OSSIM update enables cyber threat intelligence sharing

The latest update to the Open Source Security Information Management (OSSIM) base system includes a mechanism for sharing cyber threat intelligence.

The latest update to the Open Source Security Information Management (OSSIM) base system includes a mechanism for sharing cyber threat intelligence.

The AlienVault Open Threat Exchange (OTX) system is available free of charge to all users of OSSIM and the OSSIM-based AlienVault Unified Management platform (USM).

The OTX is designed to collect data and upload it to the cloud, where it is cleansed and analysed, before being shared with the user community by embedding new threat intelligence into the correlation engines of all OSSIM-based security information and event management (SIEM) systems.

Although OTX will be delivered as a standard update, any organisations that want to take part in the information sharing initiative will have to enable the feature by ticking a box to specifically opt-in.

"We decided to make it an opt-in system to give users confidence in using it by enabling them to control whether cyber threat data is collected from their systems," said Richard Kirk, AlienVault senior vice president international.

The OSSIM update provides full information on what data will be collected, but users are assured that it will be normalised and anonymised before being shared to ensure there is no way of identifying where the data came from, he told Computer Weekly.

As an open source initiative, OTX is designed to collect threat intelligence across more than 18,000 OSSIM and AlienVault deployments, the largest set of SIEM users in the world, and from many different parts of the information security infrastructure, including hardware such as firewalls and intrusion detection systems, and software such as identity and access management systems.

This broader approach contrasts with the more established threat intelligence gathering and sharing initiatives by security suppliers like McAfee, Symantec and Trend Micro, which are typically very narrow, being based on a single view of what is going on in the security landscape, said Kirk.

"National security organisations that have a broader view share this only with a small audience, and we saw the need to take a broader view of what is going on to all users to a wider audience," he said.

The OTX initiative was driven by user organisations that want to share threat intelligence across security operations centres in different parts of the world.

"For example, global telecommunications firm Telefonica has been looking for the ability to share threat intelligence between its security operations centres in South America and Europe," said Kirk.

"They realise that what is going on in Brazil is likely to hit Spain, and if they can anticipate that, they will be in a better position to manage it," he said.

According to Kirk, the OTX will enable industrial scale threat intelligence sharing to match the industrial scale operations of cyber criminals.

"When the data starts to come in, and as we collect more, there will be all sorts of things we will be able to do, and on a much broader front than existing initiatives by security suppliers," he said.

Jose Luis Gilperez, director of product development and security innovation at Telefonica, which made its data available for the OTX pilot, said global internet threats need to be countered from a global perspective.

"With OTX, an attack on any part of our network or any member of the OTX community alerts everybody in the community and helps us all to respond to threats more effectively," he said.

Commenting on the pilot implementation of OTX, Javier Diaz-Palacios, director of security and communications at Telefonica said, "We saved 90% of the license and implementation costs of other alternatives while achieving 35% more functionality."

Read more on IT suppliers

Data Center
Data Management