Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify and tailor the pre-packaged solution.
Apache License 2.0 | 72 stars | 74 forks
[RFC] Threat Intelligence in Security Analytics #671
Customers leverage threat intelligence data to more efficiently uncover blind spots, gain visibility, and improve their security posture. With threats proliferating every day, even a slight increase in efficiency could be the difference that prevents a data breach. OpenSearch Security Analytics is an open source intelligent threat detection service that helps customers protect their on-premise and cloud native application workloads by continuously monitoring application, network, system and other logs for malicious and unauthorized behavior. Security analytics is built on open source OpenSearch and comes pre-packaged with over 2200 open source Sigma security rules. These rules help users find potential security threats from security event logs in real time. Previously users needed to have prior security knowledge and expertise on multiple products to generate actionable security alerts and insights.
Currently, Security Analytics ships a static set of pre-packaged rules that are not updated to keep up with the ever-changing, ever-expanding landscape of malware and cyber threats. Because Sigma detects specific behaviors modeled as rules, a known threat is only detected if its behavior is among the few for which a detection rule exists. Furthermore, the small number of Sigma rules and the long rule development cycle mean that recent and uncommon threats are often not detected in a timely manner.
What is a feed
Example: https://feodotracker.abuse.ch/blocklist/
The above feed is a list of malicious IPs maintained by abuse.ch. It is constantly updated with new IPs. With the IP as an IoC we can create dynamic queries for Security Analytics detectors to execute against log data. When a feed-based rule is used, findings are created whenever the log data contains occurrences of malicious IPs listed in the feed.
Threat intel feeds provide customers with a continuous stream of up-to-date information about emerging cyber threats, vulnerabilities, and attack patterns.
One primary way customers utilize these feeds is by integrating them into detectors in the form of queries/rules. By doing so, they can automatically flag indicators of compromise (IoCs) such as malicious IP addresses, file hashes, DNS names and block-listed email addresses seen in their log data.
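As an added example (not code from the security-analytics project), the flow described in the two paragraphs above: parse an abuse.ch-style IP blocklist feed into a set of IoCs, turn that set into a detector query, and produce a finding for every log event that carries a feed IP. The feed text, the log lines and the src_ip/dst_ip field names are constructed assumptions, not values from the page.

```python
import ipaddress
import json
# Constructed feed in the abuse.ch blocklist layout ('#' comments, one IP per
# line); addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_FEED = """\
# Feodo Tracker Botnet C2 IP Blocklist (constructed sample)
192.0.2.10
198.51.100.7
not-an-ip
203.0.113.42
"""

# Constructed log events (JSON lines); src_ip/dst_ip are assumed field names.
SAMPLE_LOGS = [
    '{"@timestamp": "2024-01-01T00:00:01Z", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.7"}',
    '{"@timestamp": "2024-01-01T00:00:02Z", "src_ip": "10.0.0.6", "dst_ip": "93.184.216.34"}',
    '{"@timestamp": "2024-01-01T00:00:03Z", "src_ip": "203.0.113.42", "dst_ip": "10.0.0.7"}',
    "not json at all",
]

def parse_ip_feed(text):
    """Valid IPs in the feed; comments, blanks and malformed lines are skipped."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            iocs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # one bad entry must not break the whole feed
    return iocs

def build_detector_query(iocs, fields=("src_ip", "dst_ip")):
    """OpenSearch query body matching any monitored field against the feed IPs;
    regenerate it on every feed refresh so the rule tracks the feed."""
    clauses = [{"terms": {f: sorted(iocs)}} for f in fields]
    return {"query": {"bool": {"should": clauses, "minimum_should_match": 1}}}

def find_matches(log_lines, iocs, fields=("src_ip", "dst_ip")):
    """Evaluate the feed-based rule locally: one finding per event with a feed
    IP in a monitored field; unparseable lines are skipped."""
    findings = []
    for raw in log_lines:
        try:
            event = json.loads(raw)
        except ValueError:
            continue
        hits = {f: event[f] for f in fields if event.get(f) in iocs}
        if hits:
            findings.append({"timestamp": event.get("@timestamp"), "matched": hits})
    return findings
```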
Customers want to be made aware of emerging malware for Windows, CloudTrail logs, etc. in a feed visualization tab.
Customers want to integrate data from various threat intelligence sources (custom and pre-packaged), applying security analytics to automatically detect threats. That would not only drastically reduce the time and effort required for threat analysis but also provide customers with the critical context needed to make informed decisions promptly.
Customers want to quickly analyze and investigate security events across their entire data and generate visualizations that represent the ways resources behave and interact over time. Today we create only findings from detectors. We could provide a more tangible experience by showing visualizations of the findings, enriched with data from feeds.
Customers want to access local and global security data going back years, applying integrated security analytics to automatically detect threats and enrich them with context.
The time it takes to analyze a threat today is very high.
Customers have tons of information without context. They want to deal with this noise and avoid having to sift through 1000s of alerts for their log data.
Sigma rules detecting known malware keywords won’t trigger on new variants unless someone manually improves the detection rules.
But threat intel sources are constantly being updated with new threat intel, and customers want their data shielded from those threats. Integrating the sources into queries/rules will provide coverage of the latest cyber threats.
Customer wants to add their own threat intel feeds.