How can the STIX framework improve security threat intelligence?

Expert Nick Lewis breaks down the evolution of the STIX framework and how it can be used to improve security threat intelligence.

How has the Structured Threat Information eXpression (STIX) framework changed over the past two years, and how is it being used to improve threat intelligence?

Sharing threat information is developing into one of the most important activities an enterprise can incorporate into its information security program.

Threat information, or threat intelligence, was originally shared informally, and often publicly, among enterprises and information security professionals. As attackers began monitoring that public information, and as organizations came to understand the value of sharing, more formal relationships and organizations were set up to make the exchange safer.

Information sharing has become critical to security success. Many of the early threat exchanges started by sharing Snort intrusion detection system rules. Information Sharing and Analysis Centers, or ISACs, are now organized around particular industries, including financial services, maritime security and information technology. Within an ISAC, member organizations share information to improve threat intelligence among their peers.

What information should be shared, and how to share it, are still open questions. Several threat-sharing frameworks are available today, including Structured Threat Information eXpression (STIX), Open Threat Exchange (OTX), the Security Event System (SES) and the Collective Intelligence Framework (CIF), among others. As threat sharing gains more attention, more vendors will likely create their own frameworks, and a proliferation of incompatible formats would undermine the sharing they are meant to enable.

STIX is a language for describing threat information; transporting that data between parties is handled separately (in the MITRE design, by the companion TAXII protocol). This improves threat intelligence because data in a common, structured format is easier to share and easier for the receiver to consume. Even internal tools -- firewalls, security information and event management systems, intrusion detection systems -- can ingest this format directly, so that the most up-to-date intelligence is incorporated into each tool rather than retyped by hand.
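As an added example (not code from the article or from the STIX project), here is what consuming a STIX feed inside an internal tool looks like. STIX at the time of this article was an XML format (STIX 1.x); the example uses the later JSON serialization, STIX 2.1, whose indicator patterns are easier to read. The bundle, its identifiers, the documentation-range addresses and the log lines are all constructed for the example. It keeps only indicators that are live (not revoked, and within their valid_from/valid_until window), turns the network indicators into Snort rules of the kind mentioned above, and checks sample log lines against the full set.

```python
"""Consume a STIX 2.1 bundle, keep the usable indicators, emit Snort rules and
match sample logs.  Added example; not from the article or the STIX project."""
import json
import re
from datetime import datetime, timezone


def _ind(n, pattern, **extra):
    """Build a constructed STIX 2.1 indicator object (ids are placeholders)."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
           "created": "2015-03-01T00:00:00Z", "modified": "2015-03-01T00:00:00Z",
           "pattern_type": "stix", "valid_from": "2015-03-01T00:00:00Z",
           "pattern": pattern}
    obj.update(extra)
    return obj


# Constructed bundle: two live network indicators, one file hash, one revoked
# indicator, one expired indicator and one non-indicator object.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        _ind(1, "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.9']"),
        _ind(2, "[domain-name:value = 'evil.example']", valid_until="2015-12-31T00:00:00Z"),
        _ind(3, "[file:hashes.'SHA-256' = "
                "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"),
        _ind(4, "[ipv4-addr:value = '192.0.2.44']", revoked=True),
        _ind(5, "[domain-name:value = 'stale.example']",
             valid_from="2015-01-01T00:00:00Z", valid_until="2015-01-31T00:00:00Z"),
        {"type": "malware", "spec_version": "2.1", "name": "constructed-sample",
         "id": "malware--00000000-0000-4000-8000-000000000006", "is_family": False,
         "created": "2015-03-01T00:00:00Z", "modified": "2015-03-01T00:00:00Z"},
    ],
})

# "Now" for the validity check; constructed to fall inside the live windows.
NOW = datetime(2015, 3, 2, tzinfo=timezone.utc)

# One STIX comparison expression: object-type:property = 'value'.  Covers the
# OR-joined equality patterns most feeds emit; anything else is ignored.
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")
IOC_KINDS = {("ipv4-addr", "value"): "ip", ("domain-name", "value"): "domain",
             ("file", "hashes.'SHA-256'"): "sha256"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def extract_iocs(bundle_json, now):
    """Return {kind: set(values)} from indicators that are live at `now`."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue                      # non-indicators and revocations
        if _ts(obj["valid_from"]) > now:
            continue                      # not yet valid
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
            continue                      # expired: stale IOCs cause false positives
        for otype, prop, value in COMPARISON.findall(obj["pattern"]):
            kind = IOC_KINDS.get((otype, prop))
            if kind:
                iocs.setdefault(kind, set()).add(value.lower())
    return iocs


def to_snort_rules(iocs, sid_base=1000001):
    """Emit one Snort rule per network IOC; hashes have no packet signature."""
    rules, sid = [], sid_base
    for ip in sorted(iocs.get("ip", ())):
        rules.append(f'alert ip any any -> {ip} any (msg:"STIX indicator ip {ip}"; '
                     f'sid:{sid}; rev:1;)')
        sid += 1
    for dom in sorted(iocs.get("domain", ())):
        # DNS wire format: each label is preceded by its length byte.
        labels = "".join(f"|{len(l):02x}|{l}" for l in dom.split("."))
        rules.append(f'alert udp any any -> any 53 (msg:"STIX indicator domain {dom}"; '
                     f'content:"{labels}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


# Constructed log lines from a firewall, a DNS resolver and an EDR agent.
LOG_LINES = [
    "2015-03-02T10:00:01Z fw01 deny src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2015-03-02T10:00:02Z fw01 allow src=10.0.0.6 dst=192.0.2.10 dport=80",
    "2015-03-02T10:00:03Z dns01 query client=10.0.0.7 name=evil.example type=A",
    "2015-03-02T10:00:04Z dns01 query client=10.0.0.7 name=stale.example type=A",
    "2015-03-02T10:00:05Z edr01 file-open host=ws12 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2015-03-02T10:00:06Z fw01 deny src=10.0.0.8 dst=192.0.2.44 dport=22",
]

TOKENS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}


def match_log_lines(iocs, lines):
    """Return (line_no, kind, value) for every live IOC seen in the logs."""
    hits = []
    for n, line in enumerate(lines):
        for kind, rx in TOKENS.items():
            for tok in rx.findall(line):
                if tok.lower() in iocs.get(kind, ()):
                    hits.append((n, kind, tok.lower()))
    return hits


if __name__ == "__main__":
    live = extract_iocs(STIX_BUNDLE, NOW)
    for rule in to_snort_rules(live):
        print(rule)
    for hit in match_log_lines(live, LOG_LINES):
        print("hit:", hit)
```

The revoked and expired indicators are the caveat worth noticing: a feed consumer that loads every pattern it receives will keep blocking 192.0.2.44 and alerting on stale.example long after the sharing partner withdrew them, which is how a shared feed turns into a source of false positives.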

Recent STIX releases have updated the architecture, added a visualization tool and published tooling for common use cases. The architectural changes make it easier to incorporate STIX into other tools and systems; the visualization tool helps analysts spot patterns worth further analysis. The use-case tooling may be the most important update, because it lays out concrete scenarios in which enterprises can apply STIX to cyberthreat management.

This was last published in March 2015


Which security threat intelligence framework does your enterprise use? Why?
We use Splunk App for Enterprise Security. We like it because it monitors and mines data on a real-time basis. We don't have to wait for the vendor to issue an update in order for the malicious software to be detected. The software also uses specialized algorithms that are individualized to each company with general information from wider cyber attacks added in.
To be honest, I don't know that STIX provides a huge differentiation over other frameworks like VERIS, and wonder about its long-term usefulness.