Threat Intelligence

Sopra Steria automated threat intelligence with Feedly AI — and customer support tickets “were significantly reduced”

This CTI team sends automated newsletters to keep customers up to date, improve situational awareness, and reduce ticketing noise. Here’s how they did it:

Annie Bacheron Sep 19, 2023

“For us, this is the way to handle open source collection and dissemination via newsletters. I haven't seen anything that comes remotely close to what we’ve been able to do with Feedly.”

Per Kroghrud, CTI Team Lead, Sopra Steria Scandinavia

The short version

The customer: Sopra Steria is a leading European consulting firm in digital services, software development, and cybersecurity, with over 45,000 employees around the world. They offer cybersecurity services through the managed security service provider (MSSP) model for customers in IT decision making and cybersecurity. Per Kroghrud, CTI Team Lead, directs intelligence efforts for Sopra Steria Scandinavia.

The challenge: Ad hoc process made it hard to know if they were catching everything. On-call security analysts used to monitor the threat landscape manually, in an unstructured way. They needed a source of truth and a tool to help scale open-source intelligence collection and analysis.

The solution: Using Feedly Threat Intelligence to streamline collection and analysis of intelligence, and create automated newsletters to share. Sopra Steria integrated Feedly AI into their tech stack to ingest indicators of compromise (IoCs) into their Malware Information Sharing Platform (MISP) instance and share directly to customers. Automated newsletters get sent out to 150+ recipients daily and weekly.

The results: Scalable sharing and reduced ticketing. Now that manual intelligence collection is no longer a bottleneck, daily and weekly newsletters keep customers informed and have drastically reduced inbound tickets and requests for information from customers.

To stay ahead of the threat landscape, Per and the CTI team rely on Feedly Threat Intelligence. Start a trial of Feedly or keep reading to learn how Sopra Steria Scandinavia is automating the intelligence process.

THE CHALLENGE
The CTI team needed a way to disseminate intelligence efficiently, automatically, and at scale

Analysts know the feeling: when a customer or internal stakeholder reads about the latest trending vulnerability on BleepingComputer and sends over a quick email or chat message “just to see if you were aware of this.” Or worse, when a stakeholder or customer finds out about an incident before the CTI team does.

When analysts are more proactive in their communications, customers don’t clog their inboxes with news articles. Instead of spending their time reactively assuring customers that everything is under control, proactive communicators can simply get on with the focused work (because their customers trust them).

Per knew that if the CTI team could improve the situational awareness of Sopra Steria’s MSSP customers — let them know what’s going on — they could reduce this busy work.

Before: An ad hoc, unstructured manual intelligence process made it hard to know if they were catching everything

The CTI team used to have a security analyst on-call who was tasked with monitoring the current landscape for situational awareness. They collected intelligence, but the process was inconsistent, rendering the CTI team vulnerable to blind spots.

Per Kroghrud, CTI Team Lead, says, “Each analyst had their preferred sources. So some analysts went to BleepingComputer, Hacker News, others checked Twitter and Reddit to see what kind of news was posted there. It was very ad hoc, not very structured, and hard to tell if we caught everything.”

It wasn’t viable to manually extract IoCs

Once the analysts found relevant information, manually extracting IoCs was a tedious process. Per remembers, “Often we’d get a PDF with a table with a bunch of hashes and IPs. You have to manually copy and paste from a PDF, which is annoying. Then you put it in a file. And then if you want to ingest it right into Microsoft products, it has to be formatted in a very special way. And then you have to add context.”

It was exhausting. “Processing a single article and getting the text on IoCs took 45 minutes, give or take. It became so time consuming that some of the analysts chose not to spend the time.”

The team needed to find a tool that could help them streamline and scale their process:

  • A source of truth and structured process for intelligence gathering 24/7
  • An automated, intelligent way to collect and extract IoCs with added context
  • A proactive way to share intelligence with customers to improve their situational awareness

Some analysts already used Feedly’s free version for personal use, and when they discovered Feedly Threat Intelligence, and the AI and collaborative capabilities it offers, they decided to try it as a team.

THE SOLUTION
Feedly AI acts like an analyst to extract IoCs and vulnerabilities, and then distribute intel through automated newsletters

Once the team got up to speed in Feedly, it became the team’s central hub for collecting, analyzing, and sharing cyber threat intelligence.

The CTI team created customized AI Feeds to collect targeted intelligence. Now, Feedly AI acts like an analyst to gather intelligence based on their requirements, which in this case were:

  • IoCs related to customer needs
  • Vulnerabilities related to customer tech stacks
  • Trending vulnerabilities
  • Threat actors and their tactics, techniques, and procedures (TTPs)
  • Monitoring cyber attacks and the threat landscape affecting their customers

The Sopra Steria Scandinavia CTI team combines the Proof of Exploit AI model with vendors used by their customers so they can quickly flag vulnerabilities being actively exploited.

Per explains, “We spend a lot of time handling and advising on vulnerabilities for our customer base. So the ability to combine the Proof of Exploit and Vulnerability AI Models with customer tech stacks in an AI Feed is really important for us to be able to quickly identify which customers are at risk.”

Letting Feedly AI handle collection means the team gets intel fast — faster than when the on-call analyst was manually scouring the web. And even faster than other sources of intel:

Once we get a hit in Feedly, we can dig into it, assess it, and push advice to customers, often faster than our own national CERT, and it gets news to our customers before it hits the hype cycle.

Per Kroghrud, CTI Team Lead, Sopra Steria Scandinavia

The CTI team harnessed Feedly’s integration with MISP, an open source threat intelligence platform (TIP), to automatically ingest IoCs from Feedly into MISP, and then push them to customers. When an analyst saves an article to a Board within Feedly, the IoCs are automatically extracted and sent to MISP with context, validated, and disseminated to customers.

Automated newsletters consistently share intelligence

The team quickly discovered that with the streamlined collection and processing of intelligence, it was easier than ever to share their assessments.

Before, the CTI team used to format their own newsletters and manually add articles to distribute to customers and stakeholders. Part of the process was automated, but they still used to spend up to two hours each week addressing formatting and distribution issues. During especially busy or hectic weeks for the team, they might be forced to skip an issue of the newsletter.

Per remembers, “It was a lot of manual work for us analysts, which increases the chance of errors. Sometimes the newsletters were sent with ugly formatting errors. Other times, we had to make sure it was sent as BCC so we didn’t expose the whole recipient list. There were several steps that could cause mishaps or security glitches — that wouldn’t look good. It was a process that worked, but it wasn't very smooth. We wanted a better way to automate the process.”

But now, they use the customizable, built-in newsletter builder in Feedly to send out three recurring briefings:

  • Weekly security curated newsletter: A summary that includes attack trends and insights, new phishing techniques, and statistics about attacks.
  • Daily vulnerabilities newsletter: A very technical newsletter, sent to everyone who is responsible for patching and keeping systems up to date, including vulnerability analysts.
  • Internal weekly detection opportunities newsletter: An internal newsletter sent to the security operations center (SOC) where Per’s team highlights if there's an ongoing attack campaign. This newsletter includes information about things the team should potentially act on or get coverage for, including intel about attackers and techniques.

An edition of Sopra Steria Scandinavia's Weekly Security newsletter, created in Feedly, which goes out to customers.

According to Per, what helped the Sopra Steria Scandinavia team create newsletters efficiently:

  • Templated design: they can now “set it and forget it” instead of fiddling with formatting every week.
  • Categories: Per’s team set up Team Boards within Feedly that correlate to specific sections in their newsletters. If an analyst saves an article to the “Trends & Insights” Board, it automatically gets added to the corresponding “Trends & Insights” section in their newsletter.
  • Built-in recipient list: Now, Per doesn't have to worry about BCC-ing recipients each time he sends a newsletter.
  • AI-generated article summaries: Feedly AI automatically summarizes each article, so readers can get the gist of a story without clicking through. Per’s team just has to check the quality of the summary before it sends, instead of writing from scratch.
  • Analyst notes: In addition to the AI-generated summaries, CTI analysts on Per’s team can add an “analyst note” about a specific vulnerability or issue.
  • Automatic scheduling: Each newsletter gets sent at a certain time (daily or weekly), doesn’t depend on a specific employee, and customers can count on it hitting their inboxes regularly.
  • Subscribe button: If recipients forward a newsletter, their colleagues can sign up with a single click.
  • Analytics: Per is able to evaluate the performance of each newsletter: “We can see exactly who clicks on the newsletter, what kind of articles are people most interested in.” This lets them tailor content to their recipients’ needs, and provide the most value to their customers.

Feedly AI generates summaries of each article for the newsletter, and then Per's team can add an analyst note if they want to provide additional context.

THE RESULTS
Gathering intelligence and distributing it to customers faster than they can say “have you seen this?”

The CTI team still has a security analyst on-call. But now that the team is using Feedly to gather intelligence faster, act as a source of truth, and distribute intel, the analysts can focus on higher-level work. Each analyst uses their expertise to save articles to Boards and decide what needs to be acted on now, and what is most relevant to share with customers.

Per says "Now, we are able to approach our open source collection in a much more systematic and structured way, to ensure that all security analysts consume OSINT from the same place. The CTI team can continuously improve the information received by adding, validating, and reviewing our sources. In this way, we are confident that we can reduce the number of blind spots in our intelligence collection efforts."

The newsletter used to take 2 hours to put together, now it can take 10 minutes

It used to take Per and his team up to two hours to put together the newsletter, and most of the time was spent avoiding formatting errors or inconsistencies. Now “we don’t use any time on formatting or distribution — all that is handled automatically.”

Instead of fiddling with formatting, the team can focus on proactive threat intelligence. “We’re able to use the time to discuss what happened in our region last week that is really relevant for our customers — instead of trying to get the indent right, or fix the font in the email.”

Now, Per can allocate minimal time to newsletter creation, since the content collection, distillation, and formatting is automated — and he never misses a week. “During the summer holidays we have been able to maintain the production of the weekly and daily newsletters, even while part of the team is on vacation — it just takes 10 minutes of my time to review the content.”


Extracting IoCs from a single article used to take 45 minutes, now it’s automated

Before, a single article could take 45 minutes for a CTI analyst to process, extract IoCs, and format them. Now that Sopra Steria uses Feedly, it takes just minutes between saving an article to a Board and getting it pushed to a customer.

Members of the CTI team view articles in their AI Feeds with IoCs and save select articles to a Team Board. IoCs are automatically pushed with context from the Team Board to MISP, where an analyst can validate.
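The save-to-Board, extract, push-to-MISP step described above (and in the integration paragraph earlier), as an added illustration that is not Feedly's or Sopra Steria's integration code: a small extractor that pulls IPs and file hashes out of article text, refangs and validates them, drops internal addresses, and wraps the result in a MISP event payload with the source article attached as context on every attribute, which is what an analyst validating in MISP needs. The attribute types and event fields are standard MISP JSON; the sample article text is constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Indicator kinds the article mentions: IPs (plain or defanged "1.2.3[.]4") and file hashes.
IP_RE = re.compile(r"\b(?:\d{1,3}(?:\.|\[\.\])){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[A-Fa-f0-9]{64}\b|\b[A-Fa-f0-9]{40}\b|\b[A-Fa-f0-9]{32}\b")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Only internal ranges are dropped here (so the RFC 5737 documentation addresses in the
# constructed sample survive); a production filter would also drop other bogon ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def extract_iocs(text: str) -> List[Dict[str, str]]:
    """Pull IPs and hashes out of article text as MISP-style {"type", "value"} dicts,
    refanging, validating, dropping internal addresses and de-duplicating."""
    seen, iocs = set(), []
    for raw in IP_RE.findall(text):
        ip = raw.replace("[.]", ".")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # "999.1.1.1" fits the regex but is not an address
        if any(addr in net for net in INTERNAL_NETS) or ("ip-dst", ip) in seen:
            continue
        seen.add(("ip-dst", ip))
        iocs.append({"type": "ip-dst", "value": ip})
    for digest in HASH_RE.findall(text):
        digest = digest.lower()
        kind = HASH_TYPES[len(digest)]
        if (kind, digest) not in seen:
            seen.add((kind, digest))
            iocs.append({"type": kind, "value": digest})
    return iocs


def build_misp_event(info: str, source_url: str, iocs: List[Dict[str, str]]) -> dict:
    """Wrap the indicators in a MISP event payload; the source article is kept as a
    comment on every attribute so the analyst validating in MISP can trace each value."""
    attributes = [{**ioc, "to_ids": True, "comment": f"Extracted from {source_url}",
                   "category": "Network activity" if ioc["type"] == "ip-dst" else "Payload delivery"}
                  for ioc in iocs]
    return {"Event": {"info": info, "distribution": 0, "threat_level_id": 2,
                      "analysis": 0, "Attribute": attributes}}


# Constructed sample article text (RFC 5737 addresses and the well-known empty-input hashes).
SAMPLE_TEXT = """The loader beacons to 203.0.113[.]45 and 198.51.100.7 (and 10.0.0.5 internally).
Dropped payload SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
MD5: d41d8cd98f00b204e9800998ecf8427e, later repeated as 203.0.113.45."""
```

Running `build_misp_event("Loader campaign", "<article url>", extract_iocs(SAMPLE_TEXT))` yields four attributes (two IPs, one sha256, one md5), with the internal address and the repeated IP removed; the payload is what a POST to a MISP `/events` endpoint expects.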

“Support tickets from customers concerning the threat landscape or new vulnerabilities were significantly reduced”

Now that they receive weekly (and sometimes daily) newsletters from Sopra Steria, customers’ situational awareness has skyrocketed.

Instead of creating tickets to ask “are you aware of this?” about a new vulnerability, customers see a note in the daily vulnerabilities newsletter and their question is answered, without spending their own time (or the CTI team’s time) creating support tickets.

“Tickets concerning questions about the threat landscape or new vulnerabilities were significantly reduced. The newsletter captures the essential reporting each week and also serves as a basis for discussion in our bi-weekly operational meetings with our customers.”

Before, collecting and sharing IoCs was a bottleneck. Now, I could push 100 articles a day if I wanted to. The technical ability to do so is no longer a limitation.

Per Kroghrud, CTI Team Lead, Sopra Steria Scandinavia

WHAT'S NEXT
Increasingly curated intelligence collection and sharing for specific audiences

Next on the roadmap for the CTI team is creating increasingly segmented newsletters so they can give each customer hyper-relevant and hyper-specific intelligence. They plan to further segment newsletters based on the sector and job title of each audience. “We’d like to create a monthly CISO newsletter with more strategic content,” says Per. “We also want to drill down and create industry-specific newsletters. The energy sector will get their own newsletter, for example, and the defense and national security sector will get their own newsletter.”

Sopra Steria is an active partner with the Feedly team, evaluating beta features, suggesting improvements, and providing feedback to help Feedly design and enhance the product with market-leading capabilities. Collaboration with smart CTI teams like Sopra Steria Scandinavia is the reason we've been able to build Feedly Threat Intelligence into what it is today.

Per notes, “We have feature requests, and the team follows up about the status and the actual deliverables, which they are able to push out fairly quickly. That is unlike any of our other vendors.”

We’re excited to keep collaborating with Sopra Steria to make collecting, analyzing, and sharing OSINT faster and easier.

Collect and share open source intel via newsletters

Start a free 30-day trial of Feedly for Threat Intelligence. Start collecting and sharing your own open source threat intelligence via newsletters.
