AlienVault USM and OTX Overview Sept 11 2014.pptx


Transcript of AlienVault USM and OTX Overview Sept 11 2014.pptx

Page 1: AlienVault USM and OTX Overview Sept 11 2014.pptx

13/09/2014  

1  

Richard Kirk, Senior Vice President, 11 September 2014

Unified Security Management and Open Threat Exchange

Agenda

• A quick intro to AlienVault Unified Security Management (USM)
• Overview of the AlienVault Open Threat Exchange (OTX)
• How threat intelligence is gathered and vetted
• Examples of the types of threats you can identify with OTX
• How to use the threat data provided by OTX free services
• Questions?

Page 2

Cost of Cybercrime Continues to Climb

Source: 2013 Cost of Cyber Crime Study: United States, Ponemon Institute October 2013

66% of Breaches Go Undiscovered for Months

Source: Verizon 2013 Data Breach Investigations Report

Page 3

Who We Are

• AlienVault is the leading provider of Unified Security Management and crowd-sourced threat intelligence technology required to detect and act on today's advanced cyber threats.

Company timeline (milestones as listed on the slide, across the years 1996, 2001-2002, 2003-2005, 2007, 2010, 2011, 2012 and 2013):

• Establishes MSSP in Spain, assembles top team of "ethical hackers"
• MSSP analysts overwhelmed with data
• Invents the concept of USM
• OSSIM is battle-tested in MSSP operations
• OSSIM unchallenged as the de-facto standard Open Source SIEM
• AlienVault founded to support key customers: EADS, Spanish Govt, and Telefonica
• Sales expanded in 40 countries
• Founders move to Silicon Valley
• OSSIM downloads top 160,000
• Sales double
• Trident Capital discovers a diamond in the rough
• Headquarters move to US
• $22.4M Series C; KPCB lead
• OTX launched in Feb.
• USM 4.0 & 4.1
• $30M Series D; GGV Capital lead
• Virtual appliance & USM free trial launched April
• OTX expands to 8k+ contributors, >140 countries
• USM 4.4

Built by Security Practitioners, For Security Practitioners

Page 4

The AlienVault Approach (built up one capability at a time across slides 4 to 6)

• Asset Discovery
  - Active Network Scanning
  - Passive Network Scanning
  - Asset Inventory
  - Host-based Software Inventory
• Vulnerability Assessment
  - Network Vulnerability Testing
  - Remediation Verification
• Threat Detection
  - Network IDS
  - Host IDS
  - Wireless IDS
  - File Integrity Monitoring
• Behavioral Monitoring
  - Log Collection
  - Netflow Analysis
  - Service Availability Monitoring
• Security Intelligence
  - SIEM Event Correlation
  - Incident Response

Page 7

What You Can Achieve with USM

AlienVault Labs Threat Intelligence: coordinated analysis, actionable guidance

• Weekly updates to coordinated rule sets:
  - Network IDS
  - Host IDS
  - Asset discovery / inventory database
  - Vulnerability database
  - Event correlation
  - Report modules and templates
• Incident response templates / "how to" guidance for each alarm
• Plug-ins to accommodate new data sources

Page 8

Three Components, Three Form Factors

Components:

• AlienVault Server to aggregate data and manage the deployment
• AlienVault Sensor to collect data from the infrastructure
• AlienVault Logger for long term storage and reporting
• AlienVault All-in-One to collect, aggregate, and store data as well as manage

Form factors: AMI, Virtual Appliance, Physical Appliance

Unified Monitoring, Prescriptive Guidance and Preventative Response

• AlienVault USM delivers unified and coordinated security monitoring for incident response and compliance management.
• AlienVault Labs provides coordinated intelligence and analysis of the latest threats, and prescriptive guidance on how to respond.
• AlienVault Open Threat Exchange offers real-time insights on incidents affecting others that may impact you, so you can deploy a preventative response.

Page 9

Crowd-Sourced Security Intelligence

Open Threat Exchange

WHAT IS OTX?

Page 10

Traditional Response (diagram)

Each organization shown (First Street Credit Union, Zeta Insurance Group, John Smith Auto Nation, Regional Pacific Telecom, Marginal Food Products) runs through its own Attack, Detect, Respond cycle independently of the others.

OTX Enables Preventative Response through an automated, real-time threat exchange framework.

Page 11

A Real-Time Threat Exchange Framework (diagram)

The same organizations (First Street Credit Union, Zeta Insurance Group, John Smith Auto Nation, Regional Pacific Telecom, Marginal Food Products) are connected through the Open Threat Exchange: an attack detected at one member is shared with all the others.

• Automated and anonymized sharing of threat data
• Provides the advantage to the defender
• Benefit from the incidents and response strategies of other contributing members

OTX: Enabling Preventative Response

Open Threat Exchange

Page 12

OTX in Action

• Continuous updates
  - Updates provided every 30 minutes
  - 200,000-350,000 validated malicious IPs at any point
• Active and open threat sharing
  - Since March 2012, OSSIM & USM users have flagged 196 million events as malicious
  - Average of ~11 million a month (365,000 a day)
• Effective against targeted attacks
  - 20% of 'live' APT1 domains were in OTX at time of Mandiant report
  - 218 domains were 'live' at time of report (the rest were added later the same day), 44 IPs found in OTX

Benefits of Open Threat Exchange

• Shifts the advantage from the attacker to the defender
• Open and free to everyone
• Each member benefits from the incidents of all other members
• Automated sharing of threat data

Protects others in the network with preventative response measures

Page 13

How does AlienVault OTX Work?

Diagram: threat data flows from its sources (AlienVault OSSIM and USM sites, external feeds, the web crawler and the malware analysis sandbox) through the Validation Engine and AlienVault Labs into OTX.

Crowd-Sourced Threat Data Sources (OSSIM and USM sites)

• 8,000 collection points
• 140+ countries
• Threat data from built-in IDS signatures and normalized event logs
• Log sources: firewalls, content filters, IPS/IDS, proxies, network devices, web servers, other

Page 14

Security Research Community Shared Data (external feeds)

• 50+ external threat sources
• IP addresses, domain names, URLs, malware samples

URL & Malware Analysis (web crawler and malware analysis sandbox)

• 500,000 samples analyzed per day
• Analysis generates threat data, additional samples, URLs and domain names

Page 15

Threat Types Detected

• Malware Domain: distributing malware or hosting exploit code
• Malware IP: instrumental in malware, including malicious redirection
• Command and Control: sending command and control instructions to malware or a botnet
• Scanning Host: observed repeatedly scanning or probing remote systems
• APT: observed to be actively involved in an APT campaign
• Spamming Host: actively propagating or instrumental in the distribution of spam
• Malicious Host: engaged in malicious but uncharacterized activity

OTX Threat Data Produced

• Updates provided every 30 minutes
• 200,000-350,000 validated malicious IPs at any point

Sample records (one per line: IP address, "#", one or more threat types separated by ";", then country code, city, latitude, longitude):

122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
122.225.118.66 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
211.87.176.197 # Scanning Host CN,,35.0,105.0
95.163.107.201 # Spamming RU,,60.0,100.0
188.138.110.48 # Malicious Host;Scanning Host DE,,51.0,9.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
174.120.172.125 # Malware IP US,Houston,29.7523002625,-95.3669967651
210.148.165.67 # Malware IP JP,,36.0,138.0
75.75.253.84 # Spamming US,Henderson,36.0312004089,-115.073898315

Page 16

Verification Engine: Scoring and Analysis

• Confirmation by other sources
• Voting based on known abuse patterns
• White-listing known sources of false positives

Verification Engine: Data Expiry

• Contributed data: expires after 30 days
• Scanning: expires after 30 days without additional evidence
• Malware: validate ongoing hosting
• Web-based threats: confirm ongoing activity
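The sample records on the previous slide and the verification rules on this one, turned into working code. This is an added example, not AlienVault code and not the OTX implementation: it parses records in the layout the deck shows, merges feeds from more than one source (a second source listing the same IP counts as confirmation and refreshes its expiry clock), drops addresses on a whitelist of known false-positive sources, expires entries not seen for 30 days, and then matches what survives against firewall log lines. The feeds, the whitelisted range 203.0.113.0/24, the source names, the observation dates and the iptables-style log format are all constructed for illustration; how OTX actually scores or votes on records is not described on the page.

```python
"""OTX-style IP reputation records: parse, verify (confirmation, whitelist, 30-day expiry)
and match against firewall logs. Added example, not AlienVault code; all data constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

_OCT = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"  # one dotted-quad octet, 0-255
RECORD_RE = re.compile(  # slide layout: "<ip> # <Type>[;<Type>...] <CC>,<City>,<lat>,<lon>"
    rf"^(?P<ip>{_OCT}(?:\.{_OCT}){{3}})\s*#\s*(?P<types>.+?)\s+"
    r"(?P<cc>[A-Z]{2}),(?P<city>[^,]*),(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+)$")
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)")
EXPIRY = timedelta(days=30)  # "expires after 30 days without additional evidence"
WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]  # assumed: e.g. your own scanners


@dataclass
class Record:
    ip: str
    types: set[str]
    country: str
    city: str
    lat: float
    lon: float
    sources: set[str] = field(default_factory=set)
    last_seen: datetime = datetime.min.replace(tzinfo=timezone.utc)


def parse_record(line: str) -> Record | None:
    """One feed line -> Record, or None for a malformed line."""
    if not (m := RECORD_RE.match(line.strip())):
        return None
    types = {t.strip() for t in m["types"].split(";") if t.strip()}
    return Record(m["ip"], types, m["cc"], m["city"], float(m["lat"]), float(m["lon"]))


class ReputationStore:
    def __init__(self) -> None:
        self.records: dict[str, Record] = {}

    def ingest(self, feed_text: str, source: str, seen_at: datetime) -> int:
        """Merge a feed; a second source for the same IP counts as confirmation
        and refreshes its expiry clock. Returns the number of lines accepted."""
        accepted = 0
        for line in feed_text.splitlines():
            rec = parse_record(line)
            if rec is None or any(ipaddress.ip_address(rec.ip) in n for n in WHITELIST):
                continue  # malformed, or a whitelisted known false-positive source
            cur = self.records.setdefault(rec.ip, rec)
            cur.types |= rec.types
            cur.sources.add(source)
            cur.last_seen = max(cur.last_seen, seen_at)
            accepted += 1
        return accepted

    def lookup(self, ip: str, now: datetime) -> Record | None:
        """Active record for ip, or None if unknown or not seen within EXPIRY."""
        rec = self.records.get(ip)
        return None if rec is None or now - rec.last_seen > EXPIRY else rec


def match_logs(store: ReputationStore, log_lines: list[str], now: datetime) -> list[dict]:
    """Flag firewall lines whose SRC or DST is an active reputation entry."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        for role in (("src", "dst") if m else ()):
            rec = store.lookup(m[role], now)
            if rec:
                hits.append({"ip": rec.ip, "role": role.upper(), "types": sorted(rec.types),
                             "sources": len(rec.sources), "line": line})
    return hits


# Constructed feeds in the slide's layout (not a live OTX download).
OTX_FEED = """\
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
95.163.107.201 # Spamming RU,,60.0,100.0
"""
CONTRIBUTED_FEED = """\
188.138.100.156 # Command and Control DE,,51.0,9.0
203.0.113.7 # Scanning Host US,,38.0,-97.0
this line is not a record and must be skipped
"""
FIREWALL_LOG = [  # constructed, iptables-like key=value lines
    "2014-09-13T09:01:11Z SRC=122.225.118.219 DST=10.0.0.5 DPT=22 ACTION=DROP",
    "2014-09-13T09:02:30Z SRC=10.0.0.17 DST=188.138.100.156 DPT=443 ACTION=ACCEPT",
    "2014-09-13T09:03:02Z SRC=10.0.0.17 DST=210.148.165.67 DPT=80 ACTION=ACCEPT",
    "2014-09-13T09:04:45Z SRC=203.0.113.7 DST=10.0.0.5 DPT=445 ACTION=DROP",
]


def run_demo(now: datetime = datetime(2014, 9, 13, tzinfo=timezone.utc)) -> list[dict]:
    store = ReputationStore()
    store.ingest(OTX_FEED, "otx", now - timedelta(days=2))
    store.ingest("210.148.165.67 # Malware IP JP,,36.0,138.0", "otx", now - timedelta(days=40))
    store.ingest(CONTRIBUTED_FEED, "contributor-a", now - timedelta(days=1))
    return match_logs(store, FIREWALL_LOG, now)
```

run_demo() returns two hits: the scanning host as the source of a dropped inbound connection, and 188.138.100.156, now carrying three threat types and confirmed by two sources, as the destination of an accepted outbound one (the outbound hit is the one that deserves an alarm, since it suggests an internal host talking to a C2 address). The stale entry for 210.148.165.67 and the whitelisted 203.0.113.7 produce nothing, which is the practical effect of the expiry and white-listing rules described on this slide.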

Page 17

Free Tools

• Reputation Monitor
  - External view of IPs
  - Are you targeted?
• ThreatFinder
  - Internal view of IPs
  - Are you compromised?
• OSSIM
  - World's most widely used open source SIEM product

Threat Intelligence Powered by Open Collaboration: OTX + AlienVault Labs

Page 18

AlienVault USM in Action (screenshot walkthrough across slides 18 to 21)

Step 1: Immediately identify known malicious IPs targeting your network.
Step 2: Dig deeper by clicking on the bad IP to continue the investigation (dig deeper on bad IP addresses; share and review comments on active threats).
Step 3: Follow step-by-step guidance in responding to the threat.
Step 4: Review all other events that triggered this alarm.
Step 5: Review vulnerabilities on assets that are being targeted in active threats.
Step 6: Open a ticket to assign tasks to team members for follow-up and remediation.
Optional step: Provide contextual feedback to OTX so others can avoid becoming targets of the same threat.

Page 22

THANK YOU

@ALIENVAULT ALIENVAULT.COM #ALIENSEC