カテゴリー: Feedly for Cybersecurity

How a WillowTree cybersecurity analyst gathers threat intelligence in just 30 minutes a day

Posted on by Annie Bacher
Case Study
Drew Gallis, analyst at WillowTree, leverages Feedly for Cybersecurity to track cyber threats across the company’s supply chain and protect clients
Impact
box icon

Keeps track of critical vulnerabilities in the supply chain so he can react quickly.

chart icon

Went from spending 2-3 hours sorting through threat intelligence news to 30 minutes of reading only the most relevant articles.

target icon

Monitors breaches and vulnerabilities that could put clients at risk…and creates proactive solutions before they become disasters.

THE CUSTOMER
WillowTree, Digital Product Consultancy

Started using Feedly For Cybersecurity: 2020

WillowTree is a digital product consultancy with clients including HBO, Domino’s, Anheuser-Busch InBev, FOX Sports and Hilton. Drew Gallis, a security analyst at WillowTree’s Virginia headquarters, is part of a small team responsible for company security and for proactively alerting WillowTree’s clients of security concerns.

THE CHALLENGE
A limited amount of time to dedicate to threat intelligence

With a small team dedicated to cybersecurity, efficiency is everything. The team at Willow Tree has to stay on top of the threat landscape so nothing falls through the cracks. While Drew’s official title is “Cyber Security Analyst,” he wears multiple hats: incident response, incident remediation, reporting on security news, and securing web and mobile applications developed by WillowTree, with 20-30 projects running at any given time. 

Consuming information fast so he can quickly share actionable insights across the company 

Drew is deeply passionate about cybersecurity and wants to get the word out to everyone in the company. He’s genuinely excited about sharing information that helps other people (developers, clients, etc.) do their jobs better and be safer.

Only about 20% of Drew’s job is dedicated to risk and analysis, and even less of that time is available for news monitoring. So he needed a way to find the best news about critical vulnerabilities without eating up the rest of his time at work. 

Trying out Feedly for Cybersecurity to consolidate and prioritize in one place

Drew’s mentor and supervisor, Adrian Guevara, Head of Cyber Security at WillowTree, had been using Feedly’s free plan for years to consolidate all of his cybersecurity information into one place. So when Drew and his team learned about Feedly for Cybersecurity’s ability to help them refine their Feeds and prioritize the most important information, they had to try it. 

“I only have about 20% of my day to look into risk and analyze different things going on within our organization. I wanted to narrow our data and focus on certain points with my limited time.

Drew Gallis, Cyber Security Analyst, WillowTree

THE SOLUTION
Reducing the volume of information to only critical insights

Adrian and Drew already had all of their top cybersecurity sources organized into Feeds on the free plan. So when they joined Feedly for Cybersecurity, all they had to do was start using Leo, their AI research assistant in Feedly, to prioritize the most important news. Leo reads every article in their Feeds, and then separates the most important ones into the ‘Priority’ tab. Thanks to this sorting and organization, Adrian and Drew can spend their limited attention reading the high-priority news first. 

“The biggest thing for us was exploring Leo’s functionality. We made tailored filters to prioritize specific services, specific programming languages, specific packages, and different vendors we use.”

Prioritizing critical vulnerabilities in WillowTree’s tech stack

First, Drew set up Leo Priorities for all the software tools and services that they use internally at WillowTree. This was simple: He just used AND to add each supplier’s name to a Priority. 

Drew prioritized critical vulnerabilities for any of the companies in WillowTree’s supply chain.

Then, Drew added a layer to this Priority. In addition to prioritizing products and services used at WillowTree, he prioritized high CVEs for services in WillowTree’s tech stack. 

“Normally there wouldn’t be too many articles in my Priority tab, so if I saw a news article pop up, I knew it would be something pressing.

Tracking major programming languages 

Drew asked Leo to prioritize articles that mention any of the major programming languages used for clients at WillowTree. These include: Swift, .NET, Python, C, JavaScript, and TypeScript. 

Drew prioritized critical vulnerabilities for major programming languages WillowTree and their clients use.

