STIX and TAXII: Enabler for Successful Cyber Security Ecosystem
Recently, I had the opportunity to speak with the cyber security group of a Fortune 500 company embarking on the journey of improving its security posture. They are leveraging Infoblox’s DNS security capabilities to enhance protection and threat response. During our conversation, the topic of threat intelligence sharing came up. I was surprised and relieved by one statement from the security team:
"We are investing in technologies that have a security ecosystem concept and leveraging STIX/TAXII as much as possible to facilitate threat information sharing and analysis for faster detection and response."
Having spent almost a decade in the security industry closely monitoring an always evolving threat landscape and working with hundreds of customers, I have seen clearly that security products operating in silos can only be moderately successful in defending against cyber threats.
It is not that customers didn’t realize the importance of threat intelligence sharing; in fact, many tried, but often found it difficult, and sometimes almost impossible, to operationalize. Emails, spreadsheets and phone calls are not efficient mechanisms for analyzing and responding to adversaries, especially when speed, accuracy and context are critical. The STIX and TAXII standards will certainly help customers in this regard, since they were developed to automate and structure operational cybersecurity information sharing across the globe. These standards have matured since their inception in 2012, and we are already seeing adoption in both public and private sector organizations.
We at Infoblox have always believed in the concept of a security ecosystem. We have made significant investment in our REST API, which facilitates integration with third-party security products. Last year, we announced support for pxGrid, which enables exchange of threat information with an ecosystem of security and compliance solutions such as Cisco’s NAC product, Cisco ISE, and other third-party products that support pxGrid. I am happy to announce that with our latest NIOS software release, 7.3, we now support STIX and TAXII. This will allow even more customers to share threat information with Infoblox and take action on it.
When I initially started working on the implementation of STIX and TAXII at Infoblox, I approached it from the viewpoint of our customers. DNS gives you control to allow, disallow or redirect traffic, which can be used to enforce policy throughout the network. Infoblox is the first vendor to offer a DNS server with built-in behavioral analytics and a cloud-based threat intelligence service to address DNS-based threats ranging from malware and phishing attempts to more advanced attacks that leverage DNS to communicate with a command and control (C&C) server. In addition to these detection capabilities, Infoblox Grid can now ingest third-party threat intelligence in STIX format using our fully integrated TAXII server.
This allows customers to automatically create a blacklist of domains and IP addresses in Infoblox, enabling them to respond to threats faster using their local threat intelligence.
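To make the ingestion step above concrete, here is an added example (it is not Infoblox's NIOS or TAXII server code) that walks a STIX 1.2 package of the kind a TAXII feed delivers, pulls out the DomainName and Address observables, and turns them into a DNS blocklist. The output is written as Response Policy Zone (RPZ) records in the ISC convention, where `CNAME .` answers NXDOMAIN; that is one common way to hand such a list to a DNS server, and an assumption of this example rather than a description of how NIOS stores its blacklist. The namespace URIs are those of the STIX 1.x and CybOX 2.x schemas; the package itself, its `example:*` ids and every indicator value are constructed. It deliberately includes the things a feed consumer has to cope with: `##comma##`-packed value lists, a malformed domain and an invalid IP that must be dropped rather than turned into rules, an IPv6 address, and a `Contains` pattern that an exact-match list cannot enforce.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Namespaces from the STIX 1.x / CybOX 2.x schemas.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed sample package (ids and values are made up): one domain, a ##comma##
# list with a junk entry, an IPv4 list with an invalid address, an IPv6 address,
# and a "Contains" pattern that an exact-match blocklist must not enforce.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
        <DomainNameObj:Value condition="Equals">bad.example.com.</DomainNameObj:Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
        <DomainNameObj:Value condition="Equals" apply_condition="ANY">evil.example.net##comma##worse.example.org##comma##bad host</DomainNameObj:Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
    <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
        <AddressObj:Address_Value condition="Equals" apply_condition="ANY">192.0.2.1##comma##999.1.1.1</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
    <stix:Indicator id="example:indicator-4" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv6-addr">
        <AddressObj:Address_Value condition="Equals">2001:db8::1</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
    <stix:Indicator id="example:indicator-5" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
        <DomainNameObj:Value condition="Contains">paypa1</DomainNameObj:Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def valid_domain(name):
    """Syntactic check only: dotted labels of letters, digits and inner hyphens."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))

def extract_indicators(xml_text):
    """Collect raw (domains, addresses) from every Indicator in the package."""
    root = ET.fromstring(xml_text)
    domains, addresses = set(), set()
    for ind in root.iterfind(".//stix:Indicator", NS):
        for props in ind.iterfind(".//cybox:Properties", NS):
            xsi_type = props.get(XSI_TYPE, "")
            if xsi_type.endswith("DomainNameObjectType"):
                value_el, target = props.find("DomainNameObj:Value", NS), domains
            elif xsi_type.endswith("AddressObjectType"):
                value_el, target = props.find("AddressObj:Address_Value", NS), addresses
            else:
                continue  # hashes, URLs, etc.: nothing DNS can enforce here
            if value_el is None or not value_el.text:
                continue
            # An exact-match list cannot express Contains/StartsWith patterns.
            if value_el.get("condition", "Equals") != "Equals":
                continue
            # CybOX packs several values into one element, separated by ##comma##.
            target.update(v.strip() for v in value_el.text.split("##comma##") if v.strip())
    return domains, addresses

def build_rpz(domains, addresses):
    """Validate each value and emit RPZ records ("CNAME ." answers NXDOMAIN)."""
    records = []
    for name in sorted(domains):
        if valid_domain(name):  # junk from a feed is dropped, never turned into a rule
            records.append("%s CNAME ." % name.rstrip(".").lower())
    for addr in sorted(addresses):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if ip.version == 4:
            rev = ".".join(reversed(str(ip).split(".")))
            records.append("32.%s.rpz-ip CNAME ." % rev)
        else:  # RPZ: compressed form, groups reversed, "::" written as "zz"
            groups = ip.compressed.replace("::", ":zz:").strip(":").split(":")
            records.append("128.%s.rpz-ip CNAME ." % ".".join(reversed(groups)))
    return records

if __name__ == "__main__":
    print("\n".join(build_rpz(*extract_indicators(SAMPLE_STIX))))
```

Two design choices matter for a consumer like this. First, validation happens at the point where a feed value becomes a policy rule, so a typo or a malformed entry in a partner's feed is discarded instead of becoming an unexpected block. Second, only `Equals` conditions are honoured: a pattern such as `Contains` describes a detection, not an enforceable DNS name, and silently treating `paypa1` as a hostname would produce a rule that never matches anything.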
Security and threat intelligence sharing are indisputably top of mind for private and public organizations, including the US federal government. The STIX and TAXII specifications are important as the need to share threat intelligence in real time continues to increase. On December 18, 2015, President Obama signed into law a $1.1 trillion omnibus spending bill that contained the Cybersecurity Act of 2015 (the “Act”). The Act creates a voluntary cybersecurity information sharing process designed to encourage public and private sector entities to share cyber threat information. The intention is for private organizations and government agencies to gather and share as much relevant and timely intelligence about new or ongoing cyberattacks and threats as possible, to avoid major breaches or, at the least, to minimize the damage from an attack.
I recognize that cultural changes are required in some companies to enable sharing of threat information, but I believe it is an important element in more effectively securing their environment. Infoblox is committed to working with both our customers and technology partners to share and analyze threat intelligence sources through the use of STIX and TAXII.