Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


AbuseSA & SIEM

No description

Marko Laakso

on 14 October 2014

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of AbuseSA & SIEM


Collecting, Monitoring and Sharing Indicators of Compromise (IoCs)
Abuse Situational Awareness
Indicators of Compromise
Actionable IoCs:
IP-addresses, DNS-names, URLs
Email-addresses, file hashes
IDS-rule identifiers

Infected hosts, defaced sites
Command and Control, drop sites
Bad guys, bad servers, bad domains
Trending APT attack patterns

Anything you can and should investigate if seen in context of your assets to be protected!
IoC Process Cycle
Codenomicon AbuseSA Collectors
Reliable collection of IoC intelligence feeds
Codenomicon AbuseSA Sensors
Triggering if IoCs are found from your:
Network traffic (packets, netflows, DNS)

Available as software and
appliance solutions.
Codenomicon AbuseSA
Response Services and Tools
Integration to helpdesk, ticketing, teleoperator CRM and other workflow systems.

Industry specific APT triage tools and forensic services.
Codenomicon AbuseSA Interface
Browser Based Situational Awareness for Collaborative Investigation
Codenomicon AbuseSA
Reporting, PR and sharing for decision makers, constinuency and IoC intelligence partners
AbuseSA Solution
Comprehensive Product Family:
AbuseSA for IoC Collection, Investigation and Sharing
AbuseSA Sensors for Network, IDS and SIEM
AbuseSA Services for Response, Forensics and Integration

National Cyber Defence
Critical Infrastructure Protection
Abuse and Incident response teams
Codenomicon AbuseSA
SIEM Sensor

AbuseSA SIEM sensor leverages your SIEM and logging investments through Indicators of Compromise (IoC) correlation. IoCs from external feeds are matched against your SIEM. This turns the mass of events from your environment into few actionable alerts. You gain added value from the threat intelligence through faster reaction times, less false positives and ability to identify malicious activity before it escalates to further damages.
Focus and Clarity

Correlation against IoCs adds focus and clarity to your log management. Does new event source include identities? If it does, you will get actionable data by IoC correlation.

Compatible Out-of-the-Box

With focus on network-level IoCs (IP addresses, domain names, URLs, email addresses, etc.), you are able to have simple rules and need not to worry about compatibility. You are compatible with all text-based data out-of-the-box.

Streamlined Process

AbuseSA SIEM sensors require little rule maintenance. You may either use fully automatic third party feeds, or choose to complement IoCs collected by forensics and APT analysts. Creating a new blacklist is a simple matter of creating a list of malicious identities.
Alerts Based on 3rd Party Intelligence and Your Private Blacklists

You can correlate automatically against abuse feeds and private blacklists. AbuseSA SIEM sensor gives actionable alerts when these identities are seen in logs. Can it be more simple?

3rd Party Cyber Intelligence

AbuseSA collects cyber intelligence from numerous sources. It is compatible with leading feeders, such as Shadowserver and Abuse.ch. You can collect your own indicators from spamtraps, honeynets, sinkholes, and more.

Your Private Blacklist

Do you read APT-reports from organizations such as Dell Secureworks, Mandiant, Kaspersky and CERT.lu? They share malicious domains, network ranges, IP-addresses etc. in a form of IoCs. Sometimes they share a machine readable IoC-file for your benefit. You can import these to AbuseSA and get alerts when ever your assets log events related to these identities.
AbuseSA SIEM sensor integrates with AbuseSA automation, as well as with your SIEM products. Distributed setup with a number of sensors is supported by design.
Full transcript