
Log & Event Manager 6.2 and a Threat Intelligence Feed

Product Manager

Over the last few months, the Log & Event Manager (LEM) team has been working hard on a not so short list of features. I'm excited to announce that a major feature of the upcoming release of LEM 6.2 will be something that you all have asked for time and again: Threat Intelligence Feed integration. And so, I decided to take a moment to show off a bit of what the feature will look like and provide a chance to test the new functionality.

So before I get started, feel free to click below to be included in the LEM 6.2 beta program to test out new features such as the Threat Intelligence Feed and more.

download button.png

What's in the Threat Intelligence Feed for me?

The concept of Threat Intelligence is one that has been covered in the world of security news for some time now. The problem is that, generally speaking, the term opens itself to a broad range of implementations and thus can mean something different to every vendor. So why should you care about the feature as it applies to SolarWinds? LEM 6.2's Threat Intelligence Feed will allow your organization to be prepared to recognize and handle already known and proven threats. With LEM analyzing your environment for activity against a list of known malicious threats, you will be able to easily incorporate the shared knowledge of top, reputable threat lists into your own workflows to protect yourself from the risk these threats pose. Since that is a lot of words, let's jump into some screenshots that will help to better clarify what the new feature brings.

From Reactive to Proactive

LEM's new Threat Intelligence Feed is what allows your organization to move from reactive detection, looking around your environment as best you can and hoping to surface suspicious activity, to the world of proactive detection - creating workflows that will ensure you know right away when known bad actors have made their way into your own environment.

We've all been there before - pulling down a list of threat indicators and manually searching for traces of them throughout our environment. Well with the Threat Intelligence Feed, that won't be necessary because the part that we know our customers will delight in most is the ease of implementation. All you have to do is check a box in your LEM console's Appliances Properties screen and you've enabled automatic coverage of some of the top threat lists available today.

threat_intelligence_enable.png

Search and Filters and Rules - Oh my!

Once enabled, LEM will automatically begin detecting threats in your environment. And if it finds something, it's readily available to you throughout LEM. The first place you'll be able to find it is through an nDepth search (see below - the highlighted event has been flagged by LEM as a known threat).

ndepth.png

Of course we know that search isn't the ideal way to consume such critical security information, so we will also include out-of-the-box functionality that will help you get the most value out of this feature. This includes pre-built Filters, such as the one for All Threat Events seen in the screenshot below.

filters.png

And, finally, who would we be if we didn't provide out-of-the-box correlation rules, allowing you to take action and alert whenever a threat event is found in your environment (just in case you don't spend your whole day in the LEM console - which is how I spend mine). See the image below for a rule to take action on a potential threat flagged by the Threat Intelligence Feed.

ootb correlation rule.png

In summary

While there's more in store for the release of LEM 6.2, the Threat Intelligence Feed is a feature we are excited about and hope that you are excited about too. As such, we want to get this into your hands ASAP so we can get your thoughts on it while we still have time to make fixes and improvements.

So if you're a current LEM customer interested in testing out LEM 6.2 and getting your hands on new features such as the Threat Intelligence Feed, sign up for the beta here.

10 Comments
Level 12

A past TriGeo, and not a current LEM, client. Looking forward to feedback from others that sign up for the beta.

I'm looking for more inclusion of custom threat feeds I already subscribe to, and manually review a number of active threats per day. It would be nice to pull in, for instance, feeds from community partners in our industry, and have the option to share anonymously back into the communities with which we share common security issues via ISACs.

We'll likely be in the market next year for a solution like LEM that shows potential in this area of threat intelligence.

Product Manager

We're looking to add some dashboard widgets and reports in an upcoming release that should help with things like the "active threats per day".

A "Bring Your Own Feed" approach is also something we're interested in doing, so your input will be most helpful as we start working on the next iterations. Interestingly, recent threat intelligence feed research shows not as much overlap across feeds as you'd expect, so there's a lot of opportunity to just keep layering them on.

Level 9

I have been doing a great deal of work with threat intelligence feeds over the past 6 months. Most of the issues come from Flash and Java, which tend to be ads embedded from 3rd party websites. (If you're not already using the EFF's Privacy Badger, install it and force the companies to change their bad practices.)

My tool of choice up to this point has been pfSense with the pfBlockerNG and Suricata plugins. The latest updates added a few cool features, one of them being feed sources in different formats, normalising and deduplicating them. Version 2.0 of pfBlockerNG will add support for URLs vs just IP lists at the moment, which then allows tracking / blocking of pages vs sites.

Screenshot.png

Also just started testing https://intel.criticalstack.com/. At last count it had 104 feeds, free by the way, and uses a simple command line tool to export the "Collections" of feeds to lists that can then be used locally. It's already integrated into the Bro Network Security Monitor and Security Onion. Once LEM allows feeds from an external source this could simplify the formatting for an import.

Thanks

Tony

Level 21

It's probably needless to say that I am super excited about this feature since I opened one of the original feature requests for Threat Intelligence Feed integration!

I am curious, where is the IP Reputation feed being sourced from? I apologize if this detail was covered and I missed it; it's been a long day... er, make that a long week.

Product Manager

I'm pretty sure from my research (granted, this is from memory) the Emerging Block IPs list includes a couple of those (spamhaus, malcode, abuse.ch?), but this is a handy list. Part of the problem is parsing how each list is formatted (IPs, subnets, one on each line, etc), but this is great input.

Interesting data on threat intelligence lists as of late is that the data doesn't overlap much, so the more the merrier.
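The two practical points raised in the comments above, that feeds arrive in different formats (bare IPs, subnets, one entry per line, comment styles) and need normalising and deduplicating before they are useful, and that a match against the resulting list is what turns an ordinary log event into a flagged "threat event" like the one in the nDepth screenshot, can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not SolarWinds code, not LEM's parser, and not pfBlockerNG's. The feed text, the event lines, the `src=`/`dst=` key-value shape and the internal address ranges are all constructed assumptions, using documentation address space only.

```python
import ipaddress
import re

# Constructed sample of one block-list feed, mixing the formats mentioned in the
# comments: bare IPs, CIDR prefixes, two comment styles, duplicates, a host
# already covered by a prefix, an internal range and junk. Hypothetical data.
SAMPLE_FEED = """\
# constructed block list (hypothetical data, not a real feed)
198.51.100.7
198.51.100.7                 # exact duplicate line
203.0.113.0/24
203.0.113.77                 # host already covered by the /24 above
192.0.2.10 ; trailing comment in a different style
10.0.0.0/8                   # our own internal range: must never be an indicator
0.0.0.0/0                    # overly broad prefix: would flag every event
not-an-indicator
2001:db8::1
"""

# Constructed sample events in a generic key=value shape (assumption: not LEM's own format).
SAMPLE_EVENTS = [
    "2015-06-01T10:00:01Z action=allow src=192.0.2.10 dst=10.1.1.5",
    "2015-06-01T10:00:02Z action=allow src=10.1.1.9 dst=203.0.113.77",
    "2015-06-01T10:00:03Z action=deny src=10.1.1.9 dst=192.0.2.250",
    "2015-06-01T10:00:04Z action=allow src=2001:db8::1 dst=10.1.1.5",
]

# Ranges the organisation owns (hypothetical); indicators inside them are rejected
# so that a badly curated feed cannot turn every internal host into a "threat".
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Reject prefixes broader than this (a /0 or /4 in a feed is almost certainly an error).
MIN_PREFIXLEN = {4: 8, 6: 32}

_INDICATOR = re.compile(r"^[0-9a-fA-F:.]+(?:/\d{1,3})?")
_EVENT_IP = re.compile(r"(?:src|dst)=([0-9a-fA-F:.]+)")


def _is_internal(net):
    """True if the whole indicator falls inside one of our own ranges."""
    return any(net.network_address in r and net.broadcast_address in r
               for r in INTERNAL_RANGES)


def parse_feed(text):
    """Normalise a feed into a deduplicated, collapsed list of ip_network objects.

    Returns (networks, skipped); skipped holds the raw lines that were rejected,
    so a feed that silently yields nothing is visible to the operator.
    """
    by_version = {4: set(), 6: set()}
    skipped = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop both comment styles
        if not line:
            continue
        m = _INDICATOR.match(line)
        try:
            net = ipaddress.ip_network(m.group(0), strict=False) if m else None
        except ValueError:
            net = None
        if net is None or net.prefixlen < MIN_PREFIXLEN[net.version] or _is_internal(net):
            skipped.append(raw)
            continue
        by_version[net.version].add(net)       # the set removes exact duplicates
    networks = []
    for version in (4, 6):
        # collapse_addresses merges hosts covered by a prefix and adjacent prefixes
        networks.extend(ipaddress.collapse_addresses(sorted(by_version[version])))
    return networks, skipped


def flag_events(events, networks):
    """Return (event, address, indicator) for every event address inside an indicator."""
    hits = []
    for event in events:
        for text in _EVENT_IP.findall(event):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue
            match = next((n for n in networks if addr in n), None)
            if match is not None:
                hits.append((event, text, str(match)))
    return hits


if __name__ == "__main__":
    nets, skipped = parse_feed(SAMPLE_FEED)
    print("indicators:", [str(n) for n in nets])
    print("skipped:", skipped)
    for event, addr, indicator in flag_events(SAMPLE_EVENTS, nets):
        print(f"THREAT {addr} matched {indicator}: {event}")
```

Two design choices matter more than the parsing itself. First, rejecting indicators that fall inside your own ranges or are broader than a sane prefix length is what keeps one sloppy upstream entry (a `/0`, or an RFC 1918 block someone pasted in) from flagging every event in the console; the rejected lines are returned rather than dropped so the operator can see why a feed produced fewer indicators than expected. Second, collapsing hosts into the prefixes that already cover them is the "normalise and deduplicate" step the pfBlockerNG comment refers to, and it is also why layering several feeds with little overlap costs little: the collapsed list only grows by what is genuinely new.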

Product Manager

I think there is going to be a KB up on this soon as the team gets closer to release, but initially we chose the Emerging Threats Block list (which is in Tony's list above) as it's an accumulation of several other sources that is regularly maintained and didn't require any additional licensing on our/your behalf. It's definitely intended to be a list of highly confident known bad IPs, not so much the gray area in the middle.

Level 9

Anyone looking for a complete list of blocklists should take a look at the import script for pfSense:

https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975

Thanks

Tony

Level 21

Thanks for the info.  Is there anywhere in LEM where configurations can be managed with regard to the IP Reputation feed or is this something completely hidden on the back-end of the product?

Level 11

At this time they are not configurable.