This is the most important feature of a solid platform and resilient ecosystem….
The main focus of the last ~60 hours has been APIs, feeds and real-time streaming. This includes the HTTP REST API the realtime ZeroMQ streaming API and to some extent, WebHooks…
If you're looking to build and deploy your own #ThreatIntel platform, these are the things you should be thinking about.. It should take months, not years.. and you should learn from our mistakes, not just your own.
The less noise your hunters have to weed through, the more focused they become. The more focused they are, the more likely they'll find that needle. Often times, as is the case with most breaches, enough positive edge is all it takes….
The problem wasn't trying to manage and automate the code deployment, as much as it became managing the playbooks that deployed the application(s). We could have kept those playbooks in with the core code, but that's more over-head in the repo and more people touching the core code that didn't need to....
...without ANY machine learning or NLTK magic, you have a very basic and generalized pattern (or "algo" in hipster speak) that can parse and normalize, most types of feeds.
Applied research, content and tools to help you solve real problems.
Did you learn something new? How much is that worth to you?