The New Cybersecurity Trending Dashboard (Beta)

An at-a-glance overview of the evolving cybersecurity threat landscape

Keeping up with the most critical threats, vulnerabilities, and threat actors can be time consuming and overwhelming.

We have been working with a few existing Feedly for Cybersecurity customers to create a trending dashboard that offers an at-a-glance overview of the evolving cybersecurity threat landscape.

Today, we are excited to launch a beta of the Cybersecurity Trending Dashboard to all the Feedly for Cybersecurity customers.

Here is a quick demo!

Trending Threats

The first component of the Trending Dashboard is a list of the trending threats reported across 1,200 different cybersecurity sources (new sites, blogs, or twitter accounts).

The today section now includes a Trending in Cybersecurity dashboard

It allows you to get a quick overview of what are the critical threats that are being reported across all the cybersecurity sites the Feedly community is reading. You can think of this as a TechMeme for Cybersecurity.

The model producing this dashboard is focusing on the news published in the last 24 hours.

Behind the scene, Leo is reading all the articles across all the cybersecurity sources and twitter accounts, dismissing the ones that are not about cybersecurity threats, clustering the ones that are reporting the same threat, and ranking them using different “features”.

The initial model we are pushing to beta is a global model. This means that your personal priorities and mute filters are not affecting this model (yet!)

Trending Vulnerabilities

The second component is a list of the trending vulnerabilities that are being discovered or discussed across Cybersecurity sources.

You can click on a specific vulnerability and drill down to a page that captures all the mentions and chatter around that vulnerability.

See the chatter about a specific vulnerability

Trending Threat Actors

The last component is a list of trending threat actor mentions. It allows you to get an overview of which threat actors are being covered in the news.

You can click on a specific threat actor and get a “Search across the Web” overview of the mentions.

See the chatter about a specific threat actor

Continuously learning and getting smarter

Every component has a “Less Like This” down arrow button that you can use to provide feedback to Leo. The feedback is going to be reviewed by the product team during the beta to understand how to improve the relevant, deduplication, and prioritization. Leo loves candid feedback.

Using the Less Like This down arrow button to offer Leo feedback

We look forward to listening to your feedback and continuously improving the Cybersecurity Trending Dashboard over the next 8 weeks.

We also want to thank the customers who suggested this feature and worked with us during the Alpha. You know who you are!

Can I remove the Trending Cybersecurity Dashboard from my Today page?

Yes. If you go to your Leo preferences (https://feedly.com/i/account/leo) and scroll to the bottom of that page, you will see an option to hide the Trending Dashboard.

Can I personalize the Trending Cybersecurity Dashboard?

Not in the current version. Once we have the core model optimized, we will look at ways to allow you personalize the dashboard by industry, product, threat types.

What is the best way to offer feedback to the product team during the beta?

If you have feedback regarding specific articles or CVEs, please use the Less Like This down arrow button to submit your feedback. If you have ideas on how to improve the concept, please email leo@feedly.com

How can I get a Demo of Feedly for Cybersecurity?

If you are part of a cybersecurity team and want to get a demo of how Feedly for Cybersecurity can help you streamline your open source intelligence, you can request a demo and a free trial here.

Can I access the Cybersecurity Trending Dashboard in the Feedly Mobils App?

Not yet. The beta is only available in the Feedly Web application. We will integrate this feature into the mobile experience once the beta is complete.

Introducing Feedly for Cybersecurity

Streamline your open-source intelligence

150,000 cybersecurity professionals use Feedly to keep up with the latest security news and research insights about critical threats (vulnerabilities, malware, data breaches, threat actor groups, etc.)

Cybersecurity is a game of foresight. It is a chessboard where hackers and defenders are looking to checkmate each other.

Learning more about the tactics, techniques, and procedures used by hackers can help you better prepare against them, saving you the cost and headaches that come with a breach or attack. The cost of ransomware attacks in the U.S. surpassed $7.5 billion in 2019.

But information gathering is tedious: hundreds of new articles and tweets need to be reviewed and triaged every day. Finding critical threats in that sea of information is time-consuming and overwhelming.

Today, we’re excited to launch Feedly for Cybersecurity: a collection of integrations and Leo models that help you cut through the noise, break barriers between team silos, and streamline your threat intelligence.

