Threat Intelligence
2018-11-30T16:08:07+00:00

Empower your security analysts with Threat Intelligence

The key to advanced threat detection is understanding your vulnerabilities and having adequate experience and intelligence to mitigate threats. While indicators of real risk are often difficult to identify and preparing for each and every new threat is impossible, making the best use of the available intelligence sources will help your organisation prioritise threats and broaden its armoury should it come down to an attack.

Threat intelligence, one aspect of a holistic cybersecurity strategy, helps you comprehend the risks posed by the most common and severe external threats, such as zero-day threats, advanced persistent threats and exploits. It enables you to collect and analyze data on the latest threats from a wide range of sources. Threat intelligence from security vendors, intelligence groups and your own network helps you fend off attacks by initiating security activities that stop malicious behavior and avoid incidents.

We strongly believe that Threat Intelligence is an aspect of cybersecurity that no-one in charge of a network can afford to ignore. Its role in network defense is now proven, and the threat data collected has indisputable value for organizations: it gives decision-makers a reliable basis on which to confirm the benefits and consequences of their decisions.

Being proactive is key

Real-time feeds combine intelligence and the previous experience of other organizations into a single source, providing your team with contextual information to make better-informed strategic choices and therefore mitigate attacks.

However, identifying a threat within large volumes of collected information can be like finding a needle in a haystack. You may find yourself asking:

  • What am I looking for?
  • How can I differentiate between normal activity and malicious activity that might signal an attack?

The reason some regard the integration of SIEM and TI as a double-edged sword lies in a lack of calibration. At LogPoint, we believe it is not the volume of information but the right implementation that leads to results.

While ongoing analysis of enterprise log data alone is valuable, next-gen protection against advanced threats is only possible by comparing your internal data with the relevant indicators of compromise. By tuning your internal data to the threats your sector is most exposed to, LogPoint SIEM integrated with TI feeds creates a highly focused solution that extracts the most insight from your enterprise log data for maximum efficiency.

Integration of SIEM and Threat Intelligence brings customers even faster threat correlation and management, enhancing their ability to monitor, manage and remediate cyberthreats. Leveraging LogPoint’s architecture, organizations can now correlate multiple threat indicators generated inside their perimeter with external threat IOCs at accelerated speed.

We not only enable your security team to be proactive in defending your critical assets but also help you achieve full situational awareness, so you will always know:

  • When have you been attacked?
  • Is there a new potential attack on the rise?
  • Who is the target within your organisation, and why?
  • What vulnerabilities are the attackers planning to exploit?

Threat Intelligence powered by LogPoint SIEM

The LogPoint Threat Intelligence Application offers a simple and efficient threat intelligence platform to identify emerging threats within your infrastructure, integrating with more than 100 threat intelligence feeds. Leveraging LogPoint’s single taxonomy, the data is converted into a “common language” format, then LogPoint compares it with your enterprise log data.

This lets analysts automate event interrogation, screening hundreds of thousands of indicators of compromise to evaluate the data against known attacks. Effective protection of organizational infrastructure necessarily relies on knowledge of a threat’s characteristic techniques, so that data on that attack methodology or other proof of compromise can be identified and collected.

With LogPoint, the sharing of this information happens at an unparalleled, near-real-time speed. Turning useful information into analysis that allows diverse threats to be countered is always the more complex challenge, given the constant evolution of risks and attack methods.
LogPoint not only screens hundreds of thousands of indicators of compromise to alert you about known attacks but also proactively prompts action, such as blocking known bad IP addresses, should an alert of a potential threat arise.

A flexible platform to fit your organization’s needs

Threat Intelligence in LogPoint provides the ability to generate alerts irrespective of the data structure, taxonomy and semantics. With LogPoint Threat Intelligence, you can benefit from a wide selection of commercial, community-driven and open source TI feeds, such as Emerging Threats or Critical Stack, and STIX/TAXII-compliant providers. We also support the CSV format for Threat Intelligence feeds. This gives you real-time, cross-platform insight into potential threats, so your security team can effectively eliminate false positives and focus on uncovering advanced threats. Even better, should a feed you need be missing, it can be custom built.

How do we do it?

Challenge

Identifying threat indicators while working with large volumes of logs.

Solution

Analysts can use queries with generic threat intelligence commands to filter out only the critical threat indicators. In LogPoint, filtering can be generic, giving you all matches against the threat intelligence database, or based on a particular threat category or threat score. With this approach, we enable your analysts to simplify the investigation process and focus on the actual threat.

Query Example:
source_address IN HOMENET | process ti(destination_address) | chart count() as cnt by cs_score, source_address order by cnt desc

Challenge

Difficulty in defining the correct cybersecurity risk posture.

Solution

Based on the unique taxonomy for threat indicator scores, analysts can benefit from fully automated incident response mechanisms using queries with numerical comparisons. Further, they can understand the geographical distribution of the attack sources.

Alert queries can be defined based on the scores of threat indicators, on risk values or functions, and also on the country of origin of each alert. By this, we empower your security team to make better-informed strategic choices, leading to more effective incident response and remediation than ever.

Query Example:
norm_id=* | process ti(destination_address) | search cs_score>80 | process geoip(destination_address) as country | chart count() by country order by count() desc

Challenge

Historical analysis is not possible.

Solution

By using both static and dynamic enrichment, analysts can benefit from a unique set of options and make the best use of threat intelligence in LogPoint.

By statically enriching any threat indicator (IP address or domain name), your analysts get an instant overview of potential risks. In LogPoint Threat Intelligence, risk is always explained by a number of enriched key-value pairs, such as category and risk score. These key-value pairs are then indexed and stored on disk until cleared by the retention policy.

Threat sources cannot always be detected in near real time, which can lead to serious attacks going undetected. To avoid such scenarios, dynamic enrichment in LogPoint enables analysts to investigate attacks retrospectively and thus uncover hard-to-spot indicators.

Query Example:
Static: without the “process ti()” command
norm_id=* source_address IN HOMENET | chart count() by cs_category, cs_score, source_address, destination_address

Dynamic: using the “process ti()” command
norm_id=* | process ti(destination_address)
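The three solutions above (score/category filtering, a numeric score threshold, and static versus dynamic enrichment) modelled in plain Python, as an added illustration that is not LogPoint’s code. The feed entries and log lines are constructed; only the field names cs_category, cs_score, source_address and destination_address come from the page, and the enrichment logic is a simplified stand-in for what “process ti()” does.

```python
from collections import Counter

# Constructed TI feed: indicator (IP or domain) -> enrichment key-value pairs,
# using the cs_category / cs_score field names from the page.
TI_FEED = {
    "203.0.113.7": {"cs_category": "c2", "cs_score": 95},
    "198.51.100.9": {"cs_category": "scanner", "cs_score": 40},
}

# Constructed events as they arrive for indexing (documentation-range addresses).
RAW_LOGS = [
    {"source_address": "10.0.0.5", "destination_address": "203.0.113.7"},
    {"source_address": "10.0.0.6", "destination_address": "198.51.100.9"},
    {"source_address": "10.0.0.7", "destination_address": "192.0.2.33"},
]

def enrich(event, feed, field="destination_address"):
    """Attach the feed's key-value pairs when `field` holds a known indicator."""
    hit = feed.get(event.get(field))
    return {**event, **hit} if hit else dict(event)

def static_index(logs, feed):
    """Index-time ("static") enrichment: TI fields are stored with the event."""
    return [enrich(e, feed) for e in logs]

def dynamic_search(indexed, feed, min_score=0):
    """Search-time ("dynamic") enrichment, the idea behind 'process ti()':
    re-check stored events against the feed as it is now, then keep only
    events whose cs_score exceeds min_score (cf. 'search cs_score>80')."""
    return [e for e in (enrich(e, feed) for e in indexed)
            if e.get("cs_score", -1) > min_score]

def chart_by_category(events):
    """Counterpart of 'chart count() by cs_category': matches per category."""
    return dict(Counter(e["cs_category"] for e in events if "cs_category" in e))

def demo():
    """Show why static enrichment alone cannot find an indicator learned later."""
    indexed = static_index(RAW_LOGS, TI_FEED)
    # The feed later learns an indicator that was unknown at index time.
    updated = {**TI_FEED, "192.0.2.33": {"cs_category": "malware", "cs_score": 90}}
    static_hits = [e for e in indexed if e.get("cs_score", -1) > 80]
    dynamic_hits = dynamic_search(indexed, updated, min_score=80)
    return chart_by_category(static_hits), chart_by_category(dynamic_hits)
```

Running demo() returns ({'c2': 1}, {'c2': 1, 'malware': 1}): the statically indexed fields miss the indicator added after ingestion, while the search-time re-check catches it, which is the historical-analysis gap the dynamic mode closes.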

+1: STIX/TAXII support

STIX/TAXII uses a RESTful API with a defined set of services and messages for data exchange. LogPoint consumes the STIX 1.x feed in JSON format by making API requests to the STIX/TAXII server.

Required parameters:

  • URL: complete host name of the feed server
  • username: identification for accessing the feed
  • password: password for authentication
  • fetch interval: time interval at which the new feed is fetched
  • age limit: time interval for which the feed is retained

Once LogPoint consumes the threat feed, it is parsed according to the standard LogPoint threat intelligence taxonomy, resulting in hassle-free and fast setup.

The best part?

The LogPoint Threat Intelligence Application is a free plugin included with a LogPoint license. The download is available from our Help Center.