The Open Cybersecurity Alliance (OCA), an OASIS Open Project, has accepted IBM’s contribution of Kestrel, an open-source threat hunting programming language used by SOC analysts and other cybersecurity experts. Kestrel simplifies cyber reasoning and threat detection, letting analysts complete hunts faster and more effectively.
Threat hunting is a proactive method of finding hidden threats inside an organisation before an attack succeeds. It follows the scientific process: the hunter forms a hypothesis about threats that are likely to be present, then develops detection logic to confirm or refute that hypothesis, so that security teams can act on indicators of compromise sooner.
While threat hunting has been successful as a technique, its adoption has been limited by the high human bandwidth it requires. Existing threat hunting approaches are primarily manually driven and require deep technical skills that are in short supply. Instead of benefiting from the threat hunting community’s collective knowledge and shared code, threat hunters often end up working in isolation, rewriting the same programs after each attack.
Kestrel was created collaboratively by IBM Research and IBM Security to allow threat hunters to express hunts in an open, composable threat hunting language. Kestrel uses automation to complete time-consuming hunting duties, enabling threat hunters to concentrate on more important activities.
Combining human ingenuity with machine-based automation accelerates threat hunting. Composable hunting steps make best practices reusable, which reduces the time it takes to design new hunts. With IBM Security’s open-sourcing of the project, threat hunters around the world can now cooperate, share, and build on the knowledge collected by other hunters using Kestrel.
This contribution from IBM marks a major milestone in OCA’s mission to drive greater interoperability across the security industry. The work of the OCA connects the fragmented cybersecurity landscape and enables disparate security products to freely exchange information, out of the box, using mutually agreed upon technologies, standards, and procedures that make it possible for companies to “integrate once, reuse everywhere.”
“Kestrel is designed to take advantage of the collective learned experience of the threat hunting community – and enable that to be combined with the power of machine learning and automation to speed response to threats,” said Jason Keirstead, CTO of Threat Management for IBM Security and Co-Chair – Open Cybersecurity Alliance. “By sharing new threat hunting patterns as they emerge via code that can be easily customized, Kestrel lets threat hunters devote more time to figuring out what to hunt, as opposed to how to hunt.”
Mark Mastrangeli, Lead Architect, McAfee, and Co-Chair – Open Cybersecurity Alliance, said, “This is a really exciting contribution from IBM, a founding member of the Open Cybersecurity Alliance. Kestrel is a fully open-source threat hunting language that leverages the federated data service capabilities of STIX Shifter which were previously contributed to the OCA by IBM. I cannot wait to see how OCA member organizations and the community of like-minded people, pursuing open interoperability of security solutions, leverage these tools to further enhance their security operations across heterogeneous solutions.”
“ThreatQuotient is pleased to continue its partnership with the Open Cybersecurity Alliance to help drive standards to encourage interoperability between security vendors to benefit network defenders,” said Haig Colter, Director of Alliances. “Our continued participation in the OCA demonstrates our commitment to follow established standards that encourage the communication of security information in ways that benefit a broader audience.”
The OCA is headed by organisations dedicated to resolving the costly problem of siloed cyber tools and technologies, that create integration nightmares for cybersecurity experts in all environments. CyberNB, Rapid7, SafeBreach, and Tenable have recently joined the governing board working alongside Center for Internet Security (CIS), Cybereason, Cydarm, Cyware, EclecticIQ, EPRI, F5, IBM Security, McAfee, NewContext, S-Fractal Consulting, SAIC, ThreatQuotient, Tripwire, and TruSTAR.
OCA technologies work together to add value and improve product capability across security tools and teams; for instance, Kestrel uses STIX-Shifter to unify the threat hunting experience across different security tools.
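To make the hypothesis-driven workflow described above concrete, and to show how a hunt reaches its data through STIX-Shifter, here is a small Kestrel hunt flow added by the editor; it is not code from the article or from the Kestrel project. It assumes Kestrel 1.x syntax (STIX patterns in WHERE clauses), a STIX-Shifter data-source profile named edr1 that the hunter has already configured, and a constructed one-day time window; the hypothesis itself (an Office application spawning PowerShell that then opens a network connection) is a generic example, not one from the page.

```kestrel
# Hypothesis: an Office application spawned PowerShell, and that PowerShell
# then made an outbound connection (a download-cradle pattern).
# Assumed: Kestrel 1.x syntax; 'edr1' is a STIX-Shifter profile the hunter
# has configured; the time window is a constructed example.

# Step 1: retrieve PowerShell processes from the EDR through STIX-Shifter.
powershells = GET process FROM stixshifter://edr1 WHERE [process:name = 'powershell.exe'] START t'2021-06-01T00:00:00Z' STOP t'2021-06-02T00:00:00Z'

# Step 2: pivot to the parent processes and keep only Office parents.
parents = FIND process CREATED powershells
office_parents = GET process FROM parents WHERE [process:name = 'winword.exe' OR process:name = 'excel.exe' OR process:name = 'outlook.exe']

# Step 3: pivot back to the children of those Office parents, keep the
# PowerShell instances, then pivot to the network traffic they created.
children = FIND process CREATED BY office_parents
suspicious = GET process FROM children WHERE [process:name = 'powershell.exe']
conns = FIND network-traffic CREATED BY suspicious

# Step 4: inspect. Empty results refute the hypothesis for this window;
# non-empty results are the leads to investigate further.
DISP suspicious ATTR pid, name, command_line
DISP conns ATTR src_ref.value, dst_ref.value, dst_port
```

Each assignment is one reusable hunt step, and the steps can be shared and re-run as a block. Because the only data-source detail is the stixshifter://edr1 profile, the same flow runs unchanged against any EDR or SIEM that has a STIX-Shifter connector, which is the "unify across different tools" point above. Exact keyword and pattern syntax varies between Kestrel releases, so check the version's language reference before running it.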