Cybersixgill and Microsoft Azure Sentinel: Take a TAXII to Better Threat Intelligence
Cybersixgill is thrilled to announce that Cybersixgill Darkfeed is now available to Microsoft Azure Sentinel users. Using the Threat Intelligence – TAXII data connector, Azure Sentinel users can now pull Cybersixgill’s exclusive feed of actionable indicators of compromise (IOCs) directly into their workspace. This lets security teams enrich the intel they already receive in Azure Sentinel with contextual data in real time, so they understand a threat before it turns into an attack.
The Cybersixgill-Azure Sentinel integration enhances threat hunting for malicious IOCs in corporate networks and gives analysts a better understanding of malware TTPs and trends.
The Threat Intelligence – TAXII data connector uses the TAXII client built into Azure Sentinel to import threat intelligence from the Cybersixgill TAXII server. That’s great news for Azure Sentinel users: it buys valuable time in a fast-evolving threat environment where speed matters.
This new integration is not just another logo to boast about; it signals Darkfeed’s status as the source of truth in the threat intelligence market. Since Darkfeed was released in March, we’ve announced more than half a dozen integrations, and we have more in the pipeline.
So, what makes Darkfeed different and why is it receiving so much attention in the marketplace?
Three words: real. time. collection.
The dark web itself is atomized into disparate networks, some of which aren’t accessible with a normal web browser. The sites aren’t indexed. These are just a few of the many reasons that make dark web surveillance a technical challenge.
The deep and dark web is quite large. In fact, it’s four times bigger than the clear web, where most of us work and play. It acts as a kind of social network for malicious individuals, or threat actors. They trade tips, tactics, and techniques. Opinions are shared, fake and real news are posted, and underground commodities (as well as a lot of money) change hands.
Traditionally, these threat actors were only discovered through sensors and honeypots that detect attacks already in progress. By then, it’s too late.
Capturing dark web chatter can give companies a head start on attacks. Darkfeed automatically gathers indicators of compromise (IOCs) – such as malicious hashes, URLs, and malware variants that threat actors are talking about – systematically categorizes them into actionable intelligence, and “pushes” them directly into security tools such as the Azure Sentinel platform. The IOCs are delivered with context, such as extended details and scoring, so security teams can deepen their understanding of each threat. Armed with that understanding, they can prioritize their actions and decide which threats to block, prevent, or preempt first.
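To make the delivery path concrete for the TAXII connector described above and the scored, contextual IOCs described here, the following is an added example that is not Cybersixgill’s or Microsoft’s code. It takes a STIX 2.1 bundle of the shape a TAXII 2.1 collection returns (the bundle, its indicator values and the confidence scores are constructed for this example, not real Darkfeed data), drops revoked and expired indicators, normalizes each pattern comparison into an IOC row, and sorts the rows by confidence so the highest-scored items are handled first. The indicator type labels and the `parse_bundle`/`prioritize` function names are this example’s own assumptions, not a Sentinel or Darkfeed schema.

```python
"""Normalize STIX 2.1 indicators from a TAXII collection into scored IOC rows."""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Maps a STIX observable path to an indicator type label. These labels are
# this example's own normalized names, not an official Sentinel or
# Cybersixgill schema (assumption).
PATH_TO_TYPE = {
    "file:hashes.'SHA-256'": "FileHash-SHA256",
    "file:hashes.'MD5'": "FileHash-MD5",
    "url:value": "URL",
    "domain-name:value": "DomainName",
    "ipv4-addr:value": "IPv4Address",
}

# One equality comparison inside a STIX pattern, e.g. [url:value = 'x'].
# Compound patterns (AND/OR) contain several, so finditer is used below.
COMPARISON_RE = re.compile(r"(?P<path>[\w\-]+:[\w\-.']+)\s*=\s*'(?P<value>[^']*)'")

# Constructed sample bundle, as a TAXII 2.1 /objects/ endpoint would return it.
# Every value here is made up for the example.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000a1",
         "name": "Sample dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
         "valid_from": "2021-09-01T10:00:00Z", "confidence": 90,
         "labels": ["malicious-activity"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000a2",
         "name": "Sample payload URL", "pattern_type": "stix",
         "pattern": "[url:value = 'http://example.invalid/payload.bin']",
         "valid_from": "2021-09-01T10:00:00Z", "confidence": 70,
         "labels": ["malicious-activity"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000a3",
         "name": "Sample C2 addresses", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '203.0.113.6']",
         "valid_from": "2021-09-01T10:00:00Z", "confidence": 60,
         "labels": ["malicious-activity"]},
        {"type": "indicator", "spec_version": "2.1",   # expired: must be dropped
         "id": "indicator--00000000-0000-4000-8000-0000000000a4",
         "name": "Old domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'old.example']",
         "valid_from": "2021-01-01T00:00:00Z", "valid_until": "2021-06-01T00:00:00Z",
         "confidence": 80, "labels": ["malicious-activity"]},
        {"type": "indicator", "spec_version": "2.1",   # revoked: must be dropped
         "id": "indicator--00000000-0000-4000-8000-0000000000a5",
         "name": "Retracted hash", "pattern_type": "stix", "revoked": True,
         "pattern": "[file:hashes.'MD5' = 'd41d8cd98f00b204e9800998ecf8427e']",
         "valid_from": "2021-09-01T10:00:00Z", "confidence": 95},
    ],
})

# Fixed "current time" for the constructed sample so results are reproducible.
AS_OF = datetime(2021, 9, 2, tzinfo=timezone.utc)


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_bundle(bundle_json: str, as_of: Optional[datetime] = None) -> List[Dict]:
    """Return one row per atomic comparison in each live STIX indicator.

    Revoked indicators, expired indicators (valid_until before as_of) and
    non-STIX pattern types are skipped so they never reach a blocklist.
    """
    as_of = as_of or datetime.now(timezone.utc)
    rows: List[Dict] = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # yara/snort patterns need a different consumer
        valid_until = obj.get("valid_until")
        if valid_until and _parse_ts(valid_until) < as_of:
            continue
        for m in COMPARISON_RE.finditer(obj["pattern"]):
            ioc_type = PATH_TO_TYPE.get(m.group("path"))
            if ioc_type is None:
                continue  # unknown observable path: do not guess a type
            rows.append({"indicator_id": obj["id"], "type": ioc_type,
                         "value": m.group("value"),
                         "confidence": int(obj.get("confidence", 0)),
                         "labels": list(obj.get("labels", [])),
                         "description": obj.get("name", "")})
    return rows


def prioritize(rows: List[Dict], min_confidence: int = 50) -> List[Dict]:
    """Highest-confidence IOCs first; rows below the threshold are left out."""
    kept = [r for r in rows if r["confidence"] >= min_confidence]
    return sorted(kept, key=lambda r: (-r["confidence"], r["type"], r["value"]))


if __name__ == "__main__":
    for row in prioritize(parse_bundle(SAMPLE_BUNDLE_JSON, AS_OF), 65):
        print(row["confidence"], row["type"], row["value"], row["description"])
```

The expiry and revocation checks are the part worth copying: a feed that pushes in real time also retracts, and an indicator that was valid last week can block legitimate traffic this week if the consumer ignores `valid_until` and `revoked`.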
Speed, however, isn’t the only advantage of Darkfeed. Typically, the threat intelligence networks and honeypots that alert companies to attacks are operated by anti-virus vendors.
To illustrate the Darkfeed advantage, we did some research to show how different Darkfeed’s data is from these honeypot networks. We compared the IOCs that Darkfeed identified with those detected by ten leading anti-virus products. No single product identified more than 34 percent of the IOCs that Darkfeed found.
For Azure Sentinel users, we’re excited to bring industry-leading intelligence that helps them accelerate and elevate threat detection and response.
Azure Sentinel users can consume Darkfeed in one of two ways: import Darkfeed indicators into Azure Sentinel, or automatically enrich the IOCs already in Azure Sentinel with Darkfeed’s context and essential explanations.