Leo is your AI research assistant. Ask him to read your security feeds and prioritize what matters to you:

Vulnerabilities, CVE, CVSS, and Exploits
Malware, adware, ransomware, bots, …
Threat actor groups
API

Leo understands malware threats

Research and prepare for the latest malware threats without the information overload

Cybersecurity is a game of foresight. It’s a chessboard on which attackers and defenders are constantly looking for checkmate. 

Hackers launch a new ransomware attack every 14 seconds. They’re increasingly more capable and sophisticated. Learning how they plan attacks, what techniques they use, and who they’re targeting, can make you so much better prepared. You’ll save the cost and headache of a cyber assault too. This is especially important considering that the cost of ransomware attacks in the U.S. alone surpassed $7.5 billion in 2019.

But investigating malware threats is tedious. Hundreds of new articles and tweets need to be reviewed and triaged every day. Finding critical threats in that sea of information is time-consuming and overwhelming.

We want to help you streamline your tactical and operational open-source intelligence, so that you can better protect your environment.

That’s why we’ve taught Leo, your AI research assistant, to recognize malware threats. You can ask him to read your security feeds and prioritize what’s relevant to you, your sector, and your environment.

Let’s imagine that you work in a threat intelligence team and are responsible for researching and analyzing the threat landscape. You’re particularly interested in evolving malware threats (including ransomware and malvertisement).

Cut through the noise

You can train Leo to read your Security News feed and prioritize articles related to malware.

Leo prioritizes malware articles in your Security News feed

Leo continuously reads the thousands of articles published in those feeds. It’s an efficient way to cut through the noise and keep up with the evolving malware landscape without the overwhelm.

You’re in control

Leo has been trained to understand broad topics like malware, as well as hundreds of specific malware types like malvertisement, ransomware, adware, bots, rootkits, spyware, etc.

Asking Leo to prioritize malware in your Security News feed is as simple as creating a new Topic priority and selecting ‘malware’ as the topic.

Ask Leo to prioritize malware threats in your Security News feed

You can combine topics with +AND and +OR and create even more targeted priorities for Leo. For example, use +AND to focus on malware related to Android or top companies in your sector.

Refine the priority to malware and Android

You can also ask Leo to look for a specific type of malware like malvertisement or ransomware.

Prioritize ransomware threats

Continuously learning and getting smarter

Leo is smart. He continuously learns from your feedback. When Leo is wrong, you can use the ‘Less Like This’ down arrow button to let him know that an article he’s prioritized isn’t about malware.

Let Leo know when he’s wrong

Break down silos

Bring your research team into the picture. They can create a Threat Intel Report Board and save the most critical insights they discover in their Feedly. Then everyone with the same Board can leave notes and highlight the biggest threats. 

We’ve seen teams create tactical and operational Boards. For instance, a Vulnerability Report can be built up with information for those that deal with security procedures, while strategic CISO Newsletters can keep management up to speed about malware and your planned response.

Articles bookmarked in a Board can be shared with the rest of the team via daily newsletters, Slack and Microsoft Teams notifications, or pushed to other apps using the Feedly Cybersecurity API.

Share the threat intelligence you collect in Feedly with other teams and apps

Streamline your open-source intelligence

We’re excited to see how your security team will declutter your feeds and dig deeper into the critical threats that matter to you. Sign up today and discover Feedly for Cybersecurity.

If you’re interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack channel. 2020 will be a thrilling year with new skills and bold experiments!

Leo understands threat actor groups

Research threat actor groups and learn more about their tactics, techniques, and procedures without the overwhelm

Cyber attacks continue to wreak havoc around the world. The actors waging these wars don’t just care about fraud either. They’re part of criminal organisations. Foreign governments stealing data for defense or national interests. Even terrorists or activists driven to disrupt and cause harm. 

What’s more, they’re increasingly capable and sophisticated. It’s a growing threat that can strike anyone at any time.

When you learn about threat actors’ tactics and motivations, you can better prepare against them, saving you the costs and headaches that come with a breach or attack. 

But there’s so much content to wade through when investigating these threat actors. It’s like fishing blind in an ocean. You’ll never know what’s coming back on the hook. More time and stress is spent on finding information about the threat, rather than acting on it. You can be overwhelmed. 

