Smiddle Security Administration Platform is a software solution for improving the efficiency of cybersecurity systems.

Smiddle Security Administration Platform

The Smiddle Security Administration Platform is a system that automatically collects and processes Indicators of Compromise (IoC) according to specified parameters.

Our solution has the ability to collect threat information from a large number of different types of sources and in different formats, automatically normalizes, validates and prepares it for security tools.

This allows you to adjust the load and use firewalls and other security tools more efficiently.

This solution can collect IoC from various sources that are available via links (URLs) or downloaded from a file and in different formats, such as websites (HTML), the special format for IoC (STIX), text files (eg TXT, PDF) and others.

Formats and systems with which SSAP works:

Formats:

stix
html
txt / xml
pdf
misp
csv
stix / taxii

Systems:

Cisco Secure Firewall Management Center
ArcSight
Cisco FMC
Cisco Smart Licensing
Cisco Email Security
Cisco SecureX
MISP
Virus Total
FS-List

Features
of Smiddle Security Administration Platform

Data cleaning

One of the important features of the Smiddle Security Administration Platform is cleaning the received data from unnecessary elements such as erroneous values, duplicates, irrelevant and unverified data. This step helps ensure high-quality and effective analysis that increases the reliability of the security system.

IoC Correlation and Validation

Correlating the IoC with company whitelists helps significantly reduce false positives and improves system accuracy. Another important feature is the validation of IoC against threat-level criteria. Such verification helps determine whether these IoCs may pose a threat to a particular information system.

Designation by type

Additionally, IoCs can be labeled by their type and direction of use. This helps to understand exactly how these IoCs can be used, which allows for a better assessment of risks and the adoption of appropriate security measures to protect the information system from possible cyber threats.

Benefits

Unique indicators

Improve the effectiveness of security devices by providing only unique and type-appropriate indicators of compromise

Source Management

The ability to add Threat Intelligence sources directly from the SSAP Web UI without administrators having direct access to security devices

Automation

Automatically process indicators of compromise from various sources and different formats, their normalization and validation

Red button

Quickly enrich the equipment thanks to the presence of the "RED BUTTON" function

Quality of Sources

The ability to compare and evaluate the quality of different sources, paid or free. SSAP allows you to determine how unique and qualitative indicators are obtained from selected sources

Analytics

Receive up-to-date statistics on the operation of IoCs and analytics by sources of IOCs

Blocking mode and Process simplification

Automatic transition of compromise indicators from SSAP collections into blocking mode. This reduces staff workload and streamlines routine processes

White lists

Reducing the number of false positives on security devices, thanks to the implementation of centralized white lists with allowed indicators

Control of licenses

Ensure clear control over the relevance of licenses and subscriptions

Get an offer

Use

Automated collection and enrichment of Threat Intelligence security tools with events

Problem: The large variety of sources and the amount of information about threats make it difficult or impossible to process and manage them manually.

Solution: SSAP acts as a platform that automatically collects, processes, and prepares threat information for delivery to security devices. It has the ability to collect threat information from a large number of different types of sources. These can be both public and paid sources that require authorization when accessing them. It then filters and normalizes the resulting data by cleaning up duplicate, malformed, and invalid VirusTotal and Whitelist items. According to the configured parameters, it prepares customized and clean lists of threat indicators that enrich the security devices.

Result: The burden on security personnel is reduced by automating the processes for collecting and analyzing IoCs.

False positives

Problem: A high number of false positives compromises the effectiveness of safety devices.

Solution: With SSAP, it is possible to minimize the number of false positives on security devices, this is achieved by centrally managing lists of indicators of compromise, having whitelists of allowed indicators, and additionally checking each indicator on VirusTotal. This allows you to keep the most "valid" indicators of compromise in the SSAP database, which will be used by security devices such as SIEM systems, firewalls, antiviruses, etc. in the future.

Result: Zero or minimal number of false positives on security devices, which allows you to save time investigating "false" incidents, as well as guarantee that services required for the company's work will not be blocked in the event of an error on the part of the security list vendor.

Preventing repeat attacks

Problem: The company is becoming a victim of frequent hacking by cybercriminals, and this is becoming the norm, not the exception. Response to such attacks requires prompt and well-coordinated measures.

Solution: The Smiddle Security Administration Platform system uploads information about potentially dangerous artifacts (IoC) to a centralized SSAP database on a schedule or on demand, allowing you to receive updated data from the source as soon as it appears. From the SSAP database, data is quickly transferred to the required security devices. This will allow prompt responses to cyber-attacks and reduce their impact on the organization, avoiding their spread on critical workstations and the organization's network.

Result: Increased speed and efficiency of response to incidents during a cyber-attack will help reduce its negative impact on the organization.

Managing loads on safety devices

Problem: Not being able to directly manage the load of IoCs on security devices can reduce their effectiveness.

