How to Investigate Threat Alerts in Spiceworks!

HOW TO INVESTIGATE THREAT ALERTS IN SPICEWORKS PRESENTED BY TOM D’AQUINO AND BILL SMARTT

Uploaded by: alienvault

Posted on 15-Jan-2015


DESCRIPTION

If you've upgraded to the latest version of Spiceworks, you've probably noticed the new Threat Alerts, powered by AlienVault. AlienVault Threat Alerts notify you if devices in your network have been communicating with known malicious hosts. This is usually a sign of malware infection, but not always. So, what should you do when you receive a Threat Alert in Spiceworks? Join AlienVault network security experts Tom D’Aquino and Bill Smartt to learn key troubleshooting steps to help you quickly investigate connections with malicious hosts and determine what to do next. In this session, Tom and Bill will cover:

- How to use the information provided by AlienVault Threat Alerts
- Best practices to investigate and mitigate threats
- How Threat Alerts leverage crowd-sourced threat intelligence from the AlienVault Open Threat Exchange (OTX)
- Tactics for simplified threat detection and incident response with AlienVault Unified Security Management (USM)

TRANSCRIPT

Page 1: How to Investigate Threat Alerts in Spiceworks!

HOW TO INVESTIGATE THREAT ALERTS IN SPICEWORKS

PRESENTED BY TOM D’AQUINO AND BILL SMARTT

Page 2

SpiceHead Benefit:

- Identify compromised hosts in a monitored network without having to deploy Anti-Virus or any other agent
- Remediation advice from the world’s largest crowd-sourced threat intelligence database

ALIENVAULT THREAT ALERTS FOR SPICEWORKS

Page 3

HOW IT WORKS – THREAT MONITORING

[Diagram: Internet; Customers’ Internal Assets in Spiceworks; Search for connections with known malicious hosts]

Page 4

HOW IT WORKS – ALERT TRIGGERED

[Diagram: Customers’ Internal Assets in Spiceworks; Alert on connection with known malicious host]

Page 5

THREAT ALERTS IN SPICEWORKS: DASHBOARD & DEVICE DETAILS PAGE

“SpiceWorks has found a connection with a potentially suspicious IP Address 77.240.191.89 on device tmg-mbh.”

AlienVault Threat Analysis for suspicious IP

Page 6

ALIENVAULT THREAT ANALYSIS - SUMMARY

Page 7

ALIENVAULT THREAT ANALYSIS - REMEDIATION

Page 8

ALIENVAULT THREAT ANALYSIS – FURTHER INVESTIGATION

- Look at the AlienVault threat details page: what type of threat is it?
  - A suspected exploit-kit serving website is more concerning than a scanning host
  - Has the reported activity stopped, or is it ongoing?
  - Check the comments section and discuss your investigation with the community
- Dig into your environment and see if you can draw any conclusions about the affected host
  - Is the alert associated with a workstation or a server?
  - If it’s a server, is there a legitimate reason for it to be communicating with the external threat?
  - If it’s a workstation, is the user reporting any unusual issues with their system?
- If you have Intrusion Detection/Prevention System(s), search their alerts for the malicious IP
- Query your SIEM or log management system, etc.
- If you conduct security investigations without the help of any tools at all, you might try:
  - Searching network device logs for indications of prolonged activity with the external threat
  - Searching system logs for indications of suspicious activity originating from the asset
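The network-log checks on this slide (which direction the traffic went, whether it is still ongoing, how many internal devices are involved, and whether the activity is prolonged and regular enough to look like malware checking in rather than a user visiting a bad site once) worked through as an added Python example. This is not code from the presentation, from AlienVault or from Spiceworks. Everything in it is a constructed assumption: the firewall export format, the internal addresses, the suspicious IP (a TEST-NET-3 documentation address standing in for the one named in the alert), the triage time, and the thresholds (a one-hour window for "ongoing", a coefficient of variation below 0.1 for "regular beaconing").

```python
"""Triage one Spiceworks/AlienVault Threat Alert against firewall logs.
Added example, not AlienVault's or Spiceworks' code; the log format,
addresses and thresholds below are constructed assumptions."""
import ipaddress
import statistics
from datetime import datetime, timedelta, timezone

# Assumptions: a documentation address stands in for the IP in the alert,
# and "now" is the moment the admin opens the alert.
SUSPICIOUS_IP = "203.0.113.45"
NOW = datetime(2015, 1, 14, 10, 30, tzinfo=timezone.utc)

# Constructed firewall export, one connection per line:
#   <ISO-8601 time> <ACTION> <src_ip> <dst_ip> <dst_port>
# 10.0.5.23 reaches the suspicious IP every ~10 minutes (beacon-like), the
# suspicious IP probes RDP once, a second internal host connects once, and an
# unrelated external host probes SSH.
SAMPLE_LOG = """\
2015-01-14T09:00:02Z ALLOW 10.0.5.23 203.0.113.45 443
2015-01-14T09:10:04Z ALLOW 10.0.5.23 203.0.113.45 443
2015-01-14T09:15:30Z DENY 203.0.113.45 10.0.5.23 3389
2015-01-14T09:16:12Z ALLOW 10.0.5.23 198.51.100.10 80
2015-01-14T09:20:01Z ALLOW 10.0.5.23 203.0.113.45 443
2015-01-14T09:30:05Z ALLOW 10.0.5.23 203.0.113.45 443
2015-01-14T09:40:03Z ALLOW 10.0.5.23 203.0.113.45 443
2015-01-14T09:50:00Z DENY 198.51.100.77 10.0.5.23 22
2015-01-14T10:02:44Z ALLOW 10.0.9.7 203.0.113.45 443
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, action, src, dst, port = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "action": action,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def triage(records, suspicious_ip, now, ongoing_window=timedelta(hours=1), min_beacons=4):
    """Answer the slide's questions for one alerted IP from the network logs."""
    ip = ipaddress.ip_address(suspicious_ip)
    hits = sorted((r for r in records if ip in (r["src"], r["dst"])), key=lambda r: r["time"])
    outbound = [r for r in hits if r["dst"] == ip]  # an internal host initiated it
    inbound = [r for r in hits if r["src"] == ip]   # the external host initiated it (scan/probe)
    internal_hosts = sorted({str(r["src"]) for r in outbound} | {str(r["dst"]) for r in inbound})

    result = {
        "total": len(hits),
        "outbound": len(outbound),
        "inbound": len(inbound),
        "allowed_outbound": sum(1 for r in outbound if r["action"] == "ALLOW"),
        "internal_hosts": internal_hosts,  # scope: one device or several?
        "first_seen": hits[0]["time"] if hits else None,
        "last_seen": hits[-1]["time"] if hits else None,
        "ongoing": bool(hits) and now - hits[-1]["time"] <= ongoing_window,
        "beaconing_hosts": [],
    }

    # Prolonged, evenly spaced outbound connections look like malware check-ins
    # rather than a user browsing to a compromised site once.
    times_by_host = {}
    for r in outbound:  # hits are time-sorted, so each host's list is too
        times_by_host.setdefault(str(r["src"]), []).append(r["time"])
    for host, times in sorted(times_by_host.items()):
        if len(times) < min_beacons:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation below 0.1: the intervals vary by under 10%.
        if mean > 0 and statistics.pstdev(gaps) / mean < 0.1:
            result["beaconing_hosts"].append(host)
    return result


def assess(result):
    """Map the evidence to a triage call (labels are this example's, not AlienVault's)."""
    if result["total"] == 0:
        return "no-local-evidence"   # nothing in our logs: check other sources, consider a false positive
    if result["beaconing_hosts"]:
        return "likely-compromised"  # periodic outbound traffic: isolate and examine the endpoint
    if result["allowed_outbound"]:
        return "investigate-host"    # we reached the threat: did a user visit a bad site?
    return "inbound-only"            # the threat only scanned us; lower priority


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG), SUSPICIOUS_IP, NOW)
    for key, value in summary.items():
        print(f"{key:>16}: {value}")
    print(f"{'assessment':>16}: {assess(summary)}")
```

To use it on a real export, adapt parse_line to the firewall or proxy's own format; the rest is independent of the vendor. The direction split is what separates the two cases the slide contrasts: inbound-only hits mean the external host scanned you, allowed outbound connections mean the device itself needs a look, and outbound connections at near-constant intervals are the pattern that distinguishes an infected host from a one-off visit to a compromised page.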

Page 9

WHAT ABOUT FALSE POSITIVES?

False positives occur on occasion

Every 30 minutes the system purges old records and any false positives we have identified.

A common false positive is bloggers who document the specifics of how malware and attacks work – it’s very hard for our automated systems to detect this benign intent.

…So what should you do?

Page 10

WHAT TO DO WHEN YOU GET A FALSE POSITIVE?

Within AlienVault: FLAG IP FOR REVIEW

Provide any evidence of a false positive that you can. It will be sent to the security research team for review.

Page 11

WHAT IS THE OPEN THREAT EXCHANGE?

World’s largest crowd-sourced repository of threat intelligence

Threat intelligence from a diverse install base greatly limits attackers’ ability to isolate targets by industry, location, size, etc:

500,000 malware samples analyzed per day

100,000 malicious IPs validated per day

8,000+ Global Connection Points in 140+ countries

Page 12

OPEN THREAT EXCHANGE AND USM

Enhance your security visibility through threat intelligence

Page 13

UNIFIED SECURITY MANAGEMENT

“Security Intelligence through Integration that we do, NOT you”

USM Platform

• Bundled Products - 30 open-source security tools to plug the gaps in your existing controls
• USM Framework - Configure, manage, and run security tools. Visualize output and run reports
• USM Extension API - Support for inclusion of any other data source into the USM Framework
• Open Threat Exchange - Provides threat intelligence for collaborative defense

Page 14

NOW FOR SOME Q&A…

Three Ways to Test Drive AlienVault

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Join us for a live Demo

http://www.alienvault.com/marketing/alienvault-usm-live-demo

Questions? [email protected]