Empower your security analysts with SIEM Threat Intelligence
The key to advanced threat detection is to understand your vulnerabilities and to have adequate experience and intelligence to mitigate threats. While indicators of real risk are often difficult to identify and preparing for each and every new threat is impossible, making the best use of the available intelligence sources will help your organisation to prioritise threats and broaden your armoury should it come down to an attack.
Threat intelligence automation, one aspect of a holistic cybersecurity strategy, helps you comprehend risks related to the most common and severe external threats, such as zero-day threats, advanced persistent threats and exploits. It enables you to collect and analyze data on the latest threats from a wide range of sources. Threat intelligence information from security vendors, intelligence groups and connections to your own network helps you fend off attacks by initiating security activities to stop malicious behavior and avoid incidents.
We strongly believe that Threat Intelligence automation is an aspect of cybersecurity that no-one in charge of a network can afford to ignore. Its role in network defense is now proven, and the threat data collected has an indisputable value for organizations. In effect, this data gives decision-makers a reliable basis for confirming the benefits and consequences of their decisions.
Being proactive is key
Real-time feeds combine intelligence and previous experience from other organizations into a single source providing your team with contextual information to make better informed strategic choices and therefore mitigate attacks.
However, identifying a threat within large volumes of collected information can be like finding a needle in a haystack. You may find yourself asking:
- What am I looking for?
- How can I differentiate normal and malicious activity that might signal an attack?
The reason why some regard the integration of SIEM and TI as a double-edged sword lies in the lack of calibration. At LogPoint, we believe that it’s not the volume of information but the right implementation that leads to results.
While ongoing analysis of enterprise log data alone is valuable, next-gen protection against advanced threats is only possible by comparing your internal data with the relevant indicators of compromise. By tuning your internal data to the threats your sector is most exposed to, LogPoint SIEM integrated with TI feeds creates a highly focused solution that extracts the most insight from your enterprise log data for maximum efficiency.
Integration of SIEM and Threat Intelligence brings customers even faster threat correlation and management to enhance their ability to monitor, manage and remediate cyberthreats. Leveraging LogPoint’s architecture, organizations can now benefit from an accelerated ability to correlate multiple threat indicators generated inside their perimeter with external threat IOCs.
We not only enable your security team to be proactive when it comes to defending your critical assets but also help you to achieve full situational awareness so you will always know:
- whether you have been attacked, and when
- whether a new potential attack is on the rise
- who the target within your organisation is, and why
- which vulnerabilities the attackers are planning to exploit
Threat Intelligence powered by LogPoint SIEM
The LogPoint SIEM Threat Intelligence Application offers a simple and efficient advanced threat intelligence platform to identify emerging threats within your infrastructure, integrating with more than 100 threat intelligence feeds. Leveraging LogPoint’s single taxonomy, the data is converted into a “common language” format, then LogPoint compares it with your enterprise log data.
In this way, analysts can automate event interrogation, screening hundreds of thousands of indicators of compromise to evaluate the data against known attacks. Effective protection of organizational infrastructure necessarily relies on knowledge of the characteristic techniques of a threat, so that data on that attack methodology or other proof of compromise can be identified and collected.
With LogPoint, the sharing of this information happens at an unparalleled, near real-time speed. Obtaining the analysis of useful information that allows diverse threats to be countered is always the more complex challenge, taking into account the permanent evolution of risk and methods of attack.
LogPoint not only screens hundreds of thousands of indicators of compromise to alert you about known attacks but also proactively prompts action, such as blocking known bad IP addresses should an alert for a potential threat be raised.
A flexible platform to fit your organization’s needs
Threat Intelligence automation in LogPoint provides the ability to generate alerts irrespective of the data structure, taxonomy and semantics. With LogPoint SIEM Threat Intelligence, you can benefit from a wide selection of commercial, community-driven and open source Threat Intelligence tools, or feeds, such as Emerging Threats or Critical Stack, and STIX/TAXII compliant providers. We also support the CSV format for Threat Intelligence feeds. In this way, you gain real-time, cross-platform insight into potential threats so your security team can effectively eliminate false positives and focus on uncovering advanced threats. Even better, should a feed you need be missing, it can be custom built.
Difficulty in defining correct cybersecurity risk posture.
Based on the unique taxonomy for threat indicator scores, analysts can benefit from fully automated incident response mechanisms using queries for numerical comparison. Further, they can understand the geographical distribution of the attack sources.
Alert queries can be defined based on the scores for threat indicators, on risk values/functions, and also on the country of origin for each of these alerts. With this threat intelligence automation, we empower your security team to make better-informed strategic choices, leading to more effective incident response and remediation than ever.
norm_id=* | process ti(destination_address) | search cs_score>80 | process geoip(destination_address) as country | chart count() by country order by count() desc
Historical analysis is not possible.
By using both static and dynamic enrichment, analysts can benefit from a unique set of options and make the best use of threat intelligence in LogPoint.
By statically enriching any threat indicator (IP address or domain name), your analysts get an instant overview of potential risks. In LogPoint SIEM Threat Intelligence, risk is always explained by a number of enriched key-value pairs, such as category and risk score. These key-value pairs are then indexed and stored on disk until cleared by the retention policy.
Threat sources cannot always be detected in near real time, which can lead to serious attacks going undetected. To avoid such scenarios, dynamic enrichment in LogPoint enables analysts to retrospectively investigate attacks and thus uncover hard-to-spot indicators.
Static: without using the “process ti()” command
norm_id=* source_address IN HOMENET | chart count() by cs_category, cs_score, source_address, destination_address
Dynamic: using the “process ti()” command
norm_id=* | process ti(destination_address)
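The difference between the two enrichment modes, and the score/country alert query shown earlier, as an added worked example in Python that is not part of the original page and not LogPoint's product code. The CSV feed rows, the log events and the GeoIP table are constructed sample data, and the function names are assumptions of this example; only the field names (cs_category, cs_score, source_address, destination_address) follow the page's taxonomy. Static enrichment runs once at ingest and is stored with the event, so an indicator published after ingest never reaches those stored events; dynamic enrichment joins against the current feed at search time, which is what makes retrospective investigation possible.

```python
"""Static vs dynamic threat-intelligence enrichment, plus a score/country alert.

Added illustration, not LogPoint code. The feed rows, log events and GeoIP table
are constructed sample data; field names mirror the page's taxonomy and the query
`process ti() | search cs_score>80 | process geoip() | chart count() by country`.
"""
import csv
import io
from collections import Counter

# Constructed CSV feed in the shape the page says LogPoint accepts (CSV feeds).
FEED_V1 = """indicator,category,score
203.0.113.7,c2,95
198.51.100.23,scanner,40
bad.example,phishing,88
"""
# A later pull of the same feed: one indicator was published after our events were ingested.
FEED_V2 = FEED_V1 + "192.0.2.77,malware,91\n"

# Constructed GeoIP table standing in for `process geoip()`.
GEOIP = {"203.0.113.7": "NL", "198.51.100.23": "US", "192.0.2.77": "DE"}

# Constructed log events; `norm_id=*` in the page's query means any normalised source.
EVENTS = [
    {"norm_id": "Firewall", "source_address": "10.0.0.5", "destination_address": "203.0.113.7"},
    {"norm_id": "Firewall", "source_address": "10.0.0.6", "destination_address": "198.51.100.23"},
    {"norm_id": "Proxy",    "source_address": "10.0.0.7", "destination_address": "192.0.2.77"},
    {"norm_id": "Proxy",    "source_address": "10.0.0.8", "destination_address": "93.184.216.34"},
]


def load_feed(csv_text):
    """Parse a CSV feed into {indicator: {"cs_category": ..., "cs_score": ...}}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row["indicator"]] = {"cs_category": row["category"], "cs_score": int(row["score"])}
    return table


def enrich(event, field, ti_table):
    """Attach the cs_* key-value pairs to an event when `field` matches an indicator."""
    hit = ti_table.get(event.get(field))
    return {**event, **hit} if hit else dict(event)


def static_enrich_at_ingest(events, ti_table):
    """Static mode: enrichment happens once at ingest and is stored with the event."""
    return [enrich(e, "destination_address", ti_table) for e in events]


def dynamic_enrich_at_query(stored_events, ti_table):
    """Dynamic mode (`process ti()`): the join runs at search time against the
    current feed, so a retrospective search also matches indicators added later."""
    return [enrich(e, "destination_address", ti_table) for e in stored_events]


def alert_by_country(enriched, min_score=80):
    """`search cs_score>80 | process geoip() | chart count() by country order by count() desc`."""
    counts = Counter(GEOIP.get(e["destination_address"], "??")
                     for e in enriched if e.get("cs_score", 0) > min_score)
    return sorted(counts.items(), key=lambda kv: -kv[1])


def demo():
    stored = static_enrich_at_ingest(EVENTS, load_feed(FEED_V1))   # ingested against feed v1
    static_hits = sum("cs_score" in e for e in stored)              # 2 matches at ingest time
    dynamic = dynamic_enrich_at_query(stored, load_feed(FEED_V2))  # searched against feed v2
    dynamic_hits = sum("cs_score" in e for e in dynamic)            # 3: the late indicator is found
    return static_hits, dynamic_hits, alert_by_country(dynamic)


if __name__ == "__main__":
    print(demo())
```

Only the high-score hits reach the country chart: the scanner indicator (score 40) is enriched but filtered out by the `cs_score>80` step, while the indicator published after ingest shows up only through the dynamic join.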
+1 STIX/TAXII support
STIX/TAXII uses a RESTful API with a specific definition of services and messages for data exchange. LogPoint consumes the STIX 1.x feed in JSON format by making API requests to the STIX/TAXII server.
- url: complete host name of the feed server
- user name: identification for accessing the feed
- password: password for authentication
- fetch interval: time interval at which new feed data is fetched
- age limit: time interval for which fetched feed entries are retained
Once LogPoint consumes the threat feed, it is parsed according to the standard LogPoint SIEM threat intelligence taxonomy, resulting in a hassle-free and fast setup.
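How a feed consumer applies the fetch-interval and age-limit settings above while normalising each entry into the common cs_* taxonomy, as an added Python example that is neither LogPoint's code nor a TAXII client. The JSON document, the category map, the FeedStore class and the fetch_feed callable are all assumptions of this example standing in for the real transport and feed format; no server URL or credentials are modelled.

```python
"""Feed ingestion with fetch-interval polling and age-limit retention.

Added illustration, not LogPoint's own code. SAMPLE_FEED is a constructed
stand-in for a page of indicators returned by a TAXII poll; the real wire format,
the server and the `fetch_feed` transport are assumptions. Setting names follow
the page (fetch interval, age limit) and the output follows the cs_* taxonomy.
"""
from datetime import datetime, timedelta, timezone

# Constructed feed page (assumed shape, not a real STIX document).
SAMPLE_FEED = {
    "indicators": [
        {"type": "ipv4-addr", "value": "203.0.113.7", "labels": ["c2"], "confidence": 95},
        {"type": "domain-name", "value": "bad.example", "labels": ["phishing"], "confidence": 88},
    ]
}

# Assumed mapping from feed labels to the common category vocabulary.
CATEGORY_MAP = {"c2": "command_and_control", "phishing": "phishing", "malware": "malware"}


def normalise(indicator, seen_at):
    """Map one feed entry onto the common cs_* key-value shape used at search time."""
    return {
        "indicator": indicator["value"],
        "cs_category": CATEGORY_MAP.get(indicator["labels"][0], "unknown"),
        "cs_score": int(indicator["confidence"]),
        "seen_at": seen_at,
    }


class FeedStore:
    """Holds the normalised indicators of one configured feed."""

    def __init__(self, fetch_interval, age_limit):
        self.fetch_interval = fetch_interval   # how often the feed is pulled
        self.age_limit = age_limit             # how long an entry survives after its last sighting
        self.last_fetch = None
        self.table = {}

    def due(self, now):
        return self.last_fetch is None or now - self.last_fetch >= self.fetch_interval

    def poll(self, now, fetch_feed):
        """Fetch only when the interval has elapsed; re-published entries get a fresh seen_at.
        Returns the number of entries ingested (0 when the poll was not due)."""
        if not self.due(now):
            return 0
        feed = fetch_feed()   # assumed callable standing in for the TAXII request
        for ind in feed["indicators"]:
            self.table[ind["value"]] = normalise(ind, now)
        self.last_fetch = now
        self.expire(now)
        return len(feed["indicators"])

    def expire(self, now):
        """Drop indicators whose last sighting is older than the age limit; returns how many."""
        stale = [k for k, v in self.table.items() if now - v["seen_at"] > self.age_limit]
        for k in stale:
            del self.table[k]
        return len(stale)


def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock
    store = FeedStore(fetch_interval=timedelta(hours=1), age_limit=timedelta(hours=24))
    first = store.poll(t0, lambda: SAMPLE_FEED)                              # 2 ingested
    skipped = store.poll(t0 + timedelta(minutes=30), lambda: SAMPLE_FEED)    # 0, not yet due
    shrunk = {"indicators": SAMPLE_FEED["indicators"][:1]}                   # domain gone upstream
    second = store.poll(t0 + timedelta(hours=1), lambda: shrunk)             # 1 ingested
    still_known = "bad.example" in store.table                               # kept: age 1h < 24h
    dropped = store.expire(t0 + timedelta(hours=25))                         # 1: bad.example aged out
    return first, skipped, second, still_known, dropped, sorted(store.table)


if __name__ == "__main__":
    print(demo())
```

The point of the age limit is visible in the last two steps: an indicator that disappears from the upstream feed is not dropped immediately, it keeps matching until the configured retention window since its last sighting has passed, while the indicator that was re-published on the later poll stays.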
The best part?
The LogPoint Threat Intelligence Application is a free plugin included with a LogPoint license. The download is available from our Help Center.