WEBVTT

1
00:00:00.090 --> 00:00:01.440
<v Instructor>In this lesson,</v>

2
00:00:01.440 --> 00:00:04.920
we will learn about threat intelligence platforms.

3
00:00:04.920 --> 00:00:07.560
Threat intelligence platforms are tools

4
00:00:07.560 --> 00:00:11.340
that gather, analyze, and distribute threat data

5
00:00:11.340 --> 00:00:16.340
to help organizations detect and respond to security risks.

6
00:00:16.470 --> 00:00:18.870
These platforms pull intelligence

7
00:00:18.870 --> 00:00:21.390
from various third-party vendors

8
00:00:21.390 --> 00:00:24.030
who offer comprehensive threat feeds

9
00:00:24.030 --> 00:00:27.780
with information on emerging threats, vulnerabilities,

10
00:00:27.780 --> 00:00:29.550
and attacker tactics.

11
00:00:29.550 --> 00:00:32.850
Additionally, threat intelligence platforms allow

12
00:00:32.850 --> 00:00:37.200
organizations to cross-reference external intelligence

13
00:00:37.200 --> 00:00:41.460
with internal logs and data to enhance their ability

14
00:00:41.460 --> 00:00:44.790
to identify and respond to threats.

15
00:00:44.790 --> 00:00:48.360
Threat intelligence platforms aggregate, analyze

16
00:00:48.360 --> 00:00:50.610
and disseminate threat information,

17
00:00:50.610 --> 00:00:53.220
helping organizations stay ahead

18
00:00:53.220 --> 00:00:55.680
of potential security risks.

19
00:00:55.680 --> 00:00:56.820
A key feature

20
00:00:56.820 --> 00:00:59.820
of threat intelligence platforms is their ability

21
00:00:59.820 --> 00:01:02.970
to collect data from third-party vendors,

22
00:01:02.970 --> 00:01:07.020
such as Recorded Future, FireEye and CrowdStrike.

23
00:01:07.020 --> 00:01:10.500
These vendors provide critical insights on new

24
00:01:10.500 --> 00:01:13.710
and emerging threats, including vulnerabilities

25
00:01:13.710 --> 00:01:15.540
and attacker tactics.

26
00:01:15.540 --> 00:01:18.780
Organizations can then combine the data

27
00:01:18.780 --> 00:01:21.360
from their threat intelligence platforms

28
00:01:21.360 --> 00:01:23.520
with internal security data,

29
00:01:23.520 --> 00:01:27.600
such as logs and alerts, to detect, respond to,

30
00:01:27.600 --> 00:01:30.540
and mitigate threats more effectively.

31
00:01:30.540 --> 00:01:33.720
When integrating third-party threat intelligence

32
00:01:33.720 --> 00:01:37.170
with internal systems, it's important to have a system

33
00:01:37.170 --> 00:01:40.440
that can align and enrich internal data

34
00:01:40.440 --> 00:01:41.850
with the threat data.

35
00:01:41.850 --> 00:01:45.510
For example, a threat intelligence platform might collect

36
00:01:45.510 --> 00:01:49.650
data from FireEye about a new malware strain targeting

37
00:01:49.650 --> 00:01:51.300
specific industries.

38
00:01:51.300 --> 00:01:55.650
Then if a company's internal logs show unusual activity

39
00:01:55.650 --> 00:01:57.240
in their email system,

40
00:01:57.240 --> 00:02:00.600
the threat intelligence platform can cross-reference

41
00:02:00.600 --> 00:02:03.420
these logs with FireEye data.

42
00:02:03.420 --> 00:02:07.560
By doing so, the threat intelligence platform can identify

43
00:02:07.560 --> 00:02:11.280
if the organization is being targeted by this malware

44
00:02:11.280 --> 00:02:15.330
and provide actionable insights to the security team.

45
00:02:15.330 --> 00:02:18.750
This combination of assessing internal alerts

46
00:02:18.750 --> 00:02:22.980
with external threat data allows for more precise detection

47
00:02:22.980 --> 00:02:26.100
and faster response to potential breaches.

