17 August 2015 User Story

How Blueliv Uses the Elastic Stack to Combat Cyber Threats

By João Alves

Blueliv has developed an input plugin for Logstash that, with the help of the ELK stack, provides real-time, actionable cyber threat intelligence to help organisations understand the scale of cyber threats currently aligned against them.

Blueliv is a leading provider of targeted cyber threat intelligence and analytics for large enterprises, service providers, and security vendors. Our turnkey cloud-based platform addresses a comprehensive range of cyber threats to turn global threat data into predictive, actionable intelligence that detects, identifies, and helps stop cyber threats.

Why the ELK stack?

Most companies that are defending themselves against these attacks use some kind of Security Information and Event Management (SIEM) software that allows them to aggregate and correlate data. This software allows them to set up dashboards in order to quickly visualize the information.

Elasticsearch, Logstash, and Kibana are a really great toolset for our clients:

  • Logstash can parse and filter data from several cyber threat intelligence providers
  • Elasticsearch allows indexing and aggregating this data
  • And finally Kibana has the visualization tools that make the threat analysis and prevention easier and faster.

Given these characteristics and how well these tools work seamlessly together, many companies take advantage of these technologies as a SIEM. Therefore, it makes a lot of sense to offer our cyber threat intelligence feeds via a Logstash input plugin that allows users to receive real-time insights about cyber threats in just a couple of minutes.

In order to get our data feeds into the ELK stack, we developed a Logstash input plugin that periodically collects them for you, letting you focus on the data analysis and making your company more secure. Logstash output configuration allows us to use different indexes to save different information (for instance, bot IPs and crime servers), which makes the dashboard visualization and creation easier. Another critical characteristic of Elasticsearch (taking into account that we currently analyze and collect information about millions of crime servers and infected IPs) is its stunning performance. It indexes all this data and lets our clients search against it quickly.

Protect your network with the ELK stack and Blueliv

Every day, millions of people worldwide are affected by cyber attacks. This means that your company's safety, and therefore your privileged information, may be compromised. With the Blueliv Logstash input plugin, you can start to monitor and get insights about cyber threats. Our ELK users will be able to access Blueliv's global intelligence, such as malware distribution domains, C&Cs, phishing campaigns, exploit kits, backdoors, infected IPs, affected operating systems, and more, at a glance using Kibana dashboards.

To get started, we offer a free API for crime servers that contains a subset of our unique cyber threat intelligence, as well as a 14-day trial of our full-featured feeds.

A lot of companies (banks, insurance companies, pharmaceuticals, etc.) manage sensitive information about their clients and their own business. For such companies, information leaks may have a huge impact at the financial and customer level, besides the damage to the company's reputation and brand.

On the other hand, for companies with hundreds of thousands of employees distributed across the world, it is really difficult to enforce security policies based on "common sense". Attackers know this very well, and will use social engineering techniques (such as phishing attacks that replicate legitimate websites) or other malware distribution techniques in order to trick users and thus obtain information from the infected user, such as credentials, confidential documents, etc. Hence the need to quickly identify, prevent, or mitigate these attacks.

Blueliv continuously scours and analyses hundreds of sources to provide unique intelligence about verified online crime servers conducting malicious activity, infected bot IPs, malware hashes and hacktivism activities. The feeds are offered as an easy-to-buy solution that provides high-impact results rapidly. The user can understand what attack vectors malicious actors are using, understand potential indicators of compromise (IoCs) and deploy mitigation solutions.

Although many of the companies described above perform some kind of log analysis, they do not have access to real-time cyber threat insights that would allow them to take action. That is why we launched Logstash-input-Blueliv. If our clients already use the ELK stack for log analysis, it is easier for them to install a plugin built on technologies they already know and are used to working with.

Taking action against malicious IPs and domains

One of our clients had the problem we stated above. Although they had set up security policies on their users' machines and other classic security devices, they could not prevent users from inadvertently accessing insecure websites or from downloading insecure attachments from emails. So how could ELK and the Blueliv plugin help with this? With Blueliv's cyber threat data collected by Logstash and stored in Elasticsearch, our clients could visualise cyber threats in real time through Kibana and get alerts in order to react in time.

For them it was extremely important to visualise these IoCs because it allowed them to take action quickly. Updating the operating systems, blocking IPs and domains were some of the measures that were taken. This was only possible due to the ability to correlate Blueliv's data with their own network logs, using Logstash and Elasticsearch. The correlation went even further: discovering what were the most affected departments and machines. This allowed for the creation of new security policies and the stricter enforcement of current ones. All of this would be a lot harder to discover without Blueliv's data and the correlation and visualisation performed with the ELK stack.
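The correlation described above, as an added example that is not Blueliv's or Elastic's code: it joins a constructed crime-server indicator list (IP and domain fields, with assumed field names) against constructed proxy log lines and counts hits per department and per host, which is the kind of question the client answered with Logstash and Elasticsearch.

```python
import re
from collections import Counter

# Constructed crime-server indicators in the shape the post describes (IP plus
# domain, with a subtype); placeholder values, not real Blueliv feed data.
THREAT_FEED = [
    {"type": "crimeserver", "ip": "203.0.113.10", "domain": "update-check.example", "subtype": "MALWARE"},
    {"type": "crimeserver", "ip": "198.51.100.7", "domain": "secure-login.example", "subtype": "PHISHING"},
]

# Constructed proxy log lines (assumed format):
# "<timestamp> <src_ip> <hostname> <department> <dst_ip> <dst_host>"
PROXY_LOGS = """\
2015-08-17T09:01:02Z 10.1.1.5 ws-fin-01 finance 203.0.113.10 update-check.example
2015-08-17T09:03:14Z 10.1.2.9 ws-hr-03 hr 93.184.216.34 example.com
2015-08-17T09:05:40Z 10.1.1.6 ws-fin-02 finance 198.51.100.7 secure-login.example
2015-08-17T09:07:11Z 10.1.1.5 ws-fin-01 finance 203.0.113.10 update-check.example
2015-08-17T09:09:55Z 10.1.3.2 ws-ops-01 ops 192.0.2.25 -
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def build_indicator_index(feed):
    """Map every IP and domain in the feed to its indicator record."""
    index = {}
    for rec in feed:
        index[rec["ip"]] = rec
        if rec.get("domain"):
            index[rec["domain"]] = rec
    return index

def correlate(log_text, feed):
    """Return (matched events, hits per department, hits per host)."""
    index = build_indicator_index(feed)
    hits = []
    by_department = Counter()
    by_host = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts, src_ip, host, dept, dst_ip, dst_host = m.groups()
        # A hit on either the destination IP or the destination domain counts.
        ioc = index.get(dst_ip) or index.get(dst_host)
        if ioc is None:
            continue
        hits.append({"ts": ts, "src_ip": src_ip, "host": host, "dept": dept, "ioc": ioc})
        by_department[dept] += 1
        by_host[host] += 1
    return hits, by_department, by_host
```

The per-department and per-host counters are the "most affected departments and machines" view; in the real deployment the same join is done by querying the Blueliv and network-log indices in Elasticsearch.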

You can find out more about Logstash-input-Blueliv plugin and how to use it with the ELK stack here:

Future

Blueliv cyber threat intelligence data feeds have been available for major SIEMs and via REST API for some months. Currently we are working to bring emerging threats into our cyber threat intelligence platform engine. Our goal is to deliver focused, targeted cyber threat intelligence in a timely manner in order to let our clients take action and avoid direct and indirect financial harm.

With the help of the ELK stack we have been able to reach a wider user base and to deploy features in our cyber threat feeds more quickly. Moreover, the learning curve and installation complexity are nearly non-existent, which lets users get started with our data without technical support.

Overall, we have been pleased with the ELK stack, how it works out of the box and how easy it is to set up and use a plugin in the Logstash ecosystem.

João Alves is a Software Engineer that works at Blueliv on cyber threat intelligence solutions.