Security Operations

How we validate threat intelligence information


A screenshot of a Jigsaw customer utilizing threat intelligence with open source PiHole


One of the questions we are asked most often is how we validate information sent into our threat intelligence system. This is a great question, because we want to ensure that the data we receive, store and publish is valid, accurate and useful to our users. Many of you know that we provide free access to our platform to anyone. This level of service provides access to data that is publicly available, and we pull different sources of OSINT threat intelligence into this tier of our services. This free data is available and you can pull that information from anywhere. The next question we get is: what about your commercial data?


Commercial Data

Our commercial data is vetted through automation in our cloud platforms. Before information we receive is forwarded, it must be present in at least 3 additional sources. We check the standard sources such as VirusTotal, but in short we don't publish data unless we have observed it in 3 separate locations, to ensure that it is a real threat. We won't disclose which sources we use to validate the data, but in most cases they are all publicly available. This level of checking ensures that the consensus in the community is that the host, domain, hash or other data point is in fact malicious. As a final check, somebody has to review the entries and publish them before they go out in automated feeds.


Data Sharing - More eyes on the problem

One of the best things about information is that, when put in a machine-readable format, it can be used over and over to protect customers, partners and vendors. Our vendors, customers and sharing partners all have access to our data sources and can also alert us to issues that may be a threat to others. This is the equivalent of having 20 teams working on threat intelligence management for you. Strategic partnerships with other vendors allow us to ensure that the data we provide is accurate, formatted properly and available to those that need to drop malicious traffic on their networks.


All of this data is provided in a fully automated manner with human review several times a day from our team of experts.


How can you use the data?

In short, we support many different vendors' file ingest formats (too many to list here), and the output is generated in a fully automated manner. The 2 most common methods of using Jigsaw data are in PiHole (freeware and open source) or in DNS servers (BIND, Microsoft, etc.) that support RPZ sinkholing of malicious domains and hostnames. We also provide text, STIX, STIX2, CSV, JSON and many other file formats that can be used in thousands of security products.
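
As an added example (not Jigsaw's code or feed format), here is a Python script that turns a plain-text domain list into an RPZ zone for the DNS sinkholing described above. The feed layout, the zone name `rpz.example.internal`, the `allowlist` parameter and the sample entries are assumptions constructed for illustration.

```python
import re
import time

# Constructed sample feed (not real indicators): bare domains, a hosts-style line,
# a duplicate with trailing dot, an IP address, junk, and an internal name.
SAMPLE_FEED = """\
# constructed sample, not real indicators
malware-c2.example
0.0.0.0 Phish-Login.example.net
phish-login.example.net.
192.0.2.10
not a domain!
-bad-.example
intranet.example.org
"""

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(line):
    """Return a clean lowercase domain, or None for comments and invalid entries."""
    entry = line.split("#", 1)[0].strip().lower().rstrip(".")
    if not entry:
        return None
    # Accept hosts-file style lines ("0.0.0.0 bad.example") as well as bare domains.
    entry = entry.split()[-1]
    labels = entry.split(".")
    if len(labels) < 2 or len(entry) > 253:
        return None
    # A numeric last label means an IP address, which a domain RPZ rule cannot hold.
    if labels[-1].isdigit() or not all(_LABEL.match(l) for l in labels):
        return None
    return entry

def build_rpz(feed_text, zone="rpz.example.internal", allowlist=(), serial=None):
    """Return (zone_text, domains): NXDOMAIN rules for each domain and its subdomains."""
    allowed = {d.lower() for d in allowlist}  # exact-match exclusions for your own names
    domains = sorted({d for d in map(normalize, feed_text.splitlines())
                      if d and d not in allowed})
    serial = serial or int(time.time())
    out = ["$TTL 300",
           f"@ IN SOA localhost. hostmaster.{zone}. ({serial} 3600 600 86400 300)",
           "@ IN NS localhost."]
    for d in domains:
        out.append(f"{d} CNAME .")    # exact name answers NXDOMAIN
        out.append(f"*.{d} CNAME .")  # every subdomain answers NXDOMAIN
    return "\n".join(out) + "\n", domains

if __name__ == "__main__":
    print(build_rpz(SAMPLE_FEED, allowlist=["intranet.example.org"])[0])
```

In BIND the resulting file is loaded as a primary zone with that name and referenced from `response-policy { zone "rpz.example.internal"; };`. PiHole takes the same normalized domain list directly, one name per line.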


The key here is being able to use your threat intelligence. Many companies spend thousands upon thousands of dollars annually for information that they can't actually use to protect themselves. What makes us different is that the data in our library can be used to actually defeat and prevent threat actors from being able to get into your network in the first place regardless of what products you choose to defend your network. Let us know if you have any questions and most of all, stay safe.
