How to Use Third Party Feeds to Detect Threats


One of the hot topics right now among our customers is how to use third-party lists or feeds of threat information in their SIEM or log management tool.

Gartner has some good starting points and references here.

This typically involves obtaining threat intelligence from one or more sources. The intelligence is usually a list of operational indicators (artifacts) such as IP addresses, domain names, URLs, or MD5 hashes of suspicious files, which can be matched against the behavior or traffic flowing through your network or enterprise.

An enhanced iteration of this is the ability of organizations to selectively share intelligence with partners or peers in the same sector (e.g., a bank sharing with other banks) while retaining some anonymity.

The SIEM should then be able to analyze the threat intelligence against both incoming and historical log sources, so that a user visiting a suspicious or known-malicious domain, or a host attempting (or succeeding in making) a connection to a command-and-control server, triggers an immediate alert or opens an incident for triage.

More value is obtained when the log sources carry additional context (or the SIEM can add it), such as the actual MD5 hash of a file that has been downloaded, transferred, or stored on a host, so that file-hash indicators can be matched as well as network ones.

The important point is that the SIEM can assimilate the different artifact types from the intelligence data sets and correlate them against the customer's log sources in real time; that is what provides operational value. In practice this also means normalizing indicators and log fields before matching (case, trailing dots in domains, URL form, hash encoding) and carrying the feed's source and severity into the resulting alert so analysts can prioritize.
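The matching described above, as an added example written for this article rather than AccelOps code: a small Python script that loads a constructed indicator feed (IP, domain, URL and MD5 indicators with a source and severity), normalizes the indicators, extracts candidate artifacts from constructed proxy, firewall, DNS and endpoint log lines, and reports prioritized hits. The CSV feed shape, the key=value log format and every address, domain and hash are invented for illustration.

```python
"""Match third-party threat-intelligence indicators against log events.

Added example; not AccelOps code. The feed format, log format and all
indicator values below are constructed for illustration only.
"""
import csv
import io
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feed: one indicator per row, with where it came from and how
# severe the feed rates it. Types mirror the artifacts named in the article.
FEED_CSV = """type,value,source,severity
ip,203.0.113.45,partner-bank-share,high
domain,Update-Check.example.,commercial-feed,medium
url,http://cdn.example/loader.php,commercial-feed,high
md5,44d88612fea8a8f36de82e1278abb02f,isac-share,critical
"""

# Constructed log lines from several source types (proxy, firewall, EDR, DNS).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.7 url=http://cdn.example/loader.php status=200",
    "2024-05-01T10:00:05Z fw src=10.0.0.7 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:00:09Z fw src=10.0.0.8 dst=198.51.100.9 dport=443 action=allow",
    "2024-05-01T10:00:12Z edr host=ws-07 file=C:\\Users\\a\\loader.exe md5=44D88612FEA8A8F36DE82E1278ABB02F",
    "2024-05-01T10:01:30Z dns src=10.0.0.9 query=update-check.example rcode=NOERROR",
]

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(itype, value):
    """Canonicalize an indicator so case or format differences don't cause misses."""
    value = value.strip()
    if itype == "domain":
        return value.lower().rstrip(".")   # DNS names are case-insensitive; drop trailing dot
    if itype == "md5":
        return value.lower()               # hex digests are often logged in upper case
    if itype == "url":
        return value.lower()
    return value                           # IPs are used verbatim


def load_feed(csv_text):
    """Build an index {(type, normalized value): [metadata, ...]} for O(1) lookups."""
    index = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["type"], normalize(row["type"], row["value"]))
        index[key].append({"source": row["source"], "severity": row["severity"]})
    return index


def extract_artifacts(line):
    """Parse one key=value log line into (timestamp, source, fields, artifacts).

    Each artifact is (indicator type, raw value, field it came from). A URL also
    yields its host so domain indicators can hit on proxy logs.
    """
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    artifacts = []
    for field in ("src", "dst"):
        if field in fields:
            artifacts.append(("ip", fields[field], field))
    if "url" in fields:
        artifacts.append(("url", fields["url"], "url"))
        host = urlsplit(fields["url"]).hostname
        if host:
            artifacts.append(("domain", host, "url.host"))
    if "query" in fields:
        artifacts.append(("domain", fields["query"], "query"))
    if "md5" in fields:
        artifacts.append(("md5", fields["md5"], "md5"))
    return ts, source, fields, artifacts


def match_logs(lines, index):
    """Correlate log lines against the indicator index; works the same on a
    live stream or on historical logs replayed through it."""
    hits = []
    for line in lines:
        ts, source, fields, artifacts = extract_artifacts(line)
        for itype, value, field in artifacts:
            for meta in index.get((itype, normalize(itype, value)), []):
                hits.append({
                    "ts": ts, "log_source": source, "field": field,
                    "type": itype, "value": normalize(itype, value),
                    "host": fields.get("src") or fields.get("host"),
                    "feed_source": meta["source"], "severity": meta["severity"],
                })
    return hits


def prioritize(hits):
    """Order hits by feed severity (highest first); stable for equal severity."""
    return sorted(hits, key=lambda h: SEVERITY_RANK.get(h["severity"], -1), reverse=True)


if __name__ == "__main__":
    for h in prioritize(match_logs(SAMPLE_LOGS, load_feed(FEED_CSV))):
        print(f"{h['severity']:8} {h['type']:6} {h['value']:40} host={h['host']} via {h['feed_source']}")
```

Note that the feed's domain entry is mixed-case with a trailing dot and the EDR log reports the hash in upper case; without the normalization step neither would match. The same index and `match_logs` routine can be run over an archive of older logs to answer "were we already talking to this infrastructure before the feed arrived," which is the historical correlation the text describes.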

With an integrated, cross-correlated and prioritized view into network, server, application and user logs, AccelOps simplifies the collection of information that impacts your business. AccelOps supports cross-domain patterns, nested patterns and time-based operators to codify and detect sophisticated threats, including custom defined threat intelligence sources for both real-time alerting and forensic analysis.

Want to talk about how we can help you secure your network? Contact us; we’re here to help. 


Authors

Marta Stone


Tags

cloud security big data RSA analytics compliance Q&A PCI DSS HIPAA Sarbanes Oxley (SOX) Target breach

About Accelops

AccelOps provides the leading IT operations analytics platform for the modern data center. The virtual appliance software monitors security, performance and compliance in cloud and virtualized infrastructures – all from a single screen.


AccelOps automatically discovers, analyzes and automates IT issues in machine and big data across organizations’ data centers and cloud resources, spanning servers, storage, networks, security, applications and users. AccelOps’ patented analytics engine with cross-correlation and statistical anomaly detection sends real-time alerts when deviations occur that indicate a security or performance-impacting event.


The AccelOps platform scales seamlessly and provides unmatched delivery of proactive security and operational intelligence, allowing organizations to be more responsive and competitive as they expand their IT capabilities. 
