How has the Structured Threat Information eXpression (STIX) security framework changed over the past two years,...
and how is it being used to improve threat intelligence?
Threat intelligence started being shared informally, and even publicly between enterprises and information security professionals. But as attackers started to monitor the public information, and as organizations began to better understand the value of this information, more formal relationships and organizations were set up to improve the safety of it.
Information sharing has become critical to security success. Many Snort intrusion detection system rules have been shared as part of starting threat exchanges.
Information Sharing and Analysis Centers, or ISACs, are now organized around certain industries, such as financial services, maritime security and information technology, among others. In an individual ISAC, organizations can share information to improve threat intelligence among their peers.
What information should be shared and how to share it are still issues under development. There are several different threat sharing frameworks available today, including STIX, Open Threat Exchange and the Security Event System and Collective Intelligence Framework, among others. And as threat sharing gains more attention, more vendors will likely create their own frameworks, which could potentially cause issues.
How it works
The STIX security framework is a language for sharing data, but the sharing of the actual data is separate from the framework. This improves threat intelligence because data is easier to share if it is in a common format, and it provides the structure of how to share this data. Even internal tools -- such as firewalls, security information and event management systems, and intrusion detection systems -- can utilize this framework for exchanging data and to ensure the most up-to-date intelligence is incorporated into the tool.
Vendors such as RSA Security and ThreatConnect use the STIX security framework for their respective threat intelligence and security analytics services. In addition, the U.S. Department of Homeland Security leverages STIX for its free Automated Indicator Sharing service.
The STIX security framework has included updates in architecture, a new visualization tool and tools for common use cases in recent updates.
The updated architecture contains improvements that help incorporate it into other tools and systems, and the new visualization tool helps with identifying patterns for further analysis. The tools for common use cases might be the most important update because it lists out scenarios in which enterprises can use the STIX threat intelligence framework for cyberthreat management.
Find out what global threat intelligence services can and can't do
Read more on why monitoring the dark web can help enterprises
Dig Deeper on Threat intelligence sharing and services
Related Q&A from Nick Lewis
Enterprises have many options for email security best practices, ranging from deploying email security protocols to educating end users on the ... Continue Reading
Cyberattacks often begin with a port scan attack, which attackers use to find exploitable vulnerabilities on targeted systems. Learn how they work ... Continue Reading
Monitoring process memory is one way to combat fileless malware attacks. Here's what you can do to protect your network against these campaigns. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.