Detect malicious communications with threat intelligence and SIEM

The threat landscape

The internet hosts countless malicious actors trying to breach corporate networks. In this enormous threat landscape, security teams need to keep track of known bad actors in order to stay one step ahead. An effective threat intelligence system helps you stay on top of the latest known threats by keeping you up to date on blacklisted IPs, domains, and URLs.

Dynamic threat feeds

Threat feeds are databases of the latest threat information collated by cybersecurity researchers who continuously scan the internet for emerging malicious actors. For example, when a new phishing domain is discovered, its details are validated and added to the threat database. Enterprise security teams then use those details to monitor their networks for communications with the blacklisted sources.

Threat information is made available to security teams as dynamic feeds that are regularly updated with the latest reported threats. This information lets security teams identify and block malicious activity at an early stage, which is why threat intelligence has become a vital component of security operations centers (SOCs) in recent years. Widely adopted standards such as STIX (a structured format for describing indicators) and TAXII (a protocol for exchanging them) make it easy for threat researchers to share information that security teams can consume directly in their tools.

How does threat intelligence work with a SIEM solution?

Information from threat feeds can be ingested into security solutions such as security information and event management (SIEM) tools. Because new threats emerge every day, the latest data from the feeds must be fetched regularly, which is done by configuring a sync schedule; a sync should also honor indicators the feed has since revoked or expired, so that stale entries do not keep generating alerts. The threat information is then used to enrich log data during analysis and to provide more context for security events.

A SIEM solution monitors network traffic by analyzing logs from firewalls, proxies, DNS servers, and other network perimeter devices. With threat intelligence applied to those logs, you can identify traffic to and from IPs, URLs, and domains that appear in the feeds as soon as the log line is processed.
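As an added example of the ingestion-and-matching step described above (this is illustrative code, not Log360's or any other product's implementation), the following Python script loads indicators from a constructed STIX 2.1 bundle, skips revoked indicators and unsupported observable types, and then matches a handful of constructed firewall, proxy, and DNS log lines against the extracted IPs, domains, and URLs. The bundle contents, log lines, and the key=value log format are all assumptions made for the example; a real deployment would poll a TAXII server on its sync schedule instead of using an inline bundle.

```python
"""Match perimeter log lines against indicators from a STIX 2.1 bundle."""
import re
from urllib.parse import urlparse

# Constructed STIX 2.1 bundle standing in for a TAXII poll result (not real feed data).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--1f0a9c4e-3d2b-4b2e-9c1a-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--1f0a9c4e-3d2b-4b2e-9c1a-000000000002",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2024-05-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--1f0a9c4e-3d2b-4b2e-9c1a-000000000003",
         "pattern": "[domain-name:value = 'login-secure-update.test']",
         "valid_from": "2024-05-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--1f0a9c4e-3d2b-4b2e-9c1a-000000000004",
         "pattern": "[url:value = 'http://198.51.100.7/update.exe']",
         "valid_from": "2024-05-01T00:00:00Z"},
        # Compound pattern: one indicator, two addresses.
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--1f0a9c4e-3d2b-4b2e-9c1a-000000000005",
         "pattern": "[ipv4-addr:value = '203.0.113.46'] OR [ipv4-addr:value = '203.0.113.47']",
         "valid_from": "2024-05-01T00:00:00Z"},
        # Revoked by a later feed sync: must not produce alerts.
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--1f0a9c4e-3d2b-4b2e-9c1a-000000000006",
         "pattern": "[ipv4-addr:value = '192.0.2.99']",
         "valid_from": "2024-04-01T00:00:00Z", "revoked": True},
        # Observable type this matcher does not handle: skipped, not an error.
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--1f0a9c4e-3d2b-4b2e-9c1a-000000000007",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "valid_from": "2024-05-01T00:00:00Z"},
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--1f0a9c4e-3d2b-4b2e-9c1a-000000000008", "name": "Example feed"},
    ],
}

# Constructed log lines in an assumed "<timestamp> <host> key=value ..." format.
SAMPLE_LOGS = [
    "2024-05-02T09:14:01Z fw01 action=allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2024-05-02T09:14:02Z fw01 action=allow src=10.0.0.15 dst=93.184.216.34 dport=443",
    "2024-05-02T09:14:03Z fw01 action=allow src=10.0.0.31 dst=203.0.113.47 dport=8080",
    "2024-05-02T09:14:04Z proxy01 action=allow src=10.0.0.20 url=http://198.51.100.7/update.exe",
    "2024-05-02T09:14:05Z dns01 src=10.0.0.8 query=LOGIN-SECURE-UPDATE.test.",
    "2024-05-02T09:14:06Z fw01 action=allow src=10.0.0.9 dst=192.0.2.99 dport=443",
]

# Simple STIX comparison expressions for the three observable types we match on.
# Compound patterns ("... OR ...") yield one match per comparison.
COMPARISON = re.compile(r"\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\]")
KV = re.compile(r"(\w+)=(\S+)")


def load_indicators(bundle):
    """Extract exact-match IOC sets from a STIX bundle, ignoring revoked indicators."""
    iocs = {"ipv4-addr": set(), "domain-name": set(), "url": set()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # e.g. snort/yara patterns need a different engine
        for kind, value in COMPARISON.findall(obj.get("pattern", "")):
            # Domains compare case-insensitively; IPs and URLs are kept as-is.
            iocs[kind].add(value.lower() if kind == "domain-name" else value)
    return iocs


def parse_event(line):
    """Split one log line into a dict of fields plus its timestamp and host."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"], fields["host"] = ts, host
    return fields


def enrich(event, iocs):
    """Return (field, ioc_type, ioc_value) triples for every IOC the event touches."""
    hits = []
    for field in ("src", "dst"):
        value = event.get(field)
        if value in iocs["ipv4-addr"]:
            hits.append((field, "ipv4-addr", value))
    query = event.get("query")
    if query:
        name = query.lower().rstrip(".")  # normalise case and trailing dot from DNS logs
        if name in iocs["domain-name"]:
            hits.append(("query", "domain-name", name))
    url = event.get("url")
    if url:
        if url in iocs["url"]:
            hits.append(("url", "url", url))
        host = (urlparse(url).hostname or "").lower()
        if host in iocs["domain-name"]:
            hits.append(("url", "domain-name", host))
        if host in iocs["ipv4-addr"]:
            hits.append(("url", "ipv4-addr", host))
    return hits


def scan(lines, iocs):
    """Run every log line through the matcher and return the enriched alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for field, kind, value in enrich(event, iocs):
            alerts.append({"ts": event["ts"], "host": event["host"], "field": field,
                           "ioc_type": kind, "ioc": value, "raw": line})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS, load_indicators(SAMPLE_BUNDLE)):
        print(f"{alert['ts']} {alert['host']} {alert['field']}={alert['ioc']} "
              f"matched {alert['ioc_type']} indicator")
```

Four of the six sample lines produce an alert; the benign connection and the connection to the revoked indicator do not. Exact-match sets keep the lookup O(1) per field, which is what makes feed matching affordable at firewall log volumes; CIDR-range indicators would need an additional prefix-tree lookup that this example does not implement.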

ManageEngine Log360's augmented threat intelligence platform

Log360 is a comprehensive SIEM solution that organizations use to monitor and secure their networks. Its threat intelligence platform is designed to help you flag and block malicious communications in your network, and it offers three key features for this purpose:

  • A default threat intelligence platform bundled with the solution: Log360 integrates with open-source threat feeds out of the box, and this global list of blacklisted IPs is used to check network traffic for malicious communications.
  • A STIX/TAXII feed processor that lets you ingest and make use of custom feeds.
  • An advanced threat analytics add-on that provides deeper insight into flagged threats, such as the reputation score of a domain, so you can take appropriate action such as blocking the source.

ManageEngine Log360 is a winner of the 2020 Fortress Cyber Security Award, recognized for its threat intelligence capabilities.


Free resources

  • Detecting network intruders with STIX/TAXII feed processing
  • Threat intelligence and the SIEM advantage