For threat intelligence to really work for organizations, it must…

  1. Be easy to use
  2. Be easy to integrate
  3. Have dependable coverage

To this end, throughout 2020 we made hundreds of improvements to SearchLight, in 24 releases. Here are my top three features added in the last year.

1. Get more time back with automated playbooks

Automated playbooks are the most exciting addition to SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) in 2020. 

The triage and investigation of invalid exposed employee credential alerts was wasting hours of the security team’s time each week. Often the credentials belonged to employees who were no longer with the company, or the credential did not meet the company’s password policy.

SearchLight’s new automated playbooks enable users to automatically validate these credentials based on a range of validation methods, including integrating with cloud-based user directories. Furthermore, users can automatically reject those exposed credential alerts that do not pass the validation check, saving users valuable time in their week. 

Figure 1: Credential validation methods introduced in SearchLight

2. Find new areas of exposure: exposed access key alerting

In addition to saving security teams from wasted time, we have introduced new types of alerting that uncover even more online risk. 

With threat actors increasingly on the hunt for exposed access keys, we have developed a market-leading capability for detecting this type of data. Our research in September found more than 800,000 exposed keys online–from databases stores, cloud providers, and other online services. 

In near-real-time, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) detects when keys belonging to your organization are exposed across code repositories and paste sites by employees or contractors. These alerts include rich context on the source of the exposure, information on the author, and a timeline of activity.

Figure 2: Exposed Access Key alert

3. Maintain comprehensive coverage across all sources

Over the past decade, we’ve continuously improved coverage of our four main areas: open web, dark web, file stores, and technical sources. And 2020 was no different.

Open web. We introduced coverage of GitLab, which enables us to assess millions of commits every month for engineers inadvertently exposing sensitive information.

Dark web. We introduced coverage of some top tier criminal forums and dark web marketplaces. The cybercriminal underground is constantly evolving, and so must we. Since January, we have added over 5 billion credentials to our breach store most of these sourced from these forums and marketplaces. 

File stores. We analyze an incredible number of exposed documents to identify sensitive information that has leaked out of your business. We have now indexed 60 billion files and can assess the contents of archive files, too (Another 2020 new feature). You can read more about SearchLight’s new sensitive document capabilities here

Technical sources. Users now benefit from more technical sources and feeds, such as OpenPhish. These sources enable organizations to discover phishing sites impersonating their own domain, but also to use that data for ongoing investigations and response.

We have some exciting changes planned for 2021, so stay tuned for more!