One of the hot topics right now among our customers is how to use third-party lists or feeds of information in their SIEM or log management tool.
Gartner has some good starting points and references here.
This typically involves obtaining threat intelligence from one or more sources. It could include lists of operational threat intelligence indicators or artifacts, such as IP addresses, domain names, URLs, or MD5 hashes of suspicious files, that can be matched against behavior or traffic flowing through your network or enterprise.
An enhanced iteration of this is the ability of companies to selectively share intelligence with partners or organizations in the same sector (i.e., a bank would share with other banks) while retaining some anonymity.
The SIEM should then have the ability to analyze the threat intelligence against incoming and historical log sources, so that users visiting suspicious or known malicious domains, or hosts attempting (or succeeding in) making connections back to command and control servers, would trigger an immediate alert, incident, or triage.
More benefit can be obtained if the log sources carry additional context (or the SIEM can add it), such as the actual MD5 hash of a file that has been downloaded, transferred, or stored on a host.
The important thing here is that the SIEM can assimilate the different artifacts from the intelligence data sets and then correlate them against the customer's log sources in real time, providing operational value.
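To make the correlation step concrete, here is an added example (not AccelOps code, and not from the original post) of a minimal indicator matcher: it loads a constructed feed of IP, domain and MD5 indicators, normalizes what it finds in each log line (case, trailing dots, subdomains of a listed domain), and reports which line matched which indicator. The feed values and log lines are constructed for illustration, not real indicators.

```python
import re
from dataclasses import dataclass

# Constructed sample feed (placeholder values, not real indicators),
# keyed by indicator type with values already in normalized form.
FEED = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"bad-example.invalid", "c2.example.test"},
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},
}

@dataclass(frozen=True)
class Hit:
    ioc_type: str   # "ip", "domain" or "md5"
    value: str      # the feed entry that matched (normalized)
    line_no: int    # 1-based index of the log line

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\.?", re.I)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.I)

def normalize_domain(d):
    # Lower-case and drop a trailing dot so "C2.Example.Test." still matches.
    return d.lower().rstrip(".")

def match_line(line, line_no, feed=FEED):
    hits = []
    for ip in IP_RE.findall(line):
        if ip in feed["ip"]:
            hits.append(Hit("ip", ip, line_no))
    for dom in DOMAIN_RE.findall(line):
        d = normalize_domain(dom)
        # Match the listed domain itself or any subdomain of it.
        for known in feed["domain"]:
            if d == known or d.endswith("." + known):
                hits.append(Hit("domain", known, line_no))
    for h in MD5_RE.findall(line):
        if h.lower() in feed["md5"]:
            hits.append(Hit("md5", h.lower(), line_no))
    return hits

def scan(lines, feed=FEED):
    """Run every log line through the feed and return all hits in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(match_line(line, n, feed))
    return hits

# Constructed sample log lines (proxy, firewall, endpoint) for the demo.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z proxy user=alice dst=www.bad-example.invalid:443 action=allow",
    "2024-01-01T10:00:05Z fw src=10.0.0.5 dst=203.0.113.45 dport=8443 action=allow",
    "2024-01-01T10:00:09Z edr host=ws12 file=setup.exe md5=D41D8CD98F00B204E9800998ECF8427E",
    "2024-01-01T10:00:12Z proxy user=bob dst=www.example.org:443 action=allow",
]
```

Running `scan(SAMPLE_LOGS)` yields one hit per indicator type on the first three lines and none on the fourth; a real SIEM would also attach the feed's source and confidence to each hit so the alert can be prioritized.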
With an integrated, cross-correlated and prioritized view into network, server, application and user logs, AccelOps simplifies the collection of information that impacts your business. AccelOps supports cross-domain patterns, nested patterns and time-based operators to codify and detect sophisticated threats, including custom defined threat intelligence sources for both real-time alerting and forensic analysis.
Want to talk about how we can help you secure your network? Contact us; we’re here to help.