13/09/2014
1
RICHARD KIRK SENIOR VICE PRESIDENT 11 SEPTEMBER 2014
Unified Security Management and Open Threat Exchange
Agenda
• A quick intro to AlienVault Unified Security Management (USM)
• Overview of the AlienVault Open Threat Exchange (OTX)
• How threat intelligence is gathered and vetted
• Examples of the types of threats you can identify with OTX
• How to use the threat data provided by OTX free services
• Questions?
Cost of Cybercrime Continues to Climb
Source: 2013 Cost of Cyber Crime Study: United States, Ponemon Institute October 2013
66% of Breaches Go Undiscovered for Months
Source: Verizon 2013 Data Breach Investigations Report
Who We Are
• AlienVault is the leading provider of Unified Security Management and crowd-sourced threat intelligence technology required to detect and act on today's advanced cyber threats.
Milestones, in the order shown on the slide's timeline (years marked: 1996, 2001-2002, 2003-2005, 2007, 2010, 2011, 2012, 2013):
• Establishes MSSP in Spain, assembles top team of "ethical hackers"
• MSSP analysts overwhelmed with data
• Invents the concept of USM
• OSSIM is battle-tested in MSSP operations
• OSSIM unchallenged as the de-facto standard Open Source SIEM
• AlienVault founded to support key customers: EADS, Spanish Govt, and Telefonica
• Sales expanded in 40 countries
• Founders move to Silicon Valley
• OSSIM downloads top 160,000
• Sales double
• Trident Capital discovers a diamond in the rough
• Headquarters move to US
• $22.4M Series C; KPCB lead
• OTX launched in Feb.
• USM 4.0 & 4.1
• $30M Series D; GGV Capital lead
• Virtual appliance & USM free trial launched April
• OTX expands to 8k+ contributors, >140 countries
• USM 4.4
Built by Security Practitioners, For Security Practitioners
The AlienVault Approach
• Asset Discovery: Active Network Scanning, Passive Network Scanning, Asset Inventory, Host-based Software Inventory
• Vulnerability Assessment: Network Vulnerability Testing, Remediation Verification
• Threat Detection: Network IDS, Host IDS, Wireless IDS, File Integrity Monitoring
• Behavioral Monitoring: Log Collection, Netflow Analysis, Service Availability Monitoring
• Security Intelligence: SIEM Event Correlation, Incident Response
What You Can Achieve with USM
AlienVault Labs Threat Intelligence: coordinated analysis, actionable guidance
• Weekly updates to coordinated rule sets:
  - Network IDS
  - Host IDS
  - Asset discovery / inventory database
  - Vulnerability database
  - Event correlation
  - Report modules and templates
  - Incident response templates / "how to" guidance for each alarm
  - Plug-ins to accommodate new data sources
Three Components, Three Form Factors
Components:
• AlienVault Server to aggregate data and manage the deployment
• AlienVault Sensor to collect data from the infrastructure
• AlienVault Logger for long-term storage and reporting
• AlienVault All-in-One to collect, aggregate, and store data as well as manage
Form factors: AMI, Virtual Appliance, Physical Appliance
Unified Monitoring, Prescriptive Guidance and Preventative Response
• AlienVault USM delivers unified and coordinated security monitoring for incident response and compliance management.
• AlienVault Labs provides coordinated intelligence and analysis of the latest threats, and prescriptive guidance on how to respond.
• AlienVault Open Threat Exchange offers real-time insights on incidents affecting others that may impact you, so you can deploy a preventative response.
Crowd-Sourced Security Intelligence
Open Threat Exchange
What is OTX?
Traditional Response
[Diagram: five organizations (First Street Credit Union, Zeta Insurance Group, John Smith Auto Nation, Regional Pacific Telecom, Marginal Food Products), each going through its own Attack / Detect / Respond cycle in isolation.]
OTX Enables Preventative Response through an automated, real-time threat exchange framework
A Real-Time Threat Exchange Framework
[Diagram: the same five organizations (First Street Credit Union, Zeta Insurance Group, John Smith Auto Nation, Regional Pacific Telecom, Marginal Food Products) connected through the Open Threat Exchange; one member's Attack / Detect feeds the exchange, which the other members draw on.]
OTX: Enabling Preventative Response
• Automated and anonymized sharing of threat data
• Provides the advantage to the defender
• Benefit from the incidents and response strategies of other contributing members
OTX in Action
• Continuous updates
  - Updates provided every 30 minutes
  - 200,000-350,000 validated malicious IPs at any point
• Active and open threat sharing
  - Since March 2012, OSSIM & USM users have flagged 196 million events as malicious
  - Average of ~11 million a month (365,000 a day)
• Effective against targeted attacks
  - 20% of 'live' APT1 domains were in OTX at time of Mandiant report
  - 218 domains were 'live' at time of report (the rest were added later the same day), 44 IPs found in OTX
Benefits of Open Threat Exchange
• Shifts the advantage from the attacker to the defender
• Open and free to everyone
• Each member benefits from the incidents of all other members
• Automated sharing of threat data
Protects Others in the Network with Preventative Response Measures
How does AlienVault OTX Work?
[Diagram: threat data flows from OSSIM/USM sites, external feeds, the web crawler and the malware analysis sandbox through the Validation Engine and AlienVault Labs into OTX.]
Crowd-Sourced Threat Data Sources (OSSIM / USM)
• 8,000 collection points
• 140+ countries
• Threat data from built-in IDS signatures and normalized event logs (firewalls, content filters, IPS/IDS, proxies, network devices, web servers, other)
Security Research Community Shared Data (External Feeds)
• 50+ external threat sources
• IP addresses, domain names, URLs, malware samples
URL & Malware Analysis (Web Crawler, Malware Analysis Sandbox)
• 500,000 samples analyzed per day
• Analysis generates threat data, additional samples, URLs, domain names
Threat Types Detected
• Malware Domain: distributing malware or hosting exploit code
• Malware IP: instrumental in malware, including malicious redirection
• Command and Control: sending command and control instructions to malware or a botnet
• Scanning Host: observed repeatedly scanning or probing remote systems
• APT: observed to be actively involved in an APT campaign
• Spamming Host: actively propagating or instrumental in the distribution of spam
• Malicious Host: engaged in malicious but uncharacterized activity
OTX Threat Data Produced
• Updates provided every 30 minutes
• 200,000-350,000 validated malicious IPs at any point
Sample of the reputation data (one entry per line: IP address, "#", threat type(s) separated by ";", then country code, city, latitude, longitude):
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
122.225.118.66 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
211.87.176.197 # Scanning Host CN,,35.0,105.0
95.163.107.201 # Spamming RU,,60.0,100.0
188.138.110.48 # Malicious Host;Scanning Host DE,,51.0,9.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
174.120.172.125 # Malware IP US,Houston,29.7523002625,-95.3669967651
210.148.165.67 # Malware IP JP,,36.0,138.0
75.75.253.84 # Spamming US,Henderson,36.0312004089,-115.073898315
Verification Engine: Scoring and Analysis
• Confirmation by other sources
• Voting based on known abuse patterns
• White-listing known sources of false positives
Verification Engine: Data Expiry
• Contributed Data: expires after 30 days
• Scanning: expires after 30 days without additional evidence
• Malware: validate ongoing hosting
• Web-based Threats: confirm ongoing activity
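The following is an added example, not AlienVault's code and not part of the deck. It parses feed lines in the layout shown on the "OTX Threat Data Produced" slide (IP, "#", one or more threat types separated by ";", then country code, city, latitude, longitude), applies the 30-day expiry window from the Data Expiry slide with a "new evidence extends the entry" rule, and matches the live entries against a few constructed firewall log lines. Hits are split into "targeted" (a listed external IP is the source) and "possible-compromise" (an internal host connected out to a listed IP), the same two questions the deck's Reputation Monitor and ThreatFinder tools ask. The `src=`/`dst=` log syntax, the 10.0.0.0/8 internal range and all dates are assumptions; the feed lines are a subset of the slide's sample.

```python
"""Parse OTX-style reputation feed lines and match them against firewall logs.

Added example, not AlienVault code. Feed line layout follows the sample on the
"OTX Threat Data Produced" slide:

    <ip> # <Type>[;<Type>...] <CountryCode>,<City>,<lat>,<lon>

The 30-day time-to-live mirrors the "Data Expiry" slide (contributed and
scanning data expire after 30 days unless new evidence arrives). The log
format, the internal address range and all dates are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Feed lines copied from the deck's sample (a subset).
FEED = """\
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
95.163.107.201 # Spamming RU,,60.0,100.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
"""

# Constructed firewall log lines (assumed key=value syntax, not a real product format).
LOGS = [
    "2014-09-11T10:15:02Z fw01 DENY src=122.225.118.219 dst=10.0.0.5 dport=22",
    "2014-09-11T10:15:07Z fw01 ALLOW src=10.0.0.12 dst=72.167.131.220 dport=80",
    "2014-09-11T10:16:33Z fw01 ALLOW src=10.0.0.12 dst=93.184.216.34 dport=443",
    "2014-09-11T10:17:01Z fw01 DENY src=95.163.107.201 dst=10.0.0.25 dport=25",
]

# Assumed dates: when the feed was pulled, and two analysis days.
RECEIVED = date(2014, 8, 20)
TODAY = date(2014, 9, 11)   # 22 days after RECEIVED: entries still live
LATER = date(2014, 9, 25)   # 36 days after RECEIVED: entries expired

TTL = timedelta(days=30)                       # expiry window from the slide
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

FEED_LINE = re.compile(
    r"^(?P<ip>\S+) # (?P<types>.+?) "
    r"(?P<cc>[A-Z]{2}),(?P<city>[^,]*),(?P<lat>-?\d+(?:\.\d+)?),(?P<lon>-?\d+(?:\.\d+)?)$"
)
LOG_IP = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Entry:
    ip: str
    types: tuple          # e.g. ("Malware IP", "Scanning Host")
    country: str
    city: str             # may be empty, as in the DE/RU sample lines
    lat: float
    lon: float
    last_seen: date       # date of the latest evidence for this entry


def parse_feed(text, received):
    """Parse feed text into {ip: Entry}; malformed lines raise ValueError."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FEED_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognized feed line: {line!r}")
        ip = str(ipaddress.ip_address(m["ip"]))  # rejects malformed addresses
        entries[ip] = Entry(ip, tuple(m["types"].split(";")), m["cc"], m["city"],
                            float(m["lat"]), float(m["lon"]), received)
    return entries


def active(entries, today):
    """Entries still inside the 30-day window."""
    return {ip: e for ip, e in entries.items() if today - e.last_seen <= TTL}


def record_evidence(entries, ip, seen):
    """A new sighting extends a listed IP's life; returns True if the IP was listed."""
    if ip not in entries:
        return False
    entries[ip].last_seen = max(entries[ip].last_seen, seen)
    return True


def match_logs(lines, entries, today):
    """Return (category, ip, types, line) for each log line hitting a live entry.

    "targeted": a listed external IP is the source (external view of IPs).
    "possible-compromise": an internal host connected out to a listed IP.
    """
    live = active(entries, today)
    hits = []
    for line in lines:
        fields = dict(LOG_IP.findall(line))
        src, dst = fields.get("src"), fields.get("dst")
        if src in live:
            hits.append(("targeted", src, live[src].types, line))
        if src and dst in live and ipaddress.ip_address(src) in INTERNAL:
            hits.append(("possible-compromise", dst, live[dst].types, line))
    return hits


if __name__ == "__main__":
    feed = parse_feed(FEED, received=RECEIVED)
    for hit in match_logs(LOGS, feed, today=TODAY):
        print(hit[0], hit[1], ";".join(hit[2]))
```

Run on the constructed logs on 2014-09-11, the script reports two inbound "targeted" hits (the Scanning Host and the Spamming entry) and one "possible-compromise" hit (10.0.0.12 connecting out to a Malware IP); run on 2014-09-25 it reports nothing, because every entry has aged past 30 days, unless `record_evidence` has refreshed it. That last behaviour is the point of the Data Expiry slide: a feed consumer that never ages entries out keeps blocking or alerting on addresses whose only evidence is weeks old.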
Free Tools
• Reputation Monitor
  - External view of IPs
  - Are you targeted?
• ThreatFinder
  - Internal view of IPs
  - Are you compromised?
• OSSIM
  - World's most widely used open source SIEM product
Threat Intelligence Powered by Open Collaboration
OTX + AlienVault Labs
AlienVault USM in Action
Step 1: Immediately identify known malicious IPs targeting your network.
Step 2: Dig deeper by clicking on bad IP to continue investigation. [Screenshots: dig deeper on bad IP addresses; share and review comments on active threats.]
Step 3: Follow step-by-step guidance in responding to the threat.
Step 4: Review all other events that triggered this alarm.
Step 5: Review vulnerabilities on assets that are being targeted in active threats.
Step 6: Open a ticket to assign tasks to team members for follow-up and remediation.
Optional step: Provide contextual feedback to OTX so others can avoid becoming targets of the same threat.
THANK YOU
@ALIENVAULT ALIENVAULT.COM #ALIENSEC