A look at Interflow, Microsoft’s threat information exchange platform

In the last few years, there has been one constant call from almost all participants in the information security community: the call for cooperation. But that is easier said then done – you need to make collaboration mutually beneficial and, above all, easy.

Microsoft recently announced the private preview of Microsoft Interflow, a security and threat information exchange platform for analysts and researchers working in cybersecurity, and they believe that this project ticks both of the aforementioned boxes.

“Interflow delivers security and threat information in a machine-readable format, which makes it possible to integrate into existing tools,” Jerry Bryant, lead senior security strategist, Microsoft Trustworthy Computing, told Help Net Security. “Firewall and IDS/IPS appliances are good examples. If an Interflow user has a highly trusted feed of known malicious URLs, they can choose to have that feed flow into their firewall through a connector to automatically block access to those sites without any human interaction.”

Their aim is to enable and facilitate more exchange of security and threat information across the industry, and to clear the way for end-to-end security automation, which they deem critical to keeping up with the evolving threat landscape.

“We intend to ship Interflow with several connectors for the most common tools already in the box and will work with our preview partners to identify additional connectors and transforms,” said Bryant. “In addition, we encourage the community to share any connectors and transforms they create with others.”

“Sharing good threat intelligence makes the ecosystem safer, which benefits everyone,” he pointed out. “We have designed Interflow specifically to enable more bi-directional sharing in the industry and we strongly encourage organizations to start by sharing their sharable threat data. We enable this through an Excel-like data import wizard that removes the complexity of transforming data into a STIX document.”

Besides STIX, Interflow also incorporates other community-driven specifications, such as TAXII and CybOX.

“Collection and analysis varies from incident to incident. The key factor, though, is that once an indicator is identified and fed into Interflow, protection can happen in near real time for all your sharing partners,” he said.

Participants are free to decide what data they want to share, and they can also set trust levels for the data they receive. (By the by, Incident response organizations, like Computer Emergency Readiness Teams, are more than welcome to participate.)

“Interflow allows users to construct their own ‘watch lists’ to filter out the data that is important to them. A watch list can consist of things like IP ranges or ASNs. As Interflow is designed to consume and process large amounts of data, watch lists are the key to surfacing indicators specific to a given organization,” Bryant explained to us.

“At that point, the data is still in the machine-readable STIX format allowing customers to enable automated use of the data within their networks or drill into it in the Interflow graphical user interface (GUI). The Interflow GUI looks much like an Outlook inbox allowing you to click on new items and see them in a preview pane. Because STIX is extremely complex and has multiple levels of data, the interface allows you to drill deeper and deeper into indicator information depending on how much information was provided by the source.”

“What makes Interflow unique?” I finally asked.

“We designed it specifically to integrate with not only other knowledge exchange platforms but also with network protection systems through our plug-in architecture and SDK,” he noted, but added that there are a number of threat data sharing platforms in the marketplace and that customers should use whichever platform best suits their needs.

Obviously, they are hoping that Interflow will be it.