The Problem
A newly established national cyber threat monitoring service with lots of data and little insight
A major western country was standing up a national cyber monitoring service to help protect critical national infrastructure. Foreign cyber attacks had become a growing problem, so the service had to be established quickly. Plenty of data and plenty of technology already existed across government, but the agency found it very hard to turn that data into insights that were useful and actionable for the organizations it supported.
The Solution
Siren with big data correlations across all of these cyber threat feeds
The client was already an Elasticsearch user and maintained a large cluster that stored the threat feeds for search purposes. Siren was deployed by installing the Siren Federate plugin into that existing cluster, which let the client configure a simple data model in Siren and run cross-index joins in Elasticsearch. With joins in place, the client was able to implement the MITRE ATT&CK ontology and the alerting feed, among other sources, as linked entities in the model. Siren dataspaces allow the client to run multiple parallel, securely partitioned investigations on the same dataset at the same time.
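What a cross-index join buys an analyst is easiest to see on a small, concrete dataset. The following is an added illustration, not Siren's code and not the agency's data: it joins a constructed alert feed against a constructed ATT&CK technique table and an asset table in plain Python (the join itself would be done by Siren Federate inside Elasticsearch in the deployment described above). The technique IDs are real ATT&CK identifiers, but the hosts, organisations, sectors and alerts are made up for the example, and the handling of alerts whose keys do not resolve is a design choice of this example, not a Siren feature.

```python
# Added example (not Siren's code): left-joining an alert feed to an ATT&CK technique
# table and an asset table, then aggregating the joined records into the two views an
# analyst actually wants: severity per (sector, tactic), and which organisations show
# alerts spanning several tactics, i.e. a progression rather than isolated noise.
from collections import defaultdict

# Constructed stand-in for an ATT&CK techniques index. IDs are real ATT&CK IDs;
# in practice this table would be loaded from the ATT&CK STIX feed.
ATTACK_TECHNIQUES = {
    "T1566": {"name": "Phishing", "tactic": "initial-access"},
    "T1059": {"name": "Command and Scripting Interpreter", "tactic": "execution"},
    "T1021": {"name": "Remote Services", "tactic": "lateral-movement"},
    "T1486": {"name": "Data Encrypted for Impact", "tactic": "impact"},
}

# Constructed stand-in for an asset index mapping hosts to supported organisations.
ASSETS = {
    "host-a": {"org": "WaterCo", "sector": "water"},
    "host-b": {"org": "WaterCo", "sector": "water"},
    "host-c": {"org": "GridOps", "sector": "energy"},
}

# Constructed stand-in for the alert feed. Alert 5 references a technique ID that is
# not in the table and alert 6 has no host, to show how unresolved keys are kept.
ALERTS = [
    {"id": 1, "host": "host-a", "technique": "T1566", "severity": 3},
    {"id": 2, "host": "host-a", "technique": "T1059", "severity": 5},
    {"id": 3, "host": "host-b", "technique": "T1021", "severity": 6},
    {"id": 4, "host": "host-c", "technique": "T1486", "severity": 9},
    {"id": 5, "host": "host-c", "technique": "T9999", "severity": 2},
    {"id": 6, "host": None, "technique": "T1566", "severity": 1},
]

# Tactic order used to read a joined record set as a kill-chain progression.
TACTIC_ORDER = ["initial-access", "execution", "lateral-movement", "impact"]


def join_alerts(alerts, techniques, assets):
    """Left-join each alert to its technique and its host's asset record.

    Alerts whose technique or host does not resolve are kept and tagged
    ("unmapped" / "unknown") so they remain visible to the investigation
    instead of silently dropping out, as an inner join would do.
    """
    enriched = []
    for alert in alerts:
        tech = techniques.get(alert["technique"])
        asset = assets.get(alert["host"]) if alert["host"] else None
        enriched.append({
            **alert,
            "technique_name": tech["name"] if tech else None,
            "tactic": tech["tactic"] if tech else "unmapped",
            "org": asset["org"] if asset else "unknown",
            "sector": asset["sector"] if asset else "unknown",
        })
    return enriched


def tactic_heatmap(enriched):
    """Sum severity per (sector, tactic): which tactics are hitting which sectors."""
    heat = defaultdict(int)
    for rec in enriched:
        heat[(rec["sector"], rec["tactic"])] += rec["severity"]
    return dict(heat)


def kill_chain_per_org(enriched):
    """Ordered list of mapped tactics observed per organisation.

    An organisation showing several consecutive tactics is a stronger signal of an
    active intrusion than any single high-severity alert.
    """
    seen = defaultdict(set)
    for rec in enriched:
        if rec["tactic"] in TACTIC_ORDER:
            seen[rec["org"]].add(rec["tactic"])
    return {org: [t for t in TACTIC_ORDER if t in tactics] for org, tactics in seen.items()}


def unresolved(enriched):
    """IDs of alerts that failed to join on either side; a data-quality queue for analysts."""
    return [rec["id"] for rec in enriched if rec["tactic"] == "unmapped" or rec["org"] == "unknown"]


if __name__ == "__main__":
    joined = join_alerts(ALERTS, ATTACK_TECHNIQUES, ASSETS)
    for key, sev in sorted(tactic_heatmap(joined).items()):
        print(f"{key[0]:8s} {key[1]:17s} severity={sev}")
    for org, chain in kill_chain_per_org(joined).items():
        print(f"{org}: {' -> '.join(chain)}")
    print("unresolved alert ids:", unresolved(joined))
```

The point the example makes is the one the case study makes in prose: the raw alert feed has six rows and no structure, while the joined view immediately shows that one water-sector organisation has alerts spanning initial access, execution and lateral movement, and that two alerts could not be linked to either a technique or an organisation and need attention.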
The Outcome
A coherent investigative tool for cyber analysts
The cyber analysts in the agency now have a single desktop in Siren in which to search, investigate and run graph analytics to identify key threats to critical infrastructure. Multiple data feeds are fused together through the Siren data model. The result is a consistent investigative process for dealing with threats: how they are detected, how they are alerted on, and how intelligence reports are produced from them.