Nowadays, it is common for SOC teams to collect threat information from multiple sources. However, not all information gathered is equally significant.
Intel gathered from a reliable source can be far more effective in identifying high-priority threats than noisy, vague information aggregated from many sources. Moreover, organizations in certain sectors are often targeted with tailored threats that need to be surfaced rather than buried among generic alerts.
While every intel alert deserves attention, analysts also need a quick reference for which ones require timely action. This is where the Cyware Confidence Score comes into play.
How does it work?
The Cyware Confidence Score denotes how relevant a threat is to a specific organization, based on a set of customizable parameters. During intel collection, threat investigation, and collaboration, this score gives a fine-grained view of the relevance of different threats within the context of the member organization. Members customize how the score is calculated by assigning different weights to parameters such as the source of the information, the number of threat sightings, relations with other threats, the traffic light protocol (TLP) rating, geography, organization sector, and file types. The weighted result is expressed as a percentage, and the criteria that feed it are selected by the admin.
For example, an organization operating in the North America region may want to focus on indicators that have been sighted more than 10 times in their region, carry a red or amber TLP rating, and were shared by a trusted source. The Cyware Confidence Score configuration lets admins express this and other such scenarios directly in the weighting.
Focusing on what matters more
The ‘Threat Data’ section in CTIX now displays the Cyware Confidence Score alongside every indicator. A Cyware Confidence Score Calculator has also been added to the Indicator page, so that a user can recompute the score for a specific indicator with custom weight values without changing the main configuration.
Since CTIX uses a hub-and-spoke model, the Cyware Confidence Score changes dynamically as information is exchanged between the CTIX Hub and its Spokes.
For example, if a certain indicator is shared by one of the spokes, it is assigned a score based on the criteria set by the admin. If another spoke is also affected by the same indicator and shares it with the Hub, the indicator's score is automatically updated to reflect the increased number of occurrences. Analysts thus get a real-time view of the significance of each alert.
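To make the two ideas above concrete, the weighted percentage score and the hub rescoring an indicator as a second spoke confirms it, here is a small model written for this page. It is an added example, not Cyware's or CTIX's code, and nothing in it reflects how the product actually computes the score: the parameter names, the per-parameter scorers, the weights, the trusted-source list and the two sample spoke reports are all assumptions chosen to mirror the North America / 10 sightings / red-or-amber / trusted-source scenario described earlier.

```python
"""Weighted, admin-configurable confidence score for threat indicators.

Added example, not Cyware's code. Models the kind of scoring described in
the post: several parameters each scored 0..1, weighted by an admin,
normalised to a percentage, and recomputed as spokes report the same
indicator to a hub. All names, weights, scorers and data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

TLP_RANK = {"red": 1.0, "amber": 0.75, "green": 0.4, "white": 0.1}


@dataclass
class Indicator:
    value: str
    source: str
    tlp: str
    sightings: int = 0
    related: Set[str] = field(default_factory=set)   # ids of linked threats
    regions: Set[str] = field(default_factory=set)   # where it was sighted
    sectors: Set[str] = field(default_factory=set)   # sectors reporting it
    file_type: Optional[str] = None


# Assumed admin configuration for a North American finance organisation.
CONFIG = {
    "trusted_sources": {"isac-feed"},
    "sightings_cap": 10,          # 10 or more sightings scores full marks
    "relations_cap": 5,
    "home_regions": {"North America"},
    "home_sectors": {"finance"},
    "watched_file_types": {"exe", "dll", "js"},
}

# Assumed admin weights; they need not sum to 100, the score is normalised.
WEIGHTS = {"source": 25, "sightings": 25, "relations": 10, "tlp": 20,
           "geography": 10, "sector": 5, "file_type": 5}

# One scorer per parameter, each mapping an indicator to 0.0..1.0.
SCORERS: Dict[str, Callable[[Indicator, dict], float]] = {
    "source":    lambda i, c: 1.0 if i.source in c["trusted_sources"] else 0.3,
    "sightings": lambda i, c: min(i.sightings / c["sightings_cap"], 1.0),
    "relations": lambda i, c: min(len(i.related) / c["relations_cap"], 1.0),
    "tlp":       lambda i, c: TLP_RANK.get(i.tlp.lower(), 0.0),  # unknown TLP scores 0
    "geography": lambda i, c: 1.0 if i.regions & c["home_regions"] else 0.0,
    "sector":    lambda i, c: 1.0 if i.sectors & c["home_sectors"] else 0.0,
    "file_type": lambda i, c: 1.0 if i.file_type in c["watched_file_types"] else 0.0,
}


def confidence_score(ind: Indicator, weights=WEIGHTS, cfg=CONFIG) -> float:
    """Weighted sum of per-parameter scores, normalised to a 0..100 percentage."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    raw = sum(w * SCORERS[name](ind, cfg) for name, w in weights.items())
    return round(100.0 * raw / total, 1)


class Hub:
    """Merges spoke reports of the same indicator and rescores on each update."""

    def __init__(self, weights=WEIGHTS, cfg=CONFIG):
        self.weights, self.cfg = weights, cfg
        self.indicators: Dict[str, Indicator] = {}

    def ingest(self, report: Indicator) -> float:
        cur = self.indicators.setdefault(
            report.value, Indicator(report.value, report.source, report.tlp))
        cur.sightings += report.sightings            # occurrences accumulate
        cur.related |= report.related
        cur.regions |= report.regions
        cur.sectors |= report.sectors
        cur.file_type = cur.file_type or report.file_type
        if TLP_RANK.get(report.tlp, 0) > TLP_RANK.get(cur.tlp, 0):
            cur.tlp = report.tlp                     # keep the most restrictive TLP
        if report.source in self.cfg["trusted_sources"]:
            cur.source = report.source               # a trusted confirmation upgrades provenance
        return confidence_score(cur, self.weights, self.cfg)


def demo():
    """Two spokes report the same IP (constructed sample data, not real intel)."""
    hub = Hub()
    first = hub.ingest(Indicator("198.51.100.23", "spoke-a-siem", "amber",
                                 sightings=3, related={"campaign-x"},
                                 regions={"North America"}, sectors={"finance"}))
    second = hub.ingest(Indicator("198.51.100.23", "isac-feed", "red",
                                  sightings=7, related={"campaign-x", "apt-y"},
                                  regions={"Europe"}, sectors={"finance"}))
    return first, second


if __name__ == "__main__":
    a, b = demo()
    print(f"after spoke A: {a}%   after spoke B confirms it: {b}%")
```

In the constructed run the first report from an untrusted spoke SIEM scores 47.0%, and the same IP climbs to 89.0% once a trusted feed confirms it with more sightings, more related threats and a stricter TLP. The point of the design is the one the post makes: the parameters are fixed by the admin, so analysts compare indicators on a single scale, while the Calculator use case maps to calling `confidence_score` with a different `weights` mapping for one indicator without touching `WEIGHTS`.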
With this new feature, analysts can filter the ocean of information arriving from various sources and focus their attention on the threats that are relevant to them. With limited time and resources, security teams can make a greater impact by leveraging this feature.
Posted on: March 01, 2019