
New feature: Live threat reports

With Stairwell’s goal of empowering organizations to eliminate cybersecurity blind spots, the release of live threat reports bolsters the Stairwell platform’s intelligence-led detection capabilities. This feature automates a traditionally manual, time-intensive process to give unprecedented confidence in the health of your organization as it pertains to known threat vectors.


The background

With constantly evolving cybersecurity threats, businesses are forced to adapt and improve their security stacks in an effort to prevent exploitation. A key piece of remaining a step ahead comes from cybersecurity threat reports, which aim to share valuable threat information across the industry to help protect against cybercrime.

Threat reports come from many different sources: some are more reputable than others, some are free, and some require paid subscriptions. One thing security practitioners can agree on is that there is no shortage of threat information, and each organization needs to determine which set of threat reports is most applicable to its own business. It’s fantastic to have access to all of these threat reports, but the real difficulty lies in operationalizing this intelligence effectively.

The problem

Knowing whether you’ve been impacted by a threat outlined in a report can take hours, days, or even weeks. Often, you need to import all indicators of compromise (IOCs) from a threat report into a SIEM, look for logs that match any of the indicators, and take any necessary remediation steps. It’s a lot of work, and this approach has quite a few flaws.

For starters, you deal with uncertainty over complete log visibility and need to piece together logs to respond. And then, after you have spent all that time trying to find out whether you’ve been impacted by the contents outlined in the report, you still can’t expand the aperture beyond the documented indicators. What if there’s a new variant that hasn’t yet been found? You have to wait for a new report to start the process all over again.

The solution

We’ve made a long process a whole lot shorter. With the live threat reports feature in the Stairwell platform, you can understand the extent of the impact of a threat report in minutes – not hours, days, or weeks. And, you can look beyond the documented IOCs from the report. The Stairwell platform will automatically search through your environment for hidden – and potentially unknown – variants, keeping you covered beyond the indicators from the report.

Stairwell recognizes the importance of complementing other security tools and intelligence, making this information actionable and real-time. With the new live threat report feature, the Stairwell platform provides an ongoing organizational health check from known and novel malware families.

Having a copy of an organization’s files allows for a health check with unrivaled certainty and a straightforward remediation path. This allows our users to answer the question: have I ever been affected by [name your malware], am I today, and can I be alerted if I ever am in the future?

The Stairwell platform comes with a curated feed of threat reports, automatically extracts the IOCs, and alerts the user on any matches from the past, present, and into the future. Users can also add their own report sources to ensure reports are tailored to specific organizational needs.
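The workflow described above (pull the IOCs out of a report, then check them against a retained record of what files the environment has seen, and keep watching for them afterwards) as an added Python example; this is not Stairwell’s code, and the report text, hashes, hostnames and dates are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample report text (not a real threat report).
REPORT = """
The loader drops a payload with SHA-256
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
and beacons to updates.example-c2[.]net (203.0.113.42).
"""

# Constructed file inventory, standing in for a retained copy of an
# organization's files: sha256 -> (host, first_seen, still_present).
INVENTORY = {
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08":
        ("ws-17", date(2023, 11, 2), False),
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
        ("srv-01", date(2024, 1, 9), True),
}

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
# Accepts both plain and defanged ("example[.]net") domains.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\[?\.\]?[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_iocs(text):
    """Pull SHA-256 hashes, domains and IPv4 addresses out of report text."""
    refang = lambda s: s.replace("[.]", ".")
    return {
        "sha256": {h.lower() for h in SHA256_RE.findall(text)},
        "domain": {refang(d).lower() for d in DOMAIN_RE.findall(text)},
        "ipv4": set(IPV4_RE.findall(text)),
    }


def match_inventory(iocs, inventory):
    """Split report hashes into past hits (seen, since removed), present hits
    (still on a host) and a watchlist for files that arrive in the future."""
    hits = {"past": [], "present": [], "watch": set()}
    for h in sorted(iocs["sha256"]):
        if h in inventory:
            host, first_seen, still_present = inventory[h]
            hits["present" if still_present else "past"].append((h, host, first_seen))
        hits["watch"].add(h)  # keep watching even after a hit; reinfection happens
    return hits


if __name__ == "__main__":
    print(match_inventory(extract_iocs(REPORT), INVENTORY))
```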

Additionally, Stairwell begins to automate threat hunting by using a number of proprietary techniques to expand the list of known IOCs, to include important variants. Since most new malware is a variant of an existing malware family, this can turn the all-important health check into a proactive check for novel threats. Stairwell is a living repository for files and threat intelligence, so all threat reports remain in Stairwell forever.

The point

Stairwell’s approach to making threat reports actionable all but eliminates the common faults of approaches used in the past. When a threat report is uploaded, results are available in near real-time, which eliminates costly delays in the event a breach occurs. By maintaining a copy of the actual files with unbounded retention, there is never a question around potential blind spots. Expanding intel on known malware families to include variants offers organizations the opportunity to identify novel threats before they are known.

For more information on the Stairwell platform’s live threat reports feature, download the feature data sheet.
