat data and take necessary action to defend against malicious indicators. This section describes how to automate the detection and response workflow for analysts.
How do we solve this problem?
A playbook workflow assists security teams in automatically detecting indicators and blocking them on the Symantec Blue Coat ProxySG tool.
Threat Intelligence Ingestion: Intel Exchange retrieves threat intelligence data from various internal and external sources. After ingesting intel, Intel Exchange processes and stores this information for filtering.
Indicator Filtering: The Intel Exchange Rule engine automatically extracts malicious indicators based on the Intel Exchange confidence score or any other configured conditions. The confidence score is a weighted average of four parameters: Source Sightings, Threat Relations, Enrichment Policy, and Source Confidence. An individual score is calculated for each parameter, and the overall confidence score is the weighted sum of these four scores. The weight of each score depends on the significance of the parameter and on whether data for it is available.
Intel Processing: The playbook retrieves all the indicators identified as malicious from the Intel Exchange application and maps them appropriately with the indicator type such as IP address, URL, and Domain.
Intel Actioning: The playbook blocks the malicious indicators on the Symantec BlueCoat ProxySG tool.
Response and Remediation: After blocking the malicious indicator, the playbook performs the following actions.
Updates the respective indicators on the Intel Exchange application using the Blocked on Blue Coat tag. Notes are also added to indicators to provide more information to the analysts. Threat intel analysts get to know that the indicator is malicious and is already blocked on the Blue Coat application.
Creates ITSM tickets to contain a record of all the identified malicious indicators. Once the indicator is blocked on Blue Coat, the ServiceNow ticket is updated and closed to ensure synchronization.
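The workflow above (weighted confidence scoring, filtering, indicator-type mapping, block, tag and note, ticket create and close), simulated in Python as an added example that is not Cyware's code. The weights, the block threshold, the renormalization of weights when a parameter has no data, the sample indicators and the ticket identifiers are all assumptions constructed for illustration; no Blue Coat or ServiceNow API is called.

```python
import ipaddress

# Assumed weights for the four parameters the page names (the page gives no values).
WEIGHTS = {"source_sightings": 0.2, "threat_relations": 0.3,
           "enrichment_policy": 0.2, "source_confidence": 0.3}
BLOCK_THRESHOLD = 70  # assumed filtering condition on the confidence score

def confidence_score(scores):
    """Weighted sum of per-parameter scores (0-100). A parameter whose
    score is None has no data, so its weight is dropped and the remaining
    weights are renormalized (our assumption of how availability is handled)."""
    available = {k: w for k, w in WEIGHTS.items() if scores.get(k) is not None}
    total = sum(available.values())
    return round(sum(w * scores[k] for k, w in available.items()) / total, 1)

def indicator_type(value):
    """Map an indicator to the types the playbook blocks: ip, url or domain."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    return "url" if "://" in value or "/" in value else "domain"

def run_playbook(indicators, threshold=BLOCK_THRESHOLD):
    """Return one action record per indicator that met the threshold."""
    actions = []
    for ind in indicators:
        score = confidence_score(ind["scores"])
        if score < threshold:
            continue  # not malicious enough; left untouched
        ticket_id = f"TICKET-PLACEHOLDER-{len(actions) + 1}"   # ITSM record created first
        actions.append({
            "value": ind["value"], "type": indicator_type(ind["value"]),
            "confidence": score, "blocked_on": "Symantec Blue Coat ProxySG",
            "tags": ["Blocked on Blue Coat"],
            "note": f"Blocked automatically at confidence {score}",
            "ticket": {"id": ticket_id, "state": "closed"},  # closed after the block
        })
    return actions

# Constructed sample indicators (documentation-reserved addresses and .example names).
SAMPLE = [
    {"value": "198.51.100.23", "scores": {"source_sightings": 90, "threat_relations": 80,
                                          "enrichment_policy": 70, "source_confidence": 85}},
    {"value": "http://malware.example/payload", "scores": {"source_sightings": 60,
        "threat_relations": 90, "enrichment_policy": 80, "source_confidence": 70}},
    {"value": "benign.example", "scores": {"source_sightings": 30, "threat_relations": 20,
                                           "enrichment_policy": 40, "source_confidence": 50}},
    {"value": "bad.example", "scores": {"source_sightings": 80, "threat_relations": 70,
                                        "enrichment_policy": None, "source_confidence": 90}},
]
```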
Benefits
Accelerated Incident Response
The solution expedites incident response processes with automated playbooks enabling security teams to focus on other important tasks that need human analysis and decision-making.
Reduced MTTD and MTTR
The solution helps organizations to reduce both Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) by validating and remediating security alerts within minutes.