How Airbus CyberSecurity is Scaling and Enriching Threat Intelligence with ThreatQ
Posted by Liz Bush
Mention the name “Airbus” and many people think of aircraft, particularly the iconic A380 – the first full, double-deck jet airliner. But there are many facets to this Global 500 aerospace and defense leader, including Airbus CyberSecurity, a cybersecurity division that is more than 900 people strong and includes a thriving Managed Security Services business.
Consistent with its commitment to innovating with products and people-centric services, nearly a decade ago Airbus CyberSecurity identified and tapped into a growing need for threat intelligence services. As they investigated cyber attacks for clients, they used threat intelligence to provide contextualized alerts that went beyond lists of IP addresses and other indicators of compromise (IoCs). An IoC on its own only says that something matched; enriching the alert with relevant context (which campaign the indicator belongs to, which attacker infrastructure it is part of, which sectors or organizations that campaign targets) turns it into a decision-making tool that lets a security analyst answer whether the activity is relevant to a particular organization and how urgently it needs attention.
Airbus CyberSecurity’s belief that “threat intelligence is at the heart of the SOC’s capacity to react” was validated every day by their analysts and their clients. Within a few years, their threat intelligence capability became so popular that they decided to offer it as a service to clients who operated their own SOC, first by sharing flat files and then by disseminating information through a MISP (Malware Information Sharing Platform) instance. While MISP was a leap forward in efficiency and effectiveness for sharing threat intelligence, acquiring and consolidating threat data into it wasn’t easy: the Airbus team had to use a variety of open source tools that required scripting and manual processes. When demand started to outpace the team’s ability to scale, they turned to the ThreatQ platform.
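The enrichment step described above, as an added illustration that is not code from Airbus CyberSecurity, MISP or ThreatQ: raw firewall alerts are matched against the indicators in a MISP-style event export, and every match carries the campaign name, targeted sectors and TLP marking of the event it came from, so the analyst sees why the indicator matters rather than just that it matched. The event export is a constructed, heavily simplified imitation of MISP's JSON shape (only `info`, `Tag` and `Attribute` are used, and the `sector="…"` tag convention is an assumption for this example); the log lines and the relevance rules are likewise constructed for illustration.

```python
"""Enrich key=value firewall alerts with campaign context from a MISP-style export."""
import re
from collections import defaultdict

# Constructed sample data: a simplified MISP-like event export. Real MISP JSON
# carries many more fields; only info, Tag and Attribute are used here.
EVENTS = [
    {"Event": {
        "info": "Spear-phishing campaign against European aerospace suppliers",
        "Tag": [{"name": 'misp-galaxy:sector="aerospace"'}, {"name": "tlp:amber"}],
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.10", "comment": "C2 server"},
            {"type": "domain", "value": "update-check.example", "comment": "payload staging"},
        ]}},
    {"Event": {
        "info": "Commodity banking trojan distribution",
        "Tag": [{"name": 'misp-galaxy:sector="finance"'}, {"name": "tlp:green"}],
        "Attribute": [
            {"type": "ip-dst", "value": "198.51.100.7", "comment": "loader download"},
        ]}},
    {"Event": {
        "info": "Bulletproof hosting range reused across campaigns",
        "Tag": [{"name": "tlp:white"}],  # no sector tag: relevance cannot be judged
        "Attribute": [
            {"type": "ip-src", "value": "203.0.113.10", "comment": "scanning source"},
        ]}},
]

# Constructed firewall log lines (key=value after an ISO timestamp).
ALERTS = [
    "2024-05-01T10:00:00Z action=deny src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-05-01T10:00:05Z action=deny src=10.0.0.9 dst=198.51.100.7 dport=80",
    "2024-05-01T10:00:09Z action=allow src=10.0.0.7 dst=192.0.2.1 dport=443",
]

SECTOR_RE = re.compile(r'sector="([^"]+)"')   # assumed tag convention
KV_RE = re.compile(r"(\w+)=(\S+)")
IP_TYPES = {"ip-src", "ip-dst"}


def build_index(events):
    """Map (kind, value) -> list of context records, one per event carrying it.

    IP attributes are keyed as 'ip' regardless of direction, so an alert's
    destination can match an 'ip-src' attribute and vice versa; one indicator
    seen in several campaigns therefore yields several context records.
    """
    index = defaultdict(list)
    for wrapper in events:
        ev = wrapper["Event"]
        tags = [t["name"] for t in ev.get("Tag", [])]
        sectors = {m.group(1).lower() for m in map(SECTOR_RE.search, tags) if m}
        tlp = next((t for t in tags if t.startswith("tlp:")), None)
        for attr in ev.get("Attribute", []):
            kind = "ip" if attr["type"] in IP_TYPES else attr["type"]
            index[(kind, attr["value"])].append({
                "campaign": ev["info"],
                "sectors": sorted(sectors),
                "tlp": tlp,
                "role": attr.get("comment", ""),
            })
    return index


def parse_alert(line):
    """Split a constructed 'timestamp k=v k=v ...' line into a dict."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def enrich_alert(line, index, client_sectors):
    """Attach every matching context record and a relevance verdict.

    high    - at least one matching campaign targets one of the client's sectors
    low     - matches exist and all carry sector tags, none of them the client's
    unknown - matches exist but none carries a sector tag (do not auto-dismiss)
    none    - no indicator in the alert is known
    """
    alert = parse_alert(line)
    contexts = []
    for key in ("src", "dst"):
        if key in alert:
            contexts.extend(index.get(("ip", alert[key]), []))
    known = {s for c in contexts for s in c["sectors"]}
    if not contexts:
        relevance = "none"
    elif known & {s.lower() for s in client_sectors}:
        relevance = "high"
    elif known:
        relevance = "low"
    else:
        relevance = "unknown"
    return {**alert, "context": contexts, "relevance": relevance}


if __name__ == "__main__":
    idx = build_index(EVENTS)
    for line in ALERTS:
        enriched = enrich_alert(line, idx, {"aerospace"})
        print(enriched["dst"], enriched["relevance"],
              [c["campaign"] for c in enriched["context"]])
```

The verdict is deliberately four-valued: an indicator whose only context carries no sector tag is reported as "unknown" rather than "low", because the absence of targeting information is not evidence that the client is not targeted. In a real deployment the index would be built from the MISP REST API or a ThreatQ export rather than an inline list, and matching would cover domains, hashes and URLs from proxy and EDR logs as well as IPs.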
With ThreatQ, they were able to improve the service in terms of freshness of information, reliability, context and related data. Soon they were able to transition from weekly delivery to a continuous flow of personalized, relevant threat intelligence. Clients can add or change threat intelligence feeds and sources at any time, and even clients without an internal SOC can keep a local log of incidents and investigation reports for use by their incident response teams.