Threat Intelligence Security Center (TISC) lets you work with threat intelligence teams in one place. It collects and processes threat intelligence from multiple feeds and provides a workspace to analyze, collaborate on, act on, and share the resulting intelligence.
Threat Intelligence Security Center covers the intelligence lifecycle end to end: data collection; data processing such as de-duplication, normalization, and aggregation; analysis of threat intelligence; dissemination of threat intelligence; and a workspace for the related administration tasks.
Key features
The following Threat Intelligence Security Center (TISC) key features are explained in detail in the sections that follow:
- Curated Catalog of OSINT Threat Feeds: Provides access to a broad selection of popular open-source threat intelligence feeds, ensuring wide coverage.
- Premium Feed Integration: Enhances the quality of threat intelligence by integrating premium feeds.
- Automated Observable Extraction: Automatically identifies and extracts the commonly used observable types from uploaded files, streamlining the threat data ingestion process.
- Diverse Data Aggregation: Supports multiple data formats including STIX, MISP, JSON, and others, enabling seamless feed consolidation.
- Enrichment Capabilities & Validation: Provides enrichment and validation by removing false positives, assigning confidence scores, validating indicators, and adding contextual information to improve data quality. The TISC integration capabilities are:
  - Enrichment integrations: Threat Lookup, Sighting Search, and Observable Enrichment, which enrich observables with threat intelligence and perform sighting searches and threat lookups to determine whether an observable is malicious.
  - EDR integration: CrowdStrike Falcon, with continuous monitoring and real-time alerting.
  - Security tool integrations for orchestration, such as SIEMs, EDR, and firewalls.
- Correlation Rules Engine: Automatically establishes relationships between intelligence records, enabling deeper insight into threat patterns.
- Customizable Threat Scoring: Enables fine-tuning of threat scores for more nuanced and accurate threat assessment.
- Internal Intelligence integration: Enables integration of internal intelligence sources, including Vulnerability Response (VR), Security Incident Response (SIR), and Configuration Management Database (CMDB).
- User-Specific Dashboards: Tailors visualizations and data views according to Threat Intelligence personas, improving user experience and relevance.
- Graphical Visualization Tools: Facilitates understanding of complex threat intelligence data through intuitive graphical visualizations such as relationship graphs and interactive investigation canvases to simplify threat intelligence analysis.
- Dedicated Analyst Workspace: Provides a dedicated, streamlined Threat Intelligence Analyst workspace that enables threat intelligence analysts to focus on investigation and analysis with minimal distractions.
- Threat Case Management: Supports investigative workflows with task tracking and case handling.
- MITRE ATT&CK Integration: Enables users to link case records with MITRE ATT&CK framework data for enhanced kill chain analysis.
- Seamless SIR Integration: Ensures smooth data migration and interoperability between Security Incident Response and Threat Intelligence Security Center applications.
- Notification & Alert Rules: Establishes trigger alerts to notify teams based on evolving threat intelligence.
- Data Retention & Cleanup Policies: Enables organizations to define data management rules to maintain application performance and compliance.
- Reporting & Collaboration: Generates comprehensive status reports and investigation summaries using rich-text editors and customizable templates.
- Domain Separation for MSSPs: Supports multitenant environments, enabling Managed Security Service Providers (MSSPs) to segregate customer data securely.
- Extensive API integration: Offers the TISC API for connectivity with other security tools and platforms.
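The processing steps named above (extracting observables from an uploaded file, aggregating STIX, MISP, and JSON records, then de-duplicating and normalizing them) are easier to reason about with a concrete pipeline. The following is an added illustration written for this page, not ServiceNow or TISC code, and it does not use the TISC API: it shows in stand-alone Python how the same indicator arriving as a defanged string in a report, as a STIX 2.1 indicator pattern, and as a MISP attribute can be normalized onto one key and credited to every source that reported it. The regexes, type maps, and sample records are assumptions made for the example; the sample indicators use documentation address ranges, `.example` names, and a synthetic hash. Only simple single-comparison STIX patterns and non-composite MISP types are handled; anything else is skipped rather than half-parsed, which is the behaviour a practitioner usually wants from an ingestion stage.

```python
"""Observable extraction, normalization and de-duplication across feed formats.

Added illustration, not ServiceNow/TISC code. Every sample record below is
constructed for this example; the parsers are deliberately simple.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Common defanging conventions seen in reports; undone before matching.
DEFANG_RE = [
    (re.compile(r"hxxps?://", re.I), lambda m: m.group(0).lower().replace("hxxp", "http")),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.I), lambda m: "."),
    (re.compile(r"\[@\]|\[at\]", re.I), lambda m: "@"),
]

def refang(text: str) -> str:
    for pattern, repl in DEFANG_RE:
        text = pattern.sub(repl, text)
    return text

# Extraction order matters: URLs and e-mail addresses are matched and blanked
# first so their host part is not emitted a second time as a bare domain.
OBSERVABLE_RE = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

def extract_observables(text: str) -> list[tuple[str, str]]:
    """Pull (type, value) pairs out of free text such as an uploaded report."""
    text = refang(text)
    found = []
    for obs_type, pattern in OBSERVABLE_RE.items():
        for m in pattern.finditer(text):
            found.append((obs_type, m.group(0).rstrip(".,;:!?)")))  # drop trailing punctuation
        text = pattern.sub(lambda s: " " * len(s.group(0)), text)  # blank matched spans
    return found

# Simple single-comparison STIX 2.1 patterns, e.g. [ipv4-addr:value = '203.0.113.5'].
STIX_PATTERN_RE = re.compile(r"\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]")
STIX_TYPE_MAP = {"ipv4-addr:value": "ipv4", "domain-name:value": "domain",
                 "url:value": "url", "file:hashes.'SHA-256'": "sha256"}

def from_stix_indicator(obj: dict) -> list[tuple[str, str]]:
    """Compound or unsupported patterns are skipped rather than half-parsed."""
    m = STIX_PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
    if not m or m.group(1) not in STIX_TYPE_MAP:
        return []
    return [(STIX_TYPE_MAP[m.group(1)], m.group(2))]

MISP_TYPE_MAP = {"ip-src": "ipv4", "ip-dst": "ipv4", "domain": "domain",
                 "url": "url", "sha256": "sha256", "email-src": "email"}

def from_misp_attribute(attr: dict) -> list[tuple[str, str]]:
    """Composite MISP types such as ip-dst|port are skipped in this example."""
    obs_type = MISP_TYPE_MAP.get(attr.get("type", ""))
    return [(obs_type, attr["value"])] if obs_type else []

def normalize(obs_type: str, value: str) -> tuple[str, str]:
    """Canonical form so the same indicator from different feeds lands on one key."""
    value = refang(value.strip())
    if obs_type == "sha256":
        value = value.lower()
    elif obs_type in ("domain", "email"):
        value = value.lower().rstrip(".")
    elif obs_type == "url":
        p = urlsplit(value)  # lowercase scheme and host only; path stays case-sensitive
        value = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, p.fragment))
    return obs_type, value

def aggregate(by_source: dict[str, list[tuple[str, str]]]) -> dict[tuple[str, str], set[str]]:
    """De-duplicate normalized observables; each value is the set of reporting sources."""
    library: dict[tuple[str, str], set[str]] = defaultdict(set)
    for source, observables in by_source.items():
        for obs_type, value in observables:
            library[normalize(obs_type, value)].add(source)
    return dict(library)

# ---- Constructed sample inputs (documentation ranges, .example names, fake hash) ----
FAKE_SHA256 = "0123456789abcdef" * 4
SAMPLE_REPORT = f"""Phishing kit hosted at hxxp://login[.]evil-corp[.]example/auth, beaconing to
203[.]0[.]113[.]5. Dropper SHA-256: {FAKE_SHA256.upper()}
Lure sent from billing[@]evil-corp[.]example."""
SAMPLE_STIX = {"type": "indicator", "pattern": f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']"}
SAMPLE_MISP_JSON = json.dumps({"Event": {"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.5"},
    {"type": "domain", "value": "LOGIN.EVIL-CORP.EXAMPLE."},
    {"type": "ip-dst|port", "value": "203.0.113.5|443"}]}})

def build_library() -> dict[tuple[str, str], set[str]]:
    """Run all three constructed sources through the pipeline."""
    misp_attrs = json.loads(SAMPLE_MISP_JSON)["Event"]["Attribute"]
    return aggregate({
        "uploaded-report": extract_observables(SAMPLE_REPORT),
        "stix-feed": from_stix_indicator(SAMPLE_STIX),
        "misp-feed": [o for a in misp_attrs for o in from_misp_attribute(a)],
    })
```

Seven raw observables come in and five distinct ones come out: the hash reported in uppercase in the document and in lowercase in the STIX pattern collapse onto one key, as do the defanged and plain forms of the IP address, while the trailing-dot, uppercase MISP domain normalizes to the same form the report would have produced. The source set on each key is the raw material for the confidence scoring described above: an observable corroborated by two independent feeds is worth more than one seen once.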
Threat Intelligence Security Center users
| User | Description |
|---|---|
| Administrator | Administers and configures the initial setup and ongoing maintenance of the Threat Intelligence Security Center, including configuring data sources and managing intelligence settings. |
| Analyst | Threat Intelligence Analysts are responsible for conducting analysis and research tasks requested by the team. They can import ad hoc intelligence to support their work and use the system’s tools for analysis, collaboration, and managing the intelligence library. |