In today’s increasingly volatile cyber landscape, information technology (IT) teams and their organizations are actively seeking the right solutions to help them safeguard their network infrastructure and protect their businesses against malicious attacks, data breaches, and any other digital threats. As cybercriminals, scammers, and viruses are becoming more adept at using sophisticated tools and procedures to access systems, businesses should hone their information security teams and solidify their defenses through the use of threat intelligence.
By implementing an effective threat intelligence strategy, IT teams and businesses can bolster their technology infrastructure and prepare their environments for both known (and unknown) threats. But what exactly is threat intelligence, and how can this approach lead to a more holistic view of the threat landscape, thus allowing organizations to recognize, detect, analyze, and prevent various attacks in a real-time manner?
In the following article, Chris Doman, the Threat Engineer and Security Researcher at AlienVault, discusses the direct business benefits of threat intelligence for security teams, and expands on how the AlienVault Open Threat Exchange (OTX) can help organizations achieve top-class security in a seamless and cost-efficient manner.
Q: Can you share a brief background of AlienVault as a company? Who are some current clients that trust their security and threat detection with AlienVault?
A: AlienVault was founded in 2007 on the belief that every organization deserves a strong security posture, regardless of the complexity of their IT environment or the size of their IT security budget. The company’s mission is to simplify security monitoring and management for organizations of all sizes through Unified Security Management® (USM), a unique approach that integrates essential security controls into a single platform. AlienVault’s SaaS-based cloud platform, USM Anywhere™, makes it easy, fast, and affordable for companies to achieve centralized threat detection, incident response, and compliance management across cloud and on-premises environments.
The company also developed and delivered the first truly open threat intelligence platform, Open Threat Exchange (OTX), which allows members to share data about emerging threats for free, making actionable threat intelligence accessible to all. Combined with the security controls of AlienVault USM Anywhere, OTX data enables companies to detect and respond to threats faster.
Today, AlienVault has more than 6,000 commercial customers representing a range of industries. Notable customers include the Arizona Cyber Warfare Range, Bank of Marin, Boise State University, CeloPay, FOCUS Brands, Lucky Shoes, Save Mart Supermarkets, Shake Shack, Soul Cycle, Starwood Waypoint, and Tinder.
Q: In your opinion, what would you say are some of the most pressing threats to today’s businesses?
A: One of the biggest threats that companies are facing today is ransomware. With do-it-yourself ransomware toolkits and Ransomware-as-a-Service (RaaS) providers easily accessible, businesses face an ever-increasing risk of being held hostage to cybercriminals demanding high payments to unlock encrypted servers and data.
There’s a growing threat of ransomware explicitly targeting small businesses, and charging high ransoms to return key business systems back to recovery. Two malware families we’ve recently seen deployed for this are SamSam and LockCrypt.
Meeting compliance standards including PCI DSS and HIPAA is another key threat for IT teams. It is often a manual process that requires aggregating data from different systems using multiple security tools to provide a single view or set of reports to management and auditors. This is an expensive and time-consuming process. However, it still doesn’t provide comprehensive visibility into all data or continuously monitor it to detect threats — leaving the door open to cybercriminals. As regulatory requirements are changing with the addition of the General Data Protection Regulation (GDPR) in May 2018, companies are scrambling to put the necessary processes and technology in place to ensure compliance.
Q: What are some of the common ways that cybercriminals hack networks or compromise security? What are some standard practices that businesses can employ to help prevent these?
A: There are many ways that cybercriminals can compromise corporate networks. One common way is through email accounts when an employee clicks on a malicious attachment or link or provides credentials in response to a “spoofed” email address that looks like it has come from within the company. We’re also seeing lots of old-fashioned fraud over email, with criminals impersonating the CEO and emailing finance departments requesting a bank transfer. Unfortunately, it works all too often, and the FBI estimates losses to “Business Email Compromise” amount to billions of dollars.
Other common attack vectors can arise when more companies move some or all of their operations to the cloud without knowing how to properly secure it. Cybercriminals can take advantage of resulting vulnerabilities that in-house IT and security professionals are often not prepared to address either because they don’t understand their role in cloud security or are not aware of the best way to execute. For example, private information has been publicly exposed because Amazon Web Services (AWS) buckets were not properly secured. This has resulted in several breaches including Accenture’s, which occurred last month. Similarly, many companies were found to have inadvertently left sensitive documents publicly accessible on Microsoft’s docs.com.
To combat attacks, companies have typically invested the bulk of their security budgets in tools for prevention. Despite years of increasing cybersecurity spend on prevention, however, breaches are occurring more frequently, and impacting a greater number of users and companies. More attention should be going towards building out threat detection capabilities in order to discover when an attack is underway, or has occurred in a relatively short timeframe. In addition, awareness and education of employees are key strategies that can help minimize risk and keep company data safe – regardless of whether it’s on-premises or in the cloud.
Q: As a provider of powerful threat detection and incident response, AlienVault takes pride in real-time threat intelligence. Can you please give us an idea of how this works and what this encompasses?
A: Threat intelligence takes many forms, and for us that means everything from high-level reports and rules to hunt for unusual behavior, right down to signatures for individual malware families.
AlienVault Labs’ Threat Intelligence is a continuously updated collection of correlation directives, network IDS signatures, host IDS signatures, asset discovery signatures, vulnerability assessment signatures, reports, dynamic incident response templates, and plugins that collect data (system, application, and devices), detect threats, and generate actionable alarms.
In addition, the AlienVault Open Threat Exchange (OTX) is a free, rich database of crowd-sourced threat intelligence that provides its 65,000 members with real-time data related to emerging threats. However, with more than 14 million threat indicators contributed to OTX each day, the challenge is to analyze and organize this information and make it easy for members to find the data that they’re looking for. OTX quickly parses data into pulses – collections of threat indicators related to a potentially malicious activity. Members can subscribe to each other’s pulses and provide feedback / additional Indicators of Compromise to improve the quality of a particular pulse. Data from OTX feeds directly into our Unified Security Management platform to ensure that it is updated with the latest threat indicators, but members can also automatically export data from OTX into any security platform to update their defenses through our DirectConnect API, which eliminates the need to manually export threat data from the platform.
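As an added illustration of the pulse model described above (this is example code written for this article, not AlienVault's code and not the real OTX or DirectConnect API), the script below loads a constructed pulse in an OTX-like shape, matches its indicators against a few constructed log lines, and ranks internal hosts by the number of hits so the noisiest sources surface first. The pulse field names, the indicator type labels, and the key=value log format are all assumptions made for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample pulse in an OTX-like shape. The field names ("id",
# "indicators", "indicator", "type") are an assumption for this example.
SAMPLE_PULSE_JSON = """
{
  "id": "pulse-example-0001",
  "name": "Constructed example: ransomware delivery infrastructure",
  "indicators": [
    {"indicator": "203.0.113.45", "type": "IPv4"},
    {"indicator": "updates.example-bad.test", "type": "domain"},
    {"indicator": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
     "type": "FileHash-SHA256"}
  ]
}
"""

# Constructed log lines (proxy/DNS/endpoint style) in a simple key=value format.
SAMPLE_LOGS = [
    "ts=2018-01-10T09:12:01Z src=10.0.0.12 dst=198.51.100.7 host=cdn.example.test",
    "ts=2018-01-10T09:12:05Z src=10.0.0.31 dst=203.0.113.45 host=updates.example-bad.test",
    "ts=2018-01-10T09:13:22Z src=10.0.0.31 sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "ts=2018-01-10T09:14:00Z src=10.0.0.77 dst=192.0.2.10 host=mail.example.test",
]

# Which log field each indicator type should be compared against (assumed mapping).
FIELD_FOR_TYPE = {"IPv4": "dst", "domain": "host", "FileHash-SHA256": "sha256"}

def load_indicators(pulse_json):
    """Index a pulse's indicators by log field: {field: {value: indicator type}}."""
    pulse = json.loads(pulse_json)
    index = defaultdict(dict)
    for ioc in pulse["indicators"]:
        field = FIELD_FOR_TYPE.get(ioc["type"])
        if field:  # skip indicator types this log source cannot observe
            index[field][ioc["indicator"].lower()] = ioc["type"]
    return pulse["id"], index

def parse_log(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def match_logs(pulse_json, lines):
    """Return one alarm per (log line, indicator) hit, tagged with the pulse id."""
    pulse_id, index = load_indicators(pulse_json)
    alarms = []
    for line in lines:
        fields = parse_log(line)
        for field, value in fields.items():
            hit = index.get(field, {}).get(value.lower())
            if hit:
                alarms.append({"pulse": pulse_id, "src": fields.get("src"),
                               "field": field, "indicator": value, "type": hit})
    return alarms

def prioritize(alarms):
    """Rank internal sources by number of indicator hits, most hits first."""
    counts = defaultdict(int)
    for alarm in alarms:
        counts[alarm["src"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

Running `prioritize(match_logs(SAMPLE_PULSE_JSON, SAMPLE_LOGS))` puts 10.0.0.31 at the top with three hits (a destination IP, a domain, and a file hash from one pulse), which is the kind of correlated, multi-indicator signal worth an analyst's time ahead of single-event noise.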
Q: You introduced the open source Open Threat Exchange (OTX) community. What is the community founded on, and what are its goals? Who can be a part of this community? And why do you believe open source is important to businesses, regardless of industry?
A: AlienVault’s OTX was founded on the fundamental belief that threat intelligence should not only be accessible to large companies with huge budgets and security research teams – all companies large or small need to have access to timely threat data to ensure that their systems are able to detect new and evolving threats.
OTX is freely accessible to anyone. It is a truly open community of over 65,000 threat researchers and security professionals who actively discuss, research, and validate the latest threats.
The recent destructive attacks involving WannaCry, NotPetya, and BadRabbit were great tests of OTX. In each case we had a report on the incident out soon after the attacks started – and before analysis started to arrive in the form of blogs. AlienVault pushed out indicators relating to the attacks and corrected misinformation live as we continued our analysis – and other users of OTX did the same. It was great to share the urgent analysis with the other users on the platform.
AlienVault was founded on open-source (OSSIM). For myself, it was one of the reasons I was attracted to work at AlienVault, and I think that’s true for many of my colleagues.
Q: Why is community-generated threat data important? Why is it advantageous to count on this?
A: The traditional threat sharing model was based on one-way communication and was very expensive and unattainable for most — data would flow from a vendor or research team to a subscriber with very little collaboration taking place. There are such a diverse set of threats out there that no single organization can cover them all — instead, we collect all the information from multiple organizations in one place.
However, AlienVault OTX enables a different model of threat sharing entirely, one that allows members to openly research, share and collaborate on threats. We were determined to change the way that the information security community creates and consumes threat data; our Open Threat Exchange does just that by crowd-sourcing data and providing all members with access to a rich and comprehensive database of threat indicators. Crowd-sourcing threat data allows each member of the OTX community to benefit from the collective knowledge and experience of all members of the exchange, and each of them can then use this data to automatically update their own security solutions.
The rapid growth we’ve seen in the number of participants and the amount of data collected by the OTX since we launched it in 2012 is a testament to our success in realizing our goal of making threat intelligence accessible to all.
Q: What is “threat intelligence”? Why is it relevant to enterprises, and how can they embrace it?
A: Threat intelligence is information that can be used to prevent attacks against an organization. In practice that normally means information that identifies a potential attack, or helps prioritize resources.
Many security tools generate a steady stream of alerts about important (and not so important) activity, causing IT teams to use up their valuable time trying to manually correlate disparate activity in their log files. They typically need to dig through thousands of seemingly innocuous events, in the hopes of identifying those few indicators that might signify system compromise or data breach.
Given these challenges, timely threat intelligence that works with security solutions to analyze and prioritize alerts is essential for enterprises in accelerating threat detection.
Q: What are some future developments that AlienVault is pursuing? And what do you see in the future of cyber threat security?
A: We’ll be releasing a new version of the Open Threat Exchange soon. It has a big focus on better visualizing malware to explain how it works to users that aren’t reverse engineering experts.
There have been some great leaps forward in the past few years. The largest software vendors now rarely release code with significant vulnerabilities, and the growth in the cyber-security market has led to an influx of new talent.
But there are also real challenges to address. Ransomware still works, there’s a booming business in selling malware to dictatorships and the increasing usage of encryption poses security challenges as well as benefits.
About AlienVault
AlienVault, a premier developer of open threat intelligence solutions, provides organizations of all shapes and sizes with highly-intelligent security options that are both affordable and easy to use. Headquartered in San Mateo, California, the company delivers powerful threat detection, incident response, and compliance management solutions in the cloud, on-premises, and across hybrid environments. AlienVault specializes in asset discovery, intrusion detection, unified security management, vulnerability assessment, log management and security information and event management (SIEM), cloud security, continuous threat intelligence, and more. Trusted by over 6,000 customers, AlienVault is applicable to companies in all industries that are seeking world-class security without the huge expense.