Cybersecurity challenges
Cybersecurity is a major concern for all companies, and early threat detection is essential to prevent incidents and protect assets. Defants, a specialist in threat investigation solutions, has taken a strategic step by integrating Sekoia.io’s Cyber Threat Intelligence (CTI) into its AIR platform.
In this article, we explore the reasons for this integration, how it works, and the benefits it brings.

Sekoia.io: What is it?
Sekoia.io is a CTI (Cyber Threat Intelligence) platform known for its ability to provide in-depth and contextualized information on cyber threats.
Here are its key features:
- In-depth threat understanding: Sekoia.io collects and analyzes information from multiple sources to identify threat trends and patterns. This capability allows companies to understand current and emerging threats.
- Threat contextualization: The platform links indicators of compromise (IoCs) to specific malicious actors, campaigns, and employed techniques. This helps analysts understand not only what is happening but also why and how an attack might occur.
- Continuous monitoring: Sekoia.io provides continuous threat monitoring, enabling companies to stay informed about developments and prepare against future attacks.

Defants AIR: What is it?
Defants AIR is a threat investigation platform designed to help companies effectively respond to security incidents.
Its key features include:
Knowledge graph:
- The graph model is a visual representation of relationships between entities (e.g., users, machines, domains, files) in an IT environment.
- In Defants AIR, this model links information collected during an investigation. For example, if a user opens a malicious file, the graph will show connections to other users, involved machines, and associated IoCs.
- Analysts can explore these relationships to understand how the incident spread and identify other potentially affected network areas.
Collaborative timeline:
- Timelines are essential for understanding the sequence of events during an incident.
- The collaborative timeline allows multiple analysts to work together on the same timeline. They can add events, notes, and comments in real time. For instance, one analyst might note that a user opened a phishing email at 10:00 AM, and another might add that the same user visited a malicious site at 10:30 AM.
- This real-time collaboration facilitates coordination and mutual understanding among team members.
Automation of repetitive tasks:
- Investigations often involve repetitive tasks, such as log checking, searching for indicators of compromise, and event correlation. Defants AIR automates these tasks to save time and reduce human error. For example, when an analyst identifies a suspicious IoC, the system can automatically search for all occurrences of this IoC in logs and reports. This allows analysts to focus on in-depth analysis rather than tedious manual tasks.
In summary, Defants AIR offers powerful tools for conducting thorough investigations, collaborating effectively, and accelerating threat detection.

How does Sekoia.io integrate with Defants AIR?
The integration of Sekoia.io into Defants AIR is seamless and effective, combining the strengths of both platforms to offer a robust security solution.
Here are the main aspects of this integration:
- Data ingestion: Sekoia.io feeds Defants AIR with up-to-date threat information. This data ingestion occurs in real time, ensuring that the information used for investigations is always current.
- Alert enrichment: When an alert is generated in Defants AIR, it is immediately enriched with contextual data from Sekoia.io. This includes information on IoCs, attacker tactics, techniques, and procedures (TTPs), as well as links to detailed threat reports.
- Investigation automation: The enriched data enables analysts to conduct investigations more quickly and efficiently. Investigation processes can be automated using playbooks that incorporate Sekoia.io information, reducing the time needed to identify and mitigate threats.
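As an added illustration of two steps described on this page, the automated search for every occurrence of an IoC (under "Automation of repetitive tasks") and the alert enrichment described in this section, here is a small Python sketch. It is not Defants AIR or Sekoia.io code and does not use either product's API: the indicator feed records, the key=value log lines, the field-to-observable mapping, the `https://cti.example/...` report URLs and the `ACTOR-PLACEHOLDER` / `CAMPAIGN-PLACEHOLDER` values are all constructed for the example.

```python
# Added illustration: match an alert's observables against a CTI indicator
# feed, attach the matching context (actor, campaign, TTPs, report), then
# pivot into logs for other occurrences of a matched IoC and the hosts and
# users linked to it. Not Defants AIR or Sekoia.io code; the feed shape, log
# format, field names and placeholder values are assumptions.
from typing import Any, Dict, List, Tuple

Indicator = Dict[str, Any]

# Constructed indicator feed (shape assumed; actor/campaign/report are placeholders).
CTI_FEED: List[Indicator] = [
    {"type": "domain", "value": "update-check.example",
     "actor": "ACTOR-PLACEHOLDER", "campaign": "CAMPAIGN-PLACEHOLDER",
     "ttps": ["T1071.001"], "report": "https://cti.example/report/1"},
    {"type": "sha256", "value": "a" * 64,
     "actor": "ACTOR-PLACEHOLDER", "campaign": "CAMPAIGN-PLACEHOLDER",
     "ttps": ["T1204.002"], "report": "https://cti.example/report/2"},
    {"type": "ipv4", "value": "203.0.113.45",
     "actor": "ACTOR-PLACEHOLDER", "campaign": "CAMPAIGN-PLACEHOLDER",
     "ttps": ["T1071.001", "T1041"], "report": "https://cti.example/report/3"},
]

# Constructed key=value log lines, as a SIEM export might look.
LOGS: List[str] = [
    "ts=2024-05-01T10:00:12Z host=wks-01 user=alice event=dns query=update-check.example",
    "ts=2024-05-01T10:03:40Z host=wks-01 user=alice event=file_create sha256=" + "a" * 64,
    "ts=2024-05-01T10:30:05Z host=wks-07 user=bob event=dns query=update-check.example",
    "ts=2024-05-01T10:31:00Z host=wks-07 user=bob event=net_conn dst=203.0.113.45",
    "ts=2024-05-01T11:00:00Z host=srv-02 user=svc-backup event=dns query=intranet.example",
]

# Which log field carries which observable type (assumed mapping).
OBSERVABLE_FIELDS = {"query": "domain", "sha256": "sha256", "dst": "ipv4"}


def index_feed(feed: List[Indicator]) -> Dict[Tuple[str, str], Indicator]:
    """Key indicators by (type, value) so alert observables match in O(1)."""
    return {(str(i["type"]), str(i["value"])): i for i in feed}


def parse_log(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (values contain no spaces here)."""
    return dict(kv.split("=", 1) for kv in line.split())


def enrich_alert(alert: Dict[str, Any],
                 index: Dict[Tuple[str, str], Indicator]) -> Dict[str, Any]:
    """Return a copy of the alert with CTI context attached for every matched observable."""
    matches = []
    for obs in alert["observables"]:
        ind = index.get((obs["type"], obs["value"]))
        if ind is not None:
            matches.append({"observable": obs["value"], "actor": ind["actor"],
                            "campaign": ind["campaign"], "ttps": list(ind["ttps"]),
                            "report": ind["report"]})
    enriched = dict(alert)
    enriched["cti_matches"] = matches
    # Union of TTPs across all matches, deduplicated and sorted for stable output.
    enriched["ttps"] = sorted({t for m in matches for t in m["ttps"]})
    return enriched


def find_occurrences(ioc_value: str, log_lines: List[str]) -> List[Dict[str, str]]:
    """Pivot: every parsed log record carrying the IoC in an observable field."""
    return [rec for rec in map(parse_log, log_lines)
            if any(rec.get(field) == ioc_value for field in OBSERVABLE_FIELDS)]


def related_entities(ioc_value: str, log_lines: List[str]) -> Dict[str, List[str]]:
    """Hosts and users linked to the IoC: the edges a knowledge graph would draw."""
    hits = find_occurrences(ioc_value, log_lines)
    return {"hosts": sorted({h["host"] for h in hits}),
            "users": sorted({h["user"] for h in hits})}


if __name__ == "__main__":
    idx = index_feed(CTI_FEED)
    # Constructed alert: one observable is in the feed, the other is unknown.
    alert = {"id": "ALERT-1", "host": "wks-01",
             "observables": [{"type": "domain", "value": "update-check.example"},
                             {"type": "sha256", "value": "b" * 64}]}
    enriched = enrich_alert(alert, idx)
    print("TTPs:", enriched["ttps"], "matches:", len(enriched["cti_matches"]))
    for m in enriched["cti_matches"]:
        print(m["observable"], "->", related_entities(m["observable"], LOGS))
```

The pivot in `related_entities` is what turns one matched indicator into a second affected host (`wks-07`) and user (`bob`) that the original alert on `wks-01` never mentioned; that second hop is the kind of relationship the knowledge graph surfaces and the kind of search the automation is meant to take off the analyst's hands.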
The integration of Sekoia.io into Defants AIR brings several significant benefits:
- Increased accuracy in threat detection: Alerts enriched with contextual information are more accurate, reducing the number of false positives and allowing analysts to focus on real threats.
- Faster incident response: The contextual information provided by Sekoia.io enables analysts to quickly understand the nature and scope of threats, speeding up the response process.
- Enriched investigation data: Detailed profiles of threat actors, information on campaigns, and the techniques used give analysts a deep understanding of threats, improving the quality of investigations.
- Reduced manual load for analysts: Automating repetitive tasks and enriching data allow analysts to focus on higher-value tasks, improving the overall efficiency of the security team.
Future perspectives
The integration of Sekoia.io into Defants AIR is just the beginning.
In the future, we aim to further enhance this integration by:
- Leveraging threat scores: We plan to incorporate Sekoia.io’s threat scores to more accurately assess the criticality of incidents and prioritize responses accordingly.
- Integrating advanced machine learning features: By utilizing machine learning techniques, we could improve threat detection and provide more effective responses based on predictive models.
- Developing automated response capabilities: Future integration might include automated response capabilities, where systems can take proactive measures to neutralize threats without human intervention.
The strength of the collective
The integration of Sekoia.io’s CTI into Defants AIR significantly enhances the platform’s threat detection and response capabilities. By combining the strengths of these two tools, companies benefit from improved accuracy in threat identification, faster incident response, and a reduced workload for analysts. This promising collaboration paves the way for future improvements, further strengthening the security posture of businesses.


