The Importance Of Threat Intelligence Sharing Through TAXII And STIX

Threat intelligence has been a very important asset to cybersecurity- knowing in advance some properties of malicious actors is key for preventing security incidents. Most typically these properties are IP addresses, domains, emails and file hashes, and being able to compare them to what’s happening in your infrastructure allows for quick response and prevention.

How does threat intelligence sharing work?

But how to benefit from threat intelligence and contribute to the process? It’s a complicated process of assessing a lot of data (e.g. coming from real-world alerts) and reporting malicious indicators). Different threat feeds work with different methodologies so it’s not easy to explain it in one sentence. But to put it simply, organizations and individuals compile these feeds and publish them, for free or for a fee, for others to consume.

When you get targeted by a malicious actor and are able to block the attack after being alerted by your SIEM, you can choose to publish the information about the threat (at least that’s what we allow with LogSentinel SIEM). That way you are forming your own threat feed and the information can either be consumed by others or pushed to a centralized repository.

How is cyber threat intelligence shared? (In Accordance to TAXII And STIX)

Unfortunately, there are a lot of ways that threat intelligence is shared – through custom formats, RSS feeds, plaintext files and even email lists and chat rooms. SIEM products have to support all of these variations in order to improve visibility on the current threats.

But there is also a standard way to exchange threat intelligence. And recently around the world, there have been new regulations that require support for that particular standard for consuming threat information as well as sharing it with a central feed (typically managed by a government or central bank).

That standard is TAXII 2.0/2.1. It defines a formal way for the above processes – consuming and publishing threat data. TAXII relies on another standard, STIX, to describe the threat information. That’s why both have a shared homepage, which we recommend going through. It tries to capture all the complexities of threat intelligence, and is therefore not trivial at first (e.g. compared to “one IP address per line” feeds), but if your SIEM supports it, it allows for much richer data to be consumed.

In short, TAXII is about how parties communicate to exchange threat intelligence and STIX is about describing that threat intelligence in a structured way.

Why should you care?

Cyber threat intelligence sharing is important for organizations for several reasons. First, threat detection and prevention. By tapping into the experience of others, we are all better protected. One of the things we learned from Solorigate is that we may not be sharing threat intelligence enough.

Second, for compliance reasons. If a standard or regulation requires threat sharing, it’s most likely that TAXII and STIX are required. So you must get your security tools to support those standards.

And third, because it’s the right thing to do. We are all in this digital world together and an attack against our partner can become an attack against us tomorrow. And vice versa.

That’s why threat intelligence sharing is built-in our product; we consume many open-source feeds and allow our customers to add any custom feed. But we also allow publishing any threats detected by our SIEM – to our own TAXII 2 feeds, or to a central entity.

How can LogSentinel SIEM help with TAXII and STIX?

Simplifying Security and Compliance

With Logsentinel SIEM, you will make the audits, required by STIX and TAXII, easier. LogSentinel SIEM provides flexible compliance reports, allowing you to add more reports related to threat detection. Furthermore, LogSentinel SIEM allows read-only access for auditors and can be integrated with third parties, so you can share the reports as required, without having to worry about sharing too much data.

  • Reports Overview –you can share general statistics and charts for all monitored systems and threats
  • Saved searches – you can report all records that match criteria for a certain reporting period, e.g. all threats or anomalies detected
  • Group by reports – you can share aggregation reports, grouped by one or several fields, for a better overall visualisation
Activity overview STIX TAXII

Advanced Threat Detection Capabilities

Threat detection and response STIX TAXII

The most important functionality of SIEM is not log aggregation and search, but detecting malicious behaviour in a large volume of data. We leverage rule-based and machine learning-based anomaly detection on multiple data sources to detect threats. Thanks to that,  you will be able to easily detect threats against your infrastructure. By using advanced AI technology, you will be able to analyze user behaviour and risk profile to prevent insider threats, based on data accumulated from all integrated systems. Your security team will get alerts every time when a security incident needs an immediate response. Alerts can be sent via email, SMS, or trigger other activities, as outlined in the next section.

Thanks to all that, you will gain a complete overview of your systems, and you will be able to detect and respond to threats in real-time.

Simple Deployment

Implementation is the hardest part of getting value out of a SIEM. It often involves a chaotic onboarding process, approvals from multiple departments, back-and-forth communication about permissions and integrations. LogSentinel SIEM provides templated implementation to streamline the process. Our zero-setup cloud SIEM and our open-source collector and agent can handle every system and every setup, even in complex organizations.

Are you looking for a solution to simplify TAXII and STIX compliance? Request a demo today, and see how LogSentinel SIEM can help you to cover threat intelligence sharing requirements.


Like this article? Share it with your network!