Introducing Feedly for Cybersecurity

Streamline your open-source intelligence

150,000 cybersecurity professionals use Feedly to keep up with the latest security news and research insights about critical threats (vulnerabilities, malware, data breaches, threat actor groups, etc.)

Cybersecurity is a game of foresight. It is a chessboard where hackers and defenders are looking to checkmate each other.

Learning more about the tactics, techniques, and procedures used by hackers can help you better prepare against them, saving you the cost and headaches that come with a breach or attack. The cost of ransomware attacks in the U.S. surpassed $7.5 billion in 2019.

But information gathering is tedious: hundreds of new articles and tweets need to be reviewed and triaged every day. Finding critical threats in that sea of information is time-consuming and overwhelming.

Today, we’re excited to launch Feedly for Cybersecurity: a collection of integrations and Leo models that help you cut through the noise, break barriers between team silos, and streamline your threat intelligence.

Leo is your AI research assistant. Ask him to read your security feeds and prioritize what matters to you:

Vulnerabilities, CVE, CVSS, and Exploits
Malware, adware, ransomware, bots, …
Threat actor groups
API

Leo understands malware threats

Research and prepare for the latest malware threats without the information overload

Cybersecurity is a game of foresight. It’s a chessboard on which attackers and defenders are constantly looking for checkmate. 

Hackers launch a new ransomware attack every 14 seconds. They’re increasingly more capable and sophisticated. Learning how they plan attacks, what techniques they use, and who they’re targeting, can make you so much better prepared. You’ll save the cost and headache of a cyber assault too. This is especially important considering that the cost of ransomware attacks in the U.S. alone surpassed $7.5 billion in 2019.

But investigating malware threats is tedious. Hundreds of new articles and tweets need to be reviewed and triaged every day. Finding critical threats in that sea of information is time-consuming and overwhelming.

We want to help you streamline your tactical and operational open-source intelligence, so that you can better protect your environment.

That’s why we’ve taught Leo, your AI research assistant, to recognize malware threats. You can ask him to read your security feeds and prioritize what’s relevant to you, your sector, and your environment.

Let’s imagine that you work in a threat intelligence team and are responsible for researching and analyzing the threat landscape. You’re particularly interested in evolving malware threats (including ransomware and malvertisement).

Cut through the noise

You can train Leo to read your Security News feed and prioritize articles related to malware.

Leo prioritizes malware articles in your Security News feed

Leo continuously reads the thousands of articles published in those feeds. It’s an efficient way to cut through the noise and keep up with the evolving malware landscape without the overwhelm.

You’re in control

Leo has been trained to understand broad topics like malware, as well as hundreds of specific malware types like malvertisement, ransomware, adware, bots, rootkits, spyware, etc.

Asking Leo to prioritize malware in your Security News feed is as simple as creating a new Topic priority and selecting ‘malware’ as the topic.

Ask Leo to prioritize malware threats in your Security News feed

You can combine topics with +AND and +OR and create even more targeted priorities for Leo. For example, use +AND to focus on malware related to Android or top companies in your sector.

Refine the priority to malware and Android

You can also ask Leo to look for a specific type of malware like malvertisement or ransomware.

Prioritize ransomware threats

Continuously learning and getting smarter

Leo is smart. He continuously learns from your feedback. When Leo is wrong, you can use the ‘Less Like This’ down arrow button to let him know that an article he’s prioritized isn’t about malware.

Let Leo know when he’s wrong

Break down silos

Bring your research team into the picture. They can create a Threat Intel Report Board and save the most critical insights they discover in their Feedly. Then everyone with the same Board can leave notes and highlight the biggest threats. 

We’ve seen teams create tactical and operational Boards. For instance, a Vulnerability Report can be built up with information for those that deal with security procedures, while strategic CISO Newsletters can keep management up to speed about malware and your planned response.

Articles bookmarked in a Board can be shared with the rest of the team via daily newsletters, Slack and Microsoft Teams notifications, or pushed to other apps using the Feedly Cybersecurity API.

