Unified Security Management and Open Threat Exchange


Transcription:

13/09/2014

Slide 1: Unified Security Management and Open Threat Exchange
Richard Kirk, Senior Vice President, 11 September 2014

Agenda
- A quick intro to AlienVault Unified Security Management (USM)
- Overview of the AlienVault Open Threat Exchange (OTX)
- How threat intelligence is gathered and vetted
- Examples of the types of threats you can identify with OTX
- How to use the threat data provided by OTX free services
- Questions?

Slide 2: Cost of Cybercrime Continues to Climb
Source: 2013 Cost of Cyber Crime Study: United States, Ponemon Institute, October 2013.
66% of breaches go undiscovered for months. Source: Verizon 2013 Data Breach Investigations Report.

Slide 3: Who We Are
AlienVault is the leading provider of Unified Security Management and crowd-sourced threat intelligence technology required to detect and act on today's advanced cyber threats. Built by security practitioners, for security practitioners.

Company timeline. Year markers on the slide: 1996, 2001-2002, 2003-2005, 2007, 2010, 2011, 2012, 2013. The milestones below are given in the order they appear on the slide (two timeline rows), not aligned to individual years:
- Establishes MSSP in Spain, assembles top team of ethical hackers
- OSSIM is battle-tested in MSSP operations
- Sales expanded in 40 countries
- Founders move to Silicon Valley
- $22.4M Series C; KPCB lead
- OTX launched in Feb.
- USM 4.0 & 4.1
- MSSP analysts overwhelmed with data
- Invents the concept of USM
- OSSIM unchallenged as the de-facto standard open source SIEM
- AlienVault founded to support key customers: EADS, Spanish Govt, and Telefonica
- OSSIM downloads top 160,000
- Sales double
- Trident Capital discovers a diamond in the rough
- Headquarters move to US
- $30M Series D; GGV Capital lead
- Virtual appliance & USM free trial launched April
- OTX expands to 8k+ contributors, >140 countries
- USM 4.4

Slides 4-6: The AlienVault Approach (built up across three slides; the five capability areas and their components)
- Asset Discovery: active network scanning, passive network scanning, asset inventory, host-based software inventory
- Vulnerability Assessment: network vulnerability testing, remediation verification
- Threat Detection: network IDS, host IDS, wireless IDS, file integrity monitoring
- Behavioral Monitoring: log collection, NetFlow analysis, service availability monitoring
- Security Intelligence: SIEM event correlation, incident response

Slide 7: What You Can Achieve with USM
AlienVault Labs Threat Intelligence: coordinated analysis, actionable guidance. Weekly updates to coordinated rule sets:
- Network IDS
- Host IDS
- Asset discovery / inventory database
- Vulnerability database
- Event correlation
- Report modules and templates
- Incident response templates / how-to guidance for each alarm
- Plug-ins to accommodate new data sources

Slide 8: Three Components, Three Form Factors
- AlienVault Server: aggregates data and manages the deployment
- AlienVault Logger: long-term storage and reporting
- AlienVault Sensor: collects data from the infrastructure
- AlienVault All-in-One: collects, aggregates and stores data, and manages the deployment
Form factors: physical appliance, virtual appliance, AMI.

Unified Monitoring, Prescriptive Guidance and Preventative Response
- AlienVault USM delivers unified and coordinated security monitoring for incident response and compliance management.
- AlienVault Labs provides coordinated intelligence and analysis of the latest threats, and prescriptive guidance on how to respond.
- AlienVault Open Threat Exchange offers real-time insights on incidents affecting others that may impact you, so you can deploy a preventative response.

Slide 9: Open Threat Exchange: Crowd-Sourced Security Intelligence. What is OTX?

Slide 10: Traditional Response
The same attack hits First Street Credit Union, Zeta Insurance Group, John Smith Auto Nation, Regional Pacific Telecom and Marginal Food Products in turn; each organization has to detect and respond on its own.
OTX enables preventative response through an automated, real-time threat exchange framework.

Slide 11: A Real-Time Threat Exchange Framework
The same five organizations (First Street Credit Union, Zeta Insurance Group, John Smith Auto Nation, Regional Pacific Telecom, Marginal Food Products) face the attack, but it is detected once and the detection is shared with the others through Open Threat Exchange.

OTX: Enabling Preventative Response
- Automated and anonymized sharing of threat data
- Provides the advantage to the defender
- Benefit from the incidents and response strategies of other contributing members

Slide 12: OTX in Action
- Continuous updates: updates provided every 30 minutes; 200,000-350,000 validated malicious IPs at any point
- Active and open threat sharing: since March 2012, OSSIM & USM users have flagged 196 million events as malicious, an average of ~11 million a month (365,000 a day)
- Effective against targeted attacks: 20% of live APT1 domains were in OTX at the time of the Mandiant report; 218 domains were live at the time of the report (the rest were added later the same day), and 44 IPs were found in OTX

Benefits of Open Threat Exchange
- Shifts the advantage from the attacker to the defender
- Open and free to everyone
- Each member benefits from the incidents of all other members
- Automated sharing of threat data protects others in the network with preventative response measures

Slide 13: How does AlienVault OTX Work?
Crowd-sourced threat data sources feeding OTX: web crawler, OSSIM and USM sites, AlienVault Labs malware analysis sandbox, and external feeds. All data passes through the validation engine before it enters OTX.
OSSIM and USM contribute from 8,000 collection points in 140+ countries: threat data from built-in IDS signatures and normalized event logs (firewalls, content filters, IPS/IDS, proxies, network devices, web servers, other).

Slide 14: Security Research Community Shared Data
- External feeds: 50+ external threat sources contribute IP addresses, domain names, URLs and malware samples, which pass through the validation engine.
- URL & malware analysis: the AlienVault Labs malware analysis sandbox analyzes 500,000 samples per day; the analysis generates threat data plus additional samples, URLs and domain names.

Slide 15: Threat Types Detected
- Malware Domain: distributing malware or hosting exploit code
- Malware IP: instrumental in malware, including malicious redirection
- Command and Control: sending command and control instructions to malware or a botnet
- Scanning Host: observed repeatedly scanning or probing remote systems
- APT: observed to be actively involved in an APT campaign
- Spamming Host: actively propagating or instrumental in the distribution of spam
- Malicious Host: engaged in malicious but uncharacterized activity

OTX Threat Data Produced
Updates provided every 30 minutes; 200,000-350,000 validated malicious IPs at any point. Sample of the reputation data as shown on the slide (one record per line: IP, "#", threat type(s) separated by ";", then country code, city, latitude, longitude):
  122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
  122.225.118.66 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
  188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
  211.87.176.197 # Scanning Host CN,,35.0,105.0
  95.163.107.201 # Spamming RU,,60.0,100.0
  188.138.110.48 # Malicious Host;Scanning Host DE,,51.0,9.0
  72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
  174.120.172.125 # Malware IP US,Houston,29.7523002625,-95.3669967651
  210.148.165.67 # Malware IP JP,,36.0,138.0
  75.75.253.84 # Spamming US,Henderson,36.0312004089,-115.073898315

Slide 16: Verification Engine
Scoring and analysis:
- Confirmation by other sources
- Voting based on known abuse patterns
- White-listing known sources of false positives
Data expiry:
- Contributed data: expires after 30 days
- Scanning: expires after 30 days without additional evidence
- Malware: validate ongoing hosting
- Web-based threats: confirm ongoing activity

Slide 17: Free Tools
- Reputation Monitor: external view of IPs. Are you targeted?
- ThreatFinder: internal view of IPs. Are you compromised?
- OSSIM: world's most widely used open source SIEM product
OTX + AlienVault Labs Threat Intelligence: powered by open collaboration.
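The reputation records shown above and the external/internal split behind Reputation Monitor and ThreatFinder can be exercised together: parse the per-line records into a lookup table, then run firewall log lines against it, flagging a listed source as "targeted" and a listed destination as a possible compromise. This is an added example, not AlienVault's code; the record layout is inferred from the sample lines on the slide, and the iptables-style log lines and the internal 10.0.0.0/8 range are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the OTX reputation records shown on the slide:
# "<ip> # <type>[;<type>...] <country>,<city>,<lat>,<lon>" (city may be empty).
SAMPLE_FEED = """\
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
95.163.107.201 # Spamming RU,,60.0,100.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
"""
# Constructed iptables-style firewall log lines; 10.0.0.0/8 is the internal network.
SAMPLE_LOGS = [
    "Sep 11 10:02:13 fw1 kernel: DROP IN=eth0 SRC=122.225.118.219 DST=10.0.0.5 DPT=22",
    "Sep 11 10:02:40 fw1 kernel: ACCEPT IN=eth1 SRC=10.0.0.23 DST=72.167.131.220 DPT=80",
]

FEED_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) # (?P<types>.+?) "
    r"(?P<cc>[A-Z]{2}),(?P<city>[^,]*),(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+)$")
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)")

@dataclass
class ReputationEntry:
    ip: str
    threat_types: list[str]  # one IP may carry several types, ';'-separated in the feed
    country: str
    city: str
    geo: tuple[float, float]  # (latitude, longitude)

def parse_feed(text: str) -> dict[str, ReputationEntry]:
    """Build an IP-keyed lookup table from reputation lines, skipping malformed ones."""
    table = {}
    for line in text.splitlines():
        m = FEED_RE.match(line.strip())
        if m:
            table[m["ip"]] = ReputationEntry(m["ip"], m["types"].split(";"), m["cc"],
                                             m["city"], (float(m["lat"]), float(m["lon"])))
    return table

def match_logs(table: dict[str, ReputationEntry], logs: list[str]) -> list[tuple]:
    """(verdict, ip, threat_types) per hit: a listed SRC means an outside host is hitting
    you (external view); a listed DST means an internal host reached out (internal view)."""
    hits = []
    for line in logs:
        m = LOG_RE.search(line)
        if m and m["src"] in table:
            hits.append(("targeted", m["src"], table[m["src"]].threat_types))
        if m and m["dst"] in table:
            hits.append(("possible-compromise", m["dst"], table[m["dst"]].threat_types))
    return hits
```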

Slides 18-21: AlienVault USM in Action
Step 1: Immediately identify known malicious IPs targeting your network.
Step 2: Dig deeper by clicking on the bad IP to continue the investigation (dig deeper on bad IP addresses; share and review comments on active threats).
Step 3: Follow step-by-step guidance in responding to the threat.
Step 4: Review all other events that triggered this alarm.
Step 5: Review vulnerabilities on assets that are being targeted in active threats.
Step 6: Open a ticket to assign tasks to team members for follow-up and remediation.
Optional step: Provide contextual feedback to OTX so others can avoid becoming targets of the same threat.

Slide 22: Thank You. @AlienVault, alienvault.com, #AlienSec