Blog | Feb 01, 2019

Cymon says: how threat intelligence aggregator enhances visibility

eSentire has over a decade of experience in effective Security Operations Centers (SOC). As a company who delivers security-as-a-service, we’ve always viewed the people and processes that comprise our SOC as tantamount to how we keep our clients, their reputations, assets and businesses safe everyday. That means we’re continuously looking for new ways to optimize processes, enhance tools and ultimately, improve the speed, efficacy and outcomes of the countless real-time forensic investigations. Not unlike other SOCs, our tooling and processes have been built both organically by our talented in-house developers and analysts, and through commercially-available tools. One tool in particular, our own IP reputation script, historically played a critical role in most, if not all investigations, and last year we realized that this was an area that required increased attention.

While this idea was brewing, Threat Intel sharing also very quickly become an increasingly important topic in many security circles and the InfoSec community as a whole. From our perspective, the need for better threat intel sharing was a common need that extended across both internal and external jurisdictions. This common need provided a great opportunity for us to simultaneously help our SOC analysts as well as the broader infosec community of researchers, developers, vendors and organizations, through a cloud-based, open threat intelligence sharing community.

And so Cymon was born.

Cymon was created and modelled on the real-world needs of eSentire’s SOC staff. Our analysts needed a live, regularly-updated reputation database to help give context and color to customer incidents as they dealt with them.

The first version of Cymon was built on the assumption that our Security Operations Center analysts needed a mechanism to perform automated testing. They needed the ability to retrieve data from multiple sources when an IP was entered. Cymon would in turn query various APIs and look up the requested information on-the-fly in current feeds.

The problem was that if an IP or domain was removed just prior to the request, no results would be returned, which is legitimate for most investigations, however, we quickly realized there’s value in recording and evaluating historical reports as well. For this reason, we decided to pivot and started ingesting every security report from the feeds and APIs that we were using.

From that point on, Cymon’s database started growing very rapidly. We also began tracking URLs and binary hashes, when available from the sources we were using. When possible, Cymon tried to create relationships between the different reports. URLs to Domains, Domains to IPs, and even which malware hash was reported on a certain IP, domain or URL.

Today, Cymon lists about 7 million unique IPs and over 35 million events in its database. We are thrilled to see how well Cymon is serving the community. It’s being integrated into the business processes of various organizations across the globe and to our delight, is also being integrated into competing vendor products; this is the best kind of validation for a new product, even if it is given away for free. In addition, the integration of Cymon into our SOC has helped us reduce the time it takes to accurately validate and confirm a threat during a real-time investigation.

At eSentire we are immersed in the cyber threat-scape every day, and like every other security professional we realize the invaluable benefit that comes through intelligence sharing. Every tool that helps us broaden our knowledge set serves to help combat threats. And as is the case with Cymon, knowledge IS power.

Roy Firestein

Roy Firestein

Research Lead

Roy Firestein is the lead researcher at eSentire. He’s a seasoned hacker and strategist, specializing in cybersecurity innovation development.