Winning Through Automated Sharing of Threat Information
- Pavan Raja
- Apr 9
- 4 min read
Summary:
This document opens with HP's standard forward-looking-statement notice: the roadmap items, product plans, capabilities and availability dates it describes are subject to substantial uncertainty and may change without notice, and the material is HP confidential unless disclosed under a Confidential Disclosure Agreement (CDA) or the specific terms stated for non-CDA recipients.
The document then addresses the challenge of sophisticated cyber attacks and proposes Threat Central as a platform for real-time, scalable, comprehensive and trustworthy threat-intelligence sharing among organizations, so that participants detect threats collaboratively and shorten response times. Threat Central builds on HP ArcSight technology and uses ArcSight's Common Event Format (CEF) as the standardized format for exchanging event data.
Key features of the Threat Central (TC) Server include collection of data from many sensors; threat intelligence drawn from DVLabs, RepDV and HP Security Research; reuse of ArcSight ESM to produce and consume intelligence; a workflow that runs from recording a malicious event through analysis and mitigation to sharing the mitigation with other members; deployment into distinct sharing communities with their own whitelists, blacklists, statistics, query support, confidentiality controls and sharing policies; support for the open standards STIX and IODEF; and use cases such as community malware analysis.
In summary, Threat Central (TC) Server from HP aims to provide robust data collection and sharing functionalities across various sectors, utilizing advanced threat intelligence tools and supporting open standards for interoperability in the cybersecurity ecosystem.
Details:
The document begins with HP's forward-looking-statement notice covering future operations, product development, capabilities and availability dates. Such statements are subject to substantial uncertainty and may change without prior notification, and the content is HP confidential unless legally disclosed under a valid Confidential Disclosure Agreement (CDA) or under the specific terms set out for non-CDA holders.
The document discusses the increasing sophistication of cyber attacks, which pose significant challenges for enterprises. Current methods of sharing threat information are manual, slow, and suffer from limited participation, making them less effective in defending against such sophisticated attacks. The solution proposed is Threat Central, a platform designed for real-time, scalable, comprehensive, and trustworthy threat intelligence sharing among organizations.
Threat Central aims to harness a community by sharing threat intelligence securely, confidentially and in real time so that members can identify, mitigate and prevent advanced attacks. Alongside raw indicators it distributes detection rules and mitigating actions, and by analysing data from many sources it offers a global view of the threat landscape. Automated collaboration in detection is emphasised because it shortens response times and lets defenders prioritise security measures more accurately.
HP's stated advantage is that Threat Central is built on ArcSight technology: ArcSight's Common Event Format (CEF) gives participants a standardized, machine-readable way to describe events, which makes collaborative anomaly detection across organizations practical and raises the overall effectiveness of the defence.
The document outlines the features and capabilities of Hewlett-Packard's Threat Central (TC) Server, designed to facilitate sharing data with other systems. Key points include:
1. Comprehensive Data Collection: TC Server collects data from multiple sensors and is positioned for sectors such as the Financial Services Industry (FSI), the Defense Industrial Base (DIB) and the Public Sector. HP's existing footprint in these sectors is presented as the basis for quick adoption and scale.
2. Threat Intelligence Expertise: The TC Server integrates expertise from DV Labs, RepDV, and HP Security Research, providing advanced threat intelligence capabilities to its users.
3. Utilization of ArcSight ESM Technology: TC Server can leverage existing deployments of ArcSight Enterprise Security Manager (ESM) both to produce threat intelligence from local events and to consume intelligence shared by the community.
4. Workflow within TC Server: The workflow includes steps such as recording a malicious event, analyzing the incident, taking mitigating actions, and sharing the mitigation details among multiple organizations.
5. Deployment in Communities: TC Server can be deployed for different sharing communities, each with its own data-handling capabilities such as whitelists, blacklists, statistical analysis, query support, confidentiality protection and policy-driven sharing rules.
6. Support for Open Standards: The document mentions that Threat Central (TC) Server supports open standards such as STIX (Structured Threat Information eXpression) and IODEF (Incident Object Description Exchange Format). This enables interoperability with non-ArcSight clients by allowing them to participate in the TC community effectively.
7. Use Cases: One use case discussed is malware analysis, where querying a malware database for suspicious artifacts and collaborating on potential threats are highlighted as key capabilities of TC Server.
The document then presents a privacy-preserving malware threat-intel use case for the TC Server, in which companies and communities collaborate on analysing malware. Members can query a malware database, share anonymised information about suspicious artifacts and identify appropriate mitigations for malicious ones. Three further use cases are described: defending against distributed denial-of-service (DDoS) attacks; detecting the spearphishing emails that often open advanced persistent threat (APT) campaigns; and identifying malware by comparing hashes and other characteristics of community-submitted email samples. In each case the automated exchange of intelligence allows faster and more accurate responses, and the pooled data gives a global view of specific attack types. The document concludes that as adversaries become increasingly interconnected, the industry must become equally connected, sharing information and using automated tools such as the TC Server to defend against evolving threats.
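The page describes CEF as the exchange format and hash comparison as the malware use case but shows neither in detail. The following is an added example, not HP's or ArcSight's code: it serialises a local detection as a CEF line, parses CEF lines received from peers (honouring the escaping rules of the public CEF specification), and matches the fileHash values they carry against a community-shared blocklist, so that only hashes, never samples, cross the trust boundary. The vendor and product names, event names, file names and hashes are constructed for illustration.

```python
"""Added example (not HP's or ArcSight's code): build and parse ArcSight CEF
lines and match shared file-hash indicators against incoming events.

Only the CEF layout and escaping rules come from the public CEF spec:
header fields are pipe-delimited with '\\' and '|' escaped by a backslash;
the extension is 'key=value' pairs with '\\' and '=' escaped and newlines
written as '\\n' / '\\r'. All names and sample data below are constructed.
"""
import hashlib
import re

CEF_HEADER_FIELDS = 7  # "CEF:0", vendor, product, version, signature id, name, severity


def _escape(value, header):
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\n", "\\n").replace("\r", "\\r")


def to_cef(vendor, product, version, sig_id, name, severity, ext):
    """Build 'CEF:0|vendor|product|version|sig_id|name|severity|k=v k=v ...'."""
    head = "|".join(_escape(v, True) for v in (vendor, product, version, sig_id, name, severity))
    tail = " ".join(f"{k}={_escape(v, False)}" for k, v in ext.items())
    return f"CEF:0|{head}|{tail}"


def _split_header(line):
    """Scan the seven header fields, unescaping as we go, and return
    (fields, remainder); the remainder is the raw extension text."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < CEF_HEADER_FIELDS:
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped '|' or '\\' in a header field
            buf.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    return fields, line[i:]


# A key is a run of word characters followed by '=' at the start or after whitespace.
_KEY = re.compile(r"(?:^|\s)(\w+)=")


def _unescape_ext(s):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def _parse_extension(ext):
    """Values may contain spaces, so each value runs up to the next ' key=' boundary;
    an unescaped '=' inside a value is invalid CEF and is not handled here."""
    out = {}
    keys = list(_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end])
    return out


def parse_cef(line):
    """Parse one CEF line into a dict; raise ValueError on a malformed header."""
    fields, ext = _split_header(line)
    if len(fields) != CEF_HEADER_FIELDS or fields[0] != "CEF:0":
        raise ValueError(f"malformed CEF line: {line[:40]!r}")
    _, vendor, product, version, sig_id, name, severity = fields
    return {"vendor": vendor, "product": product, "version": version,
            "sig_id": sig_id, "name": name, "severity": severity,
            "ext": _parse_extension(ext)}


def match_shared_hashes(cef_lines, shared_hashes):
    """Return (event name, fileHash) for each event whose fileHash is on the
    community list. Comparison is case-insensitive; only hashes are exchanged."""
    wanted = {h.lower() for h in shared_hashes}
    hits = []
    for line in cef_lines:
        ev = parse_cef(line)
        h = ev["ext"].get("fileHash", "").lower()
        if h in wanted:
            hits.append((ev["name"], h))
    return hits


# Constructed sample data: hashes of throwaway byte strings, not real malware.
BAD_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()
GOOD_HASH = hashlib.sha256(b"constructed benign sample").hexdigest()
SHARED_BLOCKLIST = {BAD_HASH.upper()}  # as a peer might publish it

SAMPLE_EVENTS = [
    to_cef("ExampleCo", "EDR", "1.0", "100", "Suspicious attachment", 7,
           {"fname": "invoice|Q3.pdf.exe", "fileHash": BAD_HASH, "msg": "user=alice opened"}),
    to_cef("ExampleCo", "EDR", "1.0", "101", "Document opened", 2,
           {"fname": "report.pdf", "fileHash": GOOD_HASH}),
]

if __name__ == "__main__":
    for name, h in match_shared_hashes(SAMPLE_EVENTS, SHARED_BLOCKLIST):
        print(f"community match: {name} fileHash={h}")
```

The header scanner stops after the seventh pipe, so an unescaped `|` inside an extension value (as in the constructed file name) is left alone, while `=` inside a value must be escaped for the key boundary search to stay correct. In a real deployment the blocklist would come from the community feed and the events from an ArcSight connector; here both are constructed inline so the block runs offline.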