AlienVault, creator and manager of the OSSIM open source SIEM platform, has launched the AlienVault Open Threat Exchange (AV-OTX); a cloud-based threat intelligence sharing system. The potential security value of this development comes from the combination of cloud sourcing, the combined number of OSSIM and AlienVault users, and the very nature of open source SIEM technology.
Cloud makes it globally available. The combined number of existing OSSIM and AlienVault SIEM users is in excess of 18000. The nature of SIEM means that threats aren’t limited to one particular type. And it’s “free to all who share,” says AlienVault’s CTO Roger Thornton.
“There is some sharing already going on in the security world,” explained Richard Kirk, a senior vice president at AlienVault. “It happens with viruses. One anti-virus company, say Symantec, will share threat data with another anti-virus company – say McAfee. But that’s only one piece of the puzzle. What a SIEM platform does,” he continued, “is to look across the board at everything related to security: viruses, vulnerabilities, intrusion detection, firewalls, and many many things that connect to the platform.” But right now there are no systems or companies that provide a consolidated view of all the different threat intelligence.
“That is what the AV-OTX is all about,” he added, “it’s about taking advantage of the 18000 users we have of our open source platform and making it easy for them to decide to opt in and collaborate with us to help share that information for the greater good of the whole community.” AV-OTX doesn’t just gather the data, it cleanses, aggregates, validates and publishes threat data provided by more than 18,000 OSSIM and AlienVault deployments, making intelligence received from one source available to all other users.
It is just a start, “but it’s a good start,” says Kirk. It has the potential to provide an information sharing model in line with government recommendations. Because it is threat data, it is not personal information. Because it is cloud and free, it is effectively global. Because it is SIEM-based, it has the potential to include any type of security threat. And because it is based on an open source platform, end users have the ability to integrate any third party device they use. What AlienVault is doing is taking a model already used by large multinational corporates with multiple security operations centers, and making it open. Large companies already share threat data between their different SOCs. AlienVault, by using the cloud model and an open source SIEM, is widening that model to the global market.