Tracking the vulnerabilities that potentially impact clients

Drew also wanted to prioritize news about breaches or cybersecurity events affecting WillowTree’s clients so he could notify them as soon as possible. He used client names (most of which Leo recognizes as companies) in a Priority looking for data breaches. 

Drew created this Priority to find out about data breaches in conjunction with WillowTree’s clients.

Tracking issues regarding MacOS

Since WillowTree is a primarily MacOS company, they’re especially interested in any vulnerabilities affecting MacOS. Drew asked Leo to prioritize vulnerabilities related to MacOS so he could easily tell the rest of the company if there was something to be concerned about.

Drew prioritized articles about MacOS vulnerabilities within his team’s cybersecurity Feed.

THE RESULTS
Protecting WillowTree and their clients in just 25% of the time

Since using Leo, Drew has been able to cut down intelligence gathering time every day to just 30 minutes. He knows which articles are most important to read, and can easily see what’s happening in the world of cybersecurity. Not only can he respond quicker to threats and vulnerabilities, Leo also gives him more time to focus on other important work.

“Instead of having to look and sort through articles over 2-hour periods, now I can do it in about 30 minutes, and get better quality of information with Leo.

Protecting WillowTree with continual threat monitoring

Drew leveraged his Feedly setup during the SolarWinds attack to get the critical information, without the noise that happens during this kind of event. Drew didn’t care about the editorial commentary around SolarWinds; he wanted the technical facts so that he could serve his company and their clients. 

How WillowTree sorted technical updates from news commentary during the  SolarWinds breach: Read the full story

Beyond the SolarWinds event, Drew is able to equip WillowTree developers with the information they need to protect the company. Whenever he finds a vulnerability through Feedly, he shares more about it with the team so they understand why fixing it is important. He also uses the information he finds in Feedly to verify Proof of Concepts (PoCs).

Alerting WillowTree clients to security concerns 

Drew also uses Feedly to get indicators of compromise (IoCs) to share with clients, to better protect them now and prevent future threats. He can now send developers and project managers actionable documentation that they can share with clients in the case of a threat.

Before using Feedly and Leo, Drew spent upwards of two hours each day monitoring security news. Now, he’s reduced the time spent monitoring to just 30 minutes per day. Since using Leo to prioritize critical news, he spends 75% less time, but gets better quality information because his Feeds are tailored to his exact needs. 

“Security news is massive in terms of the scope and the breadth it can go, because each industry has different news. Feedly will save you time and help you condense all of your news articles and news feeds into one place.”

Drew’s team is expanding with a new security hire soon. He plans to train the new team member on the monitoring foundation he’s set up with Feedly so he and his team can continue to efficiently monitor supply chain threats, alert clients, and get the information they need. 

Gather threat intelligence without the noise

Streamline your threat intelligence in Feedly so you can focus on real threats and ignore the distractions.

TRY FEEDLY FOR CYBERSECURITY

How an Australian energy provider stays on top of critical cyber threats with Feedly

Posted on by Annie Bacher
Case Study
This analyst team designed AI-powered security Feeds in Feedly that proactively alert them about specific topics, threats, and threat actors
The energy provider‘s results with Feedly
box icon

Discovered a supply chain data breach a week before the public announcement

chart icon

Able to monitor hundreds of suppliers for breaches

target icon

Detected a critical vulnerability within 2 hours of its release and patched it immediately

This Feedly for Cybersecurity client has graciously allowed us to share their story on the condition of anonymity. Client names have been changed.

THE CUSTOMER
This energy provider “helps keep the lights on for Australia”

Started using Feedly Cybersecurity: 2020

This Feedly client plays a critical role across the Australian energy sector. In tandem with other market players, they help protect Australia’s national energy supply from cyber attacks. “We help keep the lights on for Australia,” says Joe, Cybersecurity Threat Analyst.

