How to Investigate Threat Alerts in Spiceworks!
If you've upgraded to the latest version of Spiceworks, you've probably noticed the new Threat Alerts, powered by AlienVault. AlienVault Threat Alerts notify you if devices in your network have been communicating with known malicious hosts. This is usually a sign of malware infection, but not always.

So, what should you do when you receive a Threat Alert in Spiceworks? Join AlienVault network security experts Tom D’Aquino and Bill Smartt to learn key troubleshooting steps to help you quickly investigate connections with malicious hosts and determine what to do next.

In this session, Tom and Bill will cover:

- How to use the information provided by AlienVault Threat Alerts
- Best practices to investigate and mitigate threats
- How Threat Alerts leverage crowd-sourced threat intelligence from the AlienVault Open Threat Exchange (OTX)
- Tactics for simplified threat detection and incident response with AlienVault Unified Security Management (USM)

  • In fact, AlienVault offers the only unified security management solution to unify the five essential security capabilities you need for complete security visibility. This translates into rapid time to value – faster and easier audits, targeted remediation, and more seamless incident response.

How to Investigate Threat Alerts in Spiceworks! Presentation Transcript

  • 1. HOW TO INVESTIGATE THREAT ALERTS IN SPICEWORKS PRESENTED BY TOM D’AQUINO AND BILL SMARTT
  • 2. ALIENVAULT THREAT ALERTS FOR SPICEWORKS. SpiceHead benefit:
    - Identify compromised hosts in a monitored network without having to deploy Anti-Virus or any other agent
    - Remediation advice from the world’s largest crowd-sourced threat intelligence database
  • 3. HOW IT WORKS – THREAT MONITORING. Customers’ internal assets in Spiceworks: search for connections from those assets to the Internet with known malicious hosts.
  • 4. HOW IT WORKS – ALERT TRIGGERED. Customers’ internal assets in Spiceworks: alert on a connection with a known malicious host.
  • 5. THREAT ALERTS IN SPICEWORKS: DASHBOARD & DEVICE DETAILS PAGE. “SpiceWorks has found a connection with a potentially suspicious IP Address 77.240.191.89 on device tmg-mbh.” AlienVault Threat Analysis for suspicious IP.
  • 6. ALIENVAULT THREAT ANALYSIS – SUMMARY
  • 7. ALIENVAULT THREAT ANALYSIS – REMEDIATION
  • 8. ALIENVAULT THREAT ANALYSIS – FURTHER INVESTIGATION
    - Look at the AlienVault threat details page: what type of threat is it? A suspected exploit-kit serving website is more concerning than a scanning host.
    - Has the activity reported stopped, or is it ongoing?
    - Check the comments section and discuss your investigation with the community.
    - Dig into your environment and see if you can draw any conclusions about the host affected:
      - Is the alert associated with a workstation or a server?
      - If it’s a server, is there a legitimate reason for it to be communicating with the external threat?
      - If it’s a workstation, is the user reporting any unusual issues with their system?
    - If you have Intrusion Detection/Prevention System(s), search the alerts for the malicious IP.
    - Query your SIEM or log management system, etc.
    - If you conduct security investigations without the help of any tools at all, you might try:
      - Searching network device logs for indications of prolonged activity with the external threat
      - Searching system logs for indications of suspicious activity originating from the asset
  • 9. WHAT ABOUT FALSE POSITIVES?
    - False positives occur on occasion.
    - The system purges old records and the false positives we identify every 30 minutes.
    - A common false positive is bloggers who document the specifics of how malware and attacks work; it’s very hard for our automated systems to detect this benign intent.
    - …So what should you do?
  • 10. WHAT TO DO WHEN YOU GET A FALSE POSITIVE? Within AlienVault: FLAG IP FOR REVIEW. Provide any evidence of a false positive that you can. It will be sent to the security research team for review.
  • 11. WHAT IS THE OPEN THREAT EXCHANGE? The world’s largest crowd-sourced repository of threat intelligence. Threat intelligence from a diverse install base greatly limits attackers’ ability to isolate targets by industry, location, size, etc.:
    - 500,000 malware samples analyzed per day
    - 100,000 malicious IPs validated per day
    - 8,000+ global connection points in 140+ countries
  • 12. OPEN THREAT EXCHANGE AND USM. Enhance your security visibility through threat intelligence.
  • 13. UNIFIED SECURITY MANAGEMENT. “Security Intelligence through Integration that we do, NOT you.” USM Platform:
    - Bundled Products: 30 open-source security tools to plug the gaps in your existing controls
    - USM Framework: configure, manage, and run security tools; visualize output and run reports
    - USM Extension API: support for inclusion of any other data source into the USM Framework
    - Open Threat Exchange: provides threat intelligence for collaborative defense
  • 14. NOW FOR SOME Q&A… Three ways to test drive AlienVault:
    - Download a free 30-day trial: http://www.alienvault.com/free-trial
    - Try our interactive demo site: http://www.alienvault.com/live-demo-site
    - Join us for a live demo: http://www.alienvault.com/marketing/alienvault-usm-live-demo
    Questions? hello@alienvault.com
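Slide 8 suggests that, even without an IDS or SIEM, you can search network device logs for prolonged activity between your assets and the flagged external IP and check whether it has stopped or is ongoing. The script below is an added example of that manual triage step, not code from AlienVault or Spiceworks: it parses a constructed firewall log export (the line format, device name, addresses and timestamps are all invented for this example) and, for a flagged IP, summarises every internal host that contacted it, including first and last contact, the span of the activity, destination ports, how many attempts were denied, and whether the last contact falls inside a recent window.

```python
"""Triage a Threat Alert's flagged IP against local firewall logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. The layout "<ts> <device> <action> <proto>
# <src>:<sport> -> <dst>:<dport>" is an assumed export format, not any
# vendor's real schema; 203.0.113.45 stands in for the IP named in an alert.
SAMPLE_LOG = """\
2014-03-10T09:12:04Z fw01 ALLOW TCP 10.0.1.23:51322 -> 203.0.113.45:443
2014-03-10T09:12:09Z fw01 ALLOW TCP 10.0.1.23:51323 -> 203.0.113.45:443
2014-03-10T09:40:11Z fw01 ALLOW UDP 10.0.1.23:49152 -> 192.0.2.53:53
2014-03-10T11:02:55Z fw01 ALLOW TCP 10.0.2.7:40011 -> 203.0.113.45:80
this line is malformed and should be skipped
2014-03-10T13:58:30Z fw01 DENY TCP 10.0.1.23:51400 -> 203.0.113.45:8080
2014-03-10T14:01:02Z fw01 ALLOW TCP 10.0.1.23:51401 -> 203.0.113.45:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage(log_text, flagged_ip, now, ongoing_window=timedelta(hours=1)):
    """Summarise, per internal source host, all traffic to flagged_ip.

    'ongoing' is True when the most recent contact is within ongoing_window of
    `now`; 'duration' is the span between first and last contact, which is the
    'prolonged activity' signal the slide asks you to look for.
    """
    per_host = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                    "ports": set(), "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != flagged_ip:
            continue
        h = per_host[rec["src"]]
        h["count"] += 1
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        h["ports"].add(rec["dport"])
        if rec["action"] == "DENY":
            h["denied"] += 1
    for h in per_host.values():
        h["duration"] = h["last"] - h["first"]
        h["ongoing"] = (now - h["last"]) <= ongoing_window
    return dict(per_host)


def report(summary, flagged_ip):
    """Render the summary as plain text, one line per internal host."""
    lines = [f"Hosts that contacted {flagged_ip}:"]
    for src, h in sorted(summary.items()):
        state = "ONGOING" if h["ongoing"] else "stopped"
        lines.append(
            f"  {src}: {h['count']} connections ({h['denied']} denied), "
            f"ports {sorted(h['ports'])}, first {h['first']:%H:%M}, "
            f"last {h['last']:%H:%M}, span {h['duration']}, {state}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Reference time is constructed to sit shortly after the last log line.
    now = datetime(2014, 3, 10, 14, 30, 0)
    print(report(triage(SAMPLE_LOG, "203.0.113.45", now), "203.0.113.45"))
```

In the sample data, 10.0.1.23 talks to the flagged IP repeatedly over almost five hours on two ports, with one denied attempt, and its last contact is still inside the one-hour window, so it is the host to pull system logs from first; 10.0.2.7 shows a single contact hours earlier, which is the pattern you would want to weigh against the false-positive guidance on slides 9 and 10 before acting.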