What is Threatsift
Threatsift is a unified system designed for enhanced investigation. In brief, the system automates the overall process of detection/blocking, analysis, response and management in order to eliminate advanced/persistent threats and defective work processes.
SIEM concentrates mainly on log-based information collection, detection and alerting through deployed appliances, and is inadequate for correlating incidents because it lacks threat resources and attack-history management.
In short, separated and isolated analysis and response lead to discrepancies between detection, analysis, response and management.
Main Features of Threatsift
- Normalizes the quality of, and the time required for, analyzing the large volumes of malicious code, through automatic analysis of intrusion resources
- Analyzes the associations among collected information, applying validation techniques and accumulated know-how to visualization
- Deployment optimized for the characteristics of the intrusion and the operating environment
- Builds knowledge of assets and related incidents for intrusion handling, through automatic analysis and aggregation of collected information
- Enables protocol analysis, file extraction, ThreatFlow calculation, and detection of abnormal traffic from a single platform
Chaos of Analyst
- Fragmented Information Management
- Unextractable Linkage Information
- Ineffective Response Planning
Harmony of Threatsift
- Comprehensive Information Management
- Extractable Static/Dynamic Analysis
- Effective Response Planning
Definition for Threat Normalization
Threat Normalization [θret nɔ́:rməlizéiʃən]
Process of optimizing various and atypical threat information (malware, network resources, communication channels, reputation information, threat level, etc.), collected for decisive threat response, into a form suitable for unified storage and analysis that meets the process-management quality requirements (real-time, accuracy, efficiency, etc.).
The Power of Threat Normalization
Without Threat Normalization
- Unclear Criterion of Integrated Information
- Absence of Association Key
- Inevitable Manual Collection
With Threat Normalization
- Definite Criterion of Integrated Information
- Existence of Association Key
- Manual Collection Eliminated
The Type of Threat Normalization
- Domain : Ownership / DNS Records / Malicious History
- IP : ISP / Class Info / Malicious History / Base10
- Binary (PE/APK) : HASH / API Sequence / C2 Connection
- EML : Session / Body / Attachment
- Event Log : Timestamp (UTC) / Schema / Value Type
- Collection Channel : Resolution / Rotation / Reliability
- Threat Level / Whitelist / Blacklist / Reputations
- Malicious Activity Categorization
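To illustrate what the normalization types above mean in practice, the following added example (not Threatsift code; the field names, the `kind`/`value`/`seen_at` tuple shape and the sample events are assumptions) normalizes domain, IP and binary-hash indicators into one record format, converts timestamps to UTC, and derives the association key that lets the same entity reported in different forms by different sources collapse into a single bucket.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Hash algorithm inferred from hex length (the page lists HASH under Binary (PE/APK)).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

def normalize_domain(value):
    # Case-fold and drop the trailing root dot so "EXAMPLE.com." and "example.com" share a key.
    d = value.strip().rstrip(".").lower()
    return {"type": "domain", "value": d, "key": f"domain:{d}"}

def normalize_ip(value):
    # Accept dotted-quad or base-10 text; the base-10 integer is the page's "Base10" form.
    v = value.strip()
    ip = ipaddress.ip_address(int(v) if v.isdigit() else v)
    return {"type": "ip", "value": str(ip), "base10": int(ip), "key": f"ip:{int(ip)}"}

def normalize_hash(value):
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_LENGTHS:
        raise ValueError(f"unrecognised hash: {value!r}")
    algo = HASH_LENGTHS[len(h)]
    return {"type": "binary", "algo": algo, "value": h, "key": f"{algo}:{h}"}

def normalize_timestamp(value):
    # Event Log: Timestamp (UTC). Naive timestamps are assumed to be UTC already.
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

HANDLERS = {"domain": normalize_domain, "ip": normalize_ip, "hash": normalize_hash}

def correlate(raw_events):
    """Normalize (kind, value, seen_at) tuples and bucket them by association key."""
    buckets = {}
    for kind, value, seen_at in raw_events:
        rec = HANDLERS[kind](value)
        rec["timestamp_utc"] = normalize_timestamp(seen_at)
        buckets.setdefault(rec["key"], []).append(rec)
    return buckets

# Constructed sample events from three hypothetical sources (not real data).
SAMPLE_EVENTS = [
    ("ip", "203.0.113.7", "2024-05-01T09:00:00+09:00"),          # proxy log, local time (+09:00)
    ("ip", "3405803783", "2024-05-01T00:00:30Z"),                # reputation feed, base-10 form
    ("domain", "EXAMPLE.com.", "2024-05-01 00:01:00"),           # DNS log, naive timestamp
    ("hash", "D41D8CD98F00B204E9800998ECF8427E", "2024-05-01T00:02:00+00:00"),  # sandbox report
]

if __name__ == "__main__":
    for key, recs in correlate(SAMPLE_EVENTS).items():
        print(key, [r["timestamp_utc"] for r in recs])
```

The two IP events, one dotted-quad from a proxy log and one base-10 from a feed, land in the same `ip:3405803783` bucket, which is the "association key" the page says is absent without normalization.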