Share the threat intelligence you collect in Feedly with other teams and apps

Streamline your open-source intelligence

We’re excited to see how your security team will declutter your feeds and dig deeper into the critical threats that matter to you. Sign up today and discover Feedly for Cybersecurity.

If you’re interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack channel. 2020 will be a thrilling year with new skills and bold experiments!

Leo understands threat actor groups

Research threat actor groups and learn more about their tactics, techniques, and procedures without the overwhelm

Cyber attacks continue to wreak havoc around the world. The actors waging these wars don’t just care about fraud either. They’re part of criminal organisations. Foreign governments stealing data for defense or national interests. Even terrorists or activists driven to disrupt and cause harm. 

What’s more, they’re increasingly capable and sophisticated. It’s a growing threat that can strike anyone at any time.

When you learn about threat actors’ tactics and motivations, you can better prepare against them, saving you the costs and headaches that come with a breach or attack. 

But there’s so much content to wade through when investigating these threat actors. It’s like fishing blind in an ocean. You’ll never know what’s coming back on the hook. More time and stress is spent on finding information about the threat, rather than acting on it. You can be overwhelmed. 

We’re passionate about helping you refine and streamline your open-source intelligence. That’s why we’ve taught Leo, your AI research assistant, to recognize threat actor groups. He can find them in your Feedly security feeds, prioritizing articles related to the actors and sectors you care about.

Let’s imagine that you work in the telecommunications sector, and you’re researching the tactics and motivations of MuddyWater, an Iranian threat actor group.

Cut through the noise

You can train Leo to read all your cybersecurity, foreign affairs, and cyber warfare sources, and prioritize articles related to MuddyWater.

Prioritize a threat actor

Leo continuously reads the articles in your feeds and prioritizes the ones that mention MuddyWater (or any of its aliases). It’s a powerful and effective way to keep up with their latest techniques, tactics, and procedures.

You’re in control

Leo has been trained to recognize all the threat actor groups referenced by the MITRE ATT&CK framework. This is a list of common names for hacking groups, as recognized by the global security community.

Asking Leo to prioritize MuddyWater in your security feed is as simple as creating a new Topic priority and selecting ‘MuddyWater’ as the topic.

Enter a threat actor alias in the topic field

When you prioritize MuddyWater, Leo will also look for other synonyms for that group like Seedworm and TEMP.Zagros.

You can combine topics with +AND and +OR to create even more targeted priorities for Leo. For example, use +AND to combine an actor group with an attack vector or a sector. This narrows his focus further so you find exactly what you’re looking for.

Continuously learning and getting smarter

Because Leo is integrated with the MITRE ATT&CK framework, it’s continuously learning and getting smarter. As new groups or aliases are identified, they’ll be automatically updated in your Feedly.

Leo recognizes threat actor groups listed on the MITRE ATT&CK framework

Break down silos

As you search and discover new content, share insights with your research team. Together, you can create a Threat Intel Report Feedly Board and bookmark the most critical insights you discover. You can also add notes and highlights about why a threat is high-priority.

We’ve already seen security teams create tactical Boards, such as a Vulnerability Report, to share with their operations experts. You might also want to build a CISO Newsletter to keep your management updated. It’s all possible within Feedly.  

Articles bookmarked in a Board can be shared with the rest of the team via daily newsletters, Slack or Microsoft Teams notifications, or pushed to other apps using the Feedly Cybersecurity API.

Share the threat intelligence you collect in Feedly with other teams and apps

Streamline your open-source intelligence

We’re excited to see how your security team will declutter your feeds and dig deeper into the critical threats that matter to you. Sign up today and discover Feedly for Cybersecurity.

If you’re interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack channel. 2020 will be a thrilling year with new skills and bold experiments!

The Feedly Cybersecurity API

Feedly for Cybersecurity includes an API that allows cybersecurity teams to share the intelligence they collect in Feedly with other applications

150,000 cybersecurity professionals use Feedly to collect intelligence about the evolving threat landscape. 

Threat research and collection are one step of the overall threat intelligence, investigation, and response.

