August 30, 2018 • Zane Pokorny
In a recent webinar hosted by Recorded Future, Technology Advocate Chris Pace and guest speaker Rodrigo Bijou spoke at length about the ways Recorded Future’s new threat intelligence platform, Fusion, helps Bijou overcome the myriad cybersecurity challenges he faces as the senior manager at the Gap Cyber Defense Center, which covers Gap and its subsidiaries, including Old Navy, Banana Republic, and Athleta.
With nearly 3,600 stores and over 135,000 employees worldwide across its various brands, Gap’s security challenges cover the gamut of loss prevention, fraud, corporate security, the need to keep its customers’ personally identifiable information private, and more. To say the least, the global retailer’s cybersecurity needs are complex.
In Bijou’s role as senior manager, he coordinates the flow of intelligence between the Cyber Defense Center’s red and blue teams. For the red team, that means using threat intelligence to look across open web and dark web sources for attacks targeting vulnerabilities similar to the ones in his organization’s systems, giving the team proven concepts to try exploiting. And for the blue team, Bijou strives to develop a shared understanding of threats across the different parts of the team — some deal with monitoring and incident response, some with vulnerability management, some with network security, and so on.
To facilitate the flow of intelligence across such a diverse group, Bijou and his team decided to implement Fusion, a critical component of the all-in-one threat intelligence solution from Recorded Future. Oriented toward centralization and customization, Fusion lets users incorporate proprietary data feeds, create customized risk lists, and develop a centralized repository of notes, keeping everyone on the same page.
Although they’re all operating in the same environment, each team uses Fusion in slightly different ways, said Bijou. For the monitoring and incident response team, for example, that means “disseminating indicators and being able to go hunt in our environment together,” while the vulnerability management group focuses on “providing the high-quality intelligence and assessments for the platforms that they manage.”
Across the board, though, the teams at Gap use Fusion to automate their data collection and display it in one place, in a format that’s easy to work with. For example, some of the threat intelligence they receive comes as unstructured data in emails, or in PDF reports that aren’t easily integrated into their deeper pools of data. In addition, they also receive weekly reports that include thousands of domains, hashes, URLs, and IP addresses.
The team needs a way of bringing it all together and sorting out the bad data — something that Fusion provides. “It’s having a well-structured process that’s critical for both having up-to-date defenses and getting that [quick] return on analyst times,” Bijou said. “If we’re persistently alerting on some indicators, we have fewer false positives for analysts to waste time clearing out.”
Before incorporating new threat intelligence into their already existing SIEM, Bijou’s team demands that it be highly accurate (he calls it “high confidence”), highly contextual, and come out in a flexible, easy-to-use format.
To have high confidence, Bijou’s teams use pre-built blacklists and whitelists that help them increase the quality and fidelity of the data they see and reduce false positives. They draw on both Recorded Future data and lists from their other third-party partners, providing context and increasing the signal-to-noise ratio enough that they don’t have to buy other tools or look for more data outside of the Fusion platform.
As to why it needs to be highly contextual, Bijou said that “if we’re delivering it to another team, we need to explain why we care.” Custom risk rules, internal metadata like tags and descriptions, and easy handling and export functions help inform the decisions his teams make so that they don’t, for example, block access to a business partner trying to reach legitimate services.
Gap’s teams also use rules, such as how long a particular exploit kit has been in use, to differentiate between targeted attacks and commodity malware. Different rules can tell the team whether the indicators of compromise they’re looking at might be common and widely distributed or custom-built and rare. Other rules can show historical links to previous attacks, making timelines easier to conceptualize.
When using Fusion, Bijou explains, “you’ll have these indicators and then the [work]flow is simply a programmatic thing you construct to run against the indicator,” making it easier to build into their existing workflows. “It can take in different rules, it can take different lists, and it can also run on a daily or weekly basis.”
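As an added illustration of the workflow the last few paragraphs describe (this is not Fusion's code or the Gap team's, and it uses no Fusion API), here is a small indicator-triage script: a weekly feed of domains, hashes and IPs is run through an allowlist of partner infrastructure, an internal blocklist, and rules that mark indicators as commodity or custom, and each surviving row carries the reasons so the receiving team knows why it matters. Every feed value, list entry, tag and threshold below is constructed.

```python
from datetime import date

TODAY = date(2018, 8, 30)  # constructed run date for the weekly job
# Constructed weekly feed: the kind of domain/hash/IP list the article mentions.
FEED = [
    {"type": "domain", "value": "partner-sftp.example.net", "source": "vendor-pdf",
     "first_seen": date(2018, 8, 20), "tags": ["phishing"]},
    {"type": "ip", "value": "203.0.113.10", "source": "weekly-csv",
     "first_seen": date(2017, 1, 5), "tags": ["exploit-kit:generic"]},
    {"type": "hash", "value": "0123456789abcdef0123456789abcdef", "source": "email",
     "first_seen": date(2018, 8, 28), "tags": ["custom-loader"]},
    {"type": "domain", "value": "update-check.example.org", "source": "weekly-csv",
     "first_seen": date(2018, 8, 27), "tags": []},
]
ALLOWLIST = {"partner-sftp.example.net"}  # legitimate business partner, never block
BLOCKLIST = {"203.0.113.10"}              # confirmed bad in a prior incident (constructed)

def rule_age(ind, today):
    """Exploit-kit infrastructure seen for over a year is commodity: lower priority."""
    age = (today - ind["first_seen"]).days
    if any(t.startswith("exploit-kit:") for t in ind["tags"]) and age > 365:
        return -20, "commodity exploit kit, in use %d days" % age
    return 0, None

def rule_custom(ind, today):
    """Rare, custom-built tooling points to a targeted attack: raise priority."""
    return (60, "custom/rare tooling") if "custom-loader" in ind["tags"] else (0, None)

def rule_blocklist(ind, today):
    return (90, "on internal blocklist") if ind["value"] in BLOCKLIST else (0, None)

RULES = [rule_age, rule_custom, rule_blocklist]

def triage(feed, today, threshold=50):
    """Drop allowlisted values, apply every rule, keep indicators at or above threshold.
    Each kept row carries its reasons, which is the context a SIEM alert should show."""
    kept = []
    for ind in feed:
        if ind["value"] in ALLOWLIST:
            continue
        score, reasons = 0, []
        for rule in RULES:
            delta, why = rule(ind, today)
            score += delta
            if why:
                reasons.append(why)
        if score >= threshold:
            kept.append({"value": ind["value"], "type": ind["type"],
                         "risk": min(score, 99), "why": "; ".join(reasons)})
    return kept
```

Raising the threshold is how the analysts trade volume for confidence: at 65 only the blocklisted IP survives, at 50 the custom loader hash is kept too, and the partner domain never reaches the SIEM.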
One of the biggest improvements that the team at Gap has found with their new workflows is that they “can do it all in one place.” Fusion provides a tool where “we can put all those [indicators of compromise] in one place to analyze at the same time, so we don’t just have to analyze an attacker infrastructure or network infrastructure, as opposed to their malware.”
Using the product has shown a clear return on investment to Bijou’s team at Gap in terms of allowing his analysts to use their time more efficiently. “They’re spending less [time] a month on these kinds of indicators that were low quality,” he said. “We’re saving money.”
But the biggest return on investment that he has seen — and the biggest advantage to managing their threat intelligence through an all-in-one platform — is better relationships across not only the different cybersecurity teams he manages, but also with other departments in the organization at large.