THE CHALLENGE
Cybersecurity threat intelligence at human speed is no longer sustainable

The onslaught of information

The world of cyber threat tracking runs on a different clock than human speed. The firehose of cyber news makes it hard for our client’s security analysts to find the signal through the noise. Analysts like Joe and his team struggled to keep up with the onslaught of information. Joe used to manage his own personal spreadsheet of 350 sources of information, which he ranked by tiers based on how trusted they were. But the amount of screen time required to keep up with incoming information and identify trends was unsustainable. “The cyber world is like drinking from a firehose in terms of the information we see,” says Joe.

There’s this concept of cyber time. Last week’s issue is like three years ago. We’re so swamped with information, we don’t have time to dive deep on a lot of stuff.”

– Joe, Cybersecurity Threat Analyst

Ever-changing types of attacks and attackers

As cyber threats and ransomware crews become increasingly sophisticated, the human ability to monitor the cyber threat landscape falls behind. No matter how knowledgeable you are, cybersecurity at human speed can’t keep up with ransomware crews using increasingly complex software to manage their operations. 

For companies like this energy provider, the stakes are high. “If they encrypt our environment, we can’t supply energy to Australia,” says Joe. 

A data breach of even the smallest of our client’s vendors could put them at risk, so Joe and his team needed a way to keep an eye on even the smallest of breaches. 

THE SOLUTION
A stream of AI-powered security intelligence

The analyst team at this company needed better tools to help leverage their time and attention and stop doing manual research. Joe’s team had been using Feedly to aggregate information for years. But when his boss, Oliver, Cyber Threat and Operations Manager, found out that Feedly’s cybersecurity-specific plan could use AI to flag cyber attacks, threats, and vulnerabilities, they knew they had to try it. 

Organizing their security sources into focused Feeds 

Oliver created Feeds around three main focus areas: renewable energy sources + cybersecurity, critical vulnerabilities, and supply chain threats. 

The team selected sources of information they trusted to track cybersecurity news. Not all articles from their trusted sources concern the energy sector. To filter out cybersecurity news unrelated to the energy sector, they configured Leo, Feedly’s AI research assistant, to flag articles about the specific areas they care about.

“Before using Leo, we had very generic Feeds. We were just looking for energy and cybersecurity news in our region. But over time, I’ve been able to nuance our requirements over supply chain attacks, like Solar Winds.”

Tracking ransomware in the energy space

For example, the analyst team has always tracked news at the intersection of cybersecurity and the energy sector. But once they started using Feedly for Cybersecurity, they created a Leo Priority to flag articles that cover ransomware in the energy industry.

The team created a Leo Priority to flag articles about ransomware and the energy industry.

Tracking supply chain attacks

“We were concerned about the supply chain risk for our company,” says Joe. “We talked to our internal procurement team to really understand our top 30 providers, with whom we spend millions of dollars.”

To track supply chain risks, the team selected the exact vendors they work with and created a personalized stream of intelligence to track risks coming from their supply chain. “We were able to turn the list of our top partners into a Leo Priority and ask him to flag cyber attacks targeting those partners,” explains Joe. 

The analyst team used the “Leo company lists” feature to track a list of 650 suppliers — from Microsoft to small law offices. Leo now flags articles about cyber attacks on those companies.  

With a Priority in place, Leo flags articles about data breaches related to any of the company’s suppliers, so they’ll know when one of the companies in their supply chain is breached or attacked. Leo recognizes most of these names as companies, so he can differentiate if an attack is about Amazon (company) vs. Amazon (the river), for example.

Pushing articles to Slack to share with the local intelligence community 

Beyond their internal intelligence team, Joe and Oliver share information with a Slack channel of 150 security professionals across the Australian energy sector. 

When members of Joe’s team save articles to the “Attacks in Energy Sector” Board, they automatically get pushed to a designated channel in Slack.

Joe and Oliver add critical articles to a specific Feedly Board. They’ve connected the Board to the shared Slack channel, so when Joe or his teammates add articles to the Board, their security community will automatically see critical updates. 

The analyst team can add Notes when they save articles to their “Attacks in Energy Sector” Board, and those notes will show up in the designated Slack channel.

