Every enterprise organization should take advantage of threat intelligence and send technical feeds into their security information and event management (SIEM) products. For IT security, SIEM and threat intelligence are a marriage made in heaven.
What can security professionals stand to gain from consuming threat intelligence inside of their SIEM products?
- Faster event detection. Alerting on threat intelligence matches (IPs, URLs, domains and hashes) is easier than writing good correlation rules.
- Better context. Alert triage and incident investigation become easier, and information is available faster.
- Threat tracking and awareness. It combines local monitoring observations, external threat intelligence and -- for those who are ready -- internal threat intelligence in one place.
Logs are probably most useful for matching system data with threat intelligence in real time as well as historically. But historical correlation is more performance-intensive on your SIEM storage backend, so proceed with caution.
What data -- logs and threat intel -- do you need?
- Firewall logs (outbound connection records),
- Web proxy or secure Web gateway (SWG) logs,
- DNS logs, such as the domains that your systems query for,
- NIDS/NIPS data (threat intelligence matching here helps triage the alerts, and thus makes detection better),
- Flows and other connectivity records, down to router logs and anything else that shows connectivity.
Endpoint threat detection tools can usually match to threat intelligence data without using a SIEM, but local endpoint execution data collected in one place (essentially, all executed processes across the environment) marries well to threat intelligence feeds that contain host data.
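As an added example (not code from the article), here is a minimal version of the matching described above: a constructed CSV indicator feed is indexed by indicator type, and constructed firewall, DNS, proxy and endpoint log lines are checked against it, with the feed row attached to each hit so triage sees the source and confidence. Every feed value, log line and field name is an assumption made for the example.

```python
import csv
import re
from urllib.parse import urlparse
# Constructed indicator feed in the CSV shape the article mentions; every value is made up.
FEED_CSV = """indicator,type,source,confidence
203.0.113.7,ip,community-feed,70
bad.example.net,domain,vendor-feed,90
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,hash,vendor-feed,80
"""
# Constructed log lines from the sources the article lists (firewall, DNS, proxy, endpoint).
SAMPLE_LOGS = [
    "fw: src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow",
    "dns: client=10.0.0.9 query=bad.example.net type=A",
    "proxy: client=10.0.0.3 url=http://BAD.example.net/x.php status=200",
    "edr: host=ws17 process=update.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
]
# Regexes that pull candidate observables out of a log line, keyed by indicator type.
EXTRACTORS = {
    "ip": re.compile(r"(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})"),
    "domain": re.compile(r"query=([A-Za-z0-9.-]+)"),
    "hash": re.compile(r"sha256=([0-9a-fA-F]{64})"),
}
URL_RE = re.compile(r"url=(\S+)")

def load_feed(text):
    # Index as {type: {indicator: row}} so each lookup is a dict probe, not a scan of the feed.
    index = {}
    for row in csv.DictReader(text.splitlines()):
        index.setdefault(row["type"], {})[row["indicator"].lower()] = row
    return index

def observables(line):
    # Yield (type, value) pairs found in one line; the host of a proxy URL is matched as a domain.
    for kind, rx in EXTRACTORS.items():
        for value in rx.findall(line):
            yield kind, value.lower()
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host:
            yield "domain", host.lower()

def match_logs(lines, index):
    # One alert per (line, indicator) hit, carrying the feed row so triage has source and confidence.
    alerts = []
    for line in lines:
        for kind, value in observables(line):
            row = index.get(kind, {}).get(value)
            if row:
                alerts.append({"log": line, **row})
    return alerts
```

Running `match_logs(SAMPLE_LOGS, load_feed(FEED_CSV))` yields four hits (one IP, two domain, one hash); the internal 10.0.0.x addresses never match because they are not in the feed.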
Where should threat intelligence data come from?
- Your SIEM vendor. Some vendors are dedicating significant resources to the production of their own threat intelligence or feed aggregation, as well as enrichment and cleaning of this information.
- Community-driven, free threat intelligence feeds. The CIF (Collective Intelligence Framework) format comes in really handy here, but CSV (comma-separated values) can be imported just as well. Some lists and information on how to compare them can be found here.
- Commercial packaged feeds from a threat intelligence aggregator. These may even come with pre-formatted rules ready for your SIEM. This threat intelligence may be cleaner than community feeds.
- Commercial threat intelligence providers of original threat intelligence.
Taking advantage of your SIEM vendor's threat intelligence feeds is the first step and it may be as easy as clicking one button to turn it on. At the same time, other data sources are not that hard to integrate with most decent SIEM products.
The result? Better detection, faster triage and easier investigations.
Anton Chuvakin, Ph.D., is a research vice president at Gartner for the Technical Professionals' Security and Risk Management group. As a recognized expert in log management and PCI compliance, Dr. Chuvakin has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI DSS and security management. He is an author of "Security Warrior" and "PCI Compliance." For more, check out his Gartner blog, personal blog or follow him on Twitter @anton_chuvakin.