The Feedly Cybersecurity API allows security teams to easily integrate the insights they collect in Feedly into other systems and applications. Some teams use the API to extract data about threats and vulnerabilities and feed larger machine learning threat-prioritization models. Some teams use the API to create Jira tickets based on the content of the Feedly boards to make sure that critical vulnerabilities are reviews and patched in a timely manner.

Access to the Feedly API (up to 200,000 requests per month) is an add-on included in the Enterprise Edition of the Feedly for Cybersecurity package.

In this tutorial, we will show you how to use the Feedly API to access the content of your security feeds, your boards, and your Leo priorities.

Authentication

When you subscribe to Feedly for Cybersecurity Enterprise Edition, we will provide you with a special Feedly access token associated with your account. That token will allow you to access the content of your feeds, boards, and priorities and perform up to 200,000 requests per month.

Articles as JSON

The JSON representation of an article combines some of the open-source content included on the RSS or on the website, CVE/CVSS/Exploit information aggregated from vulnerability and exploit databases, as well as the results of the Leo cybersecurity models.

The title, content, and visual information give you access to the core of the content of the articles:

JSON representation of the core of the article

The commonTopics array represents Leo’s topic classification. The entities represent CVEs, products, or companies Leo has identified in the article. The CVE entity includes CVSS and exploits information extracted from vulnerability databases.

The estimatedCVSS represents the result of Leo’s CVSS scoring model. This is useful for zero-days and articles which do not mention a CVE explicitly. In those cases, Leo reads the content of the article and computes an approximative CVSS score based on the terminology used in the article or the tweet.

Leo enrichment of the article

Pro tip: When you have an article open in the Feedly web application, you can use the Shift+D keyboard shortcut to see and inspect the JSON of the article.

Use keyboard shortcut SHIFT+D to see the preview of the article JSON

Accessing the content of your feeds

Let’s imagine that you have a “Security News” feed which contains a list of known and trusted security sources you want to follow.

The Feedly API allows you to query Feedly and ask for the last 100 articles aggregated in that feed. The articles are normalized in a JSON format which includes the title, the content, the source information, as well as all some cybersecurity metadata (Leo topics classification, CVE metadata, CVSS metadata, exploit information.

You can use the Stream endpoint to get the last 100 articles published in a feed:

Overview of the stream endpoint

The most important parameter is the streamId. Each feed in your Feedly account has a unique stream id. When you select the feed in the left navigation bar, you see the streamId as part of the URL. The stream id is formatted as `enterprise/xxxx/category/xxxx` for team feeds and `user/xxxx/category/xxxx` for personal feeds.

Finding the streamId of a feed

The count parameter defines the number of articles the server will return. We recommend that you select a number between 20 and 100. If you need access to more than 100 articles, you can use the continuation parameter returned by the response to chain the requests and ask for the next 100 articles.

Finally, the importantOnly parameter allows you to get the list of articles in the stream that has been prioritized by Leo.

Troubleshooting tips:

  • Make sure that the requests you are making are authenticated using the token you have received from the Feedly team.
  • Make sure that the streamId is URL encoded when it is passed as a parameter to the Stream endpoint.

Accessing the content of your boards

Security teams use boards to bookmark critical articles everyone in the team should be aware of. They also often use boards to bookmark articles they want to share with other applications.

You can use the same Stream endpoint to access the last N articles manually bookmarked by your team to a board.

The only difference will be the streamId. Team Board streamIds are formatted as `enterprise/xxxx/tag/xxxx`. Personal Board streamIds are formatted as `user/xxxx/tag/xxxx`.

Finding the streamId of a board

If users have annotated the articles with some notes and highlights while saving the article to a board, those notes and highlights will be included in the article JSON structure.

JSON of notes and highlights

Example: Integrating Feedly with your ticketing system

Here is an example of how you can streamline the integration between the research and collection work of your threat intelligence team and the analysis and patching work of your operations team.

The research team creates a Feedly board called Critical Vulns where why bookmark articles related to critical vulnerabilities they want the operations team to be aware off and review.

Each time the research team finds a critical insight, they save that article in the Critical Vulns board, adding a note about why they think the vulnerability needs to be reviewed and patched.