THE RESULTS
Staying ahead of the curve

In October 2020, thanks to the work Joe had done to create Priorities based on their top 30 suppliers, his team proactively identified a data breach from one of their vendors. 

“Thanks to my supply chain Priority in Feedly, we identified that one of our vendors had been breached a week before that the actual company actually officially told us.”

This proactive alerting allowed Joe’s team to inform procurement areas and monitor leak sites to see if any sensitive material had been published. Luckily none had been released, and the issue eventually went away.

In March 2021, Joe checked his Feedly in the morning as usual, and found an F5 breach within two hours of the breach itself. “I was sitting at my desk, and I saw the F5 vulnerability pop up in Feedly. I pushed it out to management, and then there was a massive effort to patch that problem within two days, which was awesome.” 

I was sitting at my desk, and I saw the F5 vulnerability pop up in Feedly. I pushed it out to management, and then there was a massive effort to patch that problem within two days, which was awesome.”

Avoiding information overload

When a vulnerability is exposed, “information overload goes up — you can see how the malware reporting goes up associated with that particular vulnerability” says Joe. In response to an exposed vulnerability, there’s a corresponding increase in exploits. That’s where Feedly comes in. Instead of wading through pages of articles about vulnerabilities and exploits that don’t concern his company, Joe can use Leo to surface vulnerabilities and exploits relevant to them.

“And that’s the power of Feedly. Using the smarts, intelligence, and Leo’s natural language processing to align vulnerabilities with exploits. What pops out at the end is what you need to know, what you need to take action on. Not the noise.”

What’s next: expanding the supply chain tracking 

In late 2020, the analyst team discovered that a smaller supplier, a local law firm, was attacked after using a tool with an unpatched vulnerability. Criminals were able to steal data through a File Transfer tool. Our client was spending a relatively small amount of money with this company, so they weren’t on their list of top 30 suppliers, but this made Joe and his team realize they needed to expand their supply chain tracking in Feedly. 

The more they personalize their Feeds with help from Leo, the more our client’s security analysts can stay focused on the real threats. As Joe trusts Feedly more and more, he can focus on the high level analysis, and rely on Leo’s natural language processing to do the tedious work for him. 

Joe is excited for the possibilities to get even more proactive with upcoming Feedly features. In addition to their supply chain tracking project, the analyst team plans to use the Feedly API to push alerts directly to their internal intelligence platform, which will make it even easier to focus on threats.

From a proactive monitoring perspective, the power of using Feedly is to actually inform you of breaches before anyone else knows.”

More proactive threat intelligence. Less noise.

Streamline your threat intelligence in Feedly so you can focus on real threats and ignore the distractions.

TRY FEEDLY FOR CYBERSECURITY

The New Cybersecurity Trending Dashboard (Beta)

Posted on by Edwin K
An at-a-glance overview of the evolving cybersecurity threat landscape

Keeping up with the most critical threats, vulnerabilities, and threat actors can be time consuming and overwhelming.

We have been working with some existing Feedly for Cybersecurity customers to create a trending dashboard that offers an at-a-glance overview of the evolving cybersecurity threat landscape.

Today, we are excited to launch a beta of the Cybersecurity Trending Dashboard to all the Feedly for Cybersecurity customers.

TRY Feedly for Cybersecurity

Here is a quick demo!

Trending Threats

The first component of the Trending Dashboard is a list of the trending threats reported across 1,200 different cybersecurity sources (new sites, blogs, or twitter accounts).

The today section now includes a Trending in Cybersecurity dashboard

It allows you to get a quick overview of what are the critical threats that are being reported across all the cybersecurity sites the Feedly community is reading. You can think of this as a TechMeme for Cybersecurity.

The model producing this dashboard is focusing on the news published in the last 24 hours.

Behind the scene, Leo is reading all the articles across all the cybersecurity sources and twitter accounts, dismissing the ones that are not about cybersecurity threats, clustering the ones that are reporting the same threat, and ranking them using different “features”.

The initial model we are pushing to beta is a global model. This means that your personal priorities and mute filters are not affecting this model (yet!)

