Hello and welcome to Module three of the Advanced Cyber Threat Intelligence course. In this module we're going to talk about how information can be shared within your CTI program, and as part of that discussion we'll be looking at several different tools and some websites. This will give the analyst a little bit of a better overview of some of the different ways and different methodologies that are popular these days for doing cyber threat analysis.

One of the big challenges for any kind of delivery of this type of information is trying to make sure that you understand your audience. There are producers of CTI and there are consumers of CTI, and as a producer, you want to make sure that what you're creating is in an acceptable format and is consistent in its look and feel, so that the people doing the consumption of the intelligence have an easier go of it. It's also critical to make sure that any kind of standards or templates that are already in use within the organization are utilized. You don't want to have reporting or other kinds of information sharing that is in a different format from what is expected. It's always a good idea to do that little bit of research ahead of time to make sure that you're going to be consistent with what's already been done previously.

So, as we'll see, we've got several tools coming up that will give the analyst a little bit of a better overview of what's out there in the marketplace. We'll also spend a little bit of time looking into what YARA rules are and what STIX does, as well as CybOX and TAXII. These are all complementary technologies which can help by being able to be integrated into use with other tools, and as we'll see, there are lots of different ways to use these various technologies to help the analyst with their goals. Lastly, we'll spend some time touching on different reporting methods and some different aspects of using this mechanism to get the right information in front of someone who's making a risk-based decision.

So one of the big challenges these days is trying to decide whether or not the solution for CTI should be hosted on premises or using a cloud-based solution. There are certainly benefits to both. For instance, the cloud-based solution is certainly more flexible, because the analyst and others who need this information can get to it from anywhere there's an Internet connection. The vendor that provides the solution is obviously taking care of all of the infrastructure on their end, and that relieves that burden from the organization. The downside, of course, might be some concerns about accessing the environment securely, and whether or not there are vulnerabilities in your browser that might be exploited, and so on. There are certainly some cybersecurity concerns that would need to be addressed in order for a typical high-security organization to feel comfortable with the cloud solution.

On the other hand, having the tools on premises gives more complete control over all security aspects, because you're using it within your security perimeter. This is also another reason why you might have higher performance and more usability: if everything is hosted locally, since you're not going over the Internet, there could be some small performance factors to consider there. Another advantage of on-premises hosting is that the people who maintain the infrastructure are doing it in a holistic fashion. The assets that are being studied and analyzed by the CTI tools are right there in the same data center as the tools themselves. The downside, of course, would be having to maintain the infrastructure, which adds some expense to the organization's bottom line, since you have to deal with staffing, support contracts, buying hardware and software, and so on. So there's a little bit of extra expense associated with on premises, but the upside is that you get full control over it.
All right, so first let's have a look at CrowdStrike. They have their Falcon platform, which is a pretty popular tool that can be integrated into your environment. It's a cloud-based solution, as we see here, and it can be integrated with your SIEM device and so on. They have an agent that goes on your systems, and you get antivirus, managed threat hunting, threat intelligence and some other capabilities. If you do request a demo from CrowdStrike, they will contact you, and you have to set that up with them. You can see a demo that's hosted twice a week. There's also a self-guided product tour, so you can join the weekly demo or look at the product tour and just kind of scroll through all the interfaces and settings. It tells you basically what the product does, using machine learning to do some of its actions. It can detect and block malware, and then, of course, do other things like blocking exploits, trying to maintain containment, search capabilities and reporting capabilities. You get the basic idea here, so there's definitely some things to look into for CrowdStrike. And if you get yourself a demo, you have 30 days or so to play with that and find out if it's a good fit for your organization.
Then we have AlienVault. They have USM Anywhere and USM Appliance. USM Anywhere is intended as their cloud-based solution, and then the Appliance is the locally hosted version of their tools. So Unified Security Management, that's what USM stands for. And you can also see an online demo, which is kind of interesting, so we'll have a look at that here in a moment. CrowdStrike, they have some reasonably interactive information on their website to show you what the interface looks like, and show you some of the different capabilities that they have, like integration with your SIEM device.

Let's go ahead and look at the demo. When you register for the demo, you automatically get logged in, and they also give you the credentials if you want to return to look at it a little bit later. Now this is the USM Anywhere demo. You can also demo the on-premises appliance, and they're both pretty useful. They look kind of similar, and you get the typical kinds of dashboards for events that you'd expect to see: looking at my different data sources, my different assets, different numbers of vulnerabilities that have been discovered. I can drill down and look at some of these things in more detail. There is also a guided tour that you can select if you want to dig in a little bit in a more directed way. Using the online demos is a great way to see what the product can do and what kinds of information it can provide your organization.

I can look at all of my different events, seeing what kind of activities are going on in my organization, and we get some pretty typical types of listings here. Clicking on an item gives me more detail about it, of course, so this is really useful. And since the demo is free, you can poke around to your heart's content. Looking at my listing of assets, we can see there are ways to do some filtering, and several different ways of generating reports. I believe the interface is restricted for the demo, because normally there'd be more reports here available to the analyst.

Anyway, so that's a quick overview of CrowdStrike and AlienVault. I hope that that's at least piqued your interest a little bit into perhaps trying a demo of these products on your own and seeing what you can do with them.