Oftentimes, security attacks that were clearly recorded in logs go unnoticed. They are obscured by a large sea of log data created by most modern cloud environments. In some cases, like during a DDoS attack, there will be a huge spike in logs so it will be very clear what happened. In other situations, just a few logs will document the attack. Finding these logs can be like finding a needle in a hay stack.
But if you know what to looks for, it doesn’t need to be so hard to spot these attacks. Logs that these attacks generate contain clear indicators of malicious intent. For example, the logs can show activity from known malicious IPs, DNSs, or URLs.
The challenge is identifying one or more of these threat indicators within log data in real time. In environments with millions of new logs and threat indicators rapidly publishing on threat intelligence feeds, combing all of this information is no easy task. So when an attack does inevitably come, will you be ready to find the malicious activity in your logs?
Cross-Reference Logs with Public Threat Intel Feeds
Clearly, the task at hand demands automation. No person can spot all the malicious IP addresses throughout their entire log batch. Tools like Logz.io Cloud SIEM automatically cross-reference your incoming logs with public threat feeds to identify malicious IPs, DNSs, and URLs
Currently, Cloud SIEM uses 14 reputable public threat feeds to find known malicious indicators in log data. High confidence feeds are crucial to avoid false positives and find a wide variety of threat information. You can read more about some of these feeds in our article on top ten open source threat feeds.
By hitting the ‘Threats’ tab and opening up ‘Threat Intelligence Feeds’ in Logz.io, you see the complete list of public feeds we use.You can also see that the feeds are updated (“synced”) daily.
Introducing Private Threat Feeds at Logz.io
Now, Logz.io Cloud SIEM users can cross-reference log data with private threat intelligence feeds to identify malicious activity. This expands the amount of security information that can be found in your log data. Private feeds can also be more tailored to a specific environment, rather than providing general threats.
Those already using private threat intelligence feeds know they can be expensive, so they will want to put them to good use. They also may be a part of a long term strategy, so it’s always best to have the flexibility to use different feeds according to changing priorities.
Also, threat feeds will have different focuses and strengths. This is why cross referencing your logs with multiple threat feeds increases the scope and variety of security incidents you can detect in your environment. With the option to use private feeds, Logz.io Cloud SIEM customers can now leverage threat information from a broader set of sources.
Analyzing Threats on the Logz.io Cloud SIEM Threat Overview Dashboard
After cross-referencing logs with public and private threat intelligence feeds, you can be left with a long list of events with known security threats in the log messages. But where do you start? How should the security events be prioritized?
Our Cloud SIEM team at Logz.io built a Threat Overview Dashboard to provide simple answers to these questions. By leveraging the visualization and investigative powers of Kibana, users can quickly slice and dice their log data to drill into the highest-priority information.
The top left visual breaks down attacks by threat feed. This can be helpful for those who want to start their investigations with the highest confidence feeds or by more familiar and preferred feeds.
You can also start investigations according to high priority IOCs (left), the security tool that identified an attack (middle) or by the type of attack (right) in the screenshot below.
From Logz.io’s Threat Overview dashboard, security teams can quickly dive into the most relevant information to prioritize threats.
Of course, we have many other dashboards specific to cloud technologies like EC2, CloudTrail, or Azure Sentinel. Additionally, we have integrations and dashboards for security tools from Palo Alto Networks, Check Point, and Hashicorp. To learn more about our Cloud SIEM check out our product page here.