Trending Vulnerabilities

The second component is a list of the trending vulnerabilities that are being discovered or discussed across Cybersecurity sources.

You can click on a specific vulnerability and drill down to a page that captures all the mentions and chatter around that vulnerability.

See the chatter about a specific vulnerability

Trending Threat Actors

The last component is a list of trending threat actor mentions. It allows you to get an overview of which threat actors are being covered in the news.

You can click on a specific threat actor and get a “Search across the Web” overview of the mentions.

See the chatter about a specific threat actor

Continuously learning and getting smarter

Every component has a “Less Like This” down arrow button that you can use to provide feedback to Leo. The feedback is going to be reviewed by the product team during the beta to understand how to improve the relevant, deduplication, and prioritization. Leo loves candid feedback.

Using the Less Like This down arrow button to offer Leo feedback

We look forward to listening to your feedback and continuously improving the Cybersecurity Trending Dashboard over the next 8 weeks.

TRY Feedly for Cybersecurity

We also want to thank the customers who suggested this feature and worked with us during the Alpha. You know who you are!

Can I personalize the Trending Cybersecurity Dashboard?

Not in the current version. Once we have the core model optimized, we will look at ways to allow you personalize the dashboard by industry, product, threat types.

What is the best way to offer feedback to the product team during the beta?

If you have feedback regarding specific articles or CVEs, please use the Less Like This down arrow button to submit your feedback. If you have ideas on how to improve the concept, please email leo@feedly.com

How can I get a Demo of Feedly for Cybersecurity?

If you are part of a cybersecurity team and want to get a demo of how Feedly for Cybersecurity can help you streamline your open source intelligence, you can request a demo and a free trial here.

Can I access the Cybersecurity Trending Dashboard in the Feedly Mobils App?

Not yet. The beta is only available in the Feedly Web application. We will integrate this feature into the mobile experience once the beta is complete.

Can I remove the Trending Cybersecurity Dashboard from my Today page?

Yes. If you go to your Leo preferences (https://feedly.com/i/account/leo) and scroll to the bottom of that page, you will see an option to hide the Trending Dashboard.

Introducing Feedly for Cybersecurity

Posted on by Clement Osternaud

Streamline your open-source intelligence

150,000 cybersecurity professionals use Feedly to keep up with the latest security news and research insights about critical threats (vulnerabilities, malware, data breaches, threat actor groups, etc.)

Cybersecurity is a game of foresight. It is a chessboard where hackers and defenders are looking to checkmate each other.

Learning more about the tactics, techniques, and procedures used by hackers can help you better prepare against them, saving you the cost and headaches that come with a breach or attack. The cost of ransomware attacks in the U.S. surpassed $7.5 billion in 2019.

But information gathering is tedious: hundreds of new articles and tweets need to be reviewed and triaged every day. Finding critical threats in that sea of information is time-consuming and overwhelming.

Today, we’re excited to launch Feedly for Cybersecurity: a collection of integrations and Leo models that help you cut through the noise, break barriers between team silos, and streamline your threat intelligence.

Try Feedly for Cybersecurity

Leo is your AI research assistant. Ask him to read your security feeds and prioritize what matters to you:

Vulnerabilities, CVE, CVSS, and Exploits
Malware, adware, ransomware, bots, …
Threat actor groups
API

Leo understands malware threats

Posted on by Lucinda Jukes

Research and prepare for the latest malware threats without the information overload

Cybersecurity is a game of foresight. It’s a chessboard on which attackers and defenders are constantly looking for checkmate. 

Hackers launch a new ransomware attack every 14 seconds. They’re increasingly more capable and sophisticated. Learning how they plan attacks, what techniques they use, and who they’re targeting, can make you so much better prepared. You’ll save the cost and headache of a cyber assault too. This is especially important considering that the cost of ransomware attacks in the U.S. alone surpassed $7.5 billion in 2019.

But investigating malware threats is tedious. Hundreds of new articles and tweets need to be reviewed and triaged every day. Finding critical threats in that sea of information is time-consuming and overwhelming.

