Case Study
An inside look at how the Airbus CyberSecurity team is using Feedly to monitor and share actionable insights
ImpactA cohesive, streamlined workflow for threat intelligence that saves hours every weekIncreased customer satisfaction due to improved speed of intelligenceReal-time sharing makes it easy to instantly alert customers and collaborators
THE CHALLENGE“The process used to be way too time consuming and manual”
Chris Pickard, Cyber Threat Intelligence, and Adam Thomas, Vulnerability Analyst, lead the cyber threat intelligence (CTI) team at Airbus CyberSecurity in the UK. The team has since grown significantly, but just a few years ago they were a small team with painfully manual processes for gathering threat intelligence.
Chris remembers, “We had our favorite sites that we would go to stay on top of the latest trends and to monitor newly released vulnerabilities. It was a more time consuming process compared to how we do things now, and on reflection, it was less structured ” He adds, “We’d have all sorts of set places we would go to to get the news and to get the latest vulnerabilities. It worked but it could sometimes be a frustrating process.”
Before the CTI team enhanced their news gathering and vulnerability monitoring capability with Feedly, they collected information individually. The process is now much more collaborative, with each member of the team having access to and visibility of the Feedly platform. He adds, “We wanted a way of getting news to our customers much more quickly and to work together in a more streamlined way.”
Like many current Feedly for Cybersecurity teams, Chris had been using Feedly for personal use in the past. Once he and Adam discovered Feedly’s cybersecurity-specific features, they felt like they had found a cheat code for finding what matters and getting it to the right people, faster.
“We wanted a way of getting news to our customers more quickly and to work together in a more streamlined way.”Chris Pickard, Cyber Threat Intelligence
Immediate impact from the proof of concept
Chris and Adam still needed to convince upper management to adopt Feedly for Cybersecurity. Chris says, “One of the obstacles we faced was to convince management of the benefits that Feedly would provide. From a management perspective they were already aware that the team were doing a good job, but the challenge we faced was to demonstrate the improvements Feedly would bring to the table”
After a few months of switching the manual process to a more streamlined intelligence workflow with a trial of Feedly for Cybersecurity, “It reached the point where our customers were giving positive feedback about how we were able to respond to the latest trends, while also keeping them informed of the news and our response to it. The efficiency of the new workflow really helped us promote Feedly within Airbus.” Internal management teams, other security teams, and their external customers noticed and appreciated the increased speed in which they were receiving threat intelligence.
“It reached the point where our customers were giving positive feedback about how we were able to respond to the latest trends, while also keeping them informed of the news and our response to it. The efficiency of the new workflow really helped us promote Feedly within Airbus.”Chris Pickard, Cyber Threat Intelligence
Adam adds “The feedback that we received from the customers has already proven that Feedly was worth the investment.” He adds, “Once the customer reviews started backing up what we’d been saying all along, then there was no decision to be made, to be honest. It was easy to convince management to adopt Feedly from then on.”
THE SOLUTIONIncreasing speed of intelligence with a streamlined OSINT process
At Feedly, we use Airbus CyberSecurity’s workflow as a model to teach other security teams to set up efficient, collaborative intelligence gathering processes using our platform. This is how they get actionable cybersecurity intelligence to their customers in a matter of minutes.
1. Asking Leo to track customer assets and products
Chris and Adam ask Leo, Feedly’s AI research assistant, to track anything related to critical vulnerabilities affecting them and their customers’ assets and products across the web (not just in the sources they follow in Feedly). They can then add the results of these Leo Web Alerts to their Feedly account.
Then, using a portfolio of security sources they trust, Chris and Adam asked Leo to prioritize anything related to their customers, including customer assets and products. With Priorities, Leo reads all incoming information and surfaces the most relevant content, based on the specific parameters Chris and Adam set up. According to Chris, “We know that anything that’s triggering the Priorities is something we need to focus on. Instead of us having to hunt for actionable intelligence from different sources, we can just have a glance at the Priorities and go from there.”
Chris and Adam asked Leo to prioritize news about high vulnerabilities related to their customers and products they use
2. Immediately viewing and sharing CVSS scores and trending vulnerabilities
With Feedly for Cybersecurity, Chris and Adam can see the CVSS score directly in their Feeds, which gives them more tools to share with customers. They can click into a CVE Card, to access all the information related to the CVE, access the severity of a vulnerability, and determine if it should be escalated to their team for further research without zig zagging across different tabs. If not provided by the National Vulnerability Database (NVD), Leo will estimate the CVSS score and CWE attack type for each vulnerability.
“We can just look at Leo’s prioritization and see what needs to be taken care of first,” says Chris. “It’s really helpful to see the top attackers and go from there.”
3. Instantly sharing articles with external email addresses
If they find a critical vulnerability about a customer’s supply chain, for example, Chris and Adam’s team need an easy and fast way to get it to the people who need to know.