Solution: Each security appliance is limited in understanding only certain types of indicators of compromise and has limited resources to process and store them. This can lead to some indicators being ignored if there are too many of them or if they are incompatible with a particular security tool. However, thanks to the Middle Security Administration Platform (SSAP), this problem is solved. With SSAP, you can manage the effectiveness of Threat Intelligence functionality on your security devices by configuring specialized rules. These rules allow you to create appropriate lists of indicators of compromise for each type of security device so that they receive only those indicators that they understand and can handle effectively. It is also possible to limit the number of indicators to the maximum possible volume that these tools can store.

The result: Increased efficiency of the Threat Intelligence functionality on security tools, which allows you to better protect the company from cyber threats.

Analysis of the effectiveness of sources of indicators of compromise (in the new version)

Problem: Lack of understanding of the effectiveness and quality of each source of indicators of compromise used by the organization.

Solution: Organizations may use a large number of sources with indicators of compromise; some of them may be free and some may be paid. However, there is no objective view of how effective each source of indicators is for a particular organization. SSAP enables you to understand this. Using SSAP algorithms, metadata (number of indicators, duplicates, whitelists, triggers, etc.) of each source and security device is analyzed. After analysis, each source is assigned a certain score that reflects its real benefit to the organization at specific time intervals.

Result: Each source of indicators of compromise has its own objective assessment of effectiveness and quality, which allows you to understand its usefulness for each specific organization.

About our company

Smiddle is an international software developer. We don't just build software; we turn ideas into innovative products that change the world. Each project for us is a challenge that we take on with great responsibility and enthusiasm. We value each of our partners and each user of our products.

Your success is our success, and that's why we work to the limit to provide you with the highest level of satisfaction and convenience. Our mission is to create products focused on the needs of our customers. Each of your projects receives our undivided attention. We offer complex solutions, technical support and consulting support.

FAQ

01. Do you provide your own sources with lists of indicators of compromise?

No, we currently do not have our own sources with lists of indicators of compromise.

But, if necessary, our implementation team can recommend some of them depending on the available security tools and the specifics of the organization.

02. SSAP consists of three modules. Are they all necessary for the full operation of the solution?

SSAP actually consists of three modules (Aggregations, Distributions and Inventories). The Aggregation and Distribution modules are mandatory for the complete operation of the solution, because they perform the role of collecting, processing and preparing clean lists.

The Inventory module is additional and expands the functionality by integrating with the Cisco Secure Firewall Management Center, which allows you to send to it from the SSAP console lists with indicators and collect operation statistics.

03. How is SSAP licensed?

SSAP includes three modules (Aggregations, Distribution and Inventory), each of which requires a separate license.

The Aggregation and Distribution modules are mandatory for the operation of the solution and are licensed according to the number of nodes of such modules. In turn, the Distribution module extends SSAP functionality by native integration with Cisco Secure Firewall Management Center, and is licensed depending on the number and models of sensors connected to Cisco Secure FMC.

In any case, you can contact us for consultation and demonstration

04. Does SSAP provide integration capabilities with other security tools?

To download IoCs from SSAP, a standard interface for security devices that works with STIX/TAXII protocols is used, that is, any security device that supports interaction using this protocol can connect to SSAP and download lists with "clean" indicators. And the presence of an open API in each of the modules allows you to make other integrations.

05. From what sources can SSAP take indicators?

You can download indicators to the SSAP database either as a file or as a URL with the following source formats: MISP, STIX, STIX/TAXII, HTML, TXT, XML, PDF, CSV. After processing the indicators, their validation, normalization, it is possible to download them to the security device.

06. How does license control work in SSAP?

In SSAP, it is possible to control licenses for Cisco Secure Firewall and private IoC sources, this is done as follows:

- For Cisco Secure Firewall due to the integration of SSAP with Cisco Smart Account, where the relevant licenses of Cisco products are stored, and it is possible to monitor the status of specific licenses in real time.
- For IoC sources, in manual mode, when creating or editing a source, the expiration date of a specific license is set.

07. How is source quality assessed with IoC?

In SSAP, the function of assessing the quality of the source is implemented. This allows you to assess how suitable the source is for each specific implementation.

In order to evaluate the quality of the source, SSAP uses metadata formed on the basis of information about the sources, such as the total number of indicators, duplicates, indicators from white lists, etc., as well as from data from security devices about the number of activations of these indicators.

After that, the SSAP algorithms analyze the received data and assign a rating to each of the sources.

08. How does SSAP help with threats that have recently become known?

SSAP does not have its own sources with indicators of compromise, and works exclusively with sources added to it. But SSAP helps automate the process of taking IoC from the source according to the schedule, or uploading a new batch of indicators. If the threat became known very recently and the source already contains this indicator, you will receive it in SSAP. After all checks, as soon as the indicator gets into the database of "clean" indicators. It can be unloaded onto a security device upon request.

Company