Introducing Feedly for Cybersecurity

Streamline your open-source intelligence

150,000 cybersecurity professionals use Feedly to keep up with the latest security news and research insights about critical threats (vulnerabilities, malware, data breaches, threat actor groups, etc.)

Cybersecurity is a game of foresight. It is a chessboard where hackers and defenders are looking to checkmate each other.

Learning more about the tactics, techniques, and procedures used by hackers can help you better prepare against them, saving you the cost and headaches that come with a breach or attack. The cost of ransomware attacks in the U.S. surpassed $7.5 billion in 2019.

But information gathering is tedious: hundreds of new articles and tweets need to be reviewed and triaged every day. Finding critical threats in that sea of information is time-consuming and overwhelming.

Today, we’re excited to launch Feedly for Cybersecurity: a collection of integrations and Leo models that help you cut through the noise, break barriers between team silos, and streamline your threat intelligence.

Leo is your AI research assistant. Ask him to read your security feeds and prioritize what matters to you:

Vulnerabilities, CVE, CVSS, and Exploits
Malware, adware, ransomware, bots, …
Threat actor groups
API

Leo understands malware threats

Research and prepare for the latest malware threats without the information overload

Cybersecurity is a game of foresight. It’s a chessboard on which attackers and defenders are constantly looking for checkmate. 

Hackers launch a new ransomware attack every 14 seconds. They’re increasingly more capable and sophisticated. Learning how they plan attacks, what techniques they use, and who they’re targeting, can make you so much better prepared. You’ll save the cost and headache of a cyber assault too. This is especially important considering that the cost of ransomware attacks in the U.S. alone surpassed $7.5 billion in 2019.

But investigating malware threats is tedious. Hundreds of new articles and tweets need to be reviewed and triaged every day. Finding critical threats in that sea of information is time-consuming and overwhelming.

We want to help you streamline your tactical and operational open-source intelligence, so that you can better protect your environment.

That’s why we’ve taught Leo, your AI research assistant, to recognize malware threats. You can ask him to read your security feeds and prioritize what’s relevant to you, your sector, and your environment.

Let’s imagine that you work in a threat intelligence team and are responsible for researching and analyzing the threat landscape. You’re particularly interested in evolving malware threats (including ransomware and malvertisement).

Cut through the noise

You can train Leo to read your Security News feed and prioritize articles related to malware.

Leo prioritizes malware articles in your Security News feed

Leo continuously reads the thousands of articles published in those feeds. It’s an efficient way to cut through the noise and keep up with the evolving malware landscape without the overwhelm.

You’re in control

Leo has been trained to understand broad topics like malware, as well as hundreds of specific malware types like malvertisement, ransomware, adware, bots, rootkits, spyware, etc.

Asking Leo to prioritize malware in your Security News feed is as simple as creating a new Topic priority and selecting ‘malware’ as the topic.

Ask Leo to prioritize malware threats in your Security News feed

You can combine topics with +AND and +OR and create even more targeted priorities for Leo. For example, use +AND to focus on malware related to Android or top companies in your sector.

Refine the priority to malware and Android

You can also ask Leo to look for a specific type of malware like malvertisement or ransomware.

Prioritize ransomware threats

Continuously learning and getting smarter

Leo is smart. He continuously learns from your feedback. When Leo is wrong, you can use the ‘Less Like This’ down arrow button to let him know that an article he’s prioritized isn’t about malware.

Let Leo know when he’s wrong

Break down silos

Bring your research team into the picture. They can create a Threat Intel Report Board and save the most critical insights they discover in their Feedly. Then everyone with the same Board can leave notes and highlight the biggest threats. 

We’ve seen teams create tactical and operational Boards. For instance, a Vulnerability Report can be built up with information for those that deal with security procedures, while strategic CISO Newsletters can keep management up to speed about malware and your planned response.

Articles bookmarked in a Board can be shared with the rest of the team via daily newsletters, Slack and Microsoft Teams notifications, or pushed to other apps using the Feedly Cybersecurity API.

Share the threat intelligence you collect in Feedly with other teams and apps

Streamline your open-source intelligence

We’re excited to see how your security team will declutter your feeds and dig deeper into the critical threats that matter to you. Sign up today and discover Feedly for Cybersecurity.

If you’re interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack channel. 2020 will be a thrilling year with new skills and bold experiments!

