Overview


Why Mandiant?

The Mandiant connector is a TI (Threat Intelligence) connector that enriches the existing threat intelligence data in your Vulcan Platform. Mandiant adds another layer of intelligence on top of the CVE severity, based on its extensive vulnerability research.

Vulcan Cyber acknowledges the high reliability of Mandiant TI, as well as the dependency of many Security Engineers and CISOs on it as their primary source of Cyber Threat Intelligence. Therefore, we now offer a new dedicated connector that consolidates and aggregates the TI data from Mandiant.


Mandiant and Vulcan Cyber - What's the added value?

The power of two

Mandiant holds comprehensive threat intelligence data that focuses on the actual threat behind vulnerabilities. When synced with your Vulcan Platform, you get a new consolidated risk calculation that also takes into consideration the assets in your organization. This means that when syncing Mandiant with the Vulcan Platform, you get enriched, aggregated, and consolidated Threat Intelligence from both platforms. This gives you a better view of the cyber vulnerabilities and threats in your organization and on your assets, allowing you to prioritize remediation more efficiently.

A scenario to consider

Let's assume that in the Vulcan Platform you have an external-facing asset that belongs to a production business group, and another asset that belongs to another non-production business group. Both assets have a vulnerability identified as Critical by Mandiant and High by Vulcan. Both assets have Business-Groups and Tags by Vulcan that allow you to understand their criticality in the organization. Without needing to go back and forth between the Mandiant and the Vulcan platforms, you get a comprehensive look at the vulnerabilities and threats directly from your Vulcan Platform. Then, you get to decide where to remediate first. In this case, you would probably prioritize remediating the vulnerability on the production business group over the non-production one.

What do you get as a CISO/Security Engineer?

  1. Actively seek critical new vulnerabilities that need attention today:

    Filter to view the most recent vulnerabilities that have the highest Mandiant risk rating, and assign tasks by taking a remediation action on a vulnerability.

  2. Identify vulnerabilities that also exist in Mandiant TI

    There is a dedicated Threat tag for the Mandiant risk score, so you can identify whether there is TI info from Mandiant and assess the related risk.

  3. Explore CVE analysis comprehensively and take action

    Look into CVE analysis by accessing the Mandiant TI data, the Vulcan TI data, available fixes, and related assets. Then, take your next-step remediation action based on the consolidated data in the Vulcan Platform.

  4. Access aggregated and correlated CVE Threat Intelligence reports collected from Mandiant

    Go to Vulnerabilities > Enter a vulnerability that has the Mandiant Risk tag > Click on the Threat Intelligence tab > Explore the Mandiant Reports:

    Expand a report to get valuable details such as the description, related CVEs, attacking ease, and more.

  • The Reports are organized from the most recent and highest risk score to the oldest and lowest risk score.

  • You are exposed to the most valuable cyber-related information from Mandiant, consolidated into a concise block of information (Description, Risk rating, Exploit rating, Attacking ease, Exploitation consequence, Exploits, and related CVEs).


Configure the Mandiant connector

Prerequisites

To establish a sync between your Vulcan Platform and your Mandiant subscription, you will require Mandiant *v2 API credentials and must have an RPI audience subscription type in Mandiant.

*Note: Mandiant v2 API credentials are not currently available from the Mandiant user portal, so you will need to contact Mandiant customer support and request v2 API credentials for your Mandiant subscription.

Steps

  1. In your Vulcan Platform, go to Connectors, and click Add a Connector.

  2. Select the Mandiant connector.

  3. Fill in the Public and Private keys of Mandiant.

  4. Set the number of days to fetch past reports from Mandiant.

  5. Enable / Disable Mandiant risk rating adjusted score. (Not sure what it means? See Mandiant Risk Score, Threat tags, and Risk Calculation)

Note: After the initial sync is complete (it might take some time), the connector will sync once a day to bring new TI reports from Mandiant.


Mandiant Risk Score, Threat tags, and Risk Calculation

How is the risk score calculated when integrating with Mandiant?

The risk calculation in the Vulcan Cyber Platform might change only if you enable the "Mandiant risk rating adjusted score" option on the configuration page of the connector.

When enabled, the vulnerabilities that have the "Mandiant risk" threat tag will have a custom risk calculation as described in the table below:

  Mandiant Threat tag        | Risk calculation and score
  ---------------------------|-------------------------------------------------------------
  Mandiant risk: CRITICAL    | 100
  Mandiant risk: HIGH        | 85 + 0.15 (15%) Tags score
  Mandiant risk: MEDIUM      | The risk score in the Vulcan Cyber platform isn't affected
  Mandiant risk: LOW         | 10 + 0.3 (30%) Tags score + 0.2 (20%) Threat tags

If a vulnerability has several CVEs and some of them have different Mandiant risk scores, what determines the Mandiant risk threat tag?

The CVE that has the higher Mandiant risk score determines the Mandiant risk tag the vulnerability gets.

For example, if a vulnerability has 4 CVEs, 2 of which have a Mandiant risk score of Medium and one of which has Critical, the vulnerability will get the threat tag Mandiant risk: CRITICAL.
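The following is an added illustration of the two rules above (the per-tag score formulas from the table and the "highest CVE rating wins" tag assignment); it is not Vulcan's or Mandiant's own code. It assumes that "Tags score" and "Threat tags" are 0-100 component scores and that the Vulcan score is passed in as a number, since the page does not state their scales.

```python
from enum import IntEnum
from typing import Iterable, Optional


class MandiantRisk(IntEnum):
    """Mandiant risk ratings, ordered so max() yields the most severe one."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


def vulnerability_risk_tag(cve_ratings: Iterable[Optional[MandiantRisk]]) -> Optional[MandiantRisk]:
    """The highest Mandiant rating among a vulnerability's CVEs becomes its
    'Mandiant risk' threat tag. CVEs with no Mandiant data (None) are ignored;
    if none of the CVEs is rated, the vulnerability gets no Mandiant tag."""
    rated = [r for r in cve_ratings if r is not None]
    return max(rated) if rated else None


def adjusted_score(vulcan_score: float, mandiant_tag: Optional[MandiantRisk],
                   tags_score: float, threat_tags_score: float,
                   adjust_enabled: bool = True) -> float:
    """Apply the 'Mandiant risk rating adjusted score' rules from the table.

    vulcan_score      - the platform's own risk score (kept whenever Mandiant
                        does not override it)
    tags_score        - assumed 0-100 'Tags score' component
    threat_tags_score - assumed 0-100 'Threat tags' component
    adjust_enabled    - the connector's configuration switch
    """
    if not adjust_enabled or mandiant_tag is None:
        return vulcan_score  # MAX RISK stays on Vulcan TI and calculations alone
    if mandiant_tag is MandiantRisk.CRITICAL:
        return 100.0
    if mandiant_tag is MandiantRisk.HIGH:
        return 85.0 + 0.15 * tags_score
    if mandiant_tag is MandiantRisk.MEDIUM:
        return vulcan_score  # explicitly "isn't affected"
    return 10.0 + 0.3 * tags_score + 0.2 * threat_tags_score  # LOW


if __name__ == "__main__":
    # Constructed scenario from the text: 4 CVEs, two Medium, one Critical, one unrated.
    tag = vulnerability_risk_tag([MandiantRisk.MEDIUM, MandiantRisk.MEDIUM,
                                  MandiantRisk.CRITICAL, None])
    print(tag.name, adjusted_score(70.0, tag, tags_score=40.0, threat_tags_score=50.0))
```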

What if I don't enable the "Mandiant risk rating adjusted score" configuration?

If not enabled, you'll still be able to see the Threat Intelligence info collected by Mandiant, including the dedicated Mandiant risk tags on the relevant vulnerabilities. However, the MAX RISK score won't be affected by Mandiant TI at all; it will be based solely on Vulcan TI and risk calculations.

What happens if a vulnerability is identified as Medium by the Vulcan Platform and High/Critical by Mandiant TI?

It means that the Mandiant research team has done some further research on the vulnerability and came to the conclusion that the risk is higher than we thought (i.e., higher than what the official threat intel sources report).
