
How to Operationalize Cyber Threat Intelligence for Government and Achieve Collective Defense

Tom Stockmeyer

Managing Director, Government and Critical Infrastructure, Cyware

Most government organizations are not suffering from a lack of threat data; they’re struggling to make that threat data useful.

At Cyware, we’ve seen that making threat intelligence useful comes down to three capabilities: integrating threat intelligence with disparate tools, automating threat intelligence processes, and sharing intelligence through channels that work in real time.

Through our Carahsoft partnership and other critical infrastructure public sector partnerships in the energy, maritime, aviation, rail, health and education sectors, we’ve been able to work extensively on how to best operationalize threat intelligence.  

We’ve used our unique vantage point in the public sector to uncover the process, technology and workflow roadblocks that get in the way of achieving collective defense. And we’ve incorporated those learnings into our platform design to remove those roadblocks, helping state, local, tribal and territorial (SLTT) organizations make threat data more useful.

SecOps Challenges Facing Government Today 

The issues we see time and again revolve around operationalizing the vast amounts of threat intelligence public entities already have at their fingertips. For example, Cyware is working with a large US state that thought they had the best of everything: top-of-the-line EDR, SIEM, firewall, sandboxing and more. The state was 3 years into what was marketed as the industry-leading threat intelligence platform but still couldn’t get the platform to connect to anything via STIX/TAXII.

After 60 minutes of testing the Cyware Threat Intelligence Exchange Platform for STIX/TAXII connections with MS-ISAC and 4-5 of their internal tools, the state proved how easy it was to connect via STIX/TAXII using the Cyware platform and decided to move forward with more rigorous testing.

Another problem the state had was operationalizing phishing intelligence. (We frequently see similar phishing use case challenges across public sector organizations.) The state needed a way to automate the process of ingesting an email, sandboxing it, gleaning threat intel, and disseminating that intelligence. Again, their industry-leading sandboxing tool just wasn’t cutting it. Cyware sandboxing solved the state's phishing automation challenge.

"Thanks for the amazing work on this. You've been able to do in a couple of weeks what another company that only does sandboxing could not achieve. The other company wasted one year and $120,000 of state taxpayer dollars and wasn’t able to do what Cyware already achieved." State - Director of Threat Intel Operations

What I’m hoping to illustrate by these real-world case studies is that many of the SecOps challenges that public sector organizations face are:

  • Real-time threat intel integration 
  • Automation of incident response 
  • Cross-agency collaboration and collective defense 
  • Improving SIEM/SOAR effectiveness 

Where the Breakdown Is Happening 

It’s easy to see that other threat intelligence solutions are not doing the job that SLTT agencies need. Other platforms bring in threat data, yes, but still leave teams with too much to do themselves and do not make it any easier to take action. 

As we like to say, a threat intelligence platform is just a “big bucket of useless data” unless you take it a step further. How are you going to act on that data? How do you integrate it with existing tools?

And that’s where today’s other threat intelligence tools make things tough. Other tools place much of the value-add legwork on SOC teams, who are already overworked:

  • Take something like a PDF, CSV, or piece of text and convert it to STIX. 
  • Parse it out and create an investigation report. 
  • Disseminate the data to all the agencies that depend on the SOC for threat intelligence. 

This less-than-desirable process takes time, creates burnout, increases turnover, and makes the job altogether less enjoyable, resulting in a less productive staff with poorer output. This is the unfortunate position most agencies find themselves in when they contact Cyware. They know how to do it—they just wish there were an easier way.

There is.  

How Cyware and Carahsoft Automate and Operationalize Threat Intelligence 

Let’s drill down into the specifics of how Cyware is able to help SLTT agencies do what other solutions can’t. This is how Cyware takes the problems previously illustrated and provides government agencies with what they are looking for:  

  • Bidirectional threat intelligence sharing: STIX/TAXII support
  • Automated and integrated end-to-end processes 
  • The ability to do all this at scale with the team the agency already has. 

STIX/TAXII Support 

Cyware, in partnership with Carahsoft, brings itself closer to public sector teams interested in improving threat intelligence actioning. When we engage, we don’t leave until SLTT organizations are able to receive and disseminate threat intelligence via easy and automated STIX/TAXII standards. 

  • Cyware supports all versions of STIX (1, 2, 2.1): We know that organizations and their internal tools will sit at different maturity levels where STIX is concerned, and Cyware’s STIX translator is designed to accommodate all STIX versions. We ingest all data types and perform any authentication necessary to map data to STIX, so that the data can interact smoothly with other agency internal tools.
  • Easy outbound sharing with TAXII support: If an agency team is responsible for sharing threat intelligence with other agencies, Cyware makes this easy for both parties. Just add the other agencies as STIX subscribers in Cyware, and the other stakeholder agency teams can access the Cyware TAXII server with a username and password. Your team decides what threat intelligence each stakeholder gets by automatically placing different data sets in differently curated STIX collections. Cyware makes things easier with a set-and-forget threat sharing format.
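To make the two pieces of legwork above concrete (turning a CSV of indicators into STIX, and sorting the result into curated collections so each stakeholder only sees its own tier), here is an added example using only the Python standard library; it is not Cyware's code or the platform's API, the feed rows are constructed, and the TLP marking-definition ids are placeholders generated in the block rather than the fixed ids the STIX 2.1 specification defines.

```python
# Added example (stdlib only, not Cyware's code): CSV feed -> STIX 2.1 Indicators per TLP.
import csv, io, uuid
from datetime import datetime, timezone

# Constructed sample feed (not from the original page); the last row is malformed.
SAMPLE_CSV = ("type,value,tlp\n"
              "ipv4-addr,203.0.113.10,amber\n"
              "domain-name,phish.example.invalid,green\n"
              "sha256," + "a" * 64 + ",amber\n"
              "url,http://example.invalid/o'brien,amber\n"
              "bogus,whatever,green\n")
# CSV "type" column -> STIX object path used in the comparison expression.
PATTERN_PATHS = {"ipv4-addr": "ipv4-addr:value", "domain-name": "domain-name:value",
                 "url": "url:value", "sha256": "file:hashes.'SHA-256'"}
TLP_LEVELS = ("white", "green", "amber", "red")
NS = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed namespace

def tlp_marking_id(level):
    # Placeholder ids; the STIX 2.1 spec defines fixed TLP marking-definition ids.
    return "marking-definition--" + str(uuid.uuid5(NS, "tlp:" + level))

def csv_to_indicators(text):
    """Return STIX 2.1 Indicator dicts; rows that cannot be mapped are dropped."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        kind = (row.get("type") or "").strip()
        value = (row.get("value") or "").strip()
        tlp = (row.get("tlp") or "").strip().lower()
        if kind not in PATTERN_PATHS or not value or tlp not in TLP_LEVELS:
            continue  # unknown type, empty value or bad marking: skip, never guess
        # STIX patterning escapes a single quote inside a string literal as \'
        pattern = "[%s = '%s']" % (PATTERN_PATHS[kind], value.replace("'", "\\'"))
        out.append({
            "type": "indicator", "spec_version": "2.1",
            # uuid5 of the pattern keeps re-ingestion of the same feed idempotent
            "id": "indicator--" + str(uuid.uuid5(NS, pattern)),
            "created": stamp, "modified": stamp, "valid_from": stamp,
            "name": kind + " " + value, "pattern": pattern, "pattern_type": "stix",
            "object_marking_refs": [tlp_marking_id(tlp)]})
    return out

def route_to_collections(indicators):
    """Bucket indicators by TLP so each stakeholder collection gets only its tier."""
    by_marking = {tlp_marking_id(l): "tlp-" + l for l in TLP_LEVELS}
    cols = {}
    for ind in indicators:
        cols.setdefault(by_marking[ind["object_marking_refs"][0]], []).append(ind)
    return {n: {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": o}
            for n, o in cols.items()}
```

Each returned bundle is the payload you would publish to the matching TAXII collection; the malformed fifth row is dropped rather than turned into a guessed pattern.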

As one of our public-sector clients puts it:

“We were able to connect the Cyware platform with external intelligence exchanges and our own internal tools via STIX/TAXII in one hour. We accomplished more in one hour than we did with our previous TIP provider in one year.” 

Automated and Integrated End-to-End Threat Intelligence 

Cyware’s platform can automatically ingest, normalize, configure, corroborate, enrich, and disseminate threat data, so government workers don’t have to.

Much of what we are able to accomplish is due to our 400 integrations. To showcase just a few: 

  • ServiceNow: 37 out-of-box actions supported
  • CrowdStrike: 72 out-of-box actions supported
  • Splunk: 20 out-of-box actions supported 

Operationalized Threat Intel at Scale 

Cyware automates what is typically a long and time-consuming manual process, giving cycles back to the public sector teams that need it the most. Nearly every agency is dealing with skilled workforce shortages; Cyware’s platform puts government teams back on track, empowering them to do what they need to do in order to protect critical infrastructure and provide uninterrupted critical services.  

Cyware also acts as an extension to client teams by assigning a client success manager to each agency to ensure that one-on-one or online training takes place and enhanced support is readily available.  

“We did a major version upgrade and were extremely happy with Cyware’s open communication about expectations and rapid response to resolve a couple of issues,” said one key practitioner on the cyber threat team. “Our former TIP vendor never did this.”

Conclusion 

Cyware’s platform responds to one of the most pressing cybersecurity problems in the public sector: the need to make threat intelligence useful.

By automating the threat intelligence lifecycle and removing the burden of STIX/TAXII alignment, integrations, and intelligence dissemination, Cyware is operationalizing threat intelligence for government entities that need real data, in real time, in order to take necessary actions to protect critical infrastructure and provide uninterrupted critical services.  

If you want to learn how to operationalize threat intelligence and achieve collective defense, make sure to listen to this webinar hosted by Carahsoft and Cyware.

Need more insight? This is how governments and the public sector can strengthen their cyber defenses with Cyware.