LQMT – Last Quarter-Mile Toolset

The Problem

Today’s cyber defenders have many sources of Cyber Threat Information (CTI) to choose from and a variety of mechanisms with which to access the data. Once the information has been retrieved, however, the process of loading the information into the analysis and protection tools is cumbersome and problematic. Organizations are like snowflakes: each one has a unique set of end point devices and software tools (e.g., firewalls, proxies, SIEM platforms). Many tools have their own interfaces, connection protocols, and data formats. This situation makes it nearly impossible to take a one-size-fits-all approach to automatic response to CTI.

The Solution

The Last Quarter-Mile Toolset addresses this problem with its modular design. Organizations can use the LQMToolset to individually tailor both the input and output sides — and bypass the need for a one-size-fits-all solution.

As represented in Figure 1, by embedding Cyber Fed Model’s (CFM’s) Flexible Transform (FlexT) tool, the LQMToolset enables users to process a growing list of input formats. These formats are then transformed into a common representation, retaining the original context and meaning. Next, the data are sent to output modules to perform the additional steps needed to interact with individual end points. This modular design also allows for the easy addition of new end points and the reuse of intermediate steps.

LQM Tool diagram

Figure 1: CTI data on the local filesystem is sent through appropriate parsing tools and then fed to tool chains, which send the CTI data to a firewall (for active response) and SIEM tool (for knowledge archival).
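The pipeline shape described above (parse each input format into one common representation, then fan that representation out to independent output modules), as an added illustration that is not LQMT's or FlexT's own code: the STIX 1.x fragment is constructed, and the record layout, module names and the CEF / key=value renderings are assumptions about how such a tool chain could look.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a STIX 1.x Indicator that carries one IPv4 address observable.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2">
 <stix:Indicators><indicator:Indicator id="example:indicator-1">
  <indicator:Title>Scanning source</indicator:Title>
  <indicator:Observable><cybox:Object><cybox:Properties category="ipv4-addr">
   <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
  </cybox:Properties></cybox:Object></indicator:Observable>
 </indicator:Indicator></stix:Indicators>
</stix:STIX_Package>"""

NS = {"indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2",
      "addr": "http://cybox.mitre.org/objects#AddressObject-2"}

def parse_stix(xml_text):
    """Input side: turn STIX XML into format-neutral indicator records (record layout is assumed)."""
    records = []
    for ind in ET.fromstring(xml_text).iterfind(".//indicator:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for props in ind.iterfind(".//cybox:Properties", NS):
            value = props.findtext("addr:Address_Value", namespaces=NS)
            if value:  # this toy parser only understands address observables
                records.append({"type": props.get("category", "unknown"), "value": value,
                                "title": title, "id": ind.get("id", "")})
    return records

def _esc(text, chars):
    """Backslash-escape the delimiters CEF reserves ('|' in header fields, '=' in extension values)."""
    return "".join("\\" + c if c in chars or c == "\\" else c for c in text)

def to_cef(rec):
    """Output module for an ArcSight-style consumer: one CEF event per record."""
    return "CEF:0|LQMT-example|cti|1|%s|%s|5|src=%s cs1Label=indicatorId cs1=%s" % (
        _esc(rec["type"], "|"), _esc(rec["title"], "|"), _esc(rec["value"], "="), _esc(rec["id"], "="))

def to_splunk_kv(rec):
    """Output module for a Splunk-style consumer: quoted key=value pairs."""
    return " ".join('%s="%s"' % (k, rec[k].replace('"', '\\"')) for k in ("type", "value", "title", "id"))

OUTPUT_MODULES = {"arcsight": to_cef, "splunk": to_splunk_kv}

def run_chain(xml_text, enabled):
    """Tool chain: parse once, then fan the common records out to the enabled output modules."""
    records = parse_stix(xml_text)
    return {name: [OUTPUT_MODULES[name](r) for r in records] for name in enabled}
```

Adding a new end point means adding one renderer to OUTPUT_MODULES; the input side is untouched, which is the decoupling the modular design is meant to buy.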

Features

Feature          Enabling users to:
Flexible         Configure only the pieces relevant to the local environment.
Powerful         Convert the format without losing context or meaning.
Agile            Add new features easily with the modular design.
Cross-protocol   Avoid protocol lock-in, as each module handles its own end point communication.
Open-source      Extend and contribute back easily.

Currently Supports

  • Input Data Formats
    • Structured Threat Information eXpression (STIX)
    • All CFM XML schemas
  • Output Formats, Tools, and Devices
    • Palo Alto
    • Checkpoint
    • ArcSight Logger
    • Splunk
    • Syslog
    • FlexText

Coming Soon

  • FlexText Input
  • Output Formats, Tools, and Devices
    • Cisco ASA
    • Blue Coat
    • Bro
    • Juniper
    • FortiGate
  • Additional Features

Get Involved!

Because the scope of the LQMToolset exceeds the needs of one team at one national laboratory, the LQMToolset has been released as open-source software. The development team welcomes and strongly encourages your participation.

Link to the LQMT GitHub page