Airbus Cybersecurity has strengthened its threat intelligence with ThreatQuotient. We hear how ThreatQ has allowed the company to offer a richer threat intelligence service that has more context and is faster – with the result that it is now able to continuously deliver cyber intelligence flows tailored to the needs of its customers. Frédéric Julhes, Director of Airbus Cybersecurity France, tells us more.
How do you improve an already mature and reliable offering? For Airbus Cybersecurity, the answer was to enrich the threat intelligence service it had been offering customers since 2011 with contextual information at scale.
“Since 2011, our threat intelligence service has worked very closely with our incident response teams. Among other things, this has allowed us to be very relevant and responsive when it comes to tracking attackers,” said Julien Menissez, Product Manager for Managed Services in Europe at Airbus Cybersecurity.
This proximity has paid off, enabling the service to better contextualise alerts that would otherwise remain purely technical, such as lists of IP addresses and other indicators of compromise (IoCs).
Technical alerts are effective in blocking specific attacks, often in an automated way. However, when they are enriched with relevant, contextual information they can become real decision-making tools allowing security analysts to answer questions, such as: What do we know about the attacker’s current targets and campaigns? Are we a potential target for this group in particular?
In theory this is attractive, but to deliver this in practice Airbus Cybersecurity needed to be equipped to offer a robust, industry-ready service.
“In 2015, we decided to create a dissemination offering that would allow customers operating their own SOC to benefit from this increased information. We first worked with flat files, and then we deployed MISP interfaces for our customers,” said Julien Menissez.
Difficulty scaling up
MISP (Malware Information Sharing Platform) is a must in the world of threat intelligence. Available as a free solution, MISP facilitates the sharing of IoCs between researchers. But before IoCs can be shared, they must be acquired and consolidated.
This is where things get complicated. Julien Menissez recalls: “MISP is very good for dissemination, but ingestion is not simple! We were forced to use many other open source tools in parallel, requiring a lot of scripting and manual operations before delivering the information to our customers, while remaining within the timeframes allowed by our SLAs.”
The dissemination service became so successful, that the load on the Airbus Threat Intelligence team increased dramatically. As customers demanded more and more context and richer information, beyond what MISP can do with its tagging and commenting functionalities, it quickly became clear that a manual approach could not be scaled up.
The Airbus Cybersecurity team then decided to research a new ‘cyber-intelligence back office’ – a tool capable of natively managing concepts such as the freshness of information, reliability, context and related data.
“We quickly saw in ThreatQuotient the vendor best suited to our needs. We shared the same vocabulary (coming from the defence sector). The ThreatQ platform met our criteria, and the technical level of the ThreatQuotient subject matter experts was excellent,” said Julien Menissez.
From weekly delivery to continuous information
The deployment of ThreatQ allows Airbus Cybersecurity to meet their goals.
“We can now deliver the same service and the same knowledge, with the same quality as before, but much more quickly and with far fewer technical manipulations,” said Julien Menissez. “And, obviously, it’s our customers who benefit. Airbus has gone from weekly information delivery to continuous information delivery.”
Better still, for slightly more mature customers, who do not yet operate their own SOC, but still have an internal CSIRT team, the Airbus team can now offer an optional tool capable of helping them capitalise on their knowledge. The knowledge acquired during the customer’s internal investigations is seamlessly integrated into the ThreatQ platform to enrich the information delivered back to the customer via the Airbus service.
The ThreatQ platform is completely complementary to an existing MISP solution, allowing the customer to build up their own knowledge base adapted with their context. Customers also have the freedom to change their threat intelligence feeds and sources at any time, since they will keep all of their data within the ThreatQ Threat Library and therefore all the knowledge acquired by their CSIRT.
Better responsiveness in times of crisis
The ThreatQuotient solution allows Airbus Cybersecurity analysts to respond better and faster to customer requests.
“Most SOCs work with a workflow system to investigate IoCs collected during an incident. It is often a manual process but since the ThreatQ platform can be integrated with a SIEM to do the research and automatically identify patterns and linkages and how to pivot from a given IoC, we have even been able to reduce our response time to our customers,” said Julien Menissez. “And obviously, in an incident, quickly identifying the pivots and monitoring malicious activities as closely as possible is a major advantage.”
Personalised information
Finally, the choice of the ThreatQuotient solution allowed Airbus Cybersecurity to refine the information delivered to customers in order to better manage their security posture. The ThreatQ platform makes it possible to automatically ‘package’ the most relevant flows according to the exposure of the client to specific risks and thus take a strategic approach to mitigate risk.
Julien Menissez, Product Manager for Managed Services in Europe at Airbus Cybersecurity, said: “ThreatQ allows us to offer a richer threat intelligence service, with more context, but also faster. We are now able to continuously deliver cyber intelligence flows tailored to the needs of our customers.”
We spoke to Frédéric Julhes, Director of Airbus Cybersecurity France, who discusses the company’s threat intelligence posture and the driving factors behind the implementation.
Can you describe your role at the company and what this looks like day to day?
In addition to being responsible for our presence in France, I am leading what we call the Programmes business operations. This means that I am managing tailored design and integration projects which are a very large part of our business in France, UK and Germany. Day to day this involves a lot of coordination between departments and sites, reviewing the status of the different programmes, including some very advanced defence projects, make efficiencies and improve service levels.
What was the driver behind wanting to improve an already mature and reliable offering?
The cyber business is evolving fast and we wanted to improve the quality of deliverables as well as our productivity. Concretely, this means delivering well rated Cyber Threat Intelligence (CTI) information to customer analysts. On our side we were looking for more efficient ways to set up CTI tools.
What technical manipulations were you experiencing before implementing the solution and how did these impact productivity?
As we originally worked with open source tools and flat files, a lot of time was spent on the set up and scripting. When a customer asked for a ramp up of our capability, the workload for the CTI team increased dramatically.
How have customers benefitted from the deployment of ThreatQ?
As we deployed ThreatQ, our customers benefitted from a better technical feed because the CTI team could focus more on qualifying and ranking information rather than spending time on less value-added tasks such as Linux administration. There was a jump in productivity and customers received more CTI reports and information than before.
How would you now describe your threat intelligence posture?
Historically in Airbus Cybersecurity, the CTI activity was oriented only on the investigation side, delivering model analyses of cyberattackers and interacting with CSIRTs (the Computer Security Incident Response Teams) in various organisations. Later, in 2015, we developed a dissemination offering that would allow customers operating their own Security Operations Centre to also benefit from this highly specialised information.
Now with ThreatQ, we provide full cyberdetection that supports good incident management and we have maintained our ability to tailor our solutions for more complex customers, notably critical national infrastructure.