We’re passionate about helping you refine and streamline your open-source intelligence. That’s why we’ve taught Leo, your AI research assistant, to recognize threat actor groups. He can find them in your Feedly security feeds, prioritizing articles related to the actors and sectors you care about.

Let’s imagine that you work in the telecommunications sector, and you’re researching the tactics and motivations of MuddyWater, an Iranian threat actor group.

Cut through the noise

You can train Leo to read all your cybersecurity, foreign affairs, and cyber warfare sources, and prioritize articles related to MuddyWater.

Prioritize a threat actor

Leo continuously reads the articles in your feeds and prioritizes the ones that mention MuddyWater (or any of its aliases). It’s a powerful and effective way to keep up with their latest techniques, tactics, and procedures.

You’re in control

Leo has been trained to recognize all the threat actor groups referenced by the MITRE ATT&CK framework. This is a list of common names for hacking groups, as recognized by the global security community.

Asking Leo to prioritize MuddyWater in your security feed is as simple as creating a new Topic priority and selecting ‘MuddyWater’ as the topic.

Enter a threat actor alias in the topic field

When you prioritize MuddyWater, Leo will also look for other synonyms for that group like Seedworm and TEMP.Zagros.

You can combine topics with +AND and +OR to create even more targeted priorities for Leo. For example, use +AND to combine an actor group with an attack vector or a sector. This narrows his focus further so you find exactly what you’re looking for.

Continuously learning and getting smarter

Because Leo is integrated with the MITRE ATT&CK framework, it’s continuously learning and getting smarter. As new groups or aliases are identified, they’ll be automatically updated in your Feedly.

Leo recognizes threat actor groups listed on the MITRE ATT&CK framework

Break down silos

As you search and discover new content, share insights with your research team. Together, you can create a Threat Intel Report Feedly Board and bookmark the most critical insights you discover. You can also add notes and highlights about why a threat is high-priority.

We’ve already seen security teams create tactical Boards, such as a Vulnerability Report, to share with their operations experts. You might also want to build a CISO Newsletter to keep your management updated. It’s all possible within Feedly.  

Articles bookmarked in a Board can be shared with the rest of the team via daily newsletters, Slack or Microsoft Teams notifications, or pushed to other apps using the Feedly Cybersecurity API.

Share the threat intelligence you collect in Feedly with other teams and apps

Streamline your open-source intelligence

We’re excited to see how your security team will declutter your feeds and dig deeper into the critical threats that matter to you. Sign up today and discover Feedly for Cybersecurity.

If you’re interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack channel. 2020 will be a thrilling year with new skills and bold experiments!

The Feedly Cybersecurity API

Feedly for Cybersecurity includes an API that allows cybersecurity teams to share the intelligence they collect in Feedly with other applications

150,000 cybersecurity professionals use Feedly to collect intelligence about the evolving threat landscape. 

Threat research and collection are one step of the overall threat intelligence, investigation, and response.

The Feedly Cybersecurity API allows security teams to easily integrate the insights they collect in Feedly into other systems and applications. Some teams use the API to extract data about threats and vulnerabilities and feed larger machine learning threat-prioritization models. Some teams use the API to create Jira tickets based on the content of the Feedly boards to make sure that critical vulnerabilities are reviews and patched in a timely manner.

Access to the Feedly API (up to 200,000 requests per month) is an add-on included in the Enterprise Edition of the Feedly for Cybersecurity package.

In this tutorial, we will show you how to use the Feedly API to access the content of your security feeds, your boards, and your Leo priorities.

Authentication

When you subscribe to Feedly for Cybersecurity Enterprise Edition, we will provide you with a special Feedly access token associated with your account. That token will allow you to access the content of your feeds, boards, and priorities and perform up to 200,000 requests per month.

Articles as JSON

The JSON representation of an article combines some of the open-source content included on the RSS or on the website, CVE/CVSS/Exploit information aggregated from vulnerability and exploit databases, as well as the results of the Leo cybersecurity models.

The title, content, and visual information give you access to the core of the content of the articles:

JSON representation of the core of the article

The commonTopics array represents Leo’s topic classification. The entities represent CVEs, products, or companies Leo has identified in the article. The CVE entity includes CVSS and exploits information extracted from vulnerability databases.

