AbuseSA & SIEM
Transcript of AbuseSA & SIEM
Collecting, Monitoring and Sharing Indicators of Compromise (IoCs)
Abuse Situational Awareness
Indicators of Compromise
IP-addresses, DNS-names, URLs
Email-addresses, file hashes
Infected hosts, defaced sites
Command and Control, drop sites
Bad guys, bad servers, bad domains
Trending APT attack patterns
Anything you can and should investigate if seen in context of your assets to be protected!
IoC Process Cycle
Codenomicon AbuseSA Collectors
Reliable collection of IoC intelligence feeds
Codenomicon AbuseSA Sensors
Triggering if IoCs are found from your:
Network traffic (packets, netflows, DNS)
Available as software and
Response Services and Tools
Integration to helpdesk, ticketing, teleoperator CRM and other workflow systems.
Industry specific APT triage tools and forensic services.
Codenomicon AbuseSA Interface
Browser Based Situational Awareness for Collaborative Investigation
Reporting, PR and sharing for decision makers, constituency and IoC intelligence partners
Comprehensive Product Family:
AbuseSA for IoC Collection, Investigation and Sharing
AbuseSA Sensors for Network, IDS and SIEM
AbuseSA Services for Response, Forensics and Integration
National Cyber Defence
Critical Infrastructure Protection
CERTs and CSIRTs
Abuse and Incident response teams
AbuseSA SIEM sensor leverages your SIEM and logging investments through Indicators of Compromise (IoC) correlation. IoCs from external feeds are matched against your SIEM. This turns the mass of events from your environment into a few actionable alerts. You gain added value from the threat intelligence through faster reaction times, fewer false positives and the ability to identify malicious activity before it escalates to further damage.
Focus and Clarity
Correlation against IoCs adds focus and clarity to your log management. Does a new event source include identities? If it does, you will get actionable data through IoC correlation.
With the focus on network-level IoCs (IP addresses, domain names, URLs, email addresses, etc.), you can keep rules simple and need not worry about compatibility. You are compatible with all text-based data out of the box.
AbuseSA SIEM sensors require little rule maintenance. You may either use fully automatic third-party feeds, or choose to complement them with IoCs collected by forensics and APT analysts. Creating a new blacklist is a simple matter of creating a list of malicious identities.
Alerts Based on 3rd Party Intelligence and Your Private Blacklists
You can correlate automatically against abuse feeds and private blacklists. AbuseSA SIEM sensor gives actionable alerts when these identities are seen in logs. Can it be any simpler?
3rd Party Cyber Intelligence
AbuseSA collects cyber intelligence from numerous sources. It is compatible with leading feeders, such as Shadowserver and Abuse.ch. You can collect your own indicators from spamtraps, honeynets, sinkholes, and more.
Your Private Blacklist
Do you read APT reports from organizations such as Dell Secureworks, Mandiant, Kaspersky and CERT.lu? They share malicious domains, network ranges, IP-addresses etc. in the form of IoCs. Sometimes they share a machine-readable IoC file for your benefit. You can import these to AbuseSA and get alerts whenever your assets log events related to these identities.
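The correlation described above, as an added example in Python (not AbuseSA code): network-level identities are pulled out of free-text log lines and checked against a private blacklist and a third-party feed. The list names, entries and log lines are constructed, and treating a listed domain as covering its subdomains is an assumption of this example.

```python
# Added illustration, not AbuseSA code. All data below is constructed
# (documentation address ranges and .example names).
import ipaddress
import re

BLACKLIST = {
    "apt-report (private)": ["203.0.113.0/24", "cnc.badhost.example"],
    "abuse-feed (3rd party)": ["198.51.100.7", "dropper@mail.example"],
}
LOG_LINES = [
    "Jan 10 10:01:02 fw1 ACCEPT src=10.0.0.5 dst=203.0.113.44 dpt=443",
    "Jan 10 10:01:05 dns1 query from 10.0.0.9: login.CNC.badhost.example. A",
    "Jan 10 10:01:09 mx1 from=<dropper@mail.example> to=<user@corp.example>",
    "Jan 10 10:01:11 proxy1 GET http://intranet.corp.example/ from 10.0.0.5",
]

IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# The lookbehind keeps the domain part of an email address from matching as a host.
HOST_RE = re.compile(r"(?<![\w@.-])(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def compile_blacklist(sources):
    """Split entries into IP networks and exact names, remembering each source."""
    nets, names = [], {}
    for source, entries in sources.items():
        for entry in entries:
            try:
                nets.append((ipaddress.ip_network(entry, strict=False), source))
            except ValueError:  # not an address or range: domain or email
                names[entry.lower().rstrip(".")] = source
    return nets, names

def correlate(line, nets, names):
    """Return (indicator, source) pairs for blacklisted identities in one log line."""
    hits = []
    for text in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:  # looks like an address but is not one, e.g. 999.1.1.1
            continue
        hits += [(text, src) for net, src in nets if ip in net]
    hits += [(e, names[e.lower()]) for e in EMAIL_RE.findall(line) if e.lower() in names]
    for host in HOST_RE.findall(line):
        labels = host.lower().split(".")
        # A listed domain also covers its subdomains; the bare TLD is never tried.
        parents = (".".join(labels[i:]) for i in range(len(labels) - 1))
        hits += [(host, names[p]) for p in parents if p in names][:1]
    return hits
```

Each hit carries the list it came from, so an alert can show whether the match originated in a private blacklist or a third-party feed.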
AbuseSA SIEM sensor integrates with AbuseSA automation, as well as with your SIEM products. Distributed setup with a number of sensors is supported by design.