We want to help you streamline your tactical and operational open-source intelligence, so that you can better protect your environment.

That’s why we’ve taught Leo, your AI research assistant, to recognize malware threats. You can ask him to read your security feeds and prioritize what’s relevant to you, your sector, and your environment.

try feedly for cybersecurity

Let’s imagine that you work in a threat intelligence team and are responsible for researching and analyzing the threat landscape. You’re particularly interested in evolving malware threats (including ransomware and malvertisement).

Cut through the noise

You can train Leo to read your Security News feed and prioritize articles related to malware.

Leo prioritizes malware articles in your Security News feed

Leo continuously reads the thousands of articles published in those feeds. It’s an efficient way to cut through the noise and keep up with the evolving malware landscape without the overwhelm.

You’re in control

Leo has been trained to understand broad topics like malware, as well as hundreds of specific malware types like malvertisement, ransomware, adware, bots, rootkits, spyware, etc.

Asking Leo to prioritize malware in your Security News feed is as simple as creating a new Topic priority and selecting ‘malware’ as the topic.

Ask Leo to prioritize malware threats in your Security News feed

You can combine topics with +AND and +OR and create even more targeted priorities for Leo. For example, use +AND to focus on malware related to Android or top companies in your sector.

Refine the priority to malware and Android

You can also ask Leo to look for a specific type of malware like malvertisement or ransomware.

Prioritize ransomware threats

Continuously learning and getting smarter

Leo is smart. He continuously learns from your feedback. When Leo is wrong, you can use the ‘Less Like This’ down arrow button to let him know that an article he’s prioritized isn’t about malware.

Let Leo know when he’s wrong

Break down silos

Bring your research team into the picture. They can create a Threat Intel Report Board and save the most critical insights they discover in their Feedly. Then everyone with the same Board can leave notes and highlight the biggest threats. 

We’ve seen teams create tactical and operational Boards. For instance, a Vulnerability Report can be built up with information for those that deal with security procedures, while strategic CISO Newsletters can keep management up to speed about malware and your planned response.

Articles bookmarked in a Board can be shared with the rest of the team via daily newsletters, Slack and Microsoft Teams notifications, or pushed to other apps using the Feedly Cybersecurity API.

Share the threat intelligence you collect in Feedly with other teams and apps

Streamline your open-source intelligence

We’re excited to see how your security team will declutter your feeds and dig deeper into the critical threats that matter to you. Sign up today and discover Feedly for Cybersecurity.

try feedly for cybersecurity

If you’re interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack channel. 2020 will be a thrilling year with new skills and bold experiments!

Leo understands threat actor groups

Posted on by Lucinda Jukes

Research threat actor groups and learn more about their tactics, techniques, and procedures without the overwhelm

Cyber attacks continue to wreak havoc around the world. The actors waging these wars don’t just care about fraud either. They’re part of criminal organisations. Foreign governments stealing data for defense or national interests. Even terrorists or activists driven to disrupt and cause harm. 

What’s more, they’re increasingly capable and sophisticated. It’s a growing threat that can strike anyone at any time.

When you learn about threat actors’ tactics and motivations, you can better prepare against them, saving you the costs and headaches that come with a breach or attack. 

But there’s so much content to wade through when investigating these threat actors. It’s like fishing blind in an ocean. You’ll never know what’s coming back on the hook. More time and stress is spent on finding information about the threat, rather than acting on it. You can be overwhelmed. 

We’re passionate about helping you refine and streamline your open-source intelligence. That’s why we’ve taught Leo, your AI research assistant, to recognize threat actor groups. He can find them in your Feedly security feeds, prioritizing articles related to the actors and sectors you care about.

try feedly for cybersecurity

Let’s imagine that you work in the telecommunications sector, and you’re researching the tactics and motivations of MuddyWater, an Iranian threat actor group.

Cut through the noise

You can train Leo to read all your cybersecurity, foreign affairs, and cyber warfare sources, and prioritize articles related to MuddyWater.

