Zscaler IOCs source / customer IOCs source


(Alex) #1

Does Zscaler use external IOCs or fully rely on its own?
Is there a way to correlate Zscaler IOCs with external IOCs? Alternatively, could a Zscaler customer bring custom IOCs into Zscaler for proactive blocking?


(Bob Hendryx) #2

Zscaler receives over 60 threat intel feeds, both public and private, in addition to information obtained by mining its own cloud data. It is possible using the API to automate the creation of custom URL categories from customer IOCs to be used in blocking.


(Alex) #3

Hi Bob,
Would you be able to provide a document on which public/private IOC sources Zscaler uses?
We have our parent organization asking for this information.
Thanks,


(Bob Hendryx) #4

The list is not shared publicly due to its sensitive nature, just as any organization shouldn’t share which AV, IPS, firewall, endpoint protection, etc. it uses.


(Alex) #5

We have auditors asking for the list. Would you be able to release the list under NDA?
Thanks,


(Bob Hendryx) #6

Please contact your Zscaler account team to discuss options.


(Jozef Krakora) #7

Bob is correct; an API can be used to manage custom URL/IP/Domain block lists. Additionally, the Zscaler ThreatLabZ team can review any IOC and add to global block lists, and in some cases, can also implement an automated custom feed source protocol to ingest customer sourced IOCs.


(Alex) #8

Is there any plan to add STIX/TAXII functionality?
We use on-prem Soltra EDGE to receive IOCs from our parent org.


(Jozef Krakora) #9

Hi, STIX/TAXII compliant threat intel sharing is something that is being investigated. Can you be more specific on what kinds of IOCs you receive from your parent org and how you use them?


(Alex) #10

We receive MD5s, compromised IP addresses and domain names. The package is delivered via the Soltra EDGE platform.
We use MD5 checksums to upload into Tenable Security Center, and if there is a hit on an MD5 we have to report it to the Federal Government. DNS names are a feeder into Infoblox DNSFW for blocking and reporting.
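The API route mentioned in #2 and #7, applied to the mixed feed described in #10, as an added example that is not code from this thread or from Zscaler: it sorts a raw IOC list into what can go into a custom URL category (IPs and domains/URLs) and what cannot (MD5 hashes, which stay with the host-side tooling), and builds the request body. The field names configuredName, superCategory, customCategory and urls are assumed from the ZIA custom URL category API and should be checked against the current API reference before use; the feed content is constructed.

```python
import ipaddress
import re

# Constructed sample feed (not real indicators): one per line, mixed types.
SAMPLE_IOCS = """\
# indicators from the parent org (constructed sample)
d41d8cd98f00b204e9800998ecf8427e
198.51.100.23
malicious-example.test
Malicious-Example.TEST
bad.example.invalid/path?x=1
not a valid indicator
"""

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def classify(indicator):
    """Return 'md5', 'ip', 'url' or None for one indicator string."""
    s = indicator.strip()
    if not s or s.startswith("#"):
        return None
    if MD5_RE.match(s):
        return "md5"
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        pass
    return "url" if HOST_RE.match(s.split("/", 1)[0].lower()) else None


def build_category_payload(feed_text, name="Parent-Org-IOCs"):
    """Return (payload, skipped): payload is the JSON body for a custom URL
    category (field names assumed, see lead-in); skipped holds MD5 hashes,
    which a URL category cannot hold, and lines that parse as nothing."""
    urls, skipped, seen = [], [], set()
    for line in feed_text.splitlines():
        s = line.strip()
        kind = classify(s)
        if kind in ("ip", "url"):
            host, sep, rest = s.partition("/")
            entry = host.lower() + sep + rest   # host is case-insensitive, path is not
            if entry not in seen:               # drop case-only duplicates
                seen.add(entry)
                urls.append(entry)
        elif kind == "md5":
            skipped.append(s.lower())
        elif s and not s.startswith("#"):
            skipped.append(s)
    payload = {"configuredName": name, "superCategory": "USER_DEFINED",
               "customCategory": True, "urls": urls}
    return payload, skipped
```

The skipped list is worth logging on every run: a hash or unparseable line silently dropped from a block list is exactly the kind of gap an auditor asks about later.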