How to Normalize Threat Intelligence Data from Multiple Sources
Tech Talk Tuesday, #TTTsec @AlienVault
Your Hosts
Conrad Constantine
Community Manager, AlienVault
@cpconstantine
Todd Leetham
Cyber Threat Intelligence Lead, EMC
@rudehimself
Covered In This Talk
• Getting the Collective Intelligence
Framework installed, collecting intelligence
from external sources and generating a
custom feed to use with your security
controls.
• Making sense of the Threat Intelligence
Resources out there as part of your
security monitoring program.
What You’ll Need to Build and Use CIF
• A Linux system (a Debian-based distro is preferred) with plenty of resources allocated:
4GB of RAM and 20GB of storage recommended for experimentation, 16GB of RAM and
500GB of storage recommended for production.
• Experience installing Linux software from source.
• Basic DBA skills with the PostgreSQL database.
• Admin experience with the BIND DNS resolver.
• Admin experience with the Apache web server.
• Know how to locate and install Perl modules.
• Familiarity with essential internet topology mechanisms (BGP ASes, registrars, etc.)
Collective Intelligence Framework:
Redux
• Just as a SIEM allows the consumption of log data,
normalizing to allow queries, transforms and correlations to be
run against them, CIF does the same for Threat Intel Data.
• IP addresses, Domains, URI substrings – threat intel comes in
many formats and we don’t have time to spend our days
converting datasets by hand – automate once, use it forever.
• Store Data from multiple sources, combine, process and
produce customized output in formats suitable for
consumption by the security controls you have in place
already.
• Query the intelligence data via programming API or human-readable web interface.
• Customize output for different audiences, maintain access
through a key-based API system, share tokenized, sanitized
intelligence amongst multiple organizations without disclosing
sensitive information in the process.
http://code.google.com/p/collective-intelligence-framework/
CIF Architecture
Threat Intelligence For Mere Mortals
• Security Controls (for the most part) detect technical
threats – they can’t determine intent.
• Malicious activity can be indistinguishable from
legitimate, to a software control.
• Nothing identifies a False Positive like a second (or
third, or fourth) opinion.
• Attackers have agility that defenders do not –
keeping them on the move and unable to launch an
attack from the same place twice raises their costs
of ‘doing business’
• Information about where they are launching attacks
from and what tools they are using – any piece of
information like this can make the difference between
responding to an Alert and responding to a Threat.
Putting Threat Intel to Work
• Security Controls generate hundreds of alerts per day
(on a slow day).
• Threat Intelligence allows you to prioritize response
efforts around alerts caused by external parties known to be
conducting malicious activities.
• Threat Intel allows you to group individual alerts together
into a larger picture of coordinated activity against your
assets, and enable you to strike at the roots of an attack
campaign instead of chasing each compromise
individually.
• 50 compromised machines? Or one Command And
Control system to identify and block communications to?
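As an added illustration of the alert-versus-threat point above (example code written for this page, not part of the deck or of CIF): the alert export, the intel view and their column names are all constructed for the demo. Each alert is enriched with the intel entry for whichever side of the flow is a known external indicator, then the alerts are collapsed by that indicator, so three alerts from three internal hosts become one command-and-control host to block.

```python
"""Enrich raw alerts with threat intel and collapse them into campaigns keyed
on the external indicator they share, so the unit of response is the C2 host
rather than each individual alert."""
import csv
import io
from collections import defaultdict

# Constructed intel view: address -> (confidence, description). The shape is
# an assumption for this demo, not CIF's record schema.
INTEL = {
    "203.0.113.10": (85, "Malicious Host"),
    "198.51.100.5": (40, "Scanning Host"),
}

# Constructed alert export (IDS-to-CSV style); the columns are assumed.
ALERTS_CSV = """\
ts,src,dst,signature
2012-08-01T10:00:01,10.0.0.11,203.0.113.10,ET TROJAN Generic checkin
2012-08-01T10:00:07,10.0.0.12,203.0.113.10,ET TROJAN Generic checkin
2012-08-01T10:00:09,10.0.0.13,203.0.113.10,ET POLICY Suspicious UA
2012-08-01T10:01:00,10.0.0.11,192.0.2.44,ET INFO Possible download
2012-08-01T10:02:30,198.51.100.5,10.0.0.5,ET SCAN Nmap probe
"""


def parse_alerts(text):
    """Read the CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def enrich(alert, intel=INTEL):
    """Attach intel for whichever side of the flow is a known external indicator."""
    for side in ("dst", "src"):
        hit = intel.get(alert[side])
        if hit:
            conf, desc = hit
            return dict(alert, indicator=alert[side], confidence=conf, description=desc)
    return dict(alert, indicator=None, confidence=0, description="")


def priority(enriched, high=80):
    """Escalate on confident intel matches; unmatched alerts keep normal priority."""
    if enriched["indicator"] is None:
        return "normal"
    return "high" if enriched["confidence"] >= high else "elevated"


def campaigns(alerts, intel=INTEL):
    """Group enriched alerts by shared indicator: one C2, many internal victims."""
    groups = defaultdict(lambda: {"internal_hosts": set(), "alerts": 0, "confidence": 0})
    for a in alerts:
        e = enrich(a, intel)
        if e["indicator"] is None:
            continue
        g = groups[e["indicator"]]
        # The internal side is whichever end of the flow is not the indicator.
        internal = a["src"] if e["indicator"] == a["dst"] else a["dst"]
        g["internal_hosts"].add(internal)
        g["alerts"] += 1
        g["confidence"] = e["confidence"]
    return dict(groups)


if __name__ == "__main__":
    for c2, g in campaigns(parse_alerts(ALERTS_CSV)).items():
        print(c2, g["alerts"], "alerts from", len(g["internal_hosts"]),
              "internal hosts, confidence", g["confidence"])
```

Run as-is it reports 203.0.113.10 as one campaign touching three internal hosts and 198.51.100.5 as a low-confidence scanner; the `priority` value is what you would push back into the SIEM alert rather than a block decision.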
The Threat Intelligence
Marketplace
• Public internet threat intelligence began with Anti-Spam Blacklists.
• Now covers a multitude of open repositories of
host/network reputation, malware and exploit
signatures and other more specialized information.
• Several Public and Private organizations maintain
private (or commercial subscription) feeds of Threat
Intelligence, ranging from IP Reputation to
specialized research about the individuals carrying
out attacks.
• Many emerging standards for defining and
exchanging threat information – and security
controls often have only limited support for
consuming this information.
Building your first CIF Server
• You either:
– Want to start incorporating some public Threat
Data into your security controls
• Or
– You’re currently consuming several threat
data feeds and want a better way to combine,
aggregate and query them, and process them
with your security controls and analysis tools
Prerequisites and
Environment
• A working BIND installation on the CIF server, configured to
use trusted public DNS servers for upstream forwarding:
https://code.google.com/p/collective-intelligence-framework/wiki/BindSetup_v1
• A working PostgreSQL installation on the CIF server,
configured for username/password-based authentication
https://code.google.com/p/collective-intelligence-framework/wiki/PostgresInstall_v1
• An Apache web server installation, with mod_perl loaded.
• A fairly extensive collection of Perl modules
http://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_DebianSqueeze_v1
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_DebianWheezy_v1
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_Ubuntu12_v1
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_CentOS6_v1
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_CentOS5_v1
CIF Server Installation
• Download the CIF archive, extract it, run the configure scripts.
• Build and ‘make install’.
• Run ‘make initdb’; this will fail if PostgreSQL was not configured.
• Create a new service account, ‘cif’, and generate the base CIF
configuration file for it at ~/.cif.
• Configure Apache to load the CIF HTTP API Perl modules via mod_perl.
• Install the cron entries for CIF to update its threat sources periodically.
• CIF installs to /opt/cif by default.
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_v1
Creating API Keys
• Access to the CIF datastore is done via client apps using an API key.
• You’ll need to generate an access key for each client that will have
access to the CIF datastore.
• The initial key creation is going to look something like this:
$ cif_apikeys -u myuser@mydomain.com -a -g everyone -G everyone
userid key description guid default_guid access write revoked expires created
myuser@mydomain.com 249cd5fd-04e3-46ad-bf0f-c02030cc864a 8c864306-d21a-37b1-8705-746a786719bf true all 2012-08-01 11:50:15.969724+00
• You’re going to need this API key (the ‘key’ column) to configure a CIF client.
Installing a Client
• The Client is contained in the ‘libcif’ source package – install the perl
dependencies and configure && make && make install, as usual.
• This contains the ‘cif’ binary used for commandline interaction with
the CIF server.
• Configuration is just the URI for the CIF server API and the client’s
API key (generated previously).
https://code.google.com/p/collective-intelligence-framework/wiki/ClientInstall_v1
Threat Intel Sources
• The default threat intel sources are defined in individual configs in
{installdir}/etc/
• They are updated periodically with the {installdir}/bin/cif_crontool
executable.
• They define a source of information, and some basic transforms to
begin the normalization process.
• Sources are defined with access rights (guid, restriction) and a confidence
level that control how their information is used within CIF client queries.
detection = daily
feed = http://reputation.alienvault.com/reputation.data
source = 'reputation.alienvault.com'
guid = everyone
confidence = 65
severity = medium
restriction = 'need-to-know'
alternativeid = "http://reputation.alienvault.com/reputation.generic"
alternativeid_restriction = 'public'
mirror = /tmp
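As an added worked example of the normalization step (a Python sketch written for this page, not CIF’s own code): two feeds with different layouts are parsed into one record shape, and every record is tagged with the per-source metadata the config above carries. The ‘#’-delimited reputation layout, the second source name, the ‘format’ key and the sample lines are constructed assumptions for the demo.

```python
"""Normalize indicator lines from two differently laid-out feeds into one
record shape, carrying the per-source metadata (confidence, severity,
restriction, guid) that a CIF source definition supplies."""
import ipaddress
import re

# Per-source metadata. The field names mirror the source config above; the
# second source and the 'format' key are assumptions for this demo.
SOURCES = {
    "reputation.alienvault.com": {
        "guid": "everyone", "confidence": 65, "severity": "medium",
        "restriction": "need-to-know", "format": "hash_delimited",
    },
    "example-domainlist": {
        "guid": "everyone", "confidence": 85, "severity": "high",
        "restriction": "public", "format": "plain_list",
    },
}

# Constructed sample input. The '#'-delimited layout
# (ip#reliability#risk#activity#country) is an assumption, not a copy of
# the real feed; the last reputation line is deliberately malformed.
REPUTATION_LINES = """\
# comments and blank lines are skipped

203.0.113.10#4#2#Scanning Host#ZZ
203.0.113.77#6#5#Malicious Host#ZZ
not-an-ip#1#1#Garbage#ZZ
"""
DOMAINLIST_LINES = """\
bad.example.net
Evil.Example.ORG
"""

FQDN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def classify(value):
    """Indicator type as CIF labels them: 'ipv4', 'ipv6', 'fqdn', 'url', or None."""
    value = value.strip()
    if not value:
        return None
    try:
        return "ipv%d" % ipaddress.ip_address(value).version
    except ValueError:
        pass
    if "://" in value:
        return "url"
    if FQDN_RE.match(value):
        return "fqdn"
    return None


def normalize(source, text, detecttime):
    """Parse one feed's text into records of a single shape, tagging each with
    the source's metadata. Lines without a recognisable indicator are dropped."""
    meta = SOURCES[source]
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if meta["format"] == "hash_delimited":
            fields = line.split("#")
            indicator = fields[0]
            description = fields[3] if len(fields) > 3 else ""
        else:
            indicator, description = line, ""
        itype = classify(indicator)
        if itype is None:
            continue
        records.append({
            "address": indicator.lower(),   # case-fold so one domain dedups later
            "type": itype,
            "description": description,
            "source": source,
            "guid": meta["guid"],
            "confidence": meta["confidence"],
            "severity": meta["severity"],
            "restriction": meta["restriction"],
            "detecttime": detecttime,
        })
    return records


def build_store(detecttime="2012-08-01"):
    """Merge every configured source into one list, as a periodic cron run would."""
    store = normalize("reputation.alienvault.com", REPUTATION_LINES, detecttime)
    store += normalize("example-domainlist", DOMAINLIST_LINES, detecttime)
    return store


if __name__ == "__main__":
    for r in build_store():
        print(r["type"], r["address"], r["confidence"], r["restriction"], r["description"])
```

The point of `classify` is that the feed format decides only how to split a line; the indicator type is derived from the value itself, so a feed that mixes addresses and domains still yields correctly typed records.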
CIF and AlienVault Open Threat Exchange
• CIF comes with a few public Threat Intel
sources by default: CleanMX, ZeuS Tracker, MalwareDomainList...
• ...and AlienVault Open Threat Exchange, the same IP
reputation and Threat Data we use in the AlienVault product.
• With CIF you can consume it; with AlienVault OSSIM you
can contribute to it automatically and help take the fight
to the Threat Actors.
Querying Feeds
• Commandline client allows querying the
normalized feed data by confidence level, type
of activity seen, network location, domain, etc
• Query if a URI exists in the Threat Feeds:
$ cif -q 'http://www.yahoo.com/example.html'
• Query for all information about hosts on a given network:
$ cif -q 130.201.0.0/16
• Has anyone seen this file before? Query by file hash (the
example value below is a 32-character MD5, not a SHA-1):
$ cif -q a5135ec6f2322cc12f3d9daa38dfb358
• Some simple web interfaces have been created for the HTTP API,
or you can query from your own tools if they are capable of
making API queries.
Consuming Feeds
• CIF comes with a selection of output feed plugins, available via the
commandline tool , using the –p (plugin) argument, using the perl
IODEF module or the HTTP API.
https://github.com/collectiveintel/iodef-pb-simple-perl/tree/master/lib/Iodef/Pb/Format
• Some included formats:
 snort rules
 csv
 json
 bindzone
 html table
 ascii table
 bro (network monitor)
 pcap filter
 iptables
Putting it to Work
• Define feeds that query information according to your
conditions
 Type of Threats observed
 Confidence Levels
 Network Locations, etc etc
• Export in a format consumable by your security controls.
• Automatically block connections, or just raise priority on
alerts that show up in aggregate threat data.
• Create your own data source from your own Security
Analysis work, create limited views on the information
and share with Security Partners.
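An added example (written for this page, not CIF code) covering the query, export and sharing steps described in Querying Feeds, Consuming Feeds and Putting it to Work: a small constructed store is queried by CIDR, exact indicator or URL substring with a confidence floor and a restriction filter, sightings of one indicator from several sources are collapsed to the highest-confidence one, and the result is rendered as iptables, Snort, BIND zone or pcap-filter text. The record shape and the exact output layouts are assumptions modelled on the plugin list above, not CIF’s own.

```python
"""Query normalized indicator records and render the result in formats a
security control can load, in the spirit of CIF's output plugins."""
import ipaddress

# Constructed store; the record shape is an assumption for this demo, not
# CIF's schema. 203.0.113.10 is deliberately reported by two sources.
STORE = [
    {"address": "203.0.113.10", "type": "ipv4", "source": "reputation.alienvault.com",
     "confidence": 65, "severity": "medium", "restriction": "need-to-know"},
    {"address": "203.0.113.10", "type": "ipv4", "source": "example-scanners",
     "confidence": 85, "severity": "high", "restriction": "public"},
    {"address": "198.51.100.5", "type": "ipv4", "source": "example-scanners",
     "confidence": 40, "severity": "low", "restriction": "public"},
    {"address": "bad.example.net", "type": "fqdn", "source": "example-domainlist",
     "confidence": 85, "severity": "high", "restriction": "public"},
    {"address": "http://bad.example.net/login.php", "type": "url",
     "source": "example-domainlist", "confidence": 95, "severity": "high",
     "restriction": "need-to-know"},
]


def query(store, q=None, min_confidence=0, restriction=None):
    """Select records. q may be a CIDR or single IP, an exact indicator, or a
    substring of a URL; min_confidence drops low-confidence sightings and
    restriction limits the view to records cleared for that audience."""
    net = None
    if q is not None:
        try:
            net = ipaddress.ip_network(q, strict=False)
        except ValueError:
            net = None  # not an address, so match by string below
    hits = []
    for r in store:
        if r["confidence"] < min_confidence:
            continue
        if restriction is not None and r["restriction"] != restriction:
            continue
        if q is not None:
            if net is not None:
                if not r["type"].startswith("ip"):
                    continue
                if ipaddress.ip_address(r["address"]) not in net:
                    continue
            elif q != r["address"] and not (r["type"] == "url" and q in r["address"]):
                continue
        hits.append(r)
    return hits


def best_by_indicator(records):
    """Collapse several sightings of one indicator to the highest-confidence one."""
    best = {}
    for r in records:
        cur = best.get(r["address"])
        if cur is None or r["confidence"] > cur["confidence"]:
            best[r["address"]] = r
    return sorted(best.values(), key=lambda r: r["address"])


def render(records, fmt, sid_base=9000000):
    """Emit records as iptables commands, Snort rules, BIND zone stanzas or a
    pcap filter. The layouts are this example's, not those of CIF's plugins."""
    records = best_by_indicator(records)
    ips = [r for r in records if r["type"].startswith("ip")]
    domains = [r for r in records if r["type"] == "fqdn"]
    if fmt == "iptables":
        return "\n".join(
            'iptables -A OUTPUT -d %s -m comment --comment "%s conf=%d" -j DROP'
            % (r["address"], r["source"], r["confidence"]) for r in ips)
    if fmt == "snort":
        return "\n".join(
            'alert ip $HOME_NET any -> %s any (msg:"CIF %s %s"; sid:%d; rev:1;)'
            % (r["address"], r["source"], r["address"], sid_base + i)
            for i, r in enumerate(ips))
    if fmt == "bindzone":
        return "\n".join(
            'zone "%s" { type master; file "/etc/namedb/blockeddomain.hosts"; };'
            % r["address"] for r in domains)
    if fmt == "pcap":
        return " or ".join("host %s" % r["address"] for r in ips)
    raise ValueError("unknown format: %s" % fmt)


if __name__ == "__main__":
    print(render(query(STORE, "203.0.113.0/24", min_confidence=50), "iptables"))
    print(render(query(STORE, min_confidence=80, restriction="public"), "bindzone"))
    print(render(query(STORE), "pcap"))
```

The `restriction="public"` view is the limited feed you would hand to a partner: the need-to-know URL never appears in it even though it has the highest confidence in the store, and the block list still carries the higher-confidence sighting of 203.0.113.10 because the duplicate is collapsed before rendering.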
Taking it from Here
• Get a basic system up
• Start Experimenting with the CIF query tools
• Generate a feed to automatically pass on to
one of your security controls or analysis tools.
• SIEM WatchLists are excellent things to
populate with Threat Intel, to alert and
prioritize on.
• Start responding to attacks made by people,
not signatures triggered by systems.
• Collective Intelligence Framework (CIF) Website
https://code.google.com/p/collective-intelligence-framework/
– Server Installation Instructions
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_v1
(Don’t forget to check the dependencies page for your Linux Distro!)
– Client Installation Instructions
https://code.google.com/p/collective-intelligence-framework/wiki/ClientInstall_v1
– API Documentation
https://code.google.com/p/collective-intelligence-framework/wiki/API_v1
• AlienVault Open Threat Exchange (OTX)
http://www.alienvault.com/alienvault-labs/open-threat-exchange
REFERENCE: HELPFUL TOOLS & RESOURCES
• AlienVault OSSIM, free open-source SIEM
http://communities.alienvault.com
• Free 30-day trial of AlienVault USM
http://www.alienvault.com/free-trial
• AlienVault Labs blog
http://labs.alienvault.com/labs/
• AlienVault Apps & Threat Reports
http://www.alienvault.com/resource-center/open-minds-exchange
Sponsored by: AlienVault
www.alienvault.com
Questions?
Thank You.
To learn more about AlienVault please visit:
www.alienvault.com

Más contenido relacionado

La actualidad más candente

Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
Steve Lodin
 

La actualidad más candente (20)

Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
 
SEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxSEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptx
 
Siem ppt
Siem pptSiem ppt
Siem ppt
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber  Security Operation Center: du Case  StudyWhat We’ve Learned Building a Cyber  Security Operation Center: du Case  Study
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptx
 
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation  Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...Next Generation  Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
 
Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...
Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...
Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...
 

Similar a How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk Tuesday

devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptx
Deepakgupta273447
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 

Similar a How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk Tuesday (20)

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
Easily emulating full systems on amazon fpg as
Easily emulating full systems on amazon fpg asEasily emulating full systems on amazon fpg as
Easily emulating full systems on amazon fpg as
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptx
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
 
Zephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfZephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdf
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT Agents
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
arun.ppt
arun.pptarun.ppt
arun.ppt
 
Ids
IdsIds
Ids
 

Más de AlienVault

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
AlienVault
 

Más de AlienVault (20)

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 

Último

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Último (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk Tuesday

  • 1. How to Normalize Threat Intelligence Data from Multiple Sources #TTTsec @AlienVault Your Host Conrad Constantine Community Manager, AlienVault @cpconstantineTodd Leetham Cyber Threat Intelligence Lead, EMC @rudehimself
  • 2. Covered In This Talk • Getting the Collective Intelligence Framework installed, collecting intelligence from external sources and generating a custom feed to use with your security controls. • Making sense of the Threat Intelligence Resources out there as part of your security monitoring program.
  • 3. What You’ll Need to Build and Use CIF • A Linux system, (a Debian-based distro is preferred) with plenty of resources allocated – 4GB and 20GB of storage recommended for experimentation, 16GB and 500GB recommended for production. • Experience installing Linux software from source. • Basic DBA skills with the PostGreSQL Database. • Admin experience with the BIND DNS resolver • Admin experience with the Apache Webserver • Know how to locate and install Perl Modules. • Familiarity with essential internet topology mechanisms (BGP AS’s, registrars, etc)
  • 4. Collective Intelligence Framework: Redux • Just as a SIEM allows the consumption of log data, normalizing to allow queries, transforms and correlations to be run against them, CIF does the same for Threat Intel Data. • IP addresses, Domains, URI substrings – threat intel comes in many formats and we don’t have time to spend our days converting datasets by hand – automate once, use it forever. • Store Data from multiple sources, combine, process and produce customized output in formats suitable for consumption by the security controls you have in place already. • Query the intelligence data via programming API or human- readable web interface. • Customize output for different audiences, maintain access through a key-based API system, share tokenized, sanitized intelligence amongst multiple organizations without disclosing sensitive information in the process. http://code.google.com/p/collective-intelligence-framework/
  • 6. Threat Intelligence For Mere Mortals• Security Controls (for the most part) detect technical threats – they can’t determine intent. • Malicious activity can be indistinguishable from legitimate, to a software control. • Nothing identifies a False Positive like a second (or third, or fourth) opinion. • Attackers have agility that defenders do not – keeping them on the move and unable to launch an attack from the same place twice raises their costs of ‘doing business’ • Information about where they are launching attacks from, what tools they are using – any piece of information that can make the difference between responding to an Alert, and responding to a Threat.
Putting Threat Intel to Work
• Security Controls generate hundreds of alerts per day (on a slow day).
• Threat Intelligence allows you to prioritize response efforts around alerts caused by external parties known to be conducting malicious activities.
• Threat Intel allows you to group individual alerts together into a larger picture of coordinated activity against your assets, and enables you to strike at the roots of an attack campaign instead of chasing each compromise individually.
• 50 compromised machines? Or one Command And Control system to identify and block communications to?
The Threat Intelligence Marketplace
• Public internet threat intelligence began with Anti-Spam Blacklists.
• Now covers a multitude of open repositories of host/network reputation, malware and exploit signatures and other more specialized information.
• Several Public and Private organizations maintain private (or commercial subscription) feeds of Threat Intelligence, ranging from IP Reputation to specialized research about the individuals carrying out attacks.
• Many emerging standards for defining and exchanging threat information – and security controls often have only limited support for consuming this information.
Building your first CIF Server
• You either:
– Want to start incorporating some public Threat Data into your security controls
• Or
– You’re currently consuming several threat data feeds and want a better way to combine, aggregate and query them, and process them with your security controls and analysis tools
Prerequisites and Environment
• A working BIND installation on the CIF server, configured to use trusted public DNS servers for upstream forwarding:
https://code.google.com/p/collective-intelligence-framework/wiki/BindSetup_v1
• A working PostgreSQL installation on the CIF server, configured for user/pass based auth:
https://code.google.com/p/collective-intelligence-framework/wiki/PostgresInstall_v1
• An Apache Webserver installation, with Mod_Perl loaded.
• A fairly extensive collection of Perl modules:
http://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_DebianSqueeze_v1
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_DebianWheezy_v1
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_Ubuntu12_v1
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_CentOS6_v1
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_CentOS5_v1
CIF Server Installation
• Download the CIF archive, extract it, run the configure scripts.
• Build and ‘make install’.
• Run ‘make initdb’ – this will fail if postgresql was not configured.
• Create a new service account – ‘cif’ – and generate the base CIF configuration file for it: ~/.cif
• Configure Apache to load the CIF http API perl modules via mod_perl.
• Install the Cron entries for CIF to update its threat sources periodically.
• CIF installs to /opt/cif by default.
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_v1
Creating API Keys
• Access to the CIF datastore is done via client apps using an API key.
• You’ll need to generate an access key for each client that will have access to the CIF datastore.
• The initial key creation is going to look something like this:
$ cif_apikeys -u myuser@mydomain.com -a -g everyone -G everyone
userid key description guid default_guid access write revoked expires created
myuser@mydomain.com 249cd5fd-04e3-46ad-bf0f-c02030cc864a 8c864306-d21a-37b1-8705-746a786719bf true all 2012-08-01 11:50:15.969724+00
• You’re going to need this API key to configure a CIF client.
Installing a Client
• The Client is contained in the ‘libcif’ source package – install the perl dependencies and configure && make && make install, as usual.
• This contains the ‘cif’ binary used for commandline interaction with the CIF server.
• Configuration is just the URI for the CIF server API, and the client’s API key (generated previously).
https://code.google.com/p/collective-intelligence-framework/wiki/ClientInstall_v1
Threat Intel Sources
• The default threat intel sources are defined in individual configs in {installdir}/etc/
• They are updated periodically with the {installdir}/bin/cif_crontool executable.
• They define a source of information, and some basic transforms to begin the normalization process.
• Sources are defined with global access rights and confidence levels that control how their information is used within CIF client queries.
detection = daily
feed = http://reputation.alienvault.com/reputation.data
source = 'reputation.alienvault.com'
guid = everyone
confidence = 65
severity = medium
restriction = 'need-to-know'
alternativeid = "http://reputation.alienvault.com/reputation.generic"
alternativeid_restriction = 'public'
mirror = /tmp
CIF and AlienVault Open Threat Exchange
• CIF comes with a few public Threat Intel sources by default.
• CleanMX, Zeustracker, MalwareDomainList..
• ….and AlienVault Open Threat Exchange.
• The same IP reputation and Threat Data we use in the AlienVault product.
• With CIF you can consume it..
• ..With AlienVault OSSIM you can contribute to it automatically and help take the fight to the Threat Actors.
Querying Feeds
• Commandline client allows querying the normalized feed data by confidence level, type of activity seen, network location, domain, etc.
• Query if a URI exists in the Threat Feeds:
$ cif -q 'http://www.yahoo.com/example.html'
• Query for all information about hosts on a given network:
$ cif -q 130.201.0.0/16
• Has anyone seen this file before? Try a SHA-1 Hash query:
$ cif -q a5135ec6f2322cc12f3d9daa38dfb358
• Some simple Web Interfaces created for the HTTP API, or query from your own tools if they are capable of making API queries.
Consuming Feeds
• CIF comes with a selection of output feed plugins, available via the commandline tool using the -p (plugin) argument, using the perl IODEF module, or the HTTP API.
https://github.com/collectiveintel/iodef-pb-simple-perl/tree/master/lib/Iodef/Pb/Format
• Some included formats:
– snort rules
– csv
– json
– bindzone
– html table
– ascii table
– bro (network monitor)
– pcap filter
– iptables
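The pipeline the last three slides describe (a source definition with confidence and restriction, a query filtered by confidence and observable type, and output in a control-specific format) as an added Python example. This is not CIF’s own code: the key = value parsing, the observable patterns, the feed lines and the output shapes (the iptables and RPZ-style bind lines stand in for the real plugins) are all assumptions made for the illustration.

```python
import re

# Constructed source definition in the key = value style of the CIF source config above.
SOURCE_CFG = """
source = 'reputation.alienvault.com'
confidence = 65
restriction = 'need-to-know'
"""
# Constructed observables standing in for lines pulled from a feed (not real indicators).
RAW_FEED = ["203.0.113.7", "malware.example", "http://www.example.com/evil.html",
            "a5135ec6f2322cc12f3d9daa38dfb358", "not an observable!"]
# Observable types in match order; hash covers MD5, SHA-1 and SHA-256 by digest length.
PATTERNS = [("hash", r"(?i)[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}"),
            ("url", r"https?://\S+"),
            ("address", r"\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?"),          # IPv4 host or CIDR
            ("fqdn", r"(?i)[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")]

def parse_source(text):
    """Read key = value lines, stripping the single or double quotes the configs use."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cfg[key] = val.strip("'\"")
    cfg["confidence"] = int(cfg.get("confidence", 0))
    return cfg

def classify(obs):
    return next((kind for kind, pat in PATTERNS if re.fullmatch(pat, obs)), None)

def normalize(raw, cfg):
    """Tag each parseable observable with the source's confidence and restriction."""
    return [{"observable": o, "type": classify(o), "source": cfg["source"],
             "confidence": cfg["confidence"], "restriction": cfg["restriction"]}
            for o in map(str.strip, raw) if classify(o)]   # unparseable lines are dropped

def select(recs, min_confidence=0, kind=None, share=False):
    """Query-style filter; share=True drops need-to-know records bound for a partner."""
    return [r for r in recs if r["confidence"] >= min_confidence
            and (kind is None or r["type"] == kind)
            and not (share and r["restriction"] == "need-to-know")]

def render(recs, fmt):
    """Emit the selected records as csv, iptables rules or RPZ-style bind zone lines."""
    if fmt == "csv":
        return "\n".join(f"{r['observable']},{r['type']},{r['confidence']},{r['source']}" for r in recs)
    if fmt == "iptables":
        return "\n".join(f"iptables -A INPUT -s {r['observable']} -j DROP" for r in recs if r["type"] == "address")
    if fmt == "bindzone":
        return "\n".join(f"{r['observable']} CNAME ." for r in recs if r["type"] == "fqdn")
    raise ValueError(f"unknown output format: {fmt}")
```

Raising the confidence threshold above the source’s 65, or setting share=True on a need-to-know source, yields an empty feed, which is the behaviour you want before a block list reaches a firewall or a partner.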
Putting it to Work
• Define feeds that query information according to your conditions:
– Type of Threats observed
– Confidence Levels
– Network Locations, etc etc
• Export in a format consumable by your security controls.
• Automatically block connections, or just raise priority on alerts that show up in aggregate threat data.
• Create your own data source from your own Security Analysis work, create limited views on the information and share with Security Partners.
Taking it from Here
• Get a basic system up.
• Start Experimenting with the CIF query tools.
• Generate a feed to automatically pass on to one of your security controls or analysis tools.
• SIEM WatchLists are excellent things to populate with Threat Intel, to alert and prioritize on.
• Start responding to attacks made by people, not signatures triggered by systems.
REFERENCE
• Collective Intelligence Framework (CIF) Website
https://code.google.com/p/collective-intelligence-framework/
– Server Installation Instructions
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_v1
(Don’t forget to check the dependencies page for your Linux Distro!)
– Client Installation Instructions
https://code.google.com/p/collective-intelligence-framework/wiki/ClientInstall_v1
– API Documentation
https://code.google.com/p/collective-intelligence-framework/wiki/API_v1
• AlienVault Open Threat Exchange (OTX)
http://www.alienvault.com/alienvault-labs/open-threat-exchange
HELPFUL TOOLS & RESOURCES
• AlienVault OSSIM, free open-source SIEM
http://communities.alienvault.com
• Free 30-day trial of AlienVault USM
http://www.alienvault.com/free-trial
• AlienVault Labs blog
http://labs.alienvault.com/labs/
• AlienVault Apps & Threat Reports
http://www.alienvault.com/resource-center/open-minds-exchange
Sponsored by: AlienVault www.alienvault.com
#TTTsec @AlienVault
Thank You.
#TTTsec @AlienVault
Your Host
Conrad Constantine
Community Manager, AlienVault
@cpconstantine
To learn more about AlienVault please visit: www.alienvault.com