Computing with Threat Intelligence Data
SPEAKER
Dr. Morton Swimmer, Trend Micro
ABSTRACT
For a strong, collective defense in the digital domain that can scale through automation, we need data that is actionable. Recent initiatives like MITRE ATT&CK and CTI exchange formats like OASIS STIX are helpful, but they do not describe the data that SOC operators actually work with. That data is often found in various proprietary forms that require a human to interpret.
This talk will cover some of the initial results in alleviating the problem by defining a strict data model and an ontology of the data. The data model has been implemented in the ACT platform by Mnemonics in Norway under the guidance of Dr. Siri Bromander and the ontology was developed in parallel by the author. We shall see how an ontology can be used to describe and then reason on threat intelligence data.
As this is still research in progress, we will also look ahead to what more needs to be done before computer security incidents can be addressed with automation.