Instead of asking the research team to manually create a ticket in your ticketing system (Jira, Service Now, etc.), you can write a small app which every 5 minutes connect to the Critical Vulns board, requests the last 20 articles bookmarked in that board, and for each new article, used the API of your ticketing system to create a new ticket. The app can enrich the ticket with the URL of the article saved in the board, the CVE information, and the notes and highlights from the researcher.

This is a powerful way to break the silos between your research team and your operations team and make sure that critical vulnerabilities are patched faster.

Pro tip: there is a simple solution to finding the new articles saved in a board. When your app processes a list of articles, it should save the first article in the list and the next time it uses the Stream Feedly app to get the latest articles bookmarked to a board, your app can use the newerThan parameter of the /v3/stream/content and pass that article id instead of a timestamp to get newer articles.

A lot more…

The Feedly web application and mobile applications are built on top of the Feedly API. This means that every piece of information available in the application and every action taken in the application is available in the API.

For more information about the Feedly API, please visit the Feedly Developer Website.

Streamline your open-source intelligence

We are excited to see many security teams use the Feedly API to streamline their open-source threat intelligence process. Sign up today and discover what Feedly for Cybersecurity can do for you!

If you are interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack. 2020 will be a thrilling year with new skills and bold experiments!

Leo Understands COVID-19

Look beyond the big headlines. Leo can show you exactly what’s happening to your industry as a result of COVID-19, or filter it out.

Coronavirus news is everywhere right now. It’s not so much a wave of information as an ocean. It’s easy to get overwhelmed or miss a crucial market development. 

Or maybe you want to cut out the COVID-19 content altogether so you can find out what else is happening around the world. 

So we’ve taught Leo, your AI research assistant, how to help.

Mute or prioritize COVID-19 in your Feedly

Leo can already learn what you like to see and refine your Feedly. Now, he can mute or prioritize COVID-19 as well. And he does it across tens of millions of trusted sources. 

It works just like Leo’s other prioritization parameters such as keywords, topics, and events. ‘Coronavirus’ and ‘COVID-19’ are just two of the terms he recognizes. Leo takes into account a variety of the virus’s other names, too, like SARS-CoV-2. 

Leo prioritizes mentions of COVID-19 and its wide variety of aliases

Once you give Leo a priority, you’ll get a specific view of how your industry is reacting to the pandemic. Then just save the most interesting publications in your Feedly Board. 

You can mute or prioritize one feed, or every feed, and those feeds can be personal or spread across your team. It lets some team members focus on COVID-19 news if they need to, while others look beyond it. 

Here’s a few examples to show how Leo’s coronavirus filter might work for you. After all, the virus is impacting every sector, whether you’re in retail, cyberspace, automotive or pharmaceuticals…

COVID-19 and biopharma

You’re a drug development director looking for news and insight around cardiovascular disease, and how COVID-19 is affecting this research. 

Let’s imagine you have a Cardiology feed in Feedly, and you’re following multiple science and medicine journals. Hit ‘Train Leo’ in the top left toolbar. You can prioritize COVID-19 subjects by entering it as a topic.

Preview the prioritized COVID-19 articles in your Cardiology feed

The publications displayed are now all about coronavirus and cardiology. 

Refine the search further with +AND or +OR. Here’s some more information about Leo’s topic combinations.

COVID-19 and cybersecurity

You’re part of a large tech company. Security threats may have emerged during the pandemic, buried by the noise online. 

Do the exact same thing. Click ‘Train Leo’ and enter COVID-19 as the topic.

Preview the prioritized COVID-19 articles in your Threat Research feed

You can see the most recent coronavirus-related publications from your sources in the preview. Choose whether to filter by Entire Content or titles that explicitly contain COVID-19 or its aliases.

New threats to your business can then be spotted and prepared for.

COVID-19 and retail

You’re a business intelligence analyst searching for COVID-19’s effects on stores and brands around the globe. Retail, one of the most disrupted sectors, is under intense scrutiny. The prioritization feature can help here too. 

With a Retail feed, you’ll preview countless pieces of content that tackle this subject. 

Again, just create a Leo priority around COVID-19.

