Anomali: Threat detection, investigation and response

In this Help Net Security podcast recorded at RSA Conference 2019, Nicholas Hayden, Senior Director of Threat Intelligence at Anomali, talks about how Anomali arms security teams with highly optimized threat intelligence, powered by machine learning.

anomali threat detection

Here’s a transcript of the podcast for your convenience.

Hello, my name is Nicholas Hayden. I’m the Senior Director of Threat Intelligence for Anomali. Today on Help Net Security we will be talking about Anomali’s community edition products in addition to our premium products.

To start off, we’ll talk about the community addition of threat intelligence platform, which we call STAXX. It’s a free product that you can download and the great thing about it is that it’s STIX and TAXII 1.x and 2.x compatible.

anomali threat detection

It allows you to go in and browse the IOC, the information that’s being passed down, and then it also allows you to push that information down to end products. What we’re doing is seeing a lot of community people developing add-ons to it or integrations to it. Think about it as this collection database where it’s pulling all this information in, it’s normalizing it and allowing you to push that to where you want it to be. That’s typically how we’re seeing people utilize the Anomali STAXX product.

anomali threat detection

When you move to the paid version or the enterprise version, which is ThreatStream, you get a lot more with it. You have custom integrations, custom enrichments, we have pre-built intelligence feeds where we partner with intelligence providers out there (CrowdStrike, Intel 471). They create the data and it automatically ingests into our platform. You can assign for a paid subscription with them.

In addition to that, we have the ability to do indicator expansion. If you add an IOC or a piece of data point into the platform, you can then pivot off it to determine whether or not it’s malicious or not. The real bread and butter of ThreatStream is the ability to take all this massive amount of data that’s coming in, potentially millions and millions of indicators of compromise coming in on daily basis, that goes into our automated intelligence that’s built into it, to go through and automatically score it.

When you want to get the data out of the platform, using something we called integrator, to push down to your end points in order to block those malicious endpoints from coming at you, you can then setup a filter. Let’s say you only want to block something that has a confidence of 90 or higher. Because we have that machine learning in there that allows you to filter that data out, normalize it and push down to your end points, a smaller data set, as opposed to trying to block the entire Internet all at once.

anomali threat detection

Those are just a couple of the main differentiators. With the community addition, we give you the ability to start off, to get the data into a product that you can then massage and push out to your end points. It takes a little bit of work, because the integrations aren’t pre-built in, but the options are there, utilizing the STIX and TAXII framework.

With Anomali ThreatStream we’ve done a lot of that legwork for you, we have a lot of the intelligence feeds already coming in for you. I believe we’re up to over 200+ community feeds that are generated, that you have access to immediately upon coming into the platform. We’ve also already done a lot of the custom integrations down to your end point.

Let’s say you have Splunk, let’s say you have ArcSight, we’ve already done those custom integrations, so you don’t have to do that. You get more, but the design of ThreatStream is really for people who have the ability, who have a little bit more of a mature threat intelligence program, to get the most out of the data that they’re collecting.

If you’d like to get your hands on the free community edition, just go to anomali.com/staxx.