48
00:02:26.100 --> 00:02:30.450
So the real power of threat intelligence platforms lies

49
00:02:30.450 --> 00:02:33.030
in their ability to integrate smoothly

50
00:02:33.030 --> 00:02:35.400
into enterprise networks.

51
00:02:35.400 --> 00:02:39.510
But third-party intelligence can be either open-source

52
00:02:39.510 --> 00:02:40.860
or proprietary.

53
00:02:40.860 --> 00:02:44.610
In either case, threat intelligence platforms are designed

54
00:02:44.610 --> 00:02:46.680
to integrate directly with

55
00:02:46.680 --> 00:02:49.650
an existing security infrastructure.

56
00:02:49.650 --> 00:02:53.340
Open-source platforms often offer flexibility

57
00:02:53.340 --> 00:02:55.200
in terms of customization

58
00:02:55.200 --> 00:02:57.720
and community-driven threat feeds,

59
00:02:57.720 --> 00:03:01.080
while proprietary platforms provide premium,

60
00:03:01.080 --> 00:03:02.970
curated threat intelligence

61
00:03:02.970 --> 00:03:05.910
and advanced integration capabilities.

62
00:03:05.910 --> 00:03:10.230
For instance, an enterprise using CrowdStrike's proprietary

63
00:03:10.230 --> 00:03:12.450
intelligence can directly feed

64
00:03:12.450 --> 00:03:15.840
that data into their security information

65
00:03:15.840 --> 00:03:18.540
and event management or SIEM platform.

66
00:03:18.540 --> 00:03:23.190
The SIEM in turn can then analyze this external intelligence

67
00:03:23.190 --> 00:03:26.580
alongside the organization's internal data

68
00:03:26.580 --> 00:03:30.660
to provide more accurate and contextual threat alerts.

69
00:03:30.660 --> 00:03:32.340
A practical example of

70
00:03:32.340 --> 00:03:35.370
how threat intelligence platforms function is

71
00:03:35.370 --> 00:03:38.250
the integration of phishing intelligence

72
00:03:38.250 --> 00:03:41.940
into an enterprise's email security system.

73
00:03:41.940 --> 00:03:46.530
Let's say FireEye identifies a new phishing campaign

74
00:03:46.530 --> 00:03:49.350
that uses compromised email accounts

75
00:03:49.350 --> 00:03:51.960
to distribute malicious attachments.

76
00:03:51.960 --> 00:03:55.770
A threat intelligence platform can pull this intelligence

77
00:03:55.770 --> 00:03:58.470
into the organization's network

78
00:03:58.470 --> 00:04:02.580
and cross-check it against internal email traffic.

79
00:04:02.580 --> 00:04:05.250
If the platform detects any matches

80
00:04:05.250 --> 00:04:08.040
with known malicious email addresses

81
00:04:08.040 --> 00:04:12.390
or attachment hashes in the organization's email logs,

82
00:04:12.390 --> 00:04:15.990
it can immediately block these emails, preventing them

83
00:04:15.990 --> 00:04:17.430
from reaching users.

84
00:04:17.430 --> 00:04:21.390
This proactive defense mechanism drastically reduces

85
00:04:21.390 --> 00:04:24.210
the chances of a phishing attack succeeding

86
00:04:24.210 --> 00:04:26.160
in enterprise environments.

87
00:04:26.160 --> 00:04:30.210
Threat intelligence from third-party vendors can also help

88
00:04:30.210 --> 00:04:33.630
detect sophisticated long-term attacks.

89
00:04:33.630 --> 00:04:37.680
For example, Recorded Future might provide intelligence

90
00:04:37.680 --> 00:04:40.500
about advanced persistent threat groups

91
00:04:40.500 --> 00:04:43.740
that are known to target specific industries.

92
00:04:43.740 --> 00:04:45.960
A threat intelligence platform

93
00:04:45.960 --> 00:04:50.160
that integrates this data could monitor the organization's

94
00:04:50.160 --> 00:04:54.450
network for any signs of these advanced persistent threat

95
00:04:54.450 --> 00:04:58.320
or APT tactics, such as lateral movement

96
00:04:58.320 --> 00:05:00.690
or data exfiltration patterns.

