A few months ago I wrote a post detailing how Anomali Enterprise helped me to identify a malware threat to my home network. Many have since emailed me asking how they can do the same (please keep them coming!).
Since writing that post, my router has generated millions of logs that have been ingested by Anomali Enterprise (thankfully still no major threats). As a new "threat analyst" for my family's home network I've learned a number of things along the way, especially the challenges and frustrations when it comes to performing security investigations.
In the interest of sharing my, albeit basic, knowledge to the community (I am a Product Manger by trade!), I wanted to highlight a few things I've come up against, and the what I've found most useful.
Knowing a new threat has been observed is good. Knowing where a threat is in the Kill Chain is much more useful. Learning where the threat is in the process of achieving its objective allows me to not only defend against it, but also to understand the activity of the threat prior to it becoming known (what has been compromised).
Threat intelligence products are great at identifying threats as they happen. For example, Anomali ThreatStream integrations with SIEM products -- Arcsight, QRadar, or Splunk to name a but few -- can match recent log data against thousands of threat indicators.
However, this only answers the first of the two questions I want to ask as an analyst once a threat has been identified;
As threats, by their very nature, are reported after-the-fact, there can often be a delay (sometimes weeks) before it is shared more widely. When a threat is identified, it is vitally important to know its behaviour and what it has potentially breached in the days it was left unreported.
Considering the data from my home network noted in the previous blog post, the calculations required for matching logs to threat intelligence result in some big numbers:
100,000 logs per day x 1 year of data x 10 indicators = 365,000,000
That's three hundred sixty-five million calculations that need to be performed for just one investigation!
At enterprise scale the 0's dramatically increase:
1 billion logs per day x 365 days x 3 years of data = 10 trillion (10,000,000,000,000) matches need to be performed, for one investigation!
Existing security log repositories (I'm using Splunk) are not designed to process queries matching such a large intel database against huge volumes of historic data. Not only are they limited by the ability to process archived data but often the cost of storing such data means much of it is filtered, and thus impossible to forensically search against.
I wasn't the only one suffering some of these pains - our own security team here at Anomali experienced these problems day-in-day-out. In search of a solution we built Anomali Enterprise. Some of the functional and design goals of the product included:
Analysts want to focus on the most serious threats, not more threats in their already never-ending workload. Anomali Enterprise helps me to do this by comparing threat indicators -- domains, URLs, emails, file-hashes etc. -- against new and historic data from all devices in my home network, automatically. I can see what has been compromised, when it was comprimised and if the threat made any lateral movement. Within an hour of malware being identified (as in the previous post), I can assess the damage, detected affected assets, and take measures to secure them.
This post covers Anomali Enterprise's real-time and forensic capabilities. It can do much more. Check out the Anomali Enterprise product page on our site to find out more about what it can do.
David is a Product Manager at Anomali. He's responsible for developing and executing strategy for integrations to and from the ThreatStream platform, working closely with Anomali customers to help them realize the value that threat intelligence can deliver to their business.