How to Improve Security with OTX Threat Data
Watch this video for an overview of AlienVault OTX, its functions, and the best ways to leverage threat intelligence with AlienVault USM.
With the constant evolution of today’s threat landscape, it is becoming more and more challenging for mid-market organizations to detect attacks simply because they lack the resources traditionally required for complete security awareness. The AlienVault Open Threat Exchange, or “OTX” changes the game, providing deep insight into threats researched by experts around the world. You can use this information in a multitude of ways, several of which I will be demonstrating today.
When you log into OTX and click ‘browse’, you are presented with all threats researched by members of the community, starting with the most recent. This includes pulses from members with varying skill and reputation levels so its important to consider the source. OTX includes mechanisms to help track this reputation, namely follower and subscriber count so its easy to tell the pros from the novices. If you come across a pulse that is related to your environment, your industry, or just piques your interest, you can subscribe to that pulse and receive updates to it in your feed. You can also subscribe to the account itself and receive updates on all pulses created by that user. By default, though, you are subscribed to the official AlienVault OTX account that, alone, is a great source of threat research. The AlienVault Labs security research team publishes their threat research via this feed, so users of the AlienVault Unified Security Management, or USM platform as well as the Open Source SIEM platform, OSSIM benefit from out-of-the-box integration of this feed.
You also have the ability to share your own research, whether that is a blog you read online, a security analyst’s report, or even your own findings, by creating your own pulses. OTX makes it as easy as pasting a link and/or filling in fields for IPs, domains, or file hashes related to the threat you are reporting on. This allows even users who are new to security research to share their findings with the rest of the OTX community.
If you come across a pulse that interests you and/or directly impacts your organization or industry, you have the ability to export the Indicators of Compromise (or IoCs) into several formats including OpenIOC, STIX, and csv. This allows you to instrument them into your security architecture (SIEM, access control devices) or aid in your investigation.
However, the best way to leverage this threat intelligence is with AlienVault’s Unified Security Management platform and well as our Open Source offering, OSSIM.
AlienVault USM combines asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring and SIEM in a single platform to accelerate threat detection and compliance. OTX pulse data is then integrated into USM to provide additional context to log data, security events as well as alarms, giving you more visibility into the activity or intent related to potential threats you encounter in your environment.
Any event, alert or even log file that includes an IoC related to researched threats in OTX is highlighted and called out by either a bullseye or the OTX ‘atom’ icon. Clicking on that icon takes you to the OTX site where you are presented with all related intelligence for that IoC. If it is associated with a known and researched threat in OTX, you will see that as well.
Most threat data sharing products or services have limited ability to export threat data from one tool to another. OTX provides several methods for your security tools to ingest threat data, allowing you to react quickly and more efficiently to any threats.