API 2.0: TruSTAR Operationalizes Data Orchestration and Normalization for a New Era in Intelligence Management

Share:

By Mikala Vidal July 16, 2021

Today we released API 2.0, the latest version of TruSTAR's API-First Intelligence Management Platform. This new version continues our commitment to simplify and streamline intelligence for automation in enterprise security intelligence management, and breaks through long-standing industry limitations around operationalizing data orchestration and normalization.

TruSTAR was created on the principle of being API-First, with a data-centric approach to transforming cyber intelligence to make it actionable. TruSTAR API 2.0 delivers on that promise with the addition of TruSTAR Intel Workflows and Safelist Libraries. These new features, combined with TruSTAR's already robust platform, create a unified, all-source intelligence picture without the flood of false positives or manual data-wrangling.

'Historically, security approaches have focused on layers of defense, which resulted in massive walls around data. But, enterprise security leaders are breaking down silos and demanding visibility and sovereignty over the data workflows required for orchestration and automation in detection and response. We look at sectors like financial services, sales, and marketing and we see that our peers in other departments in the enterprise have stepped to these challenges by combining unified APIs with data-centric architectures. We can learn from this as we enter a new era where integration and automation is a top priority for all enterprise security leaders.'
- Patrick Coughlin, CEO of TruSTAR
TruSTAR Intel Workflows

A game-changing addition to API 2.0 is TruSTAR Intel Workflows, which provide no-code set-up of data processing and transformations using established sources to cross-validate and curate intelligence. Traditionally, security leaders have had to rely on teams of trained analysts spending many hours a day doing the data janitor work or investing in large, multiyear data engineering projects.

Now, TruSTAR users can easily select intelligence sources, including open source, premium intel providers and collections of historical events and alerts, apply priority scores, Safelists and filtering based on indicator types or attributes and submit prepared data into vetted Enclaves or a suite of enterprise workflow applications.

Benefits include:

• One tool to manage intelligence data including collection, preparation, and output into workflow tools
• Set-up and manage multiple intelligence workflows tailored for a team's specific use case, intel source profile and a variety of destinations and integrations
• Automated data preparation, normalization and scoring for multiple internal and external sources.
• Cross-source validation and Indicator Prioritization
• Normalized score and context make teams faster and more effective at making security decisions
• Customizable source weights that influence indicator priority scores
  

TruSTAR Intel Workflows allow users to get normalized scores on observables and events based on individual source profiles, reduce false positives in detection sets by normalizing indicators across multiple sources, and filter by priority score and relevant indicator type. TruSTAR's Unified Intel API provides a single point of integration through TruSTAR's fully RESTful API, TAXII infrastructure and Python SDK, supporting all standard data structures and use-case oriented endpoints.

Safelist Libraries

TruSTAR offers Safelists and Blocklists as a replacement Whitelists and Blacklists. Words matter, and we prefer to use more actionable language with the added benefit of replacing language with racial connotations. TruSTAR's new Safelist libraries allow users to create and maintain a set of observables that can be considered benign from being used for threat intelligence correlations. This can produce false positive alerts, wasting analyst time and lowering business productivity.

Now users can programmatically apply multiple workflow-level Safelists, source weights and filtering before delivery into TruSTAR Intel Workflow destinations. As any security analyst will tell you, no one Safelist library can be used for all use-cases, workflows and security controls. Breaking Safelists into multiple libraries allows users to fine tune and operationalize intelligence using only the applicable set of Safelists based on use cases and the security controls, thereby reducing false positives.