Get more out of SpyCloud by integrating Cybercrime Analytics into your existing security stack.
SpyCloud shares what criminals are using today to target your business and your customers, so you can react quickly to the data being used against you. It is darknet data that we operationalize to protect hundreds of enterprises and over 3 billion consumers from account takeover and online fraud, and you can put these insights to work in popular security tools. Learn more below.
By integrating SpyCloud into your existing security tools, you can maximize the value of your cybersecurity investments:
- Security Information and Event Management (SIEM): View SpyCloud breach alerts within the context of your overall security posture, triage related alerts, and consolidate event logs for compliance and reporting.
- Security Orchestration, Automation, and Response (SOAR): Enhance internal risk modeling and orchestrate incident response activities when a new data breach exposes enterprise credentials to cybercriminals.
- Threat Analytics & Threat Intelligence Platforms (TIPs): Extend your threat detection and response capabilities by using SpyCloud data for threat hunting and incident response.
- Link Analysis & Graphing: Visualize connections between SpyCloud data and other threat intelligence sources and accelerate your investigations.
- Directory Services & Identity Management: Automatically prevent, detect, and reset compromised employee passwords that put your organization at risk of a data breach or ransomware delivery.
- Ticketing Systems: Generate tickets for incident responders and others who may need to take action based on SpyCloud breach alerts.
- Consumer Applications: Prevent consumers from setting bad passwords within your application and identify when their logins are compromised by a breach or credential-stealing malware.
How Customers Are Integrating SpyCloud
SpyCloud customers integrate our data into a variety of platforms and tools. Here are some examples.
Active Directory, Microsoft
SpyCloud-supported, Directory Services, Employee Protection
Automate Active Directory protection out of the box using SpyCloud Active Directory Guardian. Active Directory Guardian has two components, usable together or separately, that prevent, detect, and reset weak or compromised passwords automatically.
- The password filter blocks employees from setting insecure passwords that could put corporate resources at risk. When an employee sets a new Active Directory password, the filter screens the candidate password for repeated or sequential characters, for matches against up to 50,000 custom dictionary words, and against passwords SpyCloud has recovered from data breaches and malware infections.
- The scanner checks employee credentials for exposure on an ongoing basis as new breaches occur. Security teams can schedule automated scans that check passwords against custom banned passwords, 1,000 “fuzzy” variations of each banned or exposed password, and every previously exposed password in SpyCloud’s database.
Together, they provide both prevention (password filter) and detection (scanner), complementing each other in the same way as brushing your teeth to prevent cavities and taking regular trips to the dentist to check for issues. The password filter prevents employees from setting weak or compromised passwords in the first place, and the scanner detects and resets additional exposures as new breaches occur over time.
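A local model of the filter/scanner split described above, added here as an example (it is not SpyCloud code and does not reproduce the product's rules). The exposed-password list, the custom dictionary, the leet table and the fuzzy-variation rules are constructed assumptions; SHA-1 stands in for whatever hash the real comparison uses, the point being that the checking side only needs hashes, never plaintext.

```python
"""Prevention-side password filter plus detection-side fuzzy scan.
Added example, not SpyCloud code; every data value below is constructed."""
import hashlib
import itertools
import string


def sha1_hex(pw):
    # SHA-1 is a stand-in for the product's comparison hash (assumption).
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


# Constructed stand-in for recovered breach/malware passwords, held as hashes.
EXPOSED_HASHES = {sha1_hex(p) for p in ("Summer2023!", "P@ssw0rd", "qwerty123", "Welcome1")}

# Constructed custom dictionary: company and product names a filter should ban.
CUSTOM_DICTIONARY = {"acme", "acmecorp", "widgetco", "helpdesk"}

# Leet table and its inverse, so 'W1dg3tC0' is recognised as 'widgetco'.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s"})


def has_repeated_run(pw, run=3):
    """'aaa', '111': any character repeated `run` or more times in a row."""
    return any(len(list(g)) >= run for _, g in itertools.groupby(pw))


def has_sequential_run(pw, run=4):
    """'abcd', '4321': `run` characters stepping up or down by one code point."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def normalise(pw):
    return pw.translate(UNLEET).lower()


def contains_dictionary_word(pw, dictionary=CUSTOM_DICTIONARY, min_len=4):
    norm = normalise(pw)
    return any(w in norm for w in dictionary if len(w) >= min_len)


def is_exposed(pw, exposed_hashes=EXPOSED_HASHES):
    return sha1_hex(pw) in exposed_hashes


def screen_password(pw):
    """Prevention side (password filter): reasons to reject a newly chosen
    password; an empty list means it passes. Length/complexity policy is left
    to the existing AD policy and not duplicated here."""
    checks = (
        ("repeated characters", has_repeated_run),
        ("sequential characters", has_sequential_run),
        ("custom dictionary word", contains_dictionary_word),
        ("previously exposed", is_exposed),
    )
    return [reason for reason, check in checks if check(pw)]


def fuzzy_variants(base, years=("2023", "2024"), limit=1000):
    """Detection side: expand one banned or exposed password into the variations
    people derive from it (case, leet, trailing digits/symbols/years).
    Constructed rule set; the product's actual rules are not published here."""
    seeds = {base, base.lower(), base.upper(), base.capitalize(), base.translate(LEET)}
    out = set(seeds)
    for s in seeds:
        for suffix in itertools.chain(string.digits, ("!", "!!", "#", "?"), years):
            out.add(s + suffix)
        for y in years:
            out.add(s + y + "!")
    return sorted(out)[:limit]


def scan_against_fuzzy(candidate_hash, bases):
    """Return the base password whose fuzzy neighbourhood contains the stored
    hash, or None. Mirrors a scheduled scan that only ever sees hashes."""
    for base in bases:
        if any(sha1_hex(v) == candidate_hash for v in fuzzy_variants(base)):
            return base
    return None


if __name__ == "__main__":
    print(screen_password("W1dg3tC0-Rocks"))
    print(scan_against_fuzzy(sha1_hex("P@SSW0RD2024"), ["Welcome1", "P@ssw0rd"]))
```

The filter rejects at set time; the scan catches what the filter cannot, such as a password that was fine when chosen but appears in a later breach, or a close variant of one that did.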
“One of the key areas of value is how the solution is proactive. As soon as it detects a compromised account, the integration with Active Directory works to reset that account, utilizing our CSOC incident response procedures. And it sends a notification to the security teams that remediation is taking place.”
– Al Dixon, Principal IT Security Architect of CorpIT at EBSCO Industries
“With Active Directory Guardian running on a daily or twice-daily basis, as soon as there’s a hit, the password is reset. I’m not sure you can do much better than that.”
– Dan Holland, Global Senior Director of IT Operations, Alvarez & Marsal
Anomali
Vendor-supported, Threat Intelligence Platform (TIP), Employee Protection
Enhance your security defenses by using SpyCloud data within Anomali to extend your detection and response capabilities. Combining breach data with your other intelligence sources can help you identify potential threats to your enterprise and arm analysts with the information they need to respond to incidents swiftly and effectively.
AT&T Cybersecurity, AlienVault USM Anywhere
Vendor-supported, Security Information and Event Management (SIEM), Employee Protection
Centralize your security posture by viewing SpyCloud breach alerts within the AlienVault USM Anywhere security management platform for threat detection, compliance management, and incident response. USM Anywhere generates alarms when SpyCloud detects your employees’ data on the criminal underground, along with context such as whether the data was stolen in a breach or via a malware infection such as a keylogger.
Maltego
SpyCloud-supported, Link Analysis, Investigations
Enhance your investigations by combining breach data from SpyCloud with data from internal and other OSINT sources using Maltego. Render directed, interactive graphs for link analysis to help your investigators find relationships between pieces of information collected from different sources located on the internet. With the SpyCloud API, investigators can pivot on data points like username, password, IP address, or email address and find a wealth of data. SpyCloud provides 50+ Maltego transforms, making it easier for investigators to use our rich dataset to research incidents.
“SpyCloud really helps our research in connecting dots between a persona that we have and one that we don’t.”
– Global Managed Services Provider
Cisco SecureX
Vendor-supported, Extended Detection and Response (XDR), Employee Protection
Expedite your incident response activities by drawing SpyCloud data into Cisco SecureX. Using the SecureX Threat Response SpyCloud Module, you can initiate investigations into security events and discover additional context from data SpyCloud has recovered from third-party breaches.
IBM Security i2 Analyst Notebook
Link Analysis, Investigations, Not Officially Supported
Integrating SpyCloud data into i2 Analyst Notebook can help your agency visualize connections between entities and build a case: establish venue, discover the digital accounts tied to a single actor or criminal campaign, and follow a lead to its end before committing months of process to it. Analysts can visually link artifacts, pivot on selectors of interest, and uncover links that open new avenues for investigation.
Jupyter Notebooks
Open-source, Link Analysis, Investigations, Not Officially Supported
Utilize our prebuilt Jupyter Notebooks to enhance your investigations with SpyCloud data. View potential trouble spots, or filter the data to highlight just the most actionable records and optionally export those records into a CSV for sharing or use in other tools.
Okta
Identity and Access Management (IAM), Employee Protection, Not Officially Supported
Seamlessly integrate SpyCloud and Okta to prevent account takeovers and monitor users for exposure and compromised credentials. Once enabled, you can check each set of user credentials at the time of login against the largest repository of recovered breach and botnet data in the industry to identify and reset passwords that have been exposed to criminals. If an exposed email or password is discovered during user authentication, Okta can automatically provide user notification, request an additional authentication factor, and reset passwords to remediate the exposure and prevent account takeover.
Palo Alto Networks Cortex XSOAR (Demisto)
Customer-created, Security Orchestration, Automation, and Response (SOAR), Employee Protection, Not Officially Supported
Streamline your incident response program by drawing SpyCloud data into your security orchestration, automation, and response (SOAR) platform. Create playbooks to orchestrate your response when a new breach exposes a user’s data, and give your analysts the context they need to prevent account takeover swiftly.
Vendor-supported, Security Orchestration, Automation, and Response (SOAR), Employee Protection
Splunk
SpyCloud-supported, Security Information and Event Management (SIEM), Employee Protection
See breach alerts within the context of your broader security landscape by ingesting SpyCloud logs into Splunk, enabling you to run queries, view dashboards, and centralize logs for compliance management. Using the two products together, you can enrich Splunk’s built-in risk model with SpyCloud data and triage related alerts.
“Splunk scripts pull in the SpyCloud data automatically to provide instant visibility into which students’ or staff’s credentials have been exposed. The quantity and quality of their data is amazing; we’ve never seen anything like it.”
– Large U.S. University
ThreatConnect
Vendor-supported, Security Orchestration, Automation, and Response (SOAR), Employee Protection
Automate threat detection and response around company assets exposed in third-party breaches and leaks, and keep cybercriminals out of corporate accounts and networks. Mutual customers can operationalize SpyCloud’s database of exposed assets tied to company employees through ThreatConnect, and:
- Rapidly access detailed, accurate and relevant breach data at the touch of a button, alongside your other threat intelligence feeds
- Automate logging and remediation around exposures detected by SpyCloud
- Leverage additional ThreatConnect integrations for further enrichment or triage
Vendor-supported, Link Analysis, Investigations
Enhance your investigations and attribute cybercrime faster by enriching your existing threat intelligence sources with SpyCloud data. Visualize connections in multiple formats and perform queries to support your analysis, including macros and storm commands.
Don’t See Your Product Listed? You Have Options!
If no pre-built integration exists for your specific toolset or use case, you’re still in luck. SpyCloud provides high-volume APIs to help you put our data to use in conjunction with your essential technologies.
SpyCloud Enabled a Global Fintech Company to Protect Thousands of Vulnerable Accounts Representing Tens of Millions of Dollars
How It Works
SpyCloud provides access to Cybercrime Analytics based on billions of recaptured darknet data assets through REST APIs. The APIs use resource-oriented URLs and HTTP response codes to indicate errors; all responses, including error responses, are JSON.
Any application that can query an external API endpoint can integrate SpyCloud data. Once the application is configured to query the SpyCloud API with the appropriate parameters, such as an email address or target domain, map the fields in the results to the corresponding fields in your solution.
Customers using SpyCloud Active Directory Guardian have an additional integration option. Active Directory Guardian can write a scan log to a file-system location for every AD scan. These logs are in CSV format and can be read by any security solution that supports ingesting standard CSV data from a known file location.
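One way to consume those CSV scan logs when no vendor connector exists for your SIEM, added here as an example (not SpyCloud code): parse the file, collapse duplicate rows for the same exposure, and emit one normalised JSON event per exposure with a severity derived from whether the credential came from a breach or a malware infection. The column names, the sample rows, the severity mapping and the action values are constructed assumptions; take the real column names from the header of an actual scan log and adjust `REQUIRED` and `to_event` to match.

```python
"""CSV scan log -> normalised JSON events for a SIEM.
Added example, not SpyCloud code; columns and rows below are constructed."""
import csv
import io
import json
from datetime import datetime, timezone

# Assumed column set; a real log's header is authoritative.
REQUIRED = ("scan_time", "sam_account_name", "email", "exposure_type", "source", "action_taken")

# Malware-sourced exposures (an infostealer on the user's machine) rank above
# third-party breach records: the credential was captured live and is likely current.
SEVERITY = {"malware": "high", "breach": "medium"}

# Constructed sample log: the third row is a duplicate of the first.
SAMPLE_CSV = """\
scan_time,sam_account_name,email,exposure_type,source,action_taken
2024-03-04T06:00:12Z,jsmith,jsmith@example.com,breach,ExampleForum 2021,password_reset
2024-03-04T06:00:12Z,mlee,mlee@example.com,malware,infostealer log,password_reset
2024-03-04T06:00:13Z,jsmith,jsmith@example.com,breach,ExampleForum 2021,password_reset
2024-03-04T06:00:14Z,tnguyen,tnguyen@example.com,breach,OldShop 2019,notified_only
"""


def missing_columns(fieldnames):
    """Columns from REQUIRED that the log header lacks, in REQUIRED order."""
    present = set(fieldnames or ())
    return [c for c in REQUIRED if c not in present]


def parse_scan_log(text):
    reader = csv.DictReader(io.StringIO(text))
    missing = missing_columns(reader.fieldnames)
    if missing:
        # Fail loudly: silently skipping rows would hide exposures from the SIEM.
        raise ValueError("scan log missing columns: %s" % missing)
    return list(reader)


def dedupe(rows):
    """One exposure should become one alert even if the scan logged it twice."""
    seen, out = set(), []
    for r in rows:
        key = (r["sam_account_name"].strip().lower(), r["exposure_type"].strip().lower(), r["source"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def to_event(row):
    ts = datetime.strptime(row["scan_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    exposure = row["exposure_type"].strip().lower()
    return {
        "@timestamp": ts.isoformat(),
        "vendor": "SpyCloud",
        "product": "Active Directory Guardian",
        "user": row["sam_account_name"],
        "email": row["email"],
        "exposure_type": exposure,
        "source": row["source"],
        # Unknown exposure types default to medium rather than being dropped.
        "severity": SEVERITY.get(exposure, "medium"),
        # False means a responder still has to act; a SIEM rule can alert on it.
        "remediated": row["action_taken"].strip() == "password_reset",
    }


def process(text):
    return [to_event(r) for r in dedupe(parse_scan_log(text))]


def to_jsonl(events):
    """Newline-delimited JSON, the shape most SIEM file inputs ingest directly."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    print(to_jsonl(process(SAMPLE_CSV)))
```

Point your SIEM's file input at the JSON Lines output, or call `process` from the script that already watches the log directory; the `remediated` flag is what lets a correlation rule separate "password already reset, log it" from "someone needs to act".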