Blueliv has developed an input plugin for Logstash that, with the help of the ELK stack, provides real-time, actionable cyber threat intelligence to help organisations understand the scale of cyber threats currently aligned against them.
Why the ELK stack?
Most companies that are defending themselves against these attacks use some kind of Security Information and Event Management (SIEM) software that allows them to aggregate and correlate data. This kind of software allows them to set up dashboards in order to quickly visualise the information.
Elasticsearch, Logstash, and Kibana are a really great toolset for our clients:
- Logstash can parse and filter data from several cyber threat intelligence providers;
- Elasticsearch allows indexing and aggregating this data;
- And finally Kibana has the visualisation tools that make the threat analysis and prevention easier and faster.
Given these characteristics and how well these tools work seamlessly together, many companies take advantage of these technologies as a SIEM. Therefore, it makes a lot of sense to offer our cyber threat intelligence feeds via a Logstash input plugin that allows users to receive real-time insights about cyber threats in just a couple of minutes.
In order to get our data feeds into the ELK stack, we developed a Logstash Input plugin that periodically recollects them for you, letting you focus on the data analysis and making your company more secure. Logstash output configuration allows us to use different indexes to save different types of information (for instance, bot IPs and crime servers), which makes the dashboard visualisation and creation easier. Another critical characteristic of Elasticsearch, (taking into account that we currently analyse and collect information on millions of crime servers and infected IPs,) is its stunning performance. It indexes all this data and lets our clients search against it quickly.
Protect your network with the ELK stack and Blueliv
Every day, millions of people worldwide are affected by cyber attacks. This means that your company’s safety and, therefore, your privileged information, may be compromised. With Blueliv Logstash Input plugin, you can start to monitor and get insights about cyber threats. Our ELK users will be able to access Blueliv’s global intelligence such as malware distribution domains, C&Cs, phishing campaigns, exploit kits, backdoors, infected IPs, operating systems affected, and more at a glance using Kibana dashboards.
To get started, we offer a free API for crime servers that contains a sub-set of our unique cyberthreat intelligence, as well as a 14-day trial of our full-featured feeds.
A lot of companies (banks, insurance companies, pharmaceuticals, etc.) manage sensitive information about their clients and their own business. For such companies, these information leaks may have a huge impact at financial and costumer level, besides the damage to companies’ reputation and brand.
On the other hand, with hundreds of thousands of employees distributed across the world it is really difficult for companies to enforce security policies based on “common-sense”. Attackers know this very well, and will use social engineering techniques (such as phishing attacks that replicate legitimate websites) or other malware distribution techniques, in order to trick the users and thus obtaining information from the infected user, such as credentials, confidential documents, etc. The need to quickly identify, prevent, or mitigate this attacks arises.
Blueliv scours and analyses continuously hundreds of sources to provide unique intelligence about verified online crime server conducting malicious activity, infected bot IPs, malware hashes and hacktivism activities. The feeds are offered as an easy to buy solution that provides high-impact results rapidly. The user can understand what attack vectors malicious actors are using, understand potential indicators of compromise (IoC) and deploy mitigation solutions.
Although many of the above described companies performed some kind of log analysis, they do not have access to real-time cyber-threat insights that would allow them to take action. That is why we launched Logstash-Input-Blueliv. If our clients already used ELK stack for Log analysis it would be easier to install a plugin using the technologies they already know and are used to working with.
Taking action against malicious IPs and domains
One of our clients had the problem that we stated above. Although they had set-up security policies in their users’ machines and other classic security devices, they could not prevent users from inadvertently accessing insecure websites or from downloading insecure attachments from emails. So how could ELK and Blueliv plugin help with this? Having Blueliv’s cyber-threat data recollected by Logstash and stored in Elasticsearch, our clients could visualise cyber threats in real-time through Kibana and get alerts in order to react in time.
For them it was extremely important to visualise these IoCs because it allowed them to take action quickly. Updating the operating systems, blocking IPs and domains were some of the measures that were taken. This was only possible due to the ability to correlate Blueliv’s data with their own network logs, using Logstash and Elasticsearch. The correlation went even further: discovering what were the most affected departments and machine. This allowed for the creation of new security policies and the stricter enforcement of current ones. All of this would be a lot harder to discover without Blueliv’s data and the correlation and visualisation performed with the ELK stack.
You can find out more about Logstash-Input-Blueliv plugin and how to use it with the ELK stack here:
■ Documentation and configuration examples: https://github.com/Blueliv/elk-config-examples
■ Installation video tutorial: https://youtu.be/V3fMrSZYySE
Blueliv cyber threat intelligence data feeds have been available for major SIEMs and via REST API for some months. Currently we are working to bring emerging threats to our cyber threat intelligence platform engine. Our goal is to deliver focused, targeted Cyber Threat intelligence in a timely manner in order to look our clients take actions and avoid direct and indirect financial harm.
With the help of the ELK stack we have been able to establish a wide user-base and to deploy features in our cyber threat feeds more quickly. Moreover, the learning curve and installation complexity are nearly non-existent, which let users get started with our data without technical support.
Overall, we have been pleased with the ELK stack, how it works out-of-the-box and how easy it is to set-up and use a plugin in Logstash ecosystem.
Note: This post was originally published on Elastic’s blog.