Prioritize a threat actor

Leo continuously reads the articles in your feeds and prioritizes the ones that mention MuddyWater (or any of its aliases). It’s a powerful and effective way to keep up with their latest techniques, tactics, and procedures.

You’re in control

Leo has been trained to recognize all the threat actor groups referenced by the MITRE ATT&CK framework. This is a list of common names for hacking groups, as recognized by the global security community.

Asking Leo to prioritize MuddyWater in your security feed is as simple as creating a new Topic priority and selecting ‘MuddyWater’ as the topic.

Enter a threat actor alias in the topic field

When you prioritize MuddyWater, Leo will also look for other synonyms for that group like Seedworm and TEMP.Zagros.

You can combine topics with +AND and +OR to create even more targeted priorities for Leo. For example, use +AND to combine an actor group with an attack vector or a sector. This narrows his focus further so you find exactly what you’re looking for.

Continuously learning and getting smarter

Because Leo is integrated with the MITRE ATT&CK framework, it’s continuously learning and getting smarter. As new groups or aliases are identified, they’ll be automatically updated in your Feedly.

Leo recognizes threat actor groups listed on the MITRE ATT&CK framework

Break down silos

As you search and discover new content, share insights with your research team. Together, you can create a Threat Intel Report Feedly Board and bookmark the most critical insights you discover. You can also add notes and highlights about why a threat is high-priority.

We’ve already seen security teams create tactical Boards, such as a Vulnerability Report, to share with their operations experts. You might also want to build a CISO Newsletter to keep your management updated. It’s all possible within Feedly.  

Articles bookmarked in a Board can be shared with the rest of the team via daily newsletters, Slack or Microsoft Teams notifications, or pushed to other apps using the Feedly Cybersecurity API.

Share the threat intelligence you collect in Feedly with other teams and apps

Streamline your open-source intelligence

We’re excited to see how your security team will declutter your feeds and dig deeper into the critical threats that matter to you. Sign up today and discover Feedly for Cybersecurity.

try feedly for cybersecurity

If you’re interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack channel. 2020 will be a thrilling year with new skills and bold experiments!

The Feedly Cybersecurity API

Posted on by Edwin K

Feedly for Cybersecurity includes an API that allows cybersecurity teams to share the intelligence they collect in Feedly with other applications

150,000 cybersecurity professionals use Feedly to collect intelligence about the evolving threat landscape. 

Threat research and collection are one step of the overall threat intelligence, investigation, and response.

The Feedly Cybersecurity API allows security teams to easily integrate the insights they collect in Feedly into other systems and applications. Some teams use the API to extract data about threats and vulnerabilities and feed larger machine learning threat-prioritization models. Some teams use the API to create Jira tickets based on the content of the Feedly boards to make sure that critical vulnerabilities are reviews and patched in a timely manner.

Access to the Feedly API (up to 200,000 requests per month) is an add-on included in the Enterprise Edition of the Feedly for Cybersecurity package.

TRY FEEDLY FOR CYBERSECURITY

In this tutorial, we will show you how to use the Feedly API to access the content of your security feeds, your boards, and your Leo priorities.

Authentication

When you subscribe to Feedly for Cybersecurity Enterprise Edition, we will provide you with a special Feedly access token associated with your account. That token will allow you to access the content of your feeds, boards, and priorities and perform up to 200,000 requests per month.

Articles as JSON

The JSON representation of an article combines some of the open-source content included on the RSS or on the website, CVE/CVSS/Exploit information aggregated from vulnerability and exploit databases, as well as the results of the Leo cybersecurity models.

The title, content, and visual information give you access to the core of the content of the articles:

JSON representation of the core of the article

The commonTopics array represents Leo’s topic classification. The entities represent CVEs, products, or companies Leo has identified in the article. The CVE entity includes CVSS and exploits information extracted from vulnerability databases.

The estimatedCVSS represents the result of Leo’s CVSS scoring model. This is useful for zero-days and articles which do not mention a CVE explicitly. In those cases, Leo reads the content of the article and computes an approximative CVSS score based on the terminology used in the article or the tweet.

