News & Views
IT security specialist Airbus Cybersecurity (https://airbus-cyber-security.com/) has strengthened its threat intelligence with ThreatQuotient (https://www.threatq.com/), enriching the threat intelligence service it has offered its customers since 2011 with additional contextual information at scale.
“Since 2011, our threat intelligence service has worked very closely with our incident response teams. Among other things, this has allowed us to be very relevant and responsive when it comes to tracking attackers,” explains Julien Menissez, Product Manager for Managed Services in Europe at Airbus Cybersecurity.
MISP (Malware Information Sharing Platform) is a must in the world of threat intelligence. Available as a free solution, MISP facilitates the sharing of IoCs between researchers. But before IoCs can be shared, they must be acquired and consolidated. This is where things get complicated. Julien recalls, “MISP is very good for dissemination, but ingestion is not simple. We were forced to use many other open source tools in parallel, requiring a lot of scripting and manual operations before delivering the information to our customers, while remaining within the timeframes allowed by our SLAs.”
“In 2015, we decided to create a dissemination offering that would allow customers operating their own SOC to benefit from this increased information. We first worked with flat files, and then we deployed MISP interfaces for our customers,” continues Menissez.
The dissemination service became so successful that the load on the Airbus Threat Intelligence team increased dramatically. As customers demanded more and more context and richer information, beyond what MISP can do with its tagging and commenting functionalities, it quickly became clear that a manual approach could not be scaled up.
The Airbus Cybersecurity team then decided to research a new ‘cyber-intelligence back office’ – a tool capable of natively managing concepts such as the freshness of information, reliability, context, and related data.
The deployment of ThreatQ allows Airbus Cybersecurity to meet its goals. The two companies shared the same vocabulary (coming from the defence sector), the ThreatQ platform met Airbus Cybersecurity’s criteria, and Airbus Cybersecurity found the technical level of the ThreatQuotient subject matter experts excellent.
“We can now deliver the same service and the same knowledge, with the same quality as before, but much more quickly and with far fewer technical manipulations,” says Menissez. “Obviously, it’s our customers who benefit. Airbus has gone from weekly information delivery to continuous information delivery. ThreatQ allows us to offer a richer threat intelligence service, with more context, but also faster. We are now able to continuously deliver cyber intelligence flows tailored to the needs of our customers.”