feeeds
Level 9
Message 1 of 8

External Threat Feeds

Does anyone have any experience with bringing in (preferably automated) external threat feeds such as dshield.org or other similar free threat feed services to Nitro?

7 Replies
McAfee Employee
Message 2 of 8

Re: External Threat Feeds

Hi Feeeds


I don't have anything on automating feeds, but there is a very good post by Scott Taschler which describes using Watchlists for emerging threats - http://mcaf.ee/3uek1

Sites such as dshield supply good information such as block lists (http://dshield.org/block.txt) which could be easily added to a watchlist.

There is of course McAfee GTI, which is automated and available within SIEM. If you are interested in getting a subscription for that, you would need to talk to your sales representative.

Regards


Chris

artek
Level 11
Message 3 of 8

Re: External Threat Feeds

Hi Chris,

Yes, it is very good to use McAfee GTI with ESM, but there is a small problem: what can we tell customers buying a small system (like a combo)? Please compare the small combo price with the minimal price of GTI...

Regards,

Artur Sadownik

McAfee Employee
Message 4 of 8

Re: External Threat Feeds

Hi Artur

I recommend that you talk with your McAfee Sales Representative to see if they can offer any suggestions on the pricing.


Regards

Chris

Re: External Threat Feeds

Hi Artur,

As far as I know, the minimum number of GTI licenses has been changed in the latest price book. Things should be a bit easier for us to deliver GTI with McAfee SIEM.

Best regards,

Parinya

artek
Level 11
Message 6 of 8

Re: External Threat Feeds

Hi Parinya,

Yes, you are right, it is very good news.

This year it is possible to buy GTI for only 1000 nodes, not 10000.

Best Regards,

Artur Sadownik

feeeds
Level 9
Message 7 of 8

Re: External Threat Feeds

So I am getting back to this after letting it flounder for a while. I set up an automated process where my Linux server pulls about 5 threat feeds in from various sites. Nitro then grabs these flat files. The problem I have is that the data becomes stale very quickly. It would be nice if Nitro could purge the log before it pulls a new file, since the threat feed services are clearing certain IPs that are no longer an issue, and I don't want to be chasing a bunch of false positives.

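As an added example (my own code, not from anyone in this thread, from McAfee, or from dshield), the following script shows the feed-to-watchlist step Chris describes in message 2 and addresses the staleness problem in message 7 on the collector side rather than in Nitro: each run parses the downloaded block list, drops malformed rows, and atomically replaces the previous watchlist file instead of appending to it, so entries the feed has since cleared do not linger. The column layout (tab-separated start IP, end IP, netmask bits, attack count, name, country, contact) and the `# updated:` header line are assumptions about a dshield-style block list; the sample feed is constructed and uses documentation address ranges only, not real indicators.

```python
import ipaddress
import os
import tempfile
import urllib.request
from datetime import datetime, timezone

# Constructed sample in an assumed dshield-style layout: comment lines start
# with '#', data rows are tab-separated. Addresses are RFC 5737 documentation
# ranges, not real indicators. A duplicate and a junk row are included on purpose.
SAMPLE_FEED = (
    "# updated: 2013-05-01 00:00:00 UTC\n"
    "# Start\tEnd\tNetmask\tAttacks\tName\tCountry\tEmail\n"
    "192.0.2.0\t192.0.2.255\t24\t5321\tEXAMPLE-NET-A\tXX\tabuse@example.net\n"
    "198.51.100.0\t198.51.100.255\t24\t1200\tEXAMPLE-NET-B\tXX\tabuse@example.org\n"
    "203.0.113.0\t203.0.113.255\t24\t30\tEXAMPLE-NET-C\tXX\tabuse@example.com\n"
    "192.0.2.0\t192.0.2.255\t24\t5321\tEXAMPLE-NET-A\tXX\tabuse@example.net\n"
    "not-an-ip\tjunk\n"
)


def fetch_feed(url, timeout=30):
    """Download a feed as text (not used by the offline demo below)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_block_list(text, min_attacks=0):
    """Return a sorted, de-duplicated list of CIDR strings from feed text.
    Rows that do not parse are skipped so a corrupt line cannot poison the watchlist."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        start, _end, mask, attacks = fields[:4]
        try:
            net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
            count = int(attacks)
        except ValueError:
            continue
        if count >= min_attacks:
            nets.add(net)
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def feed_age_hours(text, now=None):
    """Age of the feed in hours from its '# updated:' header (assumed format),
    or None when the header is missing or unparseable."""
    now = now or datetime.now(timezone.utc)
    for line in text.splitlines():
        if line.startswith("# updated:"):
            stamp = line[len("# updated:"):].strip()
            try:
                ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC")
            except ValueError:
                return None
            return (now - ts.replace(tzinfo=timezone.utc)).total_seconds() / 3600
    return None


def is_stale(text, max_age_hours, now=None):
    """A feed with no readable timestamp is treated as stale (conservative default)."""
    age = feed_age_hours(text, now)
    return age is None or age > max_age_hours


def write_watchlist(cidrs, path):
    """Atomically replace the watchlist file. Nitro only ever sees either the old
    complete file or the new complete file, and nothing from a previous run survives."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".watchlist-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("".join(c + "\n" for c in cidrs))
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return len(cidrs)


def refresh_watchlist(feed_text, path, min_attacks=0, max_age_hours=24, now=None):
    """One collector run: refuse a stale feed (keeping the old file), otherwise
    rebuild the watchlist from scratch. Returns the number of entries written."""
    if is_stale(feed_text, max_age_hours, now):
        raise RuntimeError("feed is stale or undated; previous watchlist left untouched")
    return write_watchlist(parse_block_list(feed_text, min_attacks), path)


if __name__ == "__main__":
    # Offline demo on the constructed sample; in a cron job you would pass
    # fetch_feed("http://dshield.org/block.txt") instead of SAMPLE_FEED.
    out = os.path.join(tempfile.mkdtemp(), "dshield-watchlist.txt")
    fixed_now = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc)
    n = refresh_watchlist(SAMPLE_FEED, out, min_attacks=100, now=fixed_now)
    print(f"wrote {n} entries to {out}")
```

The `min_attacks` threshold is a simple way to keep low-confidence ranges out of the watchlist, and the stale check means a feed site that stops updating does not silently keep an old block list alive; both are the knobs you tune when the false-positive rate Feeeds mentions gets too high.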
dcobes
Level 9
Message 8 of 8

Re: External Threat Feeds

Feeeds,

Like Chris mentioned, watchlists are great to use; another option is data enrichment (but only if you can get a set format and find a key field that can be linked to a parsed field for any events).

-d