Cloud, microservices, Kubernetes — all these bleeding-edge technologies revolutionizing the way applications are built and deployed are also a huge security headache. Modern IT environments are increasingly comprised of more and more components and layers, each of generating growing amounts of data.
In most organizations, more data is a double-edged sword. On the one hand, it gives teams more visibility into their environment. On the other hand, it also means that these teams will most likely be dealing with more security events.
Since more data sources also mean new vulnerabilities and attack vectors, the engineer or security analyst tasked with securing these environments faces not only an overwhelming amount of security alerts, a large percentage of which are false-positives, but also an ever-evolving threat landscape.
Needless to say, this complexity slows down and impedes security investigations. Which is why modern SIEM solutions seek to alleviate some of this pain by providing teams with threat intelligence — additional information that can be used to understand the threats currently targeting an organization and thus make faster and more informed security decisions.
What is Threat Intelligence?
Gartner defines threat intelligence as follows:
“Threat intelligence” (TI) is evidence-based knowledge — including context, mechanisms, indicators, implications, and actionable advice — about an existing or emerging menace or hazard to IT or information assets. It can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Put simply, threat intelligence helps the engineer or analyst make faster and more informed decisions by providing information about who’s attacking, what their motivation is, and what to look for.
An example could be a malicious IP address recorded in a log message generated by a web server. This log is collected and stored together with the other millions of log messages generated by the environment and without threat intelligence, it would go unnoticed until it’s too late. Solutions like Logz.io Cloud SIEM offer advanced threat intelligence capabilities that will automatically identify the IP in the log as being malicious and flag it for further investigation.
Threat Intelligence in Logz.io Cloud SIEM
Logz.io Cloud SIEM provides simple threat detection and analytics built on top of the ELK stack. It’s fast, easy to use, and open-source-native to reduce threat detection times and improve a team’s security posture. One of the ways Logz.io’s Cloud SIEM helps speed up investigation times is with threat intelligence.
Logz.io Cloud SIEM automatically correlates the data sent to the system from your environment with multiple public threat feeds such as blocklist.de and alienvault reputation. If your logs are found to contain an IOC (an indication of compromise), the threat is recorded and displayed on a dedicated Threats page:
From this page, further investigation can ensue by clicking on a malicious IP and drilling down further into the rabbit hole.
Conveniently, the threat feeds used to correlate with your data can be viewed on the new Threats → Threat intelligence feeds page:
Each feed listed on the page displays the IOC (Indication of Compromise) type, a confidence score, a URL for investigating further, and the date of the last sync.
Currently, Logz.io Cloud SIEM supports three IOC types — IP, DNS and URL. The confidence score is a rating given by Logz.io’s security analysts which indicates a level of accuracy for each feed, based on their experience investigating data. Feeds are updated and synced once a day.
The page can also be used to perform research on potential IOCs. Simply enter an IP, DNS or URL you suspect might be malicious to search across the feeds. This could prove to be useful in case you’re investigating IOCs in historical logs or logs not currently being shipped into Logz.io.
To keep leaders, stakeholders and other users informed on the latest threats in your environment you can create a report, in essence, a snapshot of the Threats page, on a set schedule.
Why is threat intelligence important?
Organizations have an increasingly low tolerance for risk. Downtime or breaches are simply not an option. The teams tasked with securing modern IT environments, therefore, require security solutions that facilitate smarter and more efficient investigation workflows instead of manually triaging false-positives.
Threat intelligence gives teams the information they need to make faster and more informed security decisions. It helps keep teams informed of the latest threats and be more proactive about how they investigate threats. Logz.io Cloud SIEM provides users with automatic and up-to-date threat intelligence enabling you to identify and mitigate new and emerging attacks more quickly.