Preview the prioritized COVID-19 articles in your Retail feed

And that’s it. You have a feed at the intersection of two subjects, with plenty of room for more priorities and further refinement.

Muting COVID-19

You might want to look past COVID-19 instead, and keep it out of your feeds. 

Muting is just as easy. Click ‘Train Leo’ and scroll to ‘Mute Filters’. Type in COVID-19. You’ll see a message asking which Feedly feeds you want to remove it from.

Here’s how it looks in a Tech feed. 

Preview the muted COVID-19 articles in your Tech feed

No more content on the topic will turn up in your Feedly, as long as the mute is active. It’s one of 1,000 pre-trained topics that Leo can mute right away.

Train Leo to prioritize or mute COVID-19 now

Whatever happens with coronavirus and your market, the trusted insights are here. Leo makes sure you’re never overwhelmed or struggling to see the big picture.

If you’re interested in learning more about Leo’s roadmap, join the Feedly Community Slack channel. 2020 will be a challenging year, but by staying informed, you can respond better and remain in control.

Leo understands Vulnerability Threats

Do you need to keep up with the latest vulnerabilities and threats but do not have the time to read all your security feeds? We can help.

In 2018, fifteen thousand vulnerabilities were discovered, the number of exploits doubled and more than four security articles were published every minute. Keeping up with all these trends can be time-consuming and overwhelming.

This is a problem we are very passionate about and have been researching with two of the largest security teams in Silicon Valley.

Today, we are excited to announce a new Leo skill called Security Threats.

We have been teaching Leo to read security articles and find or assess the severity of the software vulnerabilities they mention so that he can help you focus your attention on the most critical threats in your feeds first.

Here is a demo!

Let’s look at how you can train your Leo to prioritize articles mentioning critical vulnerabilities related to Microsoft, WordPress, or Docker.

Cut through the noise

Leo reads and prioritizes the most critical threats in your feeds

Leo continuously reads your feeds and short-lists the most critical vulnerabilities in the priority tab.

For example, you might have a cybersecurity feed connected to niche security experts, vulnerability databases, keyword alerts, etc. with thousands of new articles per month.

You can train Leo to read those 1,000+ articles and prioritize the 30 or so referencing high severity threats (CVSS > 8) and related to vendors you care about (Microsoft, WordPress, Docker in the example above).

Leo’s new Security Threat skill

You’re in control

Leo is not an opaque recommendation engine. Instead, Leo has a set of skills that gives you control over defining what information is important to you.

The new Security Threat skill allows Leo to read an article, lookup CVE, CVSS, and exploit information from multiple open source databases and determine how critical a vulnerability is.

The new Security Threat skill also includes a sophisticated machine learning model that allows Leo to assess the severity of a threat based on the vocabulary used to describe the software vulnerability. This is particularly useful for zero-day vulnerabilities which might not have a CVE or CVSS.

Training Leo to prioritize vulnerabilities is very simple.

Creating a Leo cybersecurity model

The first layer of the model captures the severity threshold. High means CVSS > 8 or CVSS > 5 but with an exploit.

The second layer of the model captures the list of vendors.

Control and transparency are core Leo design principles.

All the articles prioritized by Leo have a green priority marker. Clicking on that marker offers an explanation of why the article was prioritized and the opportunity to refine, pause or remove that priority.

Full control and transparency

When an article is related to a CVE, you can also click on that CVE to get additional information about the vulnerability: description, CVSS score, exploits, patches, etc.

Quick access to CVE information

Continuously learning and getting smarter

Leo learns from his mistakes. When a recommendation is wrong, you can use the “Less-Like-This” down arrow button to correct Leo.

Leo learns from Less Like This feedback

You can let Leo know that he misclassified a vulnerability, miscalculated the severity, or misidentified a vendor.

Leo learns from your feedback and gets continuously smarter.

Streamline your open-source intelligence

We are excited to see many security teams declutter their feeds and dig deeper into the vulnerabilities that matter to them. Sign up today and discover what Feedly for Cybersecurity can do for you!

If you are interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack. 2020 will be a thrilling year with new skills and bold experiments!