TI | THREAT INTELLIGENCE

WHAT IS THREAT INTELLIGENCE?

While threat intelligence feeds and platforms introduce new data into a SIEM, EDR solution, or other technical controls, without the expertise to correctly operationalize the data, this new information is simply excess noise. When you purchase a third-party feed or platform, you are purchasing additional contextual information about potential activity in your network.

To be truly effective, you must take that contextual information and successfully implement it into a platform. To put it to work, you will need to build alarms and rules around the ingested threat intelligence, and properly tune the rules.

RedLegg’s Threat Intelligence Service not only provides your organization with a threat intelligence platform that supplies valuable threat research to your SIEM and other controls, but also brings a team of subject matter experts to operationalize that data within your enterprise.


FEED INFORMATION

RedLegg’s Threat Intelligence Service implements a custom-curated threat intelligence platform to augment your current SIEM deployment, providing up-to-date, high-confidence intelligence. Unlike most threat intelligence feeds and platforms, which are singularly focused on threat research, RedLegg collects data from the following sources:

CORRELATED DATA

Unique to RedLegg’s Threat Intelligence Platform, RedLegg extracts IOCs and observables from confirmed cases across our customer base, providing actual attack data to the platform.

PREMIUM

This is threat research performed by various third parties and distributed in various premium feeds that are ingested into the RedLegg Threat Intelligence Platform.

ORIGINAL RESEARCH

This is threat research conducted by RedLegg and provided through honeypots, malware reverse engineering, and threat hunting.

OPEN-SOURCE

This is threat research provided by various organizations and made available to the public.

THREAT INTELLIGENCE SERVICES AND PRODUCTS

Threat Intelligence provides important enhancements to the correlated logs generated by the SIEM. However, that data can hold little value if it is not operationalized effectively. As part of operationalization, RedLegg reviews the various IOCs and observables in the threat feed, compares them to the monitored log sources, and creates rules and alarms based on this information, helping to detect and respond to threats and attacks quickly.

RedLegg’s Threat Intelligence Service differentiates itself from typical threat intelligence feeds and platforms.

OPERATIONAL

RedLegg operationalizes your threat intelligence by creating, implementing, and tuning new alarms and alerts.

INSTALLATION

RedLegg installs only those alarms and alerts that are necessary to the customer environment, creating a more reliable SIEM.

REVIEW

RedLegg consistently reviews and curates the intelligence to ensure its continued relevance.

PLATFORM

RedLegg Threat Intelligence Platform supplies valuable threat research to your SIEM and other controls.

CORRELATION

Correlated attack data gathered across all RedLegg TI customers.

FEEDS

RedLegg implements a custom-curated threat intelligence platform and collects data from customer correlation as well as the following:

  • Third-party premium threat intelligence feed
  • Original threat research
  • Third-party, open-source threat intelligence feeds

INTELLIGENCE COLLECTION FEATURES

RedLegg aggregates this collected data and assigns reliability scores based on threat and presence. Data is de-duplicated to maintain performance and efficiency. The data set contains potential threat actors and domains that have achieved a low reputation due to detected and reported activity, as well as malicious hosts, URLs, IPs, file hashes, and other observables identified by the RedLegg Managed Security Services team; these items are added to the Intelligence Feed as well.

HIGH CONFIDENCE

Objects collected for the RedLegg Threat Intelligence Service have been actively observed participating in malicious behavior and have been correlated to reduce the possibility of false positives. Hosts that have not demonstrated bad activity after a period of time will have their risk ratings lowered, but not removed altogether.

UP-TO-DATE

It is important to always use current data, as new bad actors appear daily. To stay ahead of the game, RedLegg utilizes data that is updated multiple times per day to ensure that lists contain the most currently identified risks.

CATEGORIZED

Understanding the type of activity that a bad host or site represents is key to understanding the potential threats within a network. To this end, the RedLegg Threat Intelligence Service contains entries in many categories, allowing constant vigilance of bad actors. This setup grants RedLegg the ability to assist you with keeping control of the areas containing the highest levels of risk to an organization’s network.
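As an added illustration of the feed handling described above (de-duplicating entries, raising confidence when independent sources corroborate an indicator, lowering but never removing the rating of hosts that go quiet, and comparing the feed against monitored logs to raise alarms), the following is example code written for this page, not RedLegg's platform. The scoring weights, the 90-day staleness window, the feed entries and the log lines are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample feed entries: (indicator, source, last_seen). Not real data.
SAMPLE_FEED = [
    ("203.0.113.7", "premium-a", "2024-05-01"),
    ("203.0.113.7", "customer-correlation", "2024-05-02"),
    ("203.0.113.7", "premium-a", "2024-05-01"),      # exact duplicate, collapsed
    ("bad.example.net", "open-source", "2024-01-10"),  # single source, gone stale
]

# Constructed log lines in a simple "timestamp src dst port" shape.
SAMPLE_LOGS = [
    "2024-05-03T10:00:00 10.0.0.5 203.0.113.7 443",
    "2024-05-03T10:00:05 10.0.0.6 198.51.100.20 443",
    "2024-05-03T10:00:09 10.0.0.7 bad.example.net 80",
]

NOW = datetime(2024, 5, 3)  # assumed evaluation time for the sample data


@dataclass
class Indicator:
    value: str
    sources: set = field(default_factory=set)
    last_seen: datetime = datetime.min

    def risk(self, now: datetime, stale_after: timedelta = timedelta(days=90)) -> int:
        # Confidence rises with each independent corroborating source (cap 100).
        base = min(100, 50 + 25 * (len(self.sources) - 1))
        # Quiet entries are downgraded, never dropped: a floor of 10 keeps them.
        if now - self.last_seen > stale_after:
            return max(10, base // 2)
        return base


def build_feed(raw) -> dict:
    """Merge raw feed rows by indicator value; duplicates collapse into one entry."""
    feed = {}
    for value, source, seen in raw:
        ind = feed.setdefault(value, Indicator(value))
        ind.sources.add(source)
        ind.last_seen = max(ind.last_seen, datetime.fromisoformat(seen))
    return feed


def match_logs(feed, logs, now, threshold=40):
    """Raise an alarm for each log line whose destination meets the risk threshold."""
    alerts = []
    for line in logs:
        ts, src, dst, _port = line.split()
        ind = feed.get(dst)
        if ind and ind.risk(now) >= threshold:
            alerts.append((ts, src, dst, ind.risk(now)))
    return alerts
```

With these assumptions the corroborated address alerts at risk 75, while the stale open-source domain stays in the feed at risk 25 and falls below the alarm threshold.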


OUR APPROACH

RedLegg is an innovative, global security firm that delivers managed cybersecurity solutions and peace of mind to its clients.

RedLegg’s approach to information security protects the confidentiality, integrity, and availability of critical data based on a sound risk management framework. This approach allows organizations to engage business owners in defining acceptable levels of risk and to participate in the process for evaluating threats.

RedLegg’s ARMEE (Assess, Remediate, Monitor, Educate, Enforce) methodology institutes a lifecycle that allows for an ongoing process to continuously improve the security posture of the organization. This methodology is designed to be portable to all business, legal, regulatory, and security requirements of the organization. It is flexible enough to account for the constant flux in the marketplace, attack vectors, and protection mechanisms.

The final step in RedLegg’s ARMEE methodology is to implement solutions that enforce security measures needed to protect against threats that may affect an organization’s core business.