Leo understands threat actor groups

Research threat actor groups and learn more about their tactics, techniques, and procedures without the overwhelm

Cyber attacks continue to wreak havoc around the world. The actors waging these wars don’t just care about fraud either. They’re part of criminal organisations. Foreign governments stealing data for defense or national interests. Even terrorists or activists driven to disrupt and cause harm. 

What’s more, they’re increasingly capable and sophisticated. It’s a growing threat that can strike anyone at any time.

When you learn about threat actors’ tactics and motivations, you can better prepare against them, saving you the costs and headaches that come with a breach or attack. 

But there’s so much content to wade through when investigating these threat actors. It’s like fishing blind in an ocean. You’ll never know what’s coming back on the hook. More time and stress is spent on finding information about the threat, rather than acting on it. You can be overwhelmed. 

We’re passionate about helping you refine and streamline your open-source intelligence. That’s why we’ve taught Leo, your AI research assistant, to recognize threat actor groups. He can find them in your Feedly security feeds, prioritizing articles related to the actors and sectors you care about.

Let’s imagine that you work in the telecommunications sector, and you’re researching the tactics and motivations of MuddyWater, an Iranian threat actor group.

Cut through the noise

You can train Leo to read all your cybersecurity, foreign affairs, and cyber warfare sources, and prioritize articles related to MuddyWater.

Prioritize a threat actor

Leo continuously reads the articles in your feeds and prioritizes the ones that mention MuddyWater (or any of its aliases). It’s a powerful and effective way to keep up with their latest techniques, tactics, and procedures.

You’re in control

Leo has been trained to recognize all the threat actor groups referenced by the MITRE ATT&CK framework. This is a list of common names for hacking groups, as recognized by the global security community.

Asking Leo to prioritize MuddyWater in your security feed is as simple as creating a new Topic priority and selecting ‘MuddyWater’ as the topic.

Enter a threat actor alias in the topic field

When you prioritize MuddyWater, Leo will also look for other synonyms for that group like Seedworm and TEMP.Zagros.

You can combine topics with +AND and +OR to create even more targeted priorities for Leo. For example, use +AND to combine an actor group with an attack vector or a sector. This narrows his focus further so you find exactly what you’re looking for.

Continuously learning and getting smarter

Because Leo is integrated with the MITRE ATT&CK framework, it’s continuously learning and getting smarter. As new groups or aliases are identified, they’ll be automatically updated in your Feedly.

Leo recognizes threat actor groups listed on the MITRE ATT&CK framework

Break down silos

As you search and discover new content, share insights with your research team. Together, you can create a Threat Intel Report Feedly Board and bookmark the most critical insights you discover. You can also add notes and highlights about why a threat is high-priority.

We’ve already seen security teams create tactical Boards, such as a Vulnerability Report, to share with their operations experts. You might also want to build a CISO Newsletter to keep your management updated. It’s all possible within Feedly.  

Articles bookmarked in a Board can be shared with the rest of the team via daily newsletters, Slack or Microsoft Teams notifications, or pushed to other apps using the Feedly Cybersecurity API.

Share the threat intelligence you collect in Feedly with other teams and apps

Streamline your open-source intelligence

We’re excited to see how your security team will declutter your feeds and dig deeper into the critical threats that matter to you. Sign up today and discover Feedly for Cybersecurity.

If you’re interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack channel. 2020 will be a thrilling year with new skills and bold experiments!

The Feedly Cybersecurity API

Feedly for Cybersecurity includes an API that allows cybersecurity teams to share the intelligence they collect in Feedly with other applications

150,000 cybersecurity professionals use Feedly to collect intelligence about the evolving threat landscape. 

Threat research and collection are one step of the overall threat intelligence, investigation, and response.

The Feedly Cybersecurity API allows security teams to easily integrate the insights they collect in Feedly into other systems and applications. Some teams use the API to extract data about threats and vulnerabilities and feed larger machine learning threat-prioritization models. Some teams use the API to create Jira tickets based on the content of the Feedly boards to make sure that critical vulnerabilities are reviews and patched in a timely manner.

Access to the Feedly API (up to 200,000 requests per month) is an add-on included in the Enterprise Edition of the Feedly for Cybersecurity package.

In this tutorial, we will show you how to use the Feedly API to access the content of your security feeds, your boards, and your Leo priorities.

Authentication

When you subscribe to Feedly for Cybersecurity Enterprise Edition, we will provide you with a special Feedly access token associated with your account. That token will allow you to access the content of your feeds, boards, and priorities and perform up to 200,000 requests per month.

Articles as JSON

The JSON representation of an article combines some of the open-source content included on the RSS or on the website, CVE/CVSS/Exploit information aggregated from vulnerability and exploit databases, as well as the results of the Leo cybersecurity models.

