Prototyping CIFv4 - Engineering a Realtime Intelligence Platform

The main focus of the last ~60 hours has been APIs, feeds and real-time streaming. This includes the HTTP REST API, the realtime ZeroMQ streaming API and, to some extent, WebHooks…

If you're looking to build and deploy your own #ThreatIntel platform, these are the things you should be thinking about. It should take months, not years, and you should learn from our mistakes, not just your own.

Hunting alone does NOT protect the network

Just about every single "TIPS" platform I come across solves one problem: getting users into their ecosystem where they can hunt for things in the past. These platforms are designed to FIND breaches; thwarting them seems to be an afterthought, if at all. I can bring vulnerability data and passive DNS data into my view to see that I've been owned; if I figured that out, why can't that logic just go into my network and keep me from getting owned in the first place?

Hunting for Threats Like a Quant.

If we are to succeed at making YOUR Internet a better place, we need that information to federate out among our peers. We need each of our models to be predictably influenced by our friends to help protect ourselves against threats we do not yet know about. Those models need to be transparent in order for us to gain confidence in them...

Prototyping CIFv4: Part 1.

I've spent about a year thinking about v4 and about 12 hours writing it (most of which has been refactoring older code and wondering how drunk I was when I wrote it). If you look at the repo today, most of it looks and feels like v3 but with most of the complexity removed (e.g., lots of refactoring for performance and readability). Last night, I was able to get "pings" flowing back and forth between the client and the storage thread, which is a good sign...