97
00:05:00.690 --> 00:05:03.480
If suspicious activity is detected,

98
00:05:03.480 --> 00:05:06.810
the threat intelligence platform cross-referencing

99
00:05:06.810 --> 00:05:08.400
the internal network data

100
00:05:08.400 --> 00:05:12.960
with the external APT intelligence allows the organization

101
00:05:12.960 --> 00:05:15.630
to identify the threat earlier

102
00:05:15.630 --> 00:05:19.590
and respond faster than if it were relying solely

103
00:05:19.590 --> 00:05:23.580
on internal data without external context.

104
00:05:23.580 --> 00:05:26.430
To use this capability effectively,

105
00:05:26.430 --> 00:05:29.850
the integration of threat intelligence platforms

106
00:05:29.850 --> 00:05:33.570
into enterprise networks should be automated.

107
00:05:33.570 --> 00:05:37.920
Security teams should set up threat intelligence platforms

108
00:05:37.920 --> 00:05:40.860
to automatically update firewalls,

109
00:05:40.860 --> 00:05:42.870
endpoint detection systems,

110
00:05:42.870 --> 00:05:46.920
and email security gateways with the latest indicators

111
00:05:46.920 --> 00:05:50.160
of compromise from third-party vendors.

112
00:05:50.160 --> 00:05:54.150
This ensures that defenses are always up-to-date,

113
00:05:54.150 --> 00:05:58.860
and that threat detection is both timely and proactive.

114
00:05:58.860 --> 00:06:01.770
Finally, another significant benefit

115
00:06:01.770 --> 00:06:05.670
of using external threat intelligence is the ability

116
00:06:05.670 --> 00:06:07.560
to prioritize threats.

117
00:06:07.560 --> 00:06:08.820
This is important

118
00:06:08.820 --> 00:06:11.850
because not all threats are equally dangerous

119
00:06:11.850 --> 00:06:13.620
to every organization,

120
00:06:13.620 --> 00:06:17.310
and threat intelligence platforms can help security teams

121
00:06:17.310 --> 00:06:20.190
focus on the most relevant risks.

122
00:06:20.190 --> 00:06:24.390
For instance, if a third-party vendor provides intelligence

123
00:06:24.390 --> 00:06:27.660
about an exploit affecting healthcare systems,

124
00:06:27.660 --> 00:06:31.830
an organization in the healthcare sector will prioritize

125
00:06:31.830 --> 00:06:35.820
this over other less relevant threats for them.

126
00:06:35.820 --> 00:06:39.180
This prioritization allows security teams

127
00:06:39.180 --> 00:06:42.180
to allocate resources more effectively

128
00:06:42.180 --> 00:06:46.350
and respond to their most critical threats first.

129
00:06:46.350 --> 00:06:48.300
So remember,

130
00:06:48.300 --> 00:06:52.380
threat intelligence platforms help organizations detect

131
00:06:52.380 --> 00:06:56.550
and respond to security risks by collecting

132
00:06:56.550 --> 00:07:00.450
and analyzing threat data from various sources.

133
00:07:00.450 --> 00:07:03.660
Threat intelligence platforms pull information

134
00:07:03.660 --> 00:07:06.870
from third-party vendors who provide insights

135
00:07:06.870 --> 00:07:11.760
on emerging threats, vulnerabilities, and attacker tactics.

136
00:07:11.760 --> 00:07:16.140
Threat intelligence platforms then enable organizations

137
00:07:16.140 --> 00:07:19.260
to combine this external intelligence

138
00:07:19.260 --> 00:07:21.750
with their own internal data

139
00:07:21.750 --> 00:07:25.200
to improve threat detection and response.

140
00:07:25.200 --> 00:07:28.530
So whether the data comes from open-source

141
00:07:28.530 --> 00:07:30.810
or proprietary vendors,

142
00:07:30.810 --> 00:07:34.440
threat intelligence platforms integrate seamlessly

143
00:07:34.440 --> 00:07:37.050
into existing security systems,

144
00:07:37.050 --> 00:07:40.170
helping organizations prioritize threats

145
00:07:40.170 --> 00:07:44.583
and allowing them to focus on their most critical risks.

