Last Updated: 2015-12-24 10:37:10 UTC
by Xavier Mertens (Version: 1)
I'm living in Belgium where our motto is "Unity Makes Strength". It means that small entities can join together to build a bigger and stronger one. If this was the case in 1830 when the unified Belgium was born, it's also true in information security.
The exchange of information with your peers is a key point to protect yourself. When Alice is under attack, Bob would be very happy to learn about it and to get some details to improve his security defenses and better protect himself (and vice-versa). For a while, we have SIEM systems in place to collect logs and events from multiple sources and search for interesting patterns. But, still today, it remains a passive process in most cases. The information is available but not used to pro-actively improve our exposure to threats.
Our classic infrastructures are still working in silos. Even if we have multiple layers of defense, each of them is taking actions based on its own knowledge and work in its own ecosystem. This approach has some weaknesses:
- Solutions are independent
- There is a lack of global protection
- No shared knowledge
- No real-time protection
We collect so many IOC's today ("Indicators of Compromise"):
- IP addresses
Those are coming from multiple sources, internal as well as external. Many vendors implemented their own system to build collaborative clouds to exchange information between their own customers (think about the FireEye DTI - "Dynamic Threat Intelligence"). To improve our security, why not re-use this information across devices from multiple brands or types? To achieve this, they are multiple ways to talk to devices: via JSON, XML or simple text files. Today, most of the solution have protocols and interfaces available to exchange information with others. Based on its DShield database, the SANS ISC provides a top-20 of attackers IP address. A few months ago, Richard posted a tutorial to use this list in a Palo Alto Networks firewall. Another tools that can be used to export very useful data is MISP ("Malware Information Sharing Platform"). It offers an API to receive new IOC's or to generate Snort/Suricata IDS rules and feed other tools.
Another concrete example I'm working on: The integration of FireEye and Palo Alto Network firewalls. FireEye boxes being quite expensive, the idea is to deploy one on a central site, to extract IOC's and push them to firewalls running on remote sites. The flow of information is: FireEye > Splunk > Palo Alto Networks. To achieve this, I wrote a small Python tool to manage customer URL categories in PAN firewalls (link). Automation is nice but keep in mind that strong controls must be implemented (basically to avoid DoS'ing yourself).
ISC Handler - Freelance Security Consultant