Microsoft announced Interflow, a new platform for sharing cybersecurity threats in near real-time. Although it's currently available only in "private preview" for Microsoft Active Protections Program (MAPP) members, security threat information will be shared faster, creating a "collectively stronger cybersecurity ecosystem." In the long run that means protecting people better and more quickly.
What exactly does it means to share security and threat information using Interflow? MSRC's Jerry Bryant said the answer is simple:
Interflow is a distributed system where users decide what communities to form, what data feeds to bring to their communities, and with whom to share data feeds. In addition, the use of open specifications STIX (Structured Threat Information eXpression), TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression standards) means that Interflow can integrate with existing operational and analytical tools through a plug-in architecture. This means there is no lock-in to proprietary data formats, appliances or subscriptions, all of which raise the cost of cybersecurity.
Collaborate, prioritize, integrate
Those three words basically sum up the benefits of Microsoft's Interflow private preview. Collaborate for a collectively stronger ecosystem. Prioritize action through automation. Integrate using plug-in architecture.
Let's say for the sake of discussion that there's a new botnet, malware strain or zero-day in the wild. Today "security and threat information is primarily shared via email, Comma Separated Values (CSV) files, and web portals." That doesn't imply the new threat will be seen in a timely fashion. Interflow will help eliminate manual processes and bring the sharing of cybersecurity threats into the 21st century. "Using community-driven specifications for the structure and exchange of information in a machine readable format allows for rapid, automated processing which helps enable organizations to build better protections and reduce the cost of defense."
Interflow can help every member of a community stay more secure. Members could:
- Combine their individual analysis of malware to more completely understand the threat landscape and better identify variants.
- Rapidly upload suspected malicious URLs identified by others in the community into firewalls and defense system to automatically block potential threats.
- Work together when under active attack from new malware sharing analysis at near instantaneous speeds.
That's all well and good, but really "how is Interflow different from other exchange platforms and data feeds?"
Firstly, Interflow is an engine designed and built for the greater good of the community, and it requires a Microsoft Azure subscription for use. It does not necessitate purchase of any propriety appliances, products or formats. Secondly, Interflow is designed to integrate into existing operational and analytical tools already in place and be compatible with various other systems via a simple plugin architecture. Finally, Interflow users can choose what communities to form and what data to share and with whom, due to its distributed architecture which provides users autonomy.
The announcement was timed so that attendees at the 26th annual Forum of Incident Response and Security Teams (FIRST conference) in Boston could drop by Microsoft's booth for a demo and discussion. Right now Interflow private preview is available as a cloud service, but Microsoft is taking "input from early adopters in order to evaluate the need for an on-premises version."
How much does it cost? Microsoft's answer:
During the private preview Interflow is free for Microsoft Azure subscribers. Users need an Azure subscription for compute and storage resources, and can get started with an Azure trial subscription at http://azure.microsoft.com/en-us/pricing/free-trial/. During the private preview, there is no fee for the data feeds Microsoft is bringing to Interflow.
For more information, check out Bryant's post about Interflow.