13/09/2014

Unified Security Management and Open Threat Exchange
Richard Kirk, Senior Vice President
11 September 2014

Agenda
- A quick intro to AlienVault Unified Security Management (USM)
- Overview of the AlienVault Open Threat Exchange (OTX)
- How threat intelligence is gathered and vetted
- Examples of the types of threats you can identify with OTX
- How to use the threat data provided by OTX free services
- Questions?
Cost of Cybercrime Continues to Climb
Source: 2013 Cost of Cyber Crime Study: United States, Ponemon Institute, October 2013

66% of Breaches Go Undiscovered for Months
Source: Verizon 2013 Data Breach Investigations Report
Who We Are
AlienVault is the leading provider of Unified Security Management and crowd-sourced threat intelligence technology required to detect and act on today's advanced cyber threats.
Built by Security Practitioners, For Security Practitioners

Company timeline (1996, 2001-2002, 2003-2005, 2007, 2010, 2011, 2012, 2013), milestones as listed on the slide:
- Establishes MSSP in Spain, assembles top team of ethical hackers
- MSSP analysts overwhelmed with data
- OSSIM is battle-tested in MSSP operations
- Invents the concept of USM
- OSSIM unchallenged as the de-facto standard Open Source SIEM
- Sales expanded in 40 countries
- AlienVault founded to support key customers: EADS, Spanish Govt, and Telefonica
- Founders move to Silicon Valley
- OSSIM downloads top 160,000
- Sales double
- Trident Capital discovers a diamond in the rough
- Headquarters move to US
- $22.4M Series C; KPCB lead
- OTX launched in Feb.
- USM 4.0 & 4.1
- $30M Series D; GGV Capital lead
- Virtual appliance & USM free trial launched April
- OTX expands to 8k+ contributors, >140 countries
- USM 4.4
The AlienVault Approach
Five capability areas, built up in layers:

Asset Discovery
- Active Network Scanning
- Passive Network Scanning
- Asset Inventory
- Host-based Software Inventory

Vulnerability Assessment
- Network Vulnerability Testing
- Remediation Verification

Threat Detection
- Network IDS
- Host IDS
- Wireless IDS
- File Integrity Monitoring

Behavioral Monitoring
- Log Collection
- Netflow Analysis
- Service Availability Monitoring

Security Intelligence
- SIEM Event Correlation
- Incident Response
What You Can Achieve with USM
AlienVault Labs Threat Intelligence: coordinated analysis, actionable guidance.
Weekly updates to coordinated rule sets:
- Network IDS
- Host IDS
- Asset discovery / inventory database
- Vulnerability database
- Event correlation
- Report modules and templates
- Incident response templates / how-to guidance for each alarm
- Plug-ins to accommodate new data sources
Three Components, Three Form Factors
- AlienVault Server to aggregate data and manage the deployment
- AlienVault Logger for long-term storage and reporting
- AlienVault Sensor to collect data from the infrastructure
- AlienVault All-in-One to collect, aggregate, and store data as well as manage
Form factors: Physical Appliance, Virtual Appliance, AMI

Unified Monitoring, Prescriptive Guidance and Preventative Response
- AlienVault USM delivers unified and coordinated security monitoring for incident response and compliance management.
- AlienVault Labs provides coordinated intelligence and analysis of the latest threats, and prescriptive guidance on how to respond.
- AlienVault Open Threat Exchange offers real-time insights on incidents affecting others that may impact you, so you can deploy a preventative response.
Open Threat Exchange: Crowd-Sourced Security Intelligence
What is OTX?
Traditional Response
Diagram: one attack reaches First Street Credit Union, Zeta Insurance Group, John Smith Auto Nation, Regional Pacific Telecom and Marginal Food Products in turn, and each organization has to detect and respond on its own.

OTX Enables Preventative Response through an automated, real-time threat exchange framework.
A Real-Time Threat Exchange Framework
Diagram: the same attack hits First Street Credit Union, which detects it and shares it through the Open Threat Exchange; Zeta Insurance Group, John Smith Auto Nation, Regional Pacific Telecom and Marginal Food Products receive the threat data from OTX.

OTX: Enabling Preventative Response
- Automated and anonymized sharing of threat data
- Provides the advantage to the defender
- Benefit from the incidents and response strategies of other contributing members
OTX in Action
- Continuous updates: updates provided every 30 minutes; 200,000-350,000 validated malicious IPs at any point
- Active and open threat sharing: since March 2012, OSSIM & USM users have flagged 196 million events as malicious, an average of ~11 million a month (365,000 a day)
- Effective against targeted attacks: 20% of live APT1 domains were in OTX at the time of the Mandiant report; 218 domains were live at the time of the report (the rest were added later the same day), and 44 IPs were found in OTX

Benefits of Open Threat Exchange
- Shifts the advantage from the attacker to the defender
- Open and free to everyone
- Each member benefits from the incidents of all other members
- Automated sharing of threat data protects others in the network with preventative response measures
How does AlienVault OTX Work?
Crowd-sourced threat data sources, all passing through the Validation Engine before entering OTX:
- OSSIM and USM sites: 8,000 collection points in 140+ countries, contributing built-in IDS signature hits and normalized event logs from firewalls, content filters, IPS/IDS, proxies, network devices, web servers and other sources
- Web Crawler
- AlienVault Labs Malware Analysis Sandbox
- External Feeds
Security Research Community Shared Data
- 50+ external threat sources feed the Validation Engine alongside OSSIM/USM, the Web Crawler and the AlienVault Labs Malware Analysis Sandbox
- Indicator types shared: IP addresses, domain names, URLs, malware samples

URL & Malware Analysis
- 500,000 samples analyzed per day
- Analysis generates threat data: additional samples, URLs, domain names
Threat Types Detected
- Malware Domain: distributing malware or hosting exploit code
- Malware IP: instrumental in malware, including malicious redirection
- Command and Control: sending command and control instructions to malware or a botnet
- Scanning Host: observed repeatedly scanning or probing remote systems
- APT: observed to be actively involved in an APT campaign
- Spamming Host: actively propagating or instrumental in the distribution of spam
- Malicious Host: engaged in malicious but uncharacterized activity

OTX Threat Data Produced
Updates provided every 30 minutes; 200,000-350,000 validated malicious IPs at any point. Sample entries (IP, categories separated by ";", then country, city, latitude, longitude):
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
122.225.118.66 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
211.87.176.197 # Scanning Host CN,,35.0,105.0
95.163.107.201 # Spamming RU,,60.0,100.0
188.138.110.48 # Malicious Host;Scanning Host DE,,51.0,9.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
174.120.172.125 # Malware IP US,Houston,29.7523002625,-95.3669967651
210.148.165.67 # Malware IP JP,,36.0,138.0
75.75.253.84 # Spamming US,Henderson,36.0312004089,-115.073898315
Verification Engine: Scoring and Analysis
- Confirmation by other sources
- Voting based on known abuse patterns
- White-listing known sources of false positives

Verification Engine: Data Expiry
- Contributed data: expires after 30 days
- Scanning: expires after 30 days without additional evidence
- Malware: validate ongoing hosting
- Web-based threats: confirm ongoing activity
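The feed format from the previous slide and the expiry rules above, worked through in code. This is an added example, not AlienVault's parser or any part of OTX itself. It assumes the one-line-per-IP shape shown on the slide; because that line carries no dates, the days since last evidence are kept in a side table a local collector would maintain (an assumption); it reuses the 30-day window as the trigger for re-validating malware and C2 entries, which the slide does not give a period for; and the log lines it checks are constructed iptables-style syslog records.

```python
"""Parse OTX reputation-style lines, age out stale indicators, and match
firewall log lines against what remains.

Added example, not AlienVault code. Assumptions:
  - feed line shape as shown on the slide:
        <ip> # <Category>[;<Category>...] <CC>,<City>,<lat>,<lon>
  - that shape carries no timestamps, so days-since-evidence come from a
    side table the local collector keeps (assumption, see run());
  - iptables-style syslog lines as the traffic to check (constructed).
"""
from dataclasses import dataclass
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FEED_RE = re.compile(
    r"^(?P<ip>" + IPV4 + r")\s*#\s*"
    r"(?P<cats>[^,]+?)\s+(?P<cc>[A-Z]{2}),(?P<city>[^,]*),"
    r"(?P<lat>-?\d+(?:\.\d+)?),(?P<lon>-?\d+(?:\.\d+)?)\s*$"
)
LOG_RE = re.compile(r"\bSRC=(?P<src>" + IPV4 + r")\s+DST=(?P<dst>" + IPV4 + r")\b")


@dataclass(frozen=True)
class Indicator:
    ip: str
    categories: frozenset
    country: str
    city: str
    lat: float
    lon: float


def parse_feed(text):
    """Return {ip: Indicator}. Comment lines and malformed lines are skipped
    rather than raising: a downloaded feed is untrusted input."""
    indicators = {}
    for raw in text.splitlines():
        m = FEED_RE.match(raw.strip())
        if not m:
            continue
        cats = frozenset(c.strip() for c in m["cats"].split(";") if c.strip())
        indicators[m["ip"]] = Indicator(
            m["ip"], cats, m["cc"], m["city"], float(m["lat"]), float(m["lon"])
        )
    return indicators


# Expiry policy from the slide: contributed and scanning data age out after
# 30 days without fresh evidence; malware/C2 entries are re-validated instead.
# Reusing the 30-day window as the re-validation trigger is this example's
# assumption, not a stated OTX rule.
REVALIDATE = frozenset({"Malware IP", "Malware Domain", "Command and Control"})


def indicator_state(ind, days_since_evidence, max_age_days=30):
    """'active', 'expired' (aged out) or 'revalidate' (check ongoing hosting)."""
    if days_since_evidence <= max_age_days:
        return "active"
    return "revalidate" if ind.categories & REVALIDATE else "expired"


def match_logs(log_lines, indicators):
    """Return (line_no, field, Indicator) for each SRC or DST found in the feed.
    A SRC hit is a listed host talking to us (scanning, spam); a DST hit is an
    internal host reaching out to a listed address (malware download, C2) and
    deserves the faster response."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("src", "dst"):
            ind = indicators.get(m[field])
            if ind is not None:
                hits.append((n, field, ind))
    return hits


# Constructed sample of the feed format, including lines a parser must skip.
SAMPLE_FEED = """\
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
95.163.107.201 # Spamming RU,,60.0,100.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
# a comment line
garbage that is not a feed entry
"""

# Constructed iptables-style log lines: an inbound probe from a listed scanner,
# an outbound connection to a listed malware IP, and a benign DNS reply.
SAMPLE_LOGS = [
    "Sep 11 10:02:11 fw kernel: IN=eth0 OUT= SRC=122.225.118.219 DST=10.0.0.5 PROTO=TCP SPT=4444 DPT=22",
    "Sep 11 10:02:12 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=72.167.131.220 PROTO=TCP SPT=51234 DPT=80",
    "Sep 11 10:02:13 fw kernel: IN=eth0 OUT= SRC=8.8.8.8 DST=10.0.0.5 PROTO=UDP SPT=53 DPT=41022",
]


def run():
    """Parse the feed, drop expired entries, match the logs.
    Returns (live_indicators, hits)."""
    feed = parse_feed(SAMPLE_FEED)
    # Side table of days since last evidence (assumption; not in the feed line).
    age_days = {ip: 5 for ip in feed}
    age_days["95.163.107.201"] = 45  # stale spam entry, aged out below
    live = {ip: ind for ip, ind in feed.items()
            if indicator_state(ind, age_days[ip]) != "expired"}
    return live, match_logs(SAMPLE_LOGS, live)


if __name__ == "__main__":
    for n, field, ind in run()[1]:
        cats = "; ".join(sorted(ind.categories))
        print(f"line {n}: {field.upper()} {ind.ip} is {cats} ({ind.country})")
```

Entries in the "revalidate" state are kept in the live set on purpose: a malware host that has gone quiet for a month is a candidate for a hosting check, not for silent removal, which is the distinction the expiry rules draw between scanning data and malware data.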
Free Tools
- Reputation Monitor: external view of IPs. Are you targeted?
- ThreatFinder: internal view of IPs. Are you compromised?
- OSSIM: world's most widely used open source SIEM product

OTX + AlienVault Labs Threat Intelligence: Powered by Open Collaboration
AlienVault USM in Action
- Step 1: Immediately identify known malicious IPs targeting your network.
- Step 2: Dig deeper by clicking on the bad IP to continue the investigation (screenshots: "Dig deeper on bad IP addresses"; "Share and review comments on active threats").
- Step 3: Follow step-by-step guidance in responding to the threat.
- Step 4: Review all other events that triggered this alarm.
- Step 5: Review vulnerabilities on assets that are being targeted in active threats.
- Step 6: Open a ticket to assign tasks to team members for follow-up and remediation.
- Optional step: Provide contextual feedback to OTX so others can avoid becoming targets of the same threat.
Thank You
@AlienVault | alienvault.com | #AlienSec