Comparing the use of threat intelligence feeds with API access to cloud security services and the use of local scanning engines
Security information and event management (SIEM) solutions now form part of many managed security service provider (MSSP) portfolios. They give an increasing number of enterprises access to the security management and compliance benefits of SIEM solutions.
Here, we will look at how externally sourced threat intelligence can be of use to an enterprise or MSSP. We’ll review how it can reduce false positives and make analysis easier. We’ll also see how it can help develop a proactive security stance that prevents alerts from arising in the first place.
SIEM solutions were originally designed with the largest enterprise in mind. In an environment where dedicated resources are always available to configure and manage the system, they provide effective near real-time analysis of security alerts delivered by applications and network hardware. They correlate events as they happen, providing a view of threats through alerts and via management consoles. SIEM also delivers forensic analysis and compliance management.
When the solutions work, they’re great – SIEM is a very powerful tool – but as with any system that operates in near real time it can be challenging to implement.
SIEM sees pretty much everything that happens on the network – and while that is powerful, it can be overwhelming. Knowing what is important, and filtering the information accordingly, is key to managing it. External data sources that provide intelligence – threat intelligence feeds – can help here. Although threat intelligence comes in many formats, here we’re thinking of machine-to-machine feeds of reputation data (for example, lists of malicious domains, URLs or file hashes) or more refined, analyst-developed intelligence.
False positives are often identified as a challenge by users of SIEM. Careful definition of correlation rules can stop false positives becoming a real problem, but when a team is overwhelmed with alerts, real threats may go undetected. Reducing the incidence of false positives is therefore a key benefit of integrating near real-time intelligence: an alert that matches a current, high-confidence indicator can be promoted, and one that matches nothing known can be left at a lower priority. Blending threat intelligence into a SIEM system is, fortunately, supported in many vendors’ solutions (for example, Splunk).
For the enterprise, buying SIEM as a service from an MSSP brings economies of scale: the enterprise has access to a pool of expertise it would otherwise have difficulty justifying (or even recruiting) – a pool of expertise that deals with building and delivering SIEM every day. The MSSP has a wealth of learning and experience to apply to the task. It can also afford to access data sets that would otherwise be of little benefit to a single enterprise – including threat intelligence.
MSSPs also have the resources to apply to after-the-event forensic analysis. Forensic analysis particularly benefits from having data about what happened both inside and outside the network.
A threat feed delivering information on all identified URLs and domains hosting malware or malicious content worldwide may be difficult to justify for an enterprise operating in only a few countries. However, an MSSP supporting multiple enterprises spread across continents would clearly benefit from an up-to-the-minute list of malicious domains, whether those domains are relatively static or part of a fast-moving domain set.
Integrating intelligence brings many benefits. Preventing access to malicious sites by proactive changes to firewall and gateway settings increases security. Updates to browser blacklists protect clients. Identifying which devices have accessed malicious domains becomes easier, and so do forensic investigations: knowing, for example, whether at a particular time on a particular date the URL accessed belonged to a domain that was then identified as malicious can be of great value. Note that an indicator has a lifetime – a domain may be flagged for a period and then cleaned up or re-registered – so the comparison should be made against the indicator’s validity window at the time of the event, not just against today’s list.
Correlating geo-location intelligence with the known threats in the region provides a better understanding of where a company’s network traffic is going to or coming from, and the risks. This may result in a change in the priority of alerts from certain resources. Understanding the source and destination and the classification of the domain (business, shopping etc.) can help identify differing traffic types and destinations. Internal traffic, external-bound traffic, business traffic and personal traffic all present different risks to a company.
An MSSP using threat intelligence will have a broader global view of the threat landscape. Its knowledge of how threats arise, move or are located will be better than that of an enterprise that does not use threat intelligence.
Threat intelligence feeds provide ‘over the horizon’ visibility of emerging threats. The decision to remove a platform from operation, or to implement an immediate patch, may result from knowledge of how threats are developing to take advantage of a platform’s vulnerability. Alternatively, increasing the priority of abnormal-behaviour alerts coming from the vulnerable platform may be considered sufficient. Correlating false positive alerts within a SIEM system with a threat intelligence database can also help identify files or alerts that appear suspicious but have already been thoroughly examined and found to be innocuous, so that they can be suppressed rather than re-investigated.
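The following is an added example, not code from the original article or from any SIEM vendor, showing the three enrichment steps discussed above in one place: suppressing alerts whose file hash is on a known-good list, checking whether a destination domain was listed as malicious at the time of the event (using the indicator's first-seen/last-seen window rather than today's list), and bumping the priority of traffic to a region the analyst rates as higher risk. The feed format, the log format, the domain names, the country codes and the hashes are all hypothetical, constructed for this example; a real deployment would read the feed from the provider and the events from the SIEM.

```python
"""Added example: enrich SIEM alerts with a threat-intelligence feed.

All data below is constructed for illustration; the feed format and log
format are hypothetical, not any vendor's.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import csv
import io

# Constructed indicator feed: one row per domain, with the window during which
# the feed considered it malicious. An empty last_seen means "still listed".
FEED_CSV = """indicator,category,first_seen,last_seen
bad-updates.example,malware,2024-03-01T00:00:00Z,2024-03-10T00:00:00Z
phish-login.example,phishing,2024-03-05T00:00:00Z,
"""

# Constructed allow-list of file hashes already examined and found innocuous.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
KNOWN_GOOD_SHA256 = {EMPTY_SHA256}

# Constructed placeholder: country codes the analyst rates as higher risk.
HIGH_RISK_COUNTRIES = {"XX"}

# Constructed download-log lines: timestamp, client IP, host, destination country, SHA-256.
LOG_LINES = [
    f"2024-03-07T12:00:00Z 10.0.0.5 bad-updates.example US {'1' * 64}",
    f"2024-03-15T09:30:00Z 10.0.0.5 bad-updates.example US {'2' * 64}",
    f"2024-03-20T08:00:00Z 10.0.0.9 phish-login.example XX {'3' * 64}",
    f"2024-03-20T08:05:00Z 10.0.0.9 safe.example US {EMPTY_SHA256}",
    f"2024-03-21T10:00:00Z 10.0.0.9 unknown-cdn.example XX {'4' * 64}",
]


@dataclass(frozen=True)
class Indicator:
    value: str
    category: str
    first_seen: datetime
    last_seen: Optional[datetime]  # None means the feed still lists it

    def active_at(self, when: datetime) -> bool:
        """True if the feed listed this indicator at the moment of the event."""
        if when < self.first_seen:
            return False
        return self.last_seen is None or when <= self.last_seen


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_feed(text: str) -> dict:
    """Parse the CSV feed into a dict keyed by lower-cased domain."""
    feed = {}
    for row in csv.DictReader(io.StringIO(text)):
        value = row["indicator"].lower()
        feed[value] = Indicator(
            value=value,
            category=row["category"],
            first_seen=parse_ts(row["first_seen"]),
            last_seen=parse_ts(row["last_seen"]) if row["last_seen"] else None,
        )
    return feed


@dataclass(frozen=True)
class Alert:
    timestamp: datetime
    client: str
    host: str
    country: str
    sha256: str
    disposition: str  # "suppress" | "escalate" | "historical" | "review"
    priority: int     # 0 lowest .. 3 highest
    reason: str


def triage(line: str, feed: dict, known_good: set) -> Alert:
    """Decide what the SIEM should do with one event, given the feed and allow-list."""
    ts_text, client, host, country, sha256 = line.split()
    ts = parse_ts(ts_text)
    host = host.lower()

    # Step 1: files already examined and found innocuous are suppressed outright.
    if sha256 in known_good:
        return Alert(ts, client, host, country, sha256, "suppress", 0, "hash on known-good list")

    # Step 2: match the host against the feed, honouring the indicator's validity window.
    ind = feed.get(host)
    if ind is None:
        disposition, priority, reason = "review", 1, "no intelligence for host"
    elif ind.active_at(ts):
        disposition, priority, reason = "escalate", 3, f"{host} listed as {ind.category} at time of access"
    else:
        disposition, priority, reason = "historical", 2, f"{host} was listed as {ind.category}, but not at time of access"

    # Step 3: traffic to a region rated high risk moves one step up (capped at 3).
    if country in HIGH_RISK_COUNTRIES:
        priority = min(priority + 1, 3)
        reason += f"; destination in high-risk region {country}"
    return Alert(ts, client, host, country, sha256, disposition, priority, reason)


def clients_reaching_live_indicators(lines, feed: dict, known_good: set) -> dict:
    """Map each client that reached a currently listed indicator to the hosts it contacted."""
    out = {}
    for line in lines:
        a = triage(line, feed, known_good)
        if a.disposition == "escalate":
            out.setdefault(a.client, set()).add(a.host)
    return out


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    for line in LOG_LINES:
        a = triage(line, feed, KNOWN_GOOD_SHA256)
        print(f"{a.timestamp:%Y-%m-%d %H:%M} {a.client:<9} {a.host:<20} {a.disposition:<10} p{a.priority} {a.reason}")
    print(clients_reaching_live_indicators(LOG_LINES, feed, KNOWN_GOOD_SHA256))
```

The second constructed line is the case the article warns about: bad-updates.example was listed for malware between 1 and 10 March, so an access on 15 March is reported as historical rather than escalated, while an access during the window is. The allow-list check runs first so that a known-good file is never promoted just because of where it came from.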
Consuming threat intelligence through feeds is of course only one way to access intelligence. There are others, such as using APIs. To read more about that, have a look at this article from Carlos Valero Llabata.