The title, content, and visual information give you access to the core of the content of the articles:

JSON representation of the core of the article

The commonTopics array represents Leo’s topic classification. The entities represent CVEs, products, or companies Leo has identified in the article. The CVE entity includes CVSS and exploits information extracted from vulnerability databases.

The estimatedCVSS represents the result of Leo’s CVSS scoring model. This is useful for zero-days and articles which do not mention a CVE explicitly. In those cases, Leo reads the content of the article and computes an approximative CVSS score based on the terminology used in the article or the tweet.

Leo enrichment of the article

Pro tip: When you have an article open in the Feedly web application, you can use the Shift+D keyboard shortcut to see and inspect the JSON of the article.

Use keyboard shortcut SHIFT+D to see the preview of the article JSON

Accessing the content of your feeds

Let’s imagine that you have a “Security News” feed which contains a list of known and trusted security sources you want to follow.

The Feedly API allows you to query Feedly and ask for the last 100 articles aggregated in that feed. The articles are normalized in a JSON format which includes the title, the content, the source information, as well as all some cybersecurity metadata (Leo topics classification, CVE metadata, CVSS metadata, exploit information.

You can use the Stream endpoint to get the last 100 articles published in a feed:

Overview of the stream endpoint

The most important parameter is the streamId. Each feed in your Feedly account has a unique stream id. When you select the feed in the left navigation bar, you see the streamId as part of the URL. The stream id is formatted as `enterprise/xxxx/category/xxxx` for team feeds and `user/xxxx/category/xxxx` for personal feeds.

Finding the streamId of a feed

The count parameter defines the number of articles the server will return. We recommend that you select a number between 20 and 100. If you need access to more than 100 articles, you can use the continuation parameter returned by the response to chain the requests and ask for the next 100 articles.

Finally, the importantOnly parameter allows you to get the list of articles in the stream that has been prioritized by Leo.

Troubleshooting tips:

  • Make sure that the requests you are making are authenticated using the token you have received from the Feedly team.
  • Make sure that the streamId is URL encoded when it is passed as a parameter to the Stream endpoint.

Accessing the content of your boards

Security teams use boards to bookmark critical articles everyone in the team should be aware of. They also often use boards to bookmark articles they want to share with other applications.

You can use the same Stream endpoint to access the last N articles manually bookmarked by your team to a board.

The only difference will be the streamId. Team Board streamIds are formatted as `enterprise/xxxx/tag/xxxx`. Personal Board streamIds are formatted as `user/xxxx/tag/xxxx`.

Finding the streamId of a board

If users have annotated the articles with some notes and highlights while saving the article to a board, those notes and highlights will be included in the article JSON structure.

JSON of notes and highlights

Example: Integrating Feedly with your ticketing system

Here is an example of how you can streamline the integration between the research and collection work of your threat intelligence team and the analysis and patching work of your operations team.

The research team creates a Feedly board called Critical Vulns where why bookmark articles related to critical vulnerabilities they want the operations team to be aware off and review.

Each time the research team finds a critical insight, they save that article in the Critical Vulns board, adding a note about why they think the vulnerability needs to be reviewed and patched.

Instead of asking the research team to manually create a ticket in your ticketing system (Jira, Service Now, etc.), you can write a small app which every 5 minutes connect to the Critical Vulns board, requests the last 20 articles bookmarked in that board, and for each new article, used the API of your ticketing system to create a new ticket. The app can enrich the ticket with the URL of the article saved in the board, the CVE information, and the notes and highlights from the researcher.

This is a powerful way to break the silos between your research team and your operations team and make sure that critical vulnerabilities are patched faster.

Pro tip: there is a simple solution to finding the new articles saved in a board. When your app processes a list of articles, it should save the first article in the list and the next time it uses the Stream Feedly app to get the latest articles bookmarked to a board, your app can use the newerThan parameter of the /v3/stream/content and pass that article id instead of a timestamp to get newer articles.

A lot more…

The Feedly web application and mobile applications are built on top of the Feedly API. This means that every piece of information available in the application and every action taken in the application is available in the API.

For more information about the Feedly API, please visit the Feedly Developer Website.

Streamline your open-source intelligence

We are excited to see many security teams use the Feedly API to streamline their open-source threat intelligence process. Sign up today and discover what Feedly for Cybersecurity can do for you!

If you are interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack. 2020 will be a thrilling year with new skills and bold experiments!