Triage Alerts With CyCraft’s CyberTotal ArcSight Integration

For years, ArcSight has consistently appeared on multiple Top SIEM Software lists, including Gartner’s Magic Quadrant. Security professionals leveraging ArcSight are further empowered by its multiple partner integrations, which now includes CyberTotal — developed by CyCraft, a leading cybersecurity firm in Asia.

CyberTotal Integrates with ArcSight

CyberTotal is a cloud-based threat intelligence service that is uniquely suited to aid SIEM SOC analysts by seamlessly integrating multiple diverse CTI sources, open-source intel, our proprietary threat intelligence international threat actors, their behavior profiles, and much more.

Employing the CyberTotal platform helps security teams quickly verify alerts and triage threats appropriately via automated correlation analysis and knowledge base optimization.

The intuitive CyberTotal Dashboard allows security teams to effortlessly access large amounts of artifacts, each enriched with contextual threat information and, at the same time, improves your team’s efficiency and accuracy by automatically prioritizing indicators of compromise (IoC).

Your team will be able to focus on the most critical and urgent alerts and have a head start via the contextual information provided by the platform.

Faster Alert Validation, Triage, and Investigations

Security teams spend much of the day on validating alerts and triage. CyberTotal saves human capital and increases productivity by automating the necessary research required with validation and triage.

By aggregating multiple cyber threat intelligence sources from around the world, CyberTotal can automatically provide security teams with contextual threat intelligence on indicators such as reputation, severity, confidence, threat score, OSINT, whois, passive DNS, component analysis, vulnerability evaluation, and more.

Using CyberTotal, SOC analysts can rapidly validate alerts by looking at the severity and confidence of the associated indicators. In addition to removing the time-consuming task of removing false positives, analysts can also triage alerts by examining the confidence and severity scores of indicators associated with alerts.

You can further query the Cybertotal API to validate, enrich, or gain context on suspicious indicators or use the dashboard to drill down via our graph database of threat intel to find out if something is malicious or not, or associated with other malicious indicators during investigations.

Figure 2: Drill down on threat intel in the IoC Report View of the CyberTotal Dashboard.

Threat Hunting

CyberTotal not only aggregates multiple international cyber threat intelligence sources but also enriches your threat intelligence with a host of contextual information of network, file, vulnerability, and actor related data.

If your organization’s firewall or proxy logs are collected in ArcSight, CyberTotal can inspect each target IP, Domain, and URL and pinpoint the high-risk artifacts. Correlation reports, such as high-risk endpoints and indicators, can be highlighted in either the dashboard (see Figure 4) or daily/weekly statistical report (see Figure 3) to speed sec ops workflow.

Figure 3: CyberTotal provides daily / weekly statistical reports to speed SOC workflow.

You can even call CyberTotal’s API to get the latest blacklist data on malicious domains, URLs, IP addresses, and hashes, which you can use to hunt out threats in your organization, or plug into your EDR solution.

Other CyberTotal Features.

  • Helps large organizations organize and share disparately structured threat intel sources across multiple geographical locations and formats via the latest TAXII and STIX
  • Supports both Snort and Yara formats
  • Publishes blacklists for file hashes, domains, URLs, and IP addresses of severe malicious activity
  • Provides reputation checks on your potential business partners and provides the confidence and severity of threat intel related to that entity

Minimum Requirements

  • ArcSight ESM 7.0.0.2436.1 or higher
  • ArcSight SmartConnector 7.14 installed on CentOS version 7 Linux server
  • Network access to CyberTotal (https://cybertotal.cycraft.com)

Intuitive Dashboard Design and Support

The intuitive and straightforward design of the CyberTotal dashboard and the CyCraft customer support team help reduce the typically high-learning curve associated with software integration, so SOC analysts can spend more time doing what matters most — protecting their organization.

“CyCraft’s customer support provided excellent communication, incident reports, and response times, leaving us feeling confident and at ease with our security situation.”
-One security analyst for one of the top three telecommunication companies in Taiwan
Figure 4: The customizable CyberTotal Dashboard provides 24-hour system-wide status checks.

Our CyberTotal Team

Our cyber intelligence team of security professionals tracks the most sophisticated forms of intrusion techniques and provides historical and up-to-date information on APT groups.

Our team is composed of DEFCON CTF finalists and former members of the Taiwan Ministry of Defense, the Taiwan Criminal Investigation Bureau, and the premiere Taiwan social hacker group, CHROOT.

Industry Recognition

  • Joined MITRE ATT&CK Evaluations round two against APT29 and round three against CARBANAK and FIN7
  • Member of FIRSTthe premier incident response organization
  • Winner of multiple Gold Cybersecurity Excellence Awards, including MDR, Forensics, Incident Response, and Artificial Intelligence as well as a Best Cybersecurity Company Gold Award

Learn More

For more information on our platform, how we defeat APTs in the wild or the latest in CyCraft security news, follow us on Twitter, LinkedIn, Medium, and our website at CyCraft.com.

Join the CyCraft Community

When you join CyCraft, you will be in good company. CyCraft secures government agencies, Fortune Global 500 firms, top banks and financial institutions in Asia, critical infrastructure, airlines, telecommunications, hi-tech firms, and SMEs in several APAC countries, including Taiwan, Singapore, Japan, Vietnam, and Thailand.

We power SOCs with our proprietary and award-winning AI-driven MDR (managed detection and response), SOC (security operations center) operations software, TI (threat intelligence), Health Check, automated forensics, and IR (incident response), and Secure From Home services.

Additional Resources

Article Link: https://medium.com/@cycraft_corp/triage-alerts-with-cycrafts-cybertotal-arcsight-integration-ce9e6bbfd685?source=rss-2eb56b81d7e4------2