
STIX 1 or STIX 2: The Answer Is Both

Jun 5, 2020 10:15:26 AM

The release of STIX 2.1 and TAXII 2.1 heralds a new, simpler era of cyber threat intelligence (CTI) sharing. The new versions add essential capabilities and address key issues identified in earlier ones, and vendors are rapidly adopting the new formats. Cyber defenders are now faced with a choice: STIX1 or STIX2?

Cyber threat intelligence is most commonly used for threat detection: CTI is aggregated into a tool; enrichment, analysis, and prioritization may be performed; and the resulting indicators are pushed to security infrastructure such as a SIEM or IDS to detect threats. The alerts those tools raise in turn feed the incident response process. Cyber defenders therefore need a threat router that supports both STIX1 and STIX2. Here are just a few reasons why:

  1. You need access to as many sources of threat intelligence as possible.

While many vendors are moving toward STIX2, plenty of cyber threat intelligence feeds still use STIX1, and the data those feeds provide remains crucial to the work of cyber threat analysts. Being able to receive data in both STIX1 and STIX2 means you never miss intelligence that may be relevant to your mission.

  2. You need to streamline how you use cyber threat intelligence.

Receiving different streams of threat intelligence is only the first step; you also need to be able to use it. Having all your threat data in one repository, regardless of the format it arrived in, makes enrichment and analysis of your intelligence straightforward.

  3. You need to deepen your understanding of cyber threat intelligence.

STIX2 added a richer set of domain objects (Threat Actor, Intrusion Set, Attack Pattern, Campaign, and others) together with dedicated Relationship and Sighting objects for expressing how those objects relate to one another, giving much improved context to threats. Using these objects lets you go beyond indicators and observables to learn about the actors targeting your organization, so that you can form better-founded hypotheses about how you are being attacked.
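The two points above (receiving STIX1 as well as STIX2, and using STIX2's relationship objects for context) in one added example. This is not code from this post or from Soltra and makes no claim about how Soltra routes objects; it uses only the Python standard library. It parses a constructed STIX 1.2 package (sample data, not a real feed) into a STIX 2.1 Indicator whose observable becomes a STIX pattern string, then bundles that indicator with a hypothetical Threat Actor and an `indicates` Relationship and follows the relationship back. The namespace URIs are the published STIX 1.x/CybOX 2.x ones and the object shapes follow the STIX 2.1 specification; the actor name, the `crime-syndicate` type, the `stix1` external reference, and the restriction to IPv4/IPv6 address observables are illustrative assumptions.

```python
# Added example (stdlib only). Constructed data; not Soltra's code.
import json
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace URIs used by STIX 1.x packages and CybOX 2.x observables.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# Constructed STIX 1.2 package: one indicator wrapping a single IPv4 observable.
STIX1_XML = """<stix:STIX_Package version="1.2" id="example:Package-1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-1">
      <indicator:Title>C2 beacon address</indicator:Title>
      <indicator:Observable id="example:Observable-1">
        <cybox:Object id="example:Object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>203.0.113.5</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def _timestamp():
    # STIX 2.1 timestamps: UTC, millisecond precision, trailing Z.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _stix2_object(obj_type, **props):
    """Common properties every STIX 2.1 SDO/SRO carries, plus type-specific ones."""
    ts = _timestamp()
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj


def stix1_to_indicators(xml_text):
    """Map STIX 1 Indicators carrying an IP address observable to STIX 2.1 Indicators.
    STIX 1 nests the observable as XML; STIX 2.1 expresses it as a pattern string."""
    indicators = []
    for ind in ET.fromstring(xml_text).findall("stix:Indicators/stix:Indicator", NS):
        props = ind.find("indicator:Observable/cybox:Object/cybox:Properties", NS)
        addr = props.findtext("AddressObj:Address_Value", namespaces=NS) if props is not None else None
        sco_type = props.get("category") if props is not None else None
        if not addr or sco_type not in ("ipv4-addr", "ipv6-addr"):
            continue  # other CybOX address categories map to different SCO types (assumption: skip them)
        indicators.append(_stix2_object(
            "indicator",
            name=ind.findtext("indicator:Title", default="", namespaces=NS),
            pattern=f"[{sco_type}:value = '{addr}']",
            pattern_type="stix",
            valid_from=_timestamp(),
            # keep the STIX 1 id so the object can be traced back to its source feed
            external_references=[{"source_name": "stix1", "external_id": ind.get("id")}],
        ))
    return indicators


def attribute_to_actor(indicators, actor_name):
    """Bundle the indicators with a Threat Actor SDO and 'indicates' SROs: the context
    STIX 1 feeds rarely carried. Actor name and type are illustrative assumptions."""
    actor = _stix2_object("threat-actor", name=actor_name, threat_actor_types=["crime-syndicate"])
    rels = [_stix2_object("relationship", relationship_type="indicates",
                          source_ref=ind["id"], target_ref=actor["id"]) for ind in indicators]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators + [actor] + rels}


def actors_for_indicator(bundle, indicator_id):
    """Follow 'indicates' relationships from an indicator to threat-actor names."""
    by_id = {obj["id"]: obj for obj in bundle["objects"]}
    return [by_id[r["target_ref"]]["name"] for r in bundle["objects"]
            if r["type"] == "relationship" and r["relationship_type"] == "indicates"
            and r["source_ref"] == indicator_id
            and by_id.get(r["target_ref"], {}).get("type") == "threat-actor"]


if __name__ == "__main__":
    converted = stix1_to_indicators(STIX1_XML)
    bundle = attribute_to_actor(converted, "Example Actor")
    print(json.dumps(bundle, indent=2))
    print(actors_for_indicator(bundle, converted[0]["id"]))
```

The conversion keeps the STIX 1 identifier as an external reference, which matters in practice: when the same indicator arrives again from the STIX1 feed and from a STIX2 feed, that reference is what lets a repository deduplicate rather than route two copies to the SIEM.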

A good threat router has three key capabilities: support for both STIX1 and STIX2, simple and straightforward routing tools, and the ability to scale up to millions of CTI objects. These capabilities allow cyber defenders to spend more time defending and less time on data engineering, and enable the solution to scale flexibly as the cyber defense practice grows and matures.

Soltra®, powered by Celerium®, checks all these boxes and more. It provides robust tagging and routing tools, and is easily interoperable with tools you may already be using. Our Proactive Defense whitepaper will help you learn how Soltra can help you stay a step ahead of bad actors.

Ready to get started? Request a 30-day free trial of Soltra to experience world-class threat sharing today!