Elemendar’s READ. uses machine learning techniques to add structure to unstructured data, producing output in STIX format. Given how much of the world’s Cyber Threat Intelligence (CTI) data is stored in an unstructured format, the strategic design rationale behind the READ. tool is obvious; however, we have found that some of our clients find it challenging to integrate READ. into their established analyst workflows. This blog addresses that topic and suggests ways in which READ. can fit into your analyst workflow.
There are effectively two main use cases for the READ. platform:
- As an integration into an established Threat Intelligence Platform (TIP)
- As a stand-alone tool for an analyst
Taking the above use cases into consideration: although READ. performs the same function in each instance, namely adding structure to unstructured data, the workflow for each use case is slightly different. To address each in turn:
Use case No. 1: READ. TIP integration
In this case READ. sits between the data feed and the TIP, often working autonomously or with minimal supervision by a human analyst. Scale and speed are the name of the game in this use case, as READ. crunches through large volumes of RSS feeds to pass structured data into the TIP for further analysis. In this model, upcoming features such as custom rules and canonical entities allow a CTI team using READ. in this way to populate their TIP with large volumes of structured data drawn from either open source or proprietary data sets.
Use case No. 2: READ. as a stand-alone tool
On a smaller but no less important scale, READ. is used by individual analysts as part of the wider research projects they are working on. Within this context, the graph and multi-document views are the features of READ. most likely to be used. Individual analysts, or teams of them, can unlock insights hidden away in the various source documents using the extraction mechanisms within READ., and can engage the “team play” features that are coming soon, such as document allocation across team members and entity extraction by type (e.g., Identity, Tool, Malware), to refine their search.
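As an added illustration of what “structuring unstructured data” means for both use cases above (example code, not Elemendar’s or READ.’s own): a constructed feed item passes through a hypothetical keyword lookup that stands in for READ.’s ML extractor, the hits are emitted as STIX 2.1 Domain Objects inside a Bundle of the kind a TIP would ingest, and a filter by STIX type gives the “entity extraction by type” view an analyst would use. Names such as FakeLoader and ExampleCERT are constructed.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed feed item, like one a TIP integration might pull from an RSS source.
FEED_ITEM = ("Researchers at ExampleCERT observed the FakeLoader malware being "
             "dropped by a Cobalt Strike beacon against a retail customer.")

# Hypothetical lookup table standing in for READ.'s ML entity model: name -> STIX type.
KNOWN_ENTITIES = {"ExampleCERT": "identity", "FakeLoader": "malware", "Cobalt Strike": "tool"}


def extract_entities(text):
    """Return (name, stix_type) pairs found in text, ordered by first appearance."""
    found = [(name, t) for name, t in KNOWN_ENTITIES.items()
             if re.search(r"\b" + re.escape(name) + r"\b", text)]
    return sorted(found, key=lambda pair: text.index(pair[0]))


def to_stix_bundle(text):
    """Wrap the extracted entities as STIX 2.1 Domain Objects inside a Bundle."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    objects = []
    for name, stix_type in extract_entities(text):
        sdo = {"type": stix_type, "spec_version": "2.1",
               "id": f"{stix_type}--{uuid.uuid4()}",
               "created": now, "modified": now, "name": name}
        if stix_type == "malware":
            sdo["is_family"] = False  # mandatory property on STIX 2.1 malware objects
        objects.append(sdo)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def objects_of_type(bundle, stix_type):
    """Filter a bundle by STIX type: the 'extraction by type' view an analyst would use."""
    return [o for o in bundle["objects"] if o["type"] == stix_type]


if __name__ == "__main__":
    bundle = to_stix_bundle(FEED_ITEM)
    print(json.dumps(bundle, indent=2))
    print([o["name"] for o in objects_of_type(bundle, "malware")])
```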
To conclude, READ. is a tool that can be applied within two distinct contexts: first, as a strategic addition to an established TIP-based workflow, and second, as a tactical addition to the workflow of an individual analyst or small team. The key point is that at the core of both use cases is the central concept that drives READ. forward: structuring unstructured data, and thereby enhancing the analyst mission.
Elemendar is the world leader in developing AI (Machine Learning) to process human-authored cyber threat intelligence into machine-readable, actionable data, to enable cyber analysts to better protect their organisations against cyber threats.
Stewart Bertram is Elemendar’s Head of CTI, with more than 15 years’ experience in Intelligence and Cyber Threat Intelligence in both public sector and private roles.