ThreatConnect’s new version of CAL provides intel about an organization’s threats and indicators
ThreatConnect, provider of the industry’s only intelligence-driven security operations platform, announces its latest version of CAL (Collective Analytics Layer), its cloud-based analytics engine which offers immediate insight into the relevance and pervasiveness of threats and indicators of compromise.
With billions of data points being provided by thousands of participating users and hundreds of other sources, CAL offers global context that has never before been available.
Drew Gidwani, Sr. Director of Research and Analytics said, “We launched CAL to solve the dynamic problems of indicator of compromise reputation, classification, as well as threat tactic and technique correlation, and recommendations for defensive action against them.”
First released more than two years ago, CAL provides anonymized, crowdsourced intel about an organization’s threats and indicators. CAL leverages the collective insight of the thousands of analysts who use the ThreatConnect Platform worldwide, to provide an enhanced framework regarding indicators and threats.
Gidwani continued, “Today, CAL has billions of data points that it can bring to bear to power its analytics—and we’re adding more every day. Built into the Platform is an analytics engine powered by our collective insight to answer questions our users have about threat intelligence; at times, prior to them even knowing to ask the questions.”
Since its initial iteration, CAL has offered a means to determine indicator reputation with scoring, the ability to apply Classifiers to indicators to enable faster decision-making, a continuously updated indicator status to decrease the amount of time spent on false positives, and the evaluation of data feed performance.
With the newest release, ThreatConnect adds improved functionality
Pulling in approximately 100,000 newly registered domains daily, which serve as a rich hunting ground. While not inherently malicious, being relatively new makes them interesting. When combined with ThreatConnect’s reputation analytics and correlated with open source and proprietary datasets, the identity of malicious hosts can be found — sometimes before they’re reported by paid or OSINT feeds.
Better tracking of well-known, benign IP ranges. ThreatConnect dynamically tracks over a thousand IP ranges, which better determines indicator status for thousands of IP addresses. This provides less distraction in the Platform for CAL participants, and a demonstrable reduction in disruption in SIEM alerts.
These IPs generated 3.5 million benign observations which saved thousands of analyst hours in one month alone, and CAL is silencing these disruptions moving forward.
TLD validation to identify over 450k hosts that were adding noise to analyst workflows. Rather than rely on regular expressions to control for proper hostname identification, CAL can remove the clutter by using the latest TLD listings. Removing these junk “indicators” from investigations and alerts helps to make analysts more efficient and less fatigued.
Improved tracking of Dynamic DNS domains, allowing the Platform to better pinpoint hosts and URLs that are using one of thousands of dynamic DNS providers. ThreatConnect’s improved tracking has identified more than 500k hosts using these providers, allowing analysts to better tailor their infrastructure investigations to accommodate this volatile infrastructure technique.