Leo enrichment of the article

Pro tip: When you have an article open in the Feedly web application, you can use the Shift+D keyboard shortcut to see and inspect the JSON of the article.

Use keyboard shortcut SHIFT+D to see the preview of the article JSON

Accessing the content of your feeds

Let’s imagine that you have a “Security News” feed which contains a list of known and trusted security sources you want to follow.

The Feedly API allows you to query Feedly and ask for the last 100 articles aggregated in that feed. The articles are normalized in a JSON format which includes the title, the content, the source information, as well as all some cybersecurity metadata (Leo topics classification, CVE metadata, CVSS metadata, exploit information.

You can use the Stream endpoint to get the last 100 articles published in a feed:

Overview of the stream endpoint

The most important parameter is the streamId. Each feed in your Feedly account has a unique stream id. When you select the feed in the left navigation bar, you see the streamId as part of the URL. The stream id is formatted as `enterprise/xxxx/category/xxxx` for team feeds and `user/xxxx/category/xxxx` for personal feeds.

Finding the streamId of a feed

The count parameter defines the number of articles the server will return. We recommend that you select a number between 20 and 100. If you need access to more than 100 articles, you can use the continuation parameter returned by the response to chain the requests and ask for the next 100 articles.

Finally, the importantOnly parameter allows you to get the list of articles in the stream that has been prioritized by Leo.

Troubleshooting tips:

  • Make sure that the requests you are making are authenticated using the token you have received from the Feedly team.
  • Make sure that the streamId is URL encoded when it is passed as a parameter to the Stream endpoint.

Accessing the content of your boards

Security teams use boards to bookmark critical articles everyone in the team should be aware of. They also often use boards to bookmark articles they want to share with other applications.

You can use the same Stream endpoint to access the last N articles manually bookmarked by your team to a board.

The only difference will be the streamId. Team Board streamIds are formatted as `enterprise/xxxx/tag/xxxx`. Personal Board streamIds are formatted as `user/xxxx/tag/xxxx`.

Finding the streamId of a board

If users have annotated the articles with some notes and highlights while saving the article to a board, those notes and highlights will be included in the article JSON structure.

JSON of notes and highlights

Example: Integrating Feedly with your ticketing system

Here is an example of how you can streamline the integration between the research and collection work of your threat intelligence team and the analysis and patching work of your operations team.

The research team creates a Feedly board called Critical Vulns where why bookmark articles related to critical vulnerabilities they want the operations team to be aware off and review.

Each time the research team finds a critical insight, they save that article in the Critical Vulns board, adding a note about why they think the vulnerability needs to be reviewed and patched.

Instead of asking the research team to manually create a ticket in your ticketing system (Jira, Service Now, etc.), you can write a small app which every 5 minutes connect to the Critical Vulns board, requests the last 20 articles bookmarked in that board, and for each new article, used the API of your ticketing system to create a new ticket. The app can enrich the ticket with the URL of the article saved in the board, the CVE information, and the notes and highlights from the researcher.

This is a powerful way to break the silos between your research team and your operations team and make sure that critical vulnerabilities are patched faster.

Pro tip: there is a simple solution to finding the new articles saved in a board. When your app processes a list of articles, it should save the first article in the list and the next time it uses the Stream Feedly app to get the latest articles bookmarked to a board, your app can use the newerThan parameter of the /v3/stream/content and pass that article id instead of a timestamp to get newer articles.

A lot more…

The Feedly web application and mobile applications are built on top of the Feedly API. This means that every piece of information available in the application and every action taken in the application is available in the API.

For more information about the Feedly API, please visit the Feedly Developer Website.

Streamline your open-source intelligence

We are excited to see many security teams use the Feedly API to streamline their open-source threat intelligence process. Sign up today and discover what Feedly for Cybersecurity can do for you!

TRY FEEDLY FOR CYBERSECURITY

If you are interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack. 2020 will be a thrilling year with new skills and bold experiments!