Threat Intelligence Platform
Increase the effectiveness of threat analysis
Palo Alto Networks, the world’s leading cyber security company, has released the second version of its Threat Intelligence Management (TIM) module for Cortex XSOAR. It helps organizations get more out of the threat intelligence available to them.
The real strength of a threat intelligence platform lies in making information actionable, and in doing so before it is too late. That means automatically mapping threat information to incidents on the network and quickly understanding the connections between threat actors and attack techniques not previously seen in the environment.
Cortex XSOAR TIM 2.0 unlocks the power of threat intelligence resources. The Mission Control platform provides complete intelligence lifecycle management with unmatched visibility into the global threat landscape. It links threat intelligence to incidents in real time and automates the distribution of threat intelligence at scale.
Central Threat Intelligence library for enterprises
Palo Alto Networks bundles the threat data from its Unit 42 threat research team, giving customers access to a vast repository of highly reliable Palo Alto Networks threat data alongside their own collection of open-source threat data feeds.
Native correlation between indicators, incidents and information
Companies not only see in detail all the indicators related to their incidents, but also receive enriched strategic information: IT teams gain additional insight into the threat actors and attack techniques behind those indicators.
Easily discover and add new threat intelligence sources from the Marketplace
Since TIM launched last year, Palo Alto Networks has added 165 threat-specific integrations. With a single click, customers can instantly add a new feed integration and subscription.
Organizations using TIM 2.0 gain instant access to reliable threat data from the industry’s largest sources of network, endpoint, and cloud information. Every day, millions of malware samples and firewall sessions are collected and analyzed. This information is enriched by the context of the threat researchers of Unit 42 at Palo Alto Networks.
Self-service via the Cortex XSOAR Marketplace
With over 650 content packages in the Cortex XSOAR Marketplace, users can take advantage of threat intelligence feed automation packages and thousands of pre-built automation scripts for common and unique use cases of security incident response. If customers feel their feeds don’t cover enough threat areas, they can easily view and add threat data subscriptions directly from the marketplace. The ecosystem of over 100 threat data and enrichment partners includes launch partners VirusTotal, Flashpoint and Intel471. Other key partners include AlienVault, APIvoid, Cisco Umbrella, Cofense, Crowdstrike Falcon, Cybersixgill, DHS, Domaintools, IPInfo, Recorded Future, RiskIQ, SafeBreach, UrlScan, FireEye Threat Intelligence and many more.
Centralized Threat Intelligence Management
With Cortex XSOAR TIM 2.0, customers now have a central threat intelligence repository in which to store and manage tactical threat information (indicators of compromise) as well as strategic information about actors and attack techniques. Correlating these third-party sources with internal incidents surfaces connections between external threats and the customer’s own environment that security teams could not see before.
TIM 2.0 now supports structured relationships between intelligence objects, which give SOC and IR teams better alerts and more context: analysts can model their external threat landscape instead of working from flat indicator lists. Palo Alto Networks has redesigned the indicator layout, and updates to popular threat intelligence integrations make use of the richer data that STIX 2 objects carry, such as threat actors, tools, reports, malware, attack patterns, campaigns, courses of action, infrastructure and intrusion sets, together with the STIX relationship objects that link them.
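The two ideas in this section, matching an incident's observables against indicators and then following STIX 2 relationships out to malware, intrusion sets, attack patterns and courses of action, can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not Cortex XSOAR or Palo Alto Networks code and does not use their APIs. The bundle, the incident, and every id, name, hash and domain in them are constructed for the illustration; only the STIX 2.1 object types and relationship types are real. It handles only the equality comparisons that IOC feeds typically ship in indicator patterns, not the full STIX pattern grammar, and it deliberately includes one relationship whose target object is missing from the bundle, because feeds do deliver such dangling references and a correlation engine must not crash on them.

```python
"""Link an incident's observables to STIX 2.1 indicators, then walk the bundle's
relationship objects to pull malware, intrusion-set, attack-pattern and
course-of-action context for the incident.
Added illustration, not Cortex XSOAR or Palo Alto Networks code. The bundle, the
incident and every id, name and value in them are constructed for this example;
only the STIX 2.1 object and relationship types are real.
"""
import json
import re
from collections import defaultdict, deque

# Constructed STIX 2.1 bundle (hypothetical ids, names and values). The last
# relationship points at a tool object the feed never shipped: a dangling ref.
U = "0a1b2c3d-0000-4000-8000-0000000000"  # shared uuid prefix, for brevity
BUNDLE_JSON = r'''{"type": "bundle", "id": "bundle--%s01", "objects": [
 {"type": "indicator", "id": "indicator--%s10", "name": "ExampleRAT C2 domain", "pattern_type": "stix",
  "pattern": "[domain-name:value = 'update.example-bad.test']"},
 {"type": "indicator", "id": "indicator--%s11", "name": "ExampleRAT dropper", "pattern_type": "stix",
  "pattern": "[file:hashes.'SHA-256' = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'] OR [file:name = 'update.exe']"},
 {"type": "malware", "id": "malware--%s20", "name": "ExampleRAT", "is_family": true},
 {"type": "intrusion-set", "id": "intrusion-set--%s30", "name": "Example Group"},
 {"type": "attack-pattern", "id": "attack-pattern--%s40", "name": "Application Layer Protocol"},
 {"type": "course-of-action", "id": "course-of-action--%s50", "name": "Sinkhole the C2 domain"},
 {"type": "relationship", "id": "relationship--%s60", "relationship_type": "indicates", "source_ref": "indicator--%s10", "target_ref": "malware--%s20"},
 {"type": "relationship", "id": "relationship--%s61", "relationship_type": "indicates", "source_ref": "indicator--%s11", "target_ref": "malware--%s20"},
 {"type": "relationship", "id": "relationship--%s62", "relationship_type": "uses", "source_ref": "intrusion-set--%s30", "target_ref": "malware--%s20"},
 {"type": "relationship", "id": "relationship--%s63", "relationship_type": "uses", "source_ref": "malware--%s20", "target_ref": "attack-pattern--%s40"},
 {"type": "relationship", "id": "relationship--%s64", "relationship_type": "mitigates", "source_ref": "course-of-action--%s50", "target_ref": "indicator--%s10"},
 {"type": "relationship", "id": "relationship--%s65", "relationship_type": "indicates", "source_ref": "indicator--%s10", "target_ref": "tool--%s99"}
]}'''.replace("%s", U)

# One equality comparison inside a STIX pattern, e.g. file:hashes.'SHA-256' = '...'.
_COMPARISON = re.compile(r"([\w\-]+:[\w\.\-'\[\]\*]+)\s*=\s*'([^']*)'")

def pattern_terms(pattern):
    """(path, value) equality terms of a STIX pattern, normalised for comparison.
    Only equality comparisons are extracted (what IOC feeds overwhelmingly ship);
    a pattern built solely on temporal qualifiers, FOLLOWEDBY or MATCHES yields
    no terms and so never matches, which is the safe failure mode."""
    return {(p.replace("'", "").lower(), v.lower()) for p, v in _COMPARISON.findall(pattern)}

def observable_terms(obs):
    """Flatten an incident observable into the same (path, value) terms."""
    t = obs["type"]
    terms = {(f"{t}:{k}".lower(), str(v).lower()) for k, v in obs.items() if k not in ("type", "hashes")}
    terms |= {(f"{t}:hashes.{algo}".lower(), d.lower()) for algo, d in obs.get("hashes", {}).items()}
    return terms

class ThreatGraph:
    """Indicators plus the relationship graph of a parsed STIX bundle."""
    def __init__(self, bundle):
        self.objects = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
        self.edges = defaultdict(list)  # id -> [(relationship_type, neighbour_id, outgoing?)]
        for o in bundle["objects"]:
            if o["type"] == "relationship":
                self.edges[o["source_ref"]].append((o["relationship_type"], o["target_ref"], True))
                self.edges[o["target_ref"]].append((o["relationship_type"], o["source_ref"], False))

    def match_indicators(self, observables):
        """Indicators whose pattern contains any term observed in the incident."""
        seen = set().union(*map(observable_terms, observables))
        return [o for o in self.objects.values()
                if o["type"] == "indicator" and pattern_terms(o["pattern"]) & seen]

    def context(self, start_ids, max_hops=3):
        """Breadth-first walk over relationships from the matched indicators.
        Returns ({object_type: sorted names}, [human-readable hops walked])."""
        found, hops, visited = defaultdict(set), [], set(start_ids)
        queue = deque((i, 0) for i in start_ids)
        for i in start_ids:
            found["indicator"].add(self.objects[i]["name"])
        while queue:
            cur, depth = queue.popleft()
            if depth >= max_hops:
                continue
            for rel, nxt, outgoing in self.edges[cur]:
                obj = self.objects.get(nxt)
                if nxt in visited or obj is None:  # already seen, or dangling ref
                    continue
                visited.add(nxt)
                found[obj["type"]].add(obj["name"])
                a, b = self.objects[cur]["name"], obj["name"]
                hops.append(f"{a} -{rel}-> {b}" if outgoing else f"{a} <-{rel}- {b}")
                queue.append((nxt, depth + 1))
        return {t: sorted(n) for t, n in found.items()}, hops

def enrich_incident(observables, bundle_json=BUNDLE_JSON):
    """Match the incident's observables; return (matched indicators, context, hops)."""
    graph = ThreatGraph(json.loads(bundle_json))
    matched = graph.match_indicators(observables)
    ctx, hops = graph.context([m["id"] for m in matched])
    return matched, ctx, hops

# Constructed incident: a DNS lookup and a dropped file seen on one endpoint.
INCIDENT = [
    {"type": "domain-name", "value": "UPDATE.example-bad.test"},
    {"type": "file", "name": "svchost_update.exe",
     "hashes": {"SHA-256": "0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef"}},
]

if __name__ == "__main__":
    matched, ctx, hops = enrich_incident(INCIDENT)
    print(json.dumps(ctx, indent=1), *hops, sep="\n")
```

Running it against the constructed incident matches both indicators (note the case normalisation on the domain and the hash, and that the differing file name does not matter because any one term suffices) and walks out to the malware family, the intrusion set that uses it, the attack pattern it uses and the course of action that mitigates the C2 indicator; the reference to the missing `tool` object is skipped silently. Feeding only the file hash still surfaces the C2 domain indicator as a related IOC via the shared malware object, which is the practical payoff of relationship-aware intelligence: the SOC learns what else to hunt for before it appears in a log.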
Combination of TIP and SOAR
While current threat intelligence platforms (TIPs) can aggregate, correlate and even share or distribute threat data, they leave out a critical part of the threat intelligence management cycle: turning that data into a response. Linking a TIP to SOAR (Security Orchestration, Automation and Response) extends workflow automation and case management to the threat data management process. More importantly, customers gain a single repository for their threat data (indicators) and their incidents, so that external threats can be correlated with what is actually happening on their network. It is this combination that makes it possible to enrich incidents with information about threat actors and attack campaigns and so understand their impact, and to fine-tune defensive measures to deliver the right response at the right time.