COVER STORY
benefit from this increased information. We first worked with flat files and then we deployed MISP interfaces for our customers,” said Menissez.
Difficulty scaling up
MISP (Malware Information Sharing Platform) is a must in the world of threat intelligence. Available as a free solution, MISP facilitates the sharing of IoCs between researchers. But before IoCs can be shared, they must be acquired and consolidated.

This is where things get complicated. Menissez said: “MISP is very good for dissemination, but ingestion is not simple! We were forced to use many other open source tools in parallel, requiring a lot of scripting and manual operations before delivering the information to our customers, while remaining within the timeframes allowed by our SLAs.”

The dissemination service became so successful that the load on the Airbus Threat Intelligence team increased dramatically. As customers demanded more and more context and richer information, beyond what MISP can do with its tagging and commenting functionalities, it quickly became clear that a manual approach could not be scaled up.

The Airbus Cybersecurity team then decided to research a new ‘cyberintelligence back office’ – a tool capable of natively managing concepts such as the freshness of information, reliability, context and related data.
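The article describes two problems with the flat-file stage: IoCs arriving from several feeds must be acquired and consolidated before dissemination, and the back office must track freshness and reliability rather than leaving that to scripting. The following script is an added illustration of that consolidation step, not code from Airbus, MISP or ThreatQuotient. It merges two constructed flat-file feeds, deduplicates by (type, value), records first/last seen, derives a confidence score from analyst-assigned source reliability, ages out stale indicators, and emits a simplified MISP-style event dictionary (the field names follow MISP's JSON attribute layout as an assumption; no MISP API is called). The feed format, source names, reliability weights and the fixed clock are all constructed for the example.

```python
import csv
import io
import json
from datetime import date

# Constructed sample feeds (documentation-range values, not real IoCs).
# Hypothetical flat-file layout: type,value,seen (ISO date the source observed it).
FEED_A = """type,value,seen
ip-dst,192.0.2.10,2024-05-01
domain,example.test,2024-04-20
ip-dst,192.0.2.10,2024-05-10
"""
FEED_B = """type,value,seen
ip-dst,192.0.2.10,2024-04-28
md5,d41d8cd98f00b204e9800998ecf8427e,2024-03-01
"""

# Hypothetical analyst-assigned reliability per source (0 = ignore, 1 = trusted).
SOURCE_RELIABILITY = {"feed_a": 0.9, "feed_b": 0.6}

# Fixed "now" so the freshness calculation is reproducible offline.
NOW = date(2024, 5, 12)


def parse_feed(text: str, source: str) -> list[dict]:
    """Read one flat-file feed into normalised records tagged with their source."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "type": row["type"].strip(),
            "value": row["value"].strip().lower(),   # case-fold so duplicates collapse
            "seen": date.fromisoformat(row["seen"].strip()),
            "source": source,
        })
    return rows


def consolidate(feeds: dict[str, str], now: date, max_age_days: int = 30) -> dict:
    """Merge feeds keyed by (type, value); track seen window, sources, confidence, freshness."""
    merged: dict = {}
    for source, text in feeds.items():
        for rec in parse_feed(text, source):
            key = (rec["type"], rec["value"])
            entry = merged.setdefault(key, {
                "type": rec["type"], "value": rec["value"],
                "first_seen": rec["seen"], "last_seen": rec["seen"], "sources": set(),
            })
            entry["first_seen"] = min(entry["first_seen"], rec["seen"])
            entry["last_seen"] = max(entry["last_seen"], rec["seen"])
            entry["sources"].add(source)
    for entry in merged.values():
        # Corroboration: probability at least one reporting source is right,
        # assuming independent sources. Unknown sources contribute nothing.
        miss = 1.0
        for src in entry["sources"]:
            miss *= 1.0 - SOURCE_RELIABILITY.get(src, 0.0)
        entry["confidence"] = round(1.0 - miss, 4)
        entry["age_days"] = (now - entry["last_seen"]).days
        entry["fresh"] = entry["age_days"] <= max_age_days
    return merged


def build_event(merged: dict, info: str, ids_threshold: float = 0.8) -> dict:
    """Export fresh indicators as a simplified MISP-style event; to_ids only above threshold."""
    attributes = []
    for entry in sorted(merged.values(), key=lambda e: (e["type"], e["value"])):
        if not entry["fresh"]:
            continue  # stale indicators are retained in the library but not disseminated
        attributes.append({
            "type": entry["type"],
            "value": entry["value"],
            "to_ids": entry["confidence"] >= ids_threshold,
            "first_seen": entry["first_seen"].isoformat(),
            "last_seen": entry["last_seen"].isoformat(),
            "comment": f"sources={','.join(sorted(entry['sources']))} "
                       f"confidence={entry['confidence']}",
        })
    return {"Event": {"info": info, "Attribute": attributes}}


if __name__ == "__main__":
    library = consolidate({"feed_a": FEED_A, "feed_b": FEED_B}, now=NOW)
    print(json.dumps(build_event(library, "constructed consolidation example"), indent=2))
```

The point the script makes is the one the article attributes to the manual era: the difficult part is not pushing attributes into MISP but deciding, per indicator, what its window of validity is, how far to trust it, and whether it is still worth a customer's attention. Here the duplicate IP reported by both feeds ends up with one attribute, a widened first/last seen window and a higher confidence than either source alone, while the two-month-old hash stays in the library but is withheld from the export.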
“We quickly saw in ThreatQuotient the vendor best suited to our needs. We shared the same vocabulary (coming from the defence sector). The ThreatQ platform met our criteria and the technical level of the ThreatQuotient subject matter experts was excellent,” said Menissez.
From weekly delivery to continuous information
The deployment of ThreatQ allows Airbus Cybersecurity to meet its goals. “We can now deliver the same service and the same knowledge with the same quality as before, but much more quickly and with far fewer technical manipulations,” said Menissez. “And, obviously, it’s our customers who benefit. Airbus has gone from weekly information delivery to continuous information delivery.”

Better still, for slightly more mature customers who do not yet operate their own SOC but still have an internal CSIRT team, the Airbus team can now offer an optional tool capable of helping them capitalise on their knowledge.

The knowledge acquired during the customer’s internal investigations is seamlessly integrated into the ThreatQ platform to enrich the information delivered back to the customer via the Airbus service.

The ThreatQ platform is completely complementary to an existing MISP solution, allowing the customer to build up their own knowledge base adapted to their context. Customers also have the freedom to change their threat intelligence feeds and sources at any time, since they keep all of their data within the ThreatQ Threat Library and therefore all the knowledge acquired by their CSIRT.
52 Issue 26 | www.intelligentciso.com