The estimatedCVSS represents the result of Leo’s CVSS scoring model. This is useful for zero-days and articles which do not mention a CVE explicitly. In those cases, Leo reads the content of the article and computes an approximative CVSS score based on the terminology used in the article or the tweet.

Leo enrichment of the article

Pro tip: When you have an article open in the Feedly web application, you can use the Shift+D keyboard shortcut to see and inspect the JSON of the article.

Use keyboard shortcut SHIFT+D to see the preview of the article JSON

Accessing the content of your feeds

Let’s imagine that you have a “Security News” feed which contains a list of known and trusted security sources you want to follow.

The Feedly API allows you to query Feedly and ask for the last 100 articles aggregated in that feed. The articles are normalized in a JSON format which includes the title, the content, the source information, as well as all some cybersecurity metadata (Leo topics classification, CVE metadata, CVSS metadata, exploit information.

You can use the Stream endpoint to get the last 100 articles published in a feed:

Overview of the stream endpoint

The most important parameter is the streamId. Each feed in your Feedly account has a unique stream id. When you select the feed in the left navigation bar, you see the streamId as part of the URL. The stream id is formatted as `enterprise/xxxx/category/xxxx` for team feeds and `user/xxxx/category/xxxx` for personal feeds.

Finding the streamId of a feed

The count parameter defines the number of articles the server will return. We recommend that you select a number between 20 and 100. If you need access to more than 100 articles, you can use the continuation parameter returned by the response to chain the requests and ask for the next 100 articles.

Finally, the importantOnly parameter allows you to get the list of articles in the stream that has been prioritized by Leo.

Troubleshooting tips:

  • Make sure that the requests you are making are authenticated using the token you have received from the Feedly team.
  • Make sure that the streamId is URL encoded when it is passed as a parameter to the Stream endpoint.

Accessing the content of your boards

Security teams use boards to bookmark critical articles everyone in the team should be aware of. They also often use boards to bookmark articles they want to share with other applications.

You can use the same Stream endpoint to access the last N articles manually bookmarked by your team to a board.

The only difference will be the streamId. Team Board streamIds are formatted as `enterprise/xxxx/tag/xxxx`. Personal Board streamIds are formatted as `user/xxxx/tag/xxxx`.

Finding the streamId of a board

If users have annotated the articles with some notes and highlights while saving the article to a board, those notes and highlights will be included in the article JSON structure.

JSON of notes and highlights

Example: Integrating Feedly with your ticketing system

Here is an example of how you can streamline the integration between the research and collection work of your threat intelligence team and the analysis and patching work of your operations team.

The research team creates a Feedly board called Critical Vulns where why bookmark articles related to critical vulnerabilities they want the operations team to be aware off and review.

Each time the research team finds a critical insight, they save that article in the Critical Vulns board, adding a note about why they think the vulnerability needs to be reviewed and patched.

Instead of asking the research team to manually create a ticket in your ticketing system (Jira, Service Now, etc.), you can write a small app which every 5 minutes connect to the Critical Vulns board, requests the last 20 articles bookmarked in that board, and for each new article, used the API of your ticketing system to create a new ticket. The app can enrich the ticket with the URL of the article saved in the board, the CVE information, and the notes and highlights from the researcher.

This is a powerful way to break the silos between your research team and your operations team and make sure that critical vulnerabilities are patched faster.

Pro tip: there is a simple solution to finding the new articles saved in a board. When your app processes a list of articles, it should save the first article in the list and the next time it uses the Stream Feedly app to get the latest articles bookmarked to a board, your app can use the newerThan parameter of the /v3/stream/content and pass that article id instead of a timestamp to get newer articles.

A lot more…

The Feedly web application and mobile applications are built on top of the Feedly API. This means that every piece of information available in the application and every action taken in the application is available in the API.

For more information about the Feedly API, please visit the Feedly Developer Website.

Streamline your open-source intelligence

We are excited to see many security teams use the Feedly API to streamline their open-source threat intelligence process. Sign up today and discover what Feedly for Cybersecurity can do for you!

If you are interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack. 2020 will be a thrilling year with new skills and bold experiments!