Announcing HP Threat Central security intelligence platform

Today's IT security comes with far more sophisticated challenges than in the past. Attacks are more complex, and with those attacks we need faster and more effective responses. Enterprises spend an exorbitant amount of time and effort on repeat attacks, using information-sharing models that are manual and slow and that produce intelligence that is simply not actionable. So how can we fix the problem? With real-time, scalable, comprehensive and trustworthy threat-information sharing.


With these goals in mind, HP has developed HP Threat Central (HPTC), a platform for organizations to share threat intelligence securely, confidentially and in real time. The advantages of HPTC are:

  • Harnesses the power of community
  • Quickly and precisely shares threat intel to identify and mitigate advanced attacks
  • Disseminates detection indicators and mitigating actions
  • Provides a global view of the threat landscape by combining and analyzing data from varied sources

Automated collaboration helps detect attacks faster and more accurately, and it reveals context that was not available before, which helps customers prioritize their resources and security budget. In a recent study, the same attack was investigated without HPTC and with HPTC, and the findings were impressive. In both processes, the user receives a suspicious e-mail and forwards it to the SOC for investigation; the SOC Analyst creates an incident and begins the investigation. From there:

Without HPTC, 14 steps are required:

  1. The SOC Analyst inspects the headers of the e-mail and finds suspicious artifacts
  2. The SOC Analyst inspects the body of the e-mail and finds additional artifacts
  3. The SOC Analyst uses URLquery to do an initial remote inspection of the referenced file download location
  4. The URLquery report shows that the website by itself is not malicious
  5. The SOC Analyst downloads the zip file via a secure Linux-based sandbox
  6. The SOC Analyst computes an MD5 sum of the zip archive
  7. The SOC Analyst unpacks the zip file and receives a .scr file
  8. The SOC Analyst computes an MD5 sum and an ssdeep hash of the .scr file
  9. Not having dedicated tools, the SOC Analyst uploads the .scr file to designated websites. The returned reports are not conclusive.
  10. VirusTotal reports that the file in question is detected by 10 out of 46 antivirus products
  11. The SOC Analyst then downloads the packet capture and the dropped files
  12. The SOC Analyst advises the proxy team to block the known hosts
  13. The SOC Analyst creates support tickets with the existing AV vendor to create antivirus patterns for this instance, and continues the investigation into the dropped files and the recommended mitigation
  14. Eventually AV patterns are released, and the SOC Analyst can brief the user and afterwards close the case


With HP Threat Central, a third of the steps are required:

  1. The SOC Analyst inspects the headers of the e-mail and finds suspicious artifacts
  2. The SOC Analyst queries HPTC for the MD5 sum of the archive or the file and, in return, receives the following information:
     • Malware report from open source connections
     • Domains and IP addresses in question
     • Related MD5 sums
     • Antivirus reports
     • Related IPS filters
     • Suggested correlation rules
  3. The SOC Analyst queries for an IP address or DNS entry from the malicious e-mail and receives the following results:
     • Known reputation entries for the IP address and DNS entry
     • Related IPS filters
     • Malware report references
     • Correlation to related threat intelligence (such as known actors and TTPs)
  4. The analyst implements the appropriate block rules to mitigate the threat (such as reputation blocking, IPS filters, firewall rules) and adds a new watch list, all from automated actions on the HPTC console.
  5. The analyst closes the ticket.
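Both walkthroughs above describe the same triage: pull artifacts from the e-mail headers and body, hash the archive and the file inside it, look the hashes, IPs and domains up in a threat-intelligence source, and turn the answers into block rules and a watch list. The script below is an added example, not HP's code and not the HPTC API (which this post does not document). It parses a constructed sample e-mail with Python's standard library and stands in for the HPTC query with a hypothetical in-memory table, `THREAT_INTEL`, keyed by indicator value. Every address, domain, hash, filter name and malware family in it is a constructed placeholder (`.invalid` domains and `203.0.113.0/24` are reserved for documentation).

```python
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed stand-in for the .scr file dropped by the phishing archive (not a real executable).
SCR_BYTES = b"MZ placeholder - constructed stand-in for a malicious screensaver file"
SCR_MD5 = hashlib.md5(SCR_BYTES).hexdigest()

# Hypothetical replacement for the HPTC query: indicator value -> what the platform returns.
THREAT_INTEL = {
    SCR_MD5: {"type": "md5", "family": "ConstructedDownloader", "av_detections": "10/46",
              "related_md5": ["0" * 32],  # placeholder related hash
              "domains": ["files.example.invalid"], "ips": ["203.0.113.45"],
              "ips_filter": "IPS-FILTER-PLACEHOLDER-1"},
    "203.0.113.45": {"type": "ip", "reputation": "malicious", "ips_filter": "IPS-FILTER-PLACEHOLDER-2"},
    "files.example.invalid": {"type": "domain", "reputation": "malicious"},
}

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized archive members (zip-bomb guard)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample_eml() -> bytes:
    """Construct the suspicious e-mail: a lure body with a download link plus a zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("invoice.scr", date_time=(2014, 1, 1, 0, 0, 0))  # fixed timestamp
        zf.writestr(info, SCR_BYTES)
    msg = EmailMessage()
    msg["Received"] = "from mail.example.invalid (203.0.113.45) by mx.corp.example"
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Invoice attached; copy at http://files.example.invalid/invoice.zip")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def digests(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def hash_archive(name: str, data: bytes) -> dict:
    """Manual steps 6-8: hash the archive, unpack it, hash each member (ssdeep omitted, not stdlib)."""
    entry = {"filename": name, **digests(data), "members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_BYTES:
                entry["members"].append({"name": info.filename, "skipped": "oversized"})
                continue
            entry["members"].append({"name": info.filename, **digests(zf.read(info))})
    return entry


def lookup(indicator: str):
    """Stand-in for the HPTC query by hash, IP or domain; None when nothing is known."""
    return THREAT_INTEL.get(indicator)


def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Steps 1-2: artifacts from the headers (relay IPs) and the body (URLs, their hostnames).
    ips = sorted({ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)})
    body = msg.get_body(preferencelist=("plain",))
    urls = URL_RE.findall(body.get_content()) if body else []
    domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    archives = [hash_archive(p.get_filename() or "unnamed", p.get_payload(decode=True))
                for p in msg.iter_attachments() if (p.get_filename() or "").lower().endswith(".zip")]
    # HPTC steps 2-3: one query per archive hash, member hash, IP and domain.
    candidates = ips + domains + [a["md5"] for a in archives]
    candidates += [m["md5"] for a in archives for m in a["members"] if "md5" in m]
    intel = {}
    for c in candidates:
        rec = lookup(c)
        if rec:
            intel[c] = rec
    # HPTC step 4: derive block rules and a watch list from what the intel returned.
    blocks, watch = [], set()
    for ind, rec in intel.items():
        if rec["type"] == "ip":
            blocks.append(f"firewall: deny {ind}")
        elif rec["type"] == "domain":
            blocks.append(f"proxy: block {ind}")
        elif rec["type"] == "md5":
            blocks.append(f"av: submit {ind} ({rec['family']}, detections {rec['av_detections']})")
            blocks += [f"proxy: block {d}" for d in rec["domains"]]
            blocks += [f"firewall: deny {ip}" for ip in rec["ips"]]
            watch.update(rec["related_md5"])
        if "ips_filter" in rec:
            blocks.append(f"ips: enable {rec['ips_filter']}")
    return {"sender": str(msg["From"]), "ips": ips, "urls": urls, "domains": domains,
            "archives": archives, "intel": intel, "blocks": sorted(set(blocks)), "watchlist": sorted(watch)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_eml()), indent=2))
```

The member-size check before inflating a zip entry is the one caveat a practitioner should not skip when automating step 7: an archive that decompresses to gigabytes will take the analyst's sandbox down long before any hash is produced. Step 8's ssdeep hash is left out because it is not in the standard library; with the `ssdeep` Python bindings installed it slots into `digests()` alongside MD5 and SHA-256.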


As shown, HP Threat Central offers crucial advantages that include a single dashboard for global and local threat intelligence, improved response times, and vetted, actionable information.  By collaborating via HPTC, a more complete picture of the attack can be quickly surfaced and the threat remediated.


For an in-depth look at the case for a collaborative approach, read the Collaborative Defense business white paper. And stay abreast of the latest developments at hp.com/go/hpsr.
