Analyzing event log data by itself is valuable, but if you can bring additional, non-event data into your SIEM and correlate it with events you can do so much more. One type of such data that isn't event based but belongs in your SIEM is tactical threat feeds. Just think how valuable it would be when analyzing events to instantly know that a given IP address had been identified as a botnet command and control server.
There's been an explosion of free and fee based feeds of threat data. Most threat feeds are lists of domain names, IP addresses and URLs that various entities have classified as malicious or at least suspicious according to different methods and criteria.
In the free open source community, there are very specific threat feeds devoted to specific botnets and malware networks. For starters there are the famous ZeuS Tracker and SpyEye Tracker lists from abuse.ch - The Swiss Security Blog. Then there are the daily updated lists from SRI International's Malware Threat Center. And Malware Patrol provides hourly updated feeds of malware URLs and CryptoLocker domains.
And there are proprietary feeds from many different security companies. These companies and organizations use a variety of ways to collect their data from networks of honeypots to networks of malware sandboxes.
The traditional way to consume these feeds is to automatically update firewall and proxy policies to block traffic with suspicious systems. But false positives do happen and can create a variety of communication and end-user problems. Other organizations use these feeds in their IDS solutions for identifying suspicious traffic, but you may need a team of network security engineers to chase down rabbit holes.
In this webinar we will explore how to correlate this information with other security and audit log events in your SIEM to make security monitoring more intelligent, giving you an improved intelligence-driven security defensive posture and reducing the number of false positive incidents you have to track down.
I will show you what these threat intelligence feeds actually look like and how to obtain them, and we'll explore their format and how they are commonly integrated. We'll also discuss how to compare threat feeds, which is useful when choosing from data that range from community produced free content to expensive proprietary products. My colleague Anton Chuvakin pointed out in a recent article on threat feeds that it takes actual operational usage to find the best feeds. I think this speaks to being able to use multiple feeds and easily see how many of your similar feeds flag the same traffic. It's also important to have some kind of record keeping so that you can see over time which feeds helped you actually find malicious activity and which create more work than they are worth.
But more important are practical ways to correlate threat data with all the log data collected by your SIEM. LogRhythm has agreed to sponsor this webinar and we are going to show you some pretty cool scenarios. LogRhythm is an especially good fit for this topic because their recent enhancements really emphasize the need to prefer corroborating evidence from more than one event source before putting alerts up on a dashboard, so that security analysts can spend less time chasing down rabbit holes that just turn out to be benign anomalies. Plus, by normalizing all log data against a common schema it's easy to search across every log source and unique format for domain names and IP addresses for comparison against threat feeds.
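To make the two ideas above concrete (normalizing different log formats to a common schema and matching them against several feeds, then keeping score of which feeds earn their keep), here is an added example that is not code from the webinar or from LogRhythm. The feed names, feed contents, log lines and the fw/proxy formats are all constructed for illustration; the addresses come from the documentation ranges.

```python
from collections import defaultdict
import re
# Constructed sample feeds (hypothetical names, documentation-range addresses).
FEEDS = {
    "feed_a": {"198.51.100.23", "bad.example.net"},
    "feed_b": {"198.51.100.23", "203.0.113.7"},
    "feed_c": {"bad.example.net"},
}
# Constructed log lines from two sources with different native formats.
SAMPLE_LOGS = [
    "proxy: user=alice dst_host=bad.example.net action=allow",
    "fw: SRC=10.0.0.5 DST=198.51.100.23 DPT=443 ACTION=ACCEPT",
    "fw: SRC=10.0.0.9 DST=192.0.2.10 DPT=80 ACTION=ACCEPT",
]
# Per-source extractors: the "common schema" step, one regex per log format.
EXTRACTORS = {"fw": re.compile(r"DST=(\S+)"),
              "proxy": re.compile(r"dst_host=([\w.-]+)")}

def normalize(line):
    """Map a raw line to (source, [destination indicators])."""
    source, _, body = line.partition(": ")
    rx = EXTRACTORS.get(source)
    return source, (rx.findall(body) if rx else [])

def build_index(feeds):
    """Invert the feeds so each indicator maps to the set of feeds listing it."""
    index = defaultdict(set)
    for name, indicators in feeds.items():
        for ind in indicators:
            index[ind].add(name)
    return index

def correlate(log_lines, feeds, min_feeds=1):
    """Return (line, indicator, feed names) for every indicator in the logs that
    at least min_feeds feeds list; raising min_feeds demands corroboration."""
    index, hits = build_index(feeds), []
    for line in log_lines:
        for ind in normalize(line)[1]:
            names = sorted(index.get(ind, ()))
            if len(names) >= min_feeds:
                hits.append((line, ind, names))
    return hits

def feed_scorecard(hits, verdicts):
    """Tally analyst verdicts (indicator -> True if confirmed malicious) per
    feed, so you can see over time which feeds find real activity."""
    score = defaultdict(lambda: {"confirmed": 0, "benign": 0})
    for _, ind, names in hits:
        for name in names:
            if ind in verdicts:
                score[name]["confirmed" if verdicts[ind] else "benign"] += 1
    return dict(score)
```

Running `correlate(SAMPLE_LOGS, FEEDS, min_feeds=2)` keeps only indicators that two feeds agree on, which is the corroboration step that keeps single-feed noise off the dashboard.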
Don't miss this real training for free ™. Please register now!