How You Can Increase the Productivity of Security Analysts

The cybersecurity skills shortage has many organizations scrambling to find more talent and to find ways to make the analysts they already have more productive. To provide some insight into one possible way of alleviating this problem, we spoke with Caitlin Huey, senior threat analyst for EclecticIQ Fusion Center.

Caitlin Huey, senior threat analyst for EclecticIQ Fusion Center

Caitlin has been working as an intelligence analyst since 2013 focusing on critical infrastructure, darknet activity, and malware-as-a-service platforms. After receiving a Master’s Degree at the University of Pittsburgh in Security Studies and Intelligence, she started working for the National Cyber-Forensics and Training Alliance (NCFTA), a cybersecurity non-profit organization in Pittsburgh. With the NCFTA, she supported industry and law enforcement in identifying and mitigating various cyber-enabled threats. In 2017, she joined EclecticIQ as a threat intelligence analyst supporting EclecticIQ Fusion Center.

EclecticIQ is a technology provider. It delivers a threat intelligence platform and is not, in the traditional sense, an intelligence provider. Rather, it provides the platform needed to boost the effectiveness of its customers' security teams, into which the traditional sources of Cyber Threat Intelligence (CTI), potentially many suppliers and providers of threat intelligence, can be fed. In addition to the platform, the company's EclecticIQ Fusion Center delivers thematic intelligence bundles, which provide a curated single source of relevant cyber threat intelligence from leading suppliers.

The problem is, of course, that it is nearly impossible to manually comb through thousands of daily alerts and understand which are the most important. The EclecticIQ platform is built specifically with analyst teams in mind. It enables analysts to build a picture of the threat landscape for their organization by streamlining the consumption of threat intelligence coming from internal and external sources.

Enter EclecticIQ Fusion Center – the fusion center delivers thematic intelligence bundles which provide customers with a single curated source of relevant Cyber Threat Intelligence (CTI) from leading global suppliers. Using the very same platform that EclecticIQ provides to its customers, the fusion center delivers a fully fused, STIX-compatible intelligence stream that is customized for each customer. It is qualified, clustered, and categorized, which lets customers quickly apply their own priority and relevance. EclecticIQ Fusion Center gives analysts what they need to focus on the highest-priority tasks for their organization.

What of STIX and TAXII? – EclecticIQ believes in giving back to the communities it serves with open-source software, namely OpenTAXII – an open-source Trusted Automated eXchange of Indicator Information (TAXII) server – and Cabby – an open-source TAXII client. To complement these, it offers a couple of free services: a TAXII service that people can use for testing, and access to open-source intelligence feeds.

Both Structured Threat Information eXpression (STIX) and TAXII are standards governed by the OASIS non-profit consortium, which drives the development, convergence, and adoption of open standards for the global information society. EclecticIQ is an active contributor, not only to the STIX and TAXII standards but to other OASIS committees as well.

STIX is a way of formalizing how a cyber adversary can be described: the tools they use, how they work together, and whom they target. At the other end of the spectrum, it also provides a method for describing how to defend against these threats. The standard enables teams to share this intelligence more effectively within their communities.

To make this sharing more productive and more standardized, TAXII was created. It is a standard set of services and message exchanges that enable organizations to communicate this information.

These two standards are a large part of the EclecticIQ platform, which uses the STIX data model as the basis for representing knowledge about threats. At the core is the power of the graph for communicating information: graphs allow large amounts of data to be visualized, so analysts can make sense of it without having to dig through lists of information.
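As an added illustration (not code from EclecticIQ or from this article), the following Python script builds a small, constructed STIX 2.1 bundle of the kind a TAXII collection would serve (a threat actor, a malware family, an indicator, a course of action, and the relationships between them), loads it into a graph of typed edges, flags relationships whose references do not resolve inside the bundle, and walks the graph outward from the actor. All object names, the indicator pattern, and the IDs are constructed sample values.

```python
import json
import uuid
from collections import defaultdict

TS = "2018-01-01T00:00:00.000Z"  # fixed timestamp for the constructed sample

def sdo(obj_type, **props):
    """Minimal STIX 2.1 object: the common properties every object carries."""
    return {"type": obj_type, "spec_version": "2.1", "created": TS, "modified": TS,
            "id": f"{obj_type}--{uuid.uuid4()}", **props}

def rel(kind, src, dst):
    """STIX Relationship Object: a directed, typed edge between two objects."""
    return sdo("relationship", relationship_type=kind,
               source_ref=src["id"], target_ref=dst["id"])

# Constructed sample (not real intelligence): an actor uses a malware family,
# an indicator detects that malware, and a course of action mitigates it.
actor = sdo("threat-actor", name="Example Actor")
malware = sdo("malware", name="Example Loader", is_family=True)
indicator = sdo("indicator", name="Example Loader C2 domain", pattern_type="stix",
                pattern="[domain-name:value = 'c2.example.invalid']", valid_from=TS)
coa = sdo("course-of-action", name="Block Example Loader C2 at the proxy")
BUNDLE_JSON = json.dumps({  # the JSON a TAXII collection would hand back
    "type": "bundle", "id": f"bundle--{uuid.uuid4()}",
    "objects": [actor, malware, indicator, coa, rel("uses", actor, malware),
                rel("indicates", indicator, malware), rel("mitigates", coa, malware)]})

def load_graph(bundle_json):
    """Parse a bundle into (objects by id, typed adjacency list, dangling refs).
    Relationships pointing outside the bundle are reported, not silently dropped."""
    objs = json.loads(bundle_json)["objects"]
    nodes = {o["id"]: o for o in objs if o["type"] != "relationship"}
    edges, dangling = defaultdict(list), []
    for r in (o for o in objs if o["type"] == "relationship"):
        src, dst, kind = r["source_ref"], r["target_ref"], r["relationship_type"]
        if src not in nodes or dst not in nodes:
            dangling.append(r["id"])
            continue
        edges[src].append((kind, dst))  # stored both ways so a query can
        edges[dst].append((kind, src))  # start from any node in the graph
    return nodes, edges, dangling

def related_names(nodes, edges, start_id, max_depth=2):
    """Names within max_depth hops of start_id: actor -> malware -> indicators and mitigations."""
    seen, frontier = {start_id}, [start_id]
    for _ in range(max_depth):
        frontier = [n for cur in frontier for _, n in edges[cur] if n not in seen]
        seen.update(frontier)
    return sorted(nodes[i]["name"] for i in seen if i != start_id)
```

Starting from the actor, a two-hop walk returns the malware plus the indicator and mitigation attached to it, which is the kind of pivot an analyst does visually on the graph rather than by scanning lists.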

We asked Caitlin to explain to us what makes EclecticIQ unique among Threat Intelligence Platforms (TIPs). She told us that "from the get-go we base our data model on STIX, as we are strong believers in this language. We develop and send out intelligence using the same platform our customers use. We curate multiple sources within the intelligence community."

She helped us to understand that increasing the productivity of analysts is the key. "Our intelligence specialists format, categorize, tag and manually review different intelligence sources for priority and relevance so our customers don't have to. All their chosen intelligence feeds are cleaned and aggregated before they're delivered to them in a single unified feed of machine- and human-readable intelligence. This multiple-source correlation enables them to demonstrate the value of their intelligence investment to their organization. The curated intelligence allows analysts to spend less time on data ingestion and more time on detection, prevention, and threat hunting, as well as executing appropriate countermeasures."

Founded and headquartered in Amsterdam, EclecticIQ has offices in Herndon, Virginia; London; and Chisinau.

By: Steven Bowcut, CPP, PSP, Brilliance Security Magazine Editor-in-Chief