The team initially had a solid workflow set up, and with a few tips from Remi on the Feedly customer success team, they made it even more streamlined. Remi says “The Airbus CyberSecurity team had developed a clever workaround with IFTTT to send articles to a list of six external customers.” But there was room for improvement, so “during one success session, we were able to tweak it a bit to send polished emails directly from the Feedly interface, without using a third-party tool as a workaround.”
Instead of connecting Feedly to email with an IFTTT integration in the middle, Remi showed Chris and Adam how they could actually send parts of an article directly to external email addresses using Notes.
The Airbus CyberSecurity CTI team sends articles instantly from Feedly to external recipients via email, by tagging them in the Notes
4. Curating relevant content daily for each customer for instant, organized communication
To organize information to share with customers, Chris and Adam created one Team Board per customer. Team Boards are shared spaces to save articles, and can trigger other automations, like the Slack integration or an email. If Chris saves an article to a customer’s Board, it can immediately trigger a Slack message or an email notification to the customer. “I used to have to summarize gathered intelligence in an email and send it to customers. Now ??I can just attach relevant information to a Board and I can send it instantly to the people that need it.”
In Team Board > Sharing Settings, the team turns on Slack notifications and choose which Slack channel receives a notification when they save an article to that Board.
Notifications from Boards can be sent to anyone via email, whether or not they have a Feedly account. Chris and Adam send articles to analysts, CTO teams, or even the CEO. “Everyone sees these notifications straight away, and it’s just a really good way of getting it to them quicker.”
5. Sending proactive briefings via automated daily and weekly Newsletters
Apart from ad hoc alerts when relevant issues come up for customers, Chris and Adam also send out daily and weekly newsletters on topics of interest. They add any articles that customers might find interesting to a dedicated Board. They’ve configured the Board to automatically send a Newsletter, which is an automated roundup of recently added articles that can be sent at regular intervals.
Instead of copying and pasting multiple articles into a weekly email, Chris and Adam automate their weekly roundups to send directly as Newsletters from their assorted Boards.
THE RESULTSA fast, streamlined OSINT workflow that leaves time for analysis
The most noticeable impact of using Feedly? The stellar feedback the CTI team has received from both internal and external customers. Chris says, “Customers really love the speed that we are able to quickly get the news to them. As soon as something hits the news, like a critical vulnerability that affects them, we can notify them within minutes.”
Sending out regular news roundups is much easier, too. Chris says, “Team Newsletters have made the biggest difference for me because it’s saved so much time.”
The firehose of information is quickly reduced to only what’s relevant
By asking Leo to track their customers’ assets and products both across the web and within their trusted security sources, Chris and Adam can feel confident they’re not missing anything, but they can also make sure they’re not wasting time on irrelevant news.
“I was amazed by the sheer amount of information Feedly brings in, and then how quickly that’s cut down to what’s relevant, I’ve not used a tool that has the same level of impact.”
“I was amazed by the sheer amount of information Feedly brings in, and then how quickly that’s cut down to what’s relevant, I’ve not used a tool that has the same level of impact.”Adam Thomas, Vulnerability Analyst
Improved communication and cohesion makes the job easier
The process is now much more collaborative, with each member of the team having access to and visibility of the Feedly platform, which avoids duplicate work. And avoiding duplicate work is like having an extra person on the team. Chris says, “The time saved has enabled us to put more resources into threat hunting, vulnerability research, and improving existing processes.”
Working together in a more cohesive way also gives the team the confidence that they’re collectively catching everything they need. Adam adds, “We know that once we put parameters into Feedly, it’s definitely doing its job and is capturing everything we need it to. And we’re not missing anything.”
“We know that once we put parameters into Feedly, it’s definitely doing its job and is capturing everything we need it to. And we’re not missing anything.”Adam Thomas, Vulnerability Analyst
Chris (left) and Adam (right) of Airbus CyberSecurity
What’s next: even more automation and indicators of compromise
When it comes to threat intelligence with Feedly, the Airbus CyberSecurity CTI team is only just getting started. What’s next? Adding even more automation. Chris and Adam are looking to leverage Feedly’s API so they can integrate their intelligence gathering workflow with tools they’re already using, like MISP.
They’re also participating in the beta program of Feedly’s Indicators of Compromise feature, so they can quickly discover and collect malicious IoCs from security news sources, Twitter, and Reddit, and then easily export IoCs with context.
Stay tuned, the Airbus CyberSecurity CTI team is leading the way for efficient, collaborative, and effective threat intelligence.
Gather critical insights quickly, all in one placeCut down the information overload to only the relevant news, so you can proactively alert customers or internal team members in minutes.start 30 day trial
You might also be interested inHow a WillowTree cybersecurity analyst gathers threat intelligence in just 30 minutes a dayDrew Gallis, analyst at WillowTree, leverages Feedly for Cybersecurity to track cyber threats across the company’s supply chain and protect clientQuickly discover and collect indicators of compromise from millions of sourcesLeo recognizes IoCs mentioned in articles, and can gather them for yo
Source: Internet Gov forum