Threat Intelligence Sharing in a Connected World
a Cohort plc company
Mass Consultants Ltd, November 2015
Prepared by: MASS, Enterprise House, Great North Road, Little Paxton, St Neots, Cambridgeshire PE19 6BN
Tel: +44 (0)
E: cyberessentials@mass.co.uk
Copyright 2015 Mass Consultants Limited. All Rights Reserved. The copyright and intellectual property rights in this work are vested in Mass Consultants Limited. This document is issued in confidence for the sole purpose for which it is supplied and may not be reproduced, in whole or in part, or used for any other purpose, except with the express written consent of Mass Consultants.
Contents
1 Executive Summary
2 Current Sharing Landscape
3 Emerging Standards
3.1 OpenIOC (Mandiant Corporation)
3.2 IODEF/RID (IETF)
3.3 STIX/TAXII (Mitre Corporation)
4 Creating a Sharing Ecosystem
5 Efficient Storage and Sharing
6 Big Data Developments
7 Summary
8 References
MASS 2015 All rights reserved WHP003/1
1 Executive Summary

Over the last five years, cyber attackers have consistently achieved their objectives by re-using infrastructure and tools. Although their tactics, techniques and procedures (TTPs) are often well understood and documented, there has been no easy or consistent way to promulgate that information to network defenders. In response to this seemingly bleak picture, we have seen the emergence of a number of communities where threat information is shared between those who observe attacks and those who seek to defend against them. Unfortunately these communities often operate in isolation from each other, meaning that some network defenders spend their time de-duplicating information which is delivered in a variety of incompatible formats.

The adoption of a common language to describe attacks, with a standardised mechanism for exchanging intelligence in real time across organisational, product and security boundaries, will transform the UK's response to the growing barrage of threats from cyberspace. The challenges of sharing threat information safely and quickly are not unique to cyber intelligence, and have already been successfully overcome in other domains. MASS experience in the field of Electronic Warfare data management can be built upon to provide quick wins and technology pull-through to the cyber domain.
2 Current Sharing Landscape

Cyber threat intelligence expressed purely as atomic signatures or selectors can no longer provide adequate protection for network defenders. The sheer volume of new malware, the use of disposable infrastructure and the increased use of anti-detection techniques (e.g. polymorphism) mean that these traditional, simple methods for describing and sharing threats are no longer viable.

Early attempts at sharing enriched threat information have had mixed results. Initiatives such as the Cyber-Security Information Sharing Partnership (CiSP) have highlighted a clear desire from organisations to consume context-rich threat information, as witnessed by higher-than-anticipated enrolment (over 750 organisations and over 2000 individuals by December 2014). However, the CiSP environment does not lend itself to real-time information sharing. Users must log into a web-based portal and search for nuggets of actionable information buried within verbose prose. Whilst this approach does provide a mechanism to enrich atomic signatures with context and comment, there is no automated way of consuming information from CiSP, or of sharing observations back to that community.

CiSP is not alone in this regard. Globally there are a growing number of portals where network defenders are able to consume or share threat intelligence information, including CPNI Information Exchanges, MACCSA, Ops-T, nsp-security, InfraGard, NCFTA, ICASI, ISACs and Usual5. The mechanisms for sharing, the format in which information is presented and the ways in which it can be used can vary greatly from portal to portal. Advisories and bulletins from vendors and CERTs are also inconsistent in their use of formatting, naming conventions and descriptive vocabulary. Separately, within the intelligence community, multiple overlapping societies of trust exist, operating at a variety of classification levels and caveats, with disparate data often dispersed across multiple systems.
This complex web of data sources and incompatible formats can lead to vital intelligence being missed, and to network defenders not having the information required to protect against known threats. In order to ensure that the UK is one of the most secure places in the world to do business in cyberspace, Government needs to ensure it is able to share threat intelligence with network defenders and partners in a prompt, efficient manner, providing as much context and enrichment as possible to each distinct audience. This can only be achieved by implementing a standard language to represent structured cyber threat information, together with a safe, secure, automated method for sharing and collaboration.
3 Emerging Standards

The challenge of sharing cyber threat information is no longer a problem faced by Governments, or the intelligence community, in isolation. In recent years a number of separate projects have emerged to address this issue, and three open standards have risen to prominence. They are:

3.1 OpenIOC (Mandiant Corporation)

Originally developed as a proprietary schema by Mandiant to allow their products to codify intelligence, OpenIOC was standardised and released under an open-source licence in November. Whilst the extensible XML schema provides mechanisms to describe the technical characteristics of threats, methodologies or evidence of compromise, there have been relatively few OpenIOC-compliant tools released to date.

3.2 IODEF/RID (IETF)

The Incident Object Description Exchange Format (IODEF) was first defined by the Internet Engineering Task Force in RFC5070; RID (Real-time Inter-network Defense) is the companion IETF specification for transporting IODEF documents between parties. Thus far IODEF has had limited adoption, the most high-profile user being the Anti-Phishing Working Group (APWG), who implemented IODEF with specific anti-phishing extensions (as defined in RFC5901).

3.3 STIX/TAXII (Mitre Corporation)

Overseen by the not-for-profit Mitre Corporation, Structured Threat Information expression (STIX) and Trusted Automated exchange of Indicator Information (TAXII) are standards specifically designed to enable automated information sharing for cybersecurity situational awareness, real-time network defence and sophisticated threat analysis. STIX (and its constituent components) is under active consideration for use and initial prototyping among a large variety of public-public, public-private and private-private cyber threat information sharing communities, and by several vendors supporting the domain. Of the three, the STIX/TAXII family of interrelated technical specifications is quickly becoming the de facto standard for threat intelligence sharing.
They are already being used to share operational data within the Financial Services sector, and have recently been incorporated into commercial offerings from HP (ThreatCentral), Microsoft (MAPP), FOX-IT (InTELL), Bromium (LAVA) and Lockheed Martin (Suricata). By adopting an industry standard, rather than creating something bespoke, Government could leverage commercial off-the-shelf (COTS) tools for elements of cyber threat analysis and intelligence management. A standard structured format also provides opportunities to share threat data more easily, including automatic ingestion from trusted sources and vendors.
4 Creating a Sharing Ecosystem

The ambitious goals set by the UK Cyber Security Strategy will only be achieved if the numerous strands of cyber intelligence which exist across GCHQ, the wider security/intelligence community, UK industry and academia can be pulled together to create a sharable, coherent threat picture. By utilising STIX, intelligence would be presented in a common language and be easily understood (by humans and by security technologies), reducing the time required to turn security intelligence into beneficial action.

It is likely that some sources and legacy stores of intelligence will need to be translated into STIX format. Where a legacy record already has discrete fields (indicator type, value, source, handling caveat), this is a mapping exercise, as the XML schema for STIX is well documented and highly expansive; context held only as free text has to be re-expressed in the relevant STIX component, which is where most of the translation effort lies. By translating legacy and bespoke formats, data obtained from multiple sources would become more synergistic and complementary, increasing the value of intelligence sharing. STIX achieves this by providing a unifying architecture, tying together a diverse set of cyber threat information including:

- Cyber Observables
- Indicators
- Incidents
- Adversary Tactics, Techniques and Procedures (including attack patterns, malware, exploits, kill chains, tools, infrastructure, victim targeting, etc.)
- Exploit Targets (e.g. vulnerabilities, weaknesses or configurations)
- Courses of Action (e.g. incident response or vulnerability/weakness remedies or mitigations)
- Cyber Attack Campaigns
- Cyber Threat Actors

Whilst each of these components exists independently of the others, they are reusable and inter-relatable, with the ability to enhance content in detail within the XML schema.

Figure 1 - STIX architecture (from STIX Project Documentation)
STIX also leverages an abstract data-marking approach which cuts across all components. By enabling marking of content down to the field level, granular security labelling can be applied to data, including handling guidance or context tagging. The current STIX default model implements the Traffic Light Protocol (TLP), Intelligence Community Enterprise Data Header (EDH) and Terms of Use. This could easily be expanded to implement UK Government Security Classifications or any other protective markings and caveats as required. A marking of this kind travels with the data as a handling instruction; it only restricts dissemination where every system that stores or forwards the package honours it, so the transport and storage layers matter as much as the schema.

Alongside STIX, TAXII delivers a secure transport mechanism which standardises the automated exchange of threat information. By traversing organisational and product/service boundaries, TAXII offers an elegant solution for sharing information with a number of diverse communities whilst leveraging existing relationships and technologies. Implemented together, STIX and TAXII could help accelerate security intelligence sharing, improve threat prevention controls and even automate defences.

Other emerging standards, including Cyber Observable eXpression (CybOX) and the Malware Attribute Enumeration and Characterization (MAEC) language, would provide an additional level of granularity for describing specific elements of observed threats. Work is also ongoing to merge the existing Digital Forensics XML (DFXML) standard into CybOX.
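The translation of a legacy feed and the field-level marking described in the two passages above can be seen end to end in the following Python. It is an added example, not code from the MASS paper or from the STIX project: it turns a constructed CSV indicator feed into a STIX 1.2 XML package, attaches a TLP marking at package level and a second one scoped to each Indicator through the marking's Controlled_Structure XPath, and then reads the package back to decide which indicators a consumer cleared to a given TLP colour may receive. The schema namespaces, element names and the TLP marking extension are those published for STIX 1.2 and CybOX 2.1; the producer namespace "example", the CSV column layout and the indicator values (RFC 5737 and RFC 2606 documentation values) are assumptions made for the example. Only the standard library is used, so it runs offline; it does not validate the output against the XSDs.

```python
import csv
import io
import uuid
import xml.etree.ElementTree as ET

# Namespaces of the STIX 1.2 / CybOX 2.1 / data-marking XML schemas
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "marking": "http://data-marking.mitre.org/Marking-1",
    "tlpMarking": "http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def q(prefix, name):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (NS[prefix], name)


# TLP colours from least to most restrictive
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]

# Legacy indicator type -> CybOX object (namespace prefix, xsi:type, value element, attributes)
CYBOX_OBJECTS = {
    "ipv4": ("AddressObj", "AddressObjectType", "Address_Value", {"category": "ipv4-addr"}),
    "domain": ("DomainNameObj", "DomainNameObjectType", "Value", {"type": "FQDN"}),
}

# Constructed sample of a legacy CSV feed (assumed column layout); the values are
# RFC 5737 / RFC 2606 documentation addresses, not real indicators.
LEGACY_CSV = """type,value,tlp,description
ipv4,203.0.113.5,AMBER,Command and control server
domain,phish.example,GREEN,Phishing landing page
ipv4,198.51.100.7,RED,Exfiltration drop point
"""


def add_tlp_marking(parent, handling_tag, colour, controlled_structure):
    """Attach a TLP marking whose scope is the XPath given in Controlled_Structure."""
    handling = ET.SubElement(parent, handling_tag)
    marking = ET.SubElement(handling, q("marking", "Marking"))
    ET.SubElement(marking, q("marking", "Controlled_Structure")).text = controlled_structure
    structure = ET.SubElement(marking, q("marking", "Marking_Structure"))
    structure.set(q("xsi", "type"), "tlpMarking:TLPMarkingStructureType")
    structure.set("color", colour)


def csv_to_stix(csv_text, producer="example"):
    """Translate the legacy feed into one STIX 1.2 package; returns the XML as a string."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pkg = ET.Element(q("stix", "STIX_Package"),
                     {"id": "%s:Package-%s" % (producer, uuid.uuid4()), "version": "1.2"})
    # This prefix only appears inside xsi:type values, so declare it explicitly
    pkg.set("xmlns:tlpMarking", NS["tlpMarking"])
    header = ET.SubElement(pkg, q("stix", "STIX_Header"))
    ET.SubElement(header, q("stix", "Title")).text = "Indicators translated from legacy CSV feed"
    # Package-level marking: the most restrictive colour present governs the whole document
    package_colour = max((r["tlp"] for r in rows), key=TLP_ORDER.index)
    add_tlp_marking(header, q("stix", "Handling"), package_colour, "//node() | //@*")

    indicators = ET.SubElement(pkg, q("stix", "Indicators"))
    for row in rows:
        prefix, obj_type, value_tag, attrs = CYBOX_OBJECTS[row["type"]]
        ind = ET.SubElement(indicators, q("stix", "Indicator"),
                            {"id": "%s:indicator-%s" % (producer, uuid.uuid4())})
        ind.set(q("xsi", "type"), "indicator:IndicatorType")
        ET.SubElement(ind, q("indicator", "Title")).text = row["description"]
        obs = ET.SubElement(ind, q("indicator", "Observable"),
                            {"id": "%s:Observable-%s" % (producer, uuid.uuid4())})
        obj = ET.SubElement(obs, q("cybox", "Object"),
                            {"id": "%s:Object-%s" % (producer, uuid.uuid4())})
        props = ET.SubElement(obj, q("cybox", "Properties"), dict(attrs))
        props.set(q("xsi", "type"), "%s:%s" % (prefix, obj_type))
        ET.SubElement(props, q(prefix, value_tag)).text = row["value"]
        # Field-level marking: the XPath is relative to Marking_Structure and selects only
        # this Indicator's subtree, so one package can carry indicators of mixed colour
        add_tlp_marking(ind, q("indicator", "Handling"), row["tlp"],
                        "../../../descendant-or-self::node() | "
                        "../../../descendant-or-self::node()/@*")
    return ET.tostring(pkg, encoding="unicode")


def package_tlp(stix_xml):
    """Colour of the package-level marking carried in the STIX_Header."""
    header = ET.fromstring(stix_xml).find(q("stix", "STIX_Header"))
    return header.find(".//" + q("marking", "Marking_Structure")).get("color")


def indicators_visible_to(stix_xml, audience_max_tlp):
    """(value, colour) of each indicator whose own marking permits release to the audience."""
    allowed = TLP_ORDER.index(audience_max_tlp)
    visible = []
    for ind in ET.fromstring(stix_xml).iter(q("stix", "Indicator")):
        colour = ind.find(".//" + q("marking", "Marking_Structure")).get("color")
        value = ind.find(".//" + q("cybox", "Properties") + "/*").text
        if TLP_ORDER.index(colour) <= allowed:
            visible.append((value, colour))
    return visible


if __name__ == "__main__":
    package = csv_to_stix(LEGACY_CSV)
    print(package_tlp(package), indicators_visible_to(package, "AMBER"))
```

Because the package carries the per-indicator markings as well as the package-level one, a distribution point can filter the same document for each audience rather than producing a separate export per community; a consumer limited to GREEN receives only the phishing domain, while the package as a whole is RED because of its most sensitive entry.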
5 Efficient Storage and Sharing

Once cyber threat intelligence is stored in a standardised format (STIX, additionally enriched with CybOX, MAEC or DFXML descriptions as necessary), the challenge of real-time, large-scale sharing becomes a more manageable undertaking. The issues of data management and secure sharing are certainly not unique to cyber intelligence. MASS have decades of experience in the Electronic Warfare (EW) domain, where the THURBON next-generation data management system provides an internationally connected, flexible, scalable, XML-based platform. THURBON was designed to deliver high levels of automation, ease of use and integration with existing tools, fully supporting the drive for increased efficiency and reduced operating costs. These drivers are equally present within the cyber domain.

Figure 2 - Proposed UK cyber threat sharing (diagram: inputs from 2nd/3rd parties, other sources, collection, the fleet and industry relationships feed cyber threat analysis (CDO), which produces cyber threat information, observables and context, courses of action and context, and signatures/selectors created by cyber analysts; these populate a cyber threat database, internal to GCHQ alongside CDO/GovCertUK, from which TAXII feeds governed by policy/equities reach sharing communities to protect, detect and respond)

Building on lessons learnt from EW operations, the implementation of a master cyber threat database (or multiple federated databases), using STIX for description and TAXII for transport, could provide the UK with a world-leading cyber threat information sharing ecosystem. GCHQ is the natural location to house such a database in the UK, due to its ability to enrich cyber threat information with observations from other sources and wider collection. The multi-stakeholder model in the UK allows the same cyber threat information to be shared directly, or out via numerous channels (CPNI, CERT-UK, CiSP, Cyber Streetwise, etc.) to different audiences at differing levels of classification.
Access to the same threat information data could be made available to second and third parties, as well as to national and international partners. By replicating the successful THURBON EW model and using Oracle Label Security (OLS) to provide multi-level access to the same data source, the current issues of creating multiple separate ad-hoc data exports would be avoided. OLS mediates users' access to data via their assigned authorities and labels, allowing data separation by sensitivity within a single database. This approach could allow a single authoritative database of cyber threat information to be exposed across multiple domains, with each consumer receiving access only to a permitted subset of threat information.
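The mediation that OLS performs on each row can be sketched in a few lines. This added example (not MASS, THURBON or Oracle code) models a single threat database whose rows carry a level and a set of compartments, and applies the dominance rule a labelled database enforces on read and on write: a reader must hold at least the row's level and every compartment the row names. The level names follow the UK Government Security Classifications tiers (O, S, TS) with illustrative numeric ranks; the compartment names FIN and LE, the rows and the audience labels are constructed for the example; and the LEVEL:COMPARTMENTS text form is borrowed from the OLS text-label syntax with the optional groups component left out.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Hierarchical levels, low to high. Names follow the UK GSC tiers; the numeric
# ranks are illustrative (OLS lets the administrator choose them).
LEVELS = {"O": 10, "S": 20, "TS": 30}

# Non-hierarchical compartments (assumed names for this example)
COMPARTMENTS = {"FIN": "financial sector", "LE": "law enforcement"}


@dataclass(frozen=True)
class Label:
    """A data or user label: one level plus any number of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    @classmethod
    def parse(cls, text: str) -> "Label":
        """'S:FIN,LE' -> Label('S', {'FIN', 'LE'}), the LEVEL:COMPARTMENTS shape of an
        OLS text label (the optional :GROUPS component is not modelled here)."""
        level, _, comps = text.partition(":")
        if level not in LEVELS:
            raise ValueError("unknown level %r" % level)
        compartments = frozenset(c for c in comps.split(",") if c)
        unknown = compartments - set(COMPARTMENTS)
        if unknown:
            raise ValueError("unknown compartments %r" % sorted(unknown))
        return cls(level, compartments)


def dominates(user: Label, data: Label) -> bool:
    """Read access: the user's level must be at least the row's, and the user must hold
    every compartment the row carries. Compartments are not ordered, so a TS user
    without FIN still cannot read an O:FIN row."""
    return (LEVELS[user.level] >= LEVELS[data.level]
            and data.compartments <= user.compartments)


@dataclass(frozen=True)
class ThreatRow:
    indicator: str
    label: Label


# Constructed contents of the single authoritative database (not real indicators)
THREAT_DB: List[ThreatRow] = [
    ThreatRow("c2-203.0.113.5", Label.parse("O")),
    ThreatRow("phish.example", Label.parse("O:FIN")),
    ThreatRow("drop-198.51.100.7", Label.parse("S")),
    ThreatRow("actor-x-tool-hash", Label.parse("S:LE,FIN")),
    ThreatRow("collection-derived-selector", Label.parse("TS:LE")),
]


def read_view(user_label: str, db: List[ThreatRow] = THREAT_DB) -> List[str]:
    """Rows a consumer holding user_label receives from the shared database."""
    user = Label.parse(user_label)
    return [row.indicator for row in db if dominates(user, row.label)]


def can_label(user_label: str, proposed: str) -> bool:
    """Write control: a contributor may only attach labels they themselves dominate, so
    an O:FIN partner cannot mark a submission S, nor add a compartment it does not hold."""
    return dominates(Label.parse(user_label), Label.parse(proposed))


def audience_views(audiences: Dict[str, str],
                   db: List[ThreatRow] = THREAT_DB) -> Dict[str, List[str]]:
    """One view per sharing channel, all served from the same rows rather than
    from separate ad-hoc exports."""
    return {name: read_view(label, db) for name, label in audiences.items()}


if __name__ == "__main__":
    channels = {"CiSP": "O", "FS-ISAC": "O:FIN", "GovCertUK": "S:LE,FIN", "Partner": "TS:LE"}
    for name, rows in audience_views(channels).items():
        print(name, rows)
```

The TS:LE partner view is the instructive one: despite the highest level, it does not receive the two FIN-compartmented rows, which is the behaviour that lets one database serve audiences whose trust relationships overlap without being nested.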
Figure 3 - threat information context (pyramid: context and detail, and with them protective marking, increase towards the apex)

Threat intelligence data becomes more useful as the amount of context and detail increases. This typically corresponds to an increase in protective marking: the further up the pyramid (Figure 3) you go, the more highly protected that information becomes. The adoption of a standardised STIX/TAXII format would increase the usefulness of information shared at all levels, but particularly at the lower tiers, where current threat intelligence products are difficult to digest and to consume automatically. It is at these tiers that the vast majority of network defenders operate.
6 Big Data Developments

Recent work by MASS has advanced the development of a STIX database using modern, low-cost technology. Prototyping of a big data solution has confirmed that STIX can be implemented readily on a low-cost database stack as a complement to a high-security Oracle installation.

With the volume, origin, target and nature of attacks rapidly morphing over time, visualisation has become key to understanding and assessing the data gathered. The screenshots below show two possible views developed by MASS. The first (Figure 4) shows a view of data gathered over a year (left-hand pie chart) and on the day of capture (right-hand pie), the origin (inner pie), target (outer pie) and nature of attacks (table). The second (Figure 5) shows a colour-defined heat map indicating the number of vulnerabilities for given products running on given platforms, over time.

Figure 4 - visualisation of attack origins and targets over time

Figure 5 - visualisation of attack types, weaknesses attacked and target operating systems

Such a solution would be very suitable for use by, for example, the Home Office or Borders Agency, allowing a practical, heterogeneous implementation of STIX using homogeneous TAXII-based data sharing.
7 Summary

The sheer volume of cyber threat information being shared has increased exponentially over the last five years. Unfortunately many network defenders still find themselves manually searching across multiple disparate data feeds, cutting and pasting items of interest into different security products, and dealing with a variety of different naming conventions. Initiatives such as CiSP have created an effective conduit to share with a wide variety of threat intelligence consumers, although typically at an unclassified level. Existing higher-classification sharing relationships with law enforcement, the international intelligence community and industry partners must co-exist alongside this new audience. In order for threat information to flow effectively and efficiently, an interoperable, cross-domain solution for describing and sharing cyber threat intelligence is required. At the FIRST Conference in June 2014, Richard Struse, Chief Advanced Technology Officer at the US Department of Homeland Security, said:

"Truly interoperable, automated information sharing is a key capability for our shared success as cybersecurity responders and defenders. While each organisation's circumstances will drive different implementations with unique features and restrictions, a common message exchange and representation language will allow every CSIRT and SOC to realize new opportunities for more advanced analysis, faster response, and most importantly, more chances to deploy preventative measures before new attacks affect your constituency."

The rapidly maturing STIX and TAXII standards provide robust mechanisms to describe and transfer threat intelligence. By fusing operational experience gained in the Electronic Warfare domain with Government's unrivalled threat intelligence data, an accreditable multi-domain sharing infrastructure could be quickly created in the UK.
8 References

[1] Cyber-security Information Sharing Partnership
[2] CiSP sharing environment
[3] CPNI Information Exchanges
[4] Multinational Alliance for Collaborative Cyber Situational Awareness
[5] Operations Security Trust
[6] nsp-security
[7] InfraGard
[8] National Cyber-Forensics & Training Alliance
[9] Industry Consortium for Advancement of Security on the Internet
[10] Information Sharing and Analysis Centers
[11] Objective 1 of the UK Cyber Security Strategy - uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf
[12] OpenIOC
[13] RFC5070: The Incident Object Description Exchange Format
[14] RFC5901: Extensions to the IODEF-Document Class for Reporting Phishing
[15] Mitre Corporation
[16] DTCC and FS-ISAC launch cyber threat beacon system
[17] All about Threat Central
[18] Microsoft Active Protections Program (MAPP)
[19] Fox-IT InTELL
[20] Bromium Live Attack Visualisation and Analysis (LAVA)
[21] Lockheed Martin Integrates Cyber Security Standards into Open Source Platform
[22] STIX Data Model
[23] Traffic Light Protocol
[24] IC-Enterprise Data Header
[25] UK Government Security Classifications - attachment_data/file/251480/government-security-classifications-april-2014.pdf
[26] Cyber Observable eXpression (CybOX)
[27] Malware Attribute Enumeration and Characterisation (MAEC)
[28] Digital Forensics XML (DFXML)
[29] THURBON - Management.pdf
[30] Centre for the Protection of National Infrastructure (CPNI)
[31] CERT-UK
[32] Cyber Streetwise
[33] Oracle Label Security (OLS) CESG EAL4 certification
[34] Implementers Workshop: Automated Information Sharing with TAXII and STIX - conference/2014/program#pimplementers-workshop-automated-information-sharing-with-taxii-and-stix
More informationTestimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology
Testimony of Dan Nutkis CEO of HITRUST Alliance Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Hearing entitled: Cybersecurity: The Evolving Nature of Cyber
More informationBT Assure Threat Intelligence
BT Assure Threat Intelligence Providing you with the intelligence to help keep your organisation safe BT Assure. Security that matters At all times, organisations are vulnerable to all kinds of cyber attacks
More informationNational Cyber Security Policy -2013
National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information
More informationOpen Source Software for Cyber Operations:
W H I T E P A P E R Open Source Software for Cyber Operations: Delivering Network Security, Flexibility and Interoperability Introduction For the last decade, the use of open source software (OSS) in corporate
More informationCompliance Guide: ASD ISM OVERVIEW
Compliance Guide: ASD ISM OVERVIEW Australian Information Security Manual Mapping to the Principles using Huntsman INTRODUCTION In June 2010, The Australian Government Protective Security Policy Framework
More informationActions and Recommendations (A/R) Summary
Actions and Recommendations (A/R) Summary Priority I: A National Cyberspace Security Response System A/R 1-1: DHS will create a single point-ofcontact for the federal government s interaction with industry
More informationSophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC
WHITE PAPER Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC www.openioc.org OpenIOC 1 Table of Contents Introduction... 3 IOCs & OpenIOC... 4 IOC Functionality... 5
More informationCYBER SECURITY TRAINING SAFE AND SECURE
CYBER SECURITY TRAINING KEEPING YOU SAFE AND SECURE Experts in Cyber Security training. Hardly a day goes by without a cyber attack being reported. With this ever-increasing threat there is a growing need
More informationCSM-ACE 2014 Cyber Threat Intelligence Driven Environments
CSM-ACE 2014 Cyber Threat Intelligence Driven Environments Presented by James Calder Client Services Manager, Singapore 1 CONTENTS Digital criminality Intelligence-led security Shylock case study Making
More informationA Funny Thing Happened On The Way To OASIS: From Specifications to Standards
A Funny Thing Happened On The Way To OASIS: From Specifications to Standards Tom Millar Chief of Communications, US-CERT FIRST Berlin, June 18 th, 2015 Disclaimer This presentation is intended for informational
More informationSymantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team
Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................
More informationElegantJ BI. White Paper. The Enterprise Option Reporting Tools vs. Business Intelligence
ElegantJ BI White Paper The Enterprise Option Integrated Business Intelligence and Reporting for Performance Management, Operational Business Intelligence and Data Management www.elegantjbi.com ELEGANTJ
More informationCESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS
CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS QUESTION General What is the Cyber Security Incident Response (CSIR) Scheme? What is the Cyber Incident Response (CIR) scheme? Why have
More informationTop 5 Global Bank Selects Resolution1 for Cyber Incident Response.
MAJOR FINANCIAL SERVICES LEADER Top 5 Global Bank Selects Resolution1 for Cyber Incident Response. Automation and remote endpoint remediation reduce incident response (IR) times from 10 days to 5 hours.
More informationThe U.S. Department of Homeland Security s Response to Senator Franken s July 1, 2015 letter
The U.S. Department of Homeland Security s Response to Senator Franken s July 1, 2015 letter 1. In what ways do private entities currently share with, and receive from, the government cyber threat information?
More informationRetail Security: Enabling Retail Business Innovation with Threat-Centric Security.
Retail Security: Enabling Retail Business Innovation with Threat-Centric Security. 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco public information. (1110R) 1 In the past
More informationCyber Security Summit 2015
Cyber Security Summit 2015 Threat Intelligence 101: Introduction and Foundations Matthew J. Harmon IT Risk Limited, LLC Matthew J. Harmon IT Risk Limited, Principal Consultant DFIR, Pen Testing, Risk Management,
More informationFull-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform
Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Solution Brief Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Finding
More informationOUTCOME OF PROCEEDINGS
Council of the European Union Brussels, 18 November 2014 15585/14 COPS 303 POLMIL 103 CYBER 61 RELEX 934 JAI 880 TELECOM 210 CSC 249 CIS 13 COSI 114 OUTCOME OF PROCEEDINGS From: Council On: 17 18 November
More informationEffective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention
Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Your Security Challenges Defending the Dynamic Network! Dynamic threats 䕬 䕬 䕬 䕬 Many threats
More informationNational Security & Homeland Security Councils Review of National Cyber Security Policy. Submission of the Business Software Alliance March 19, 2009
National Security & Homeland Security Councils Review of National Cyber Security Policy Submission of the Business Software Alliance March 19, 2009 Question # 1: What is the federal government s role in
More informationAchieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR
Achieving Actionable Situational Awareness... McAfee ESM Ad Quist, Sales Engineer NEEUR The Old SECURITY Model Is BROKEN 2 Advanced Targeted Attacks The Reality ADVANCED TARGETED ATTACKS COMPROMISE TO
More informationThe Sophos Security Heartbeat:
The Sophos Security Heartbeat: Enabling Synchronized Security Today organizations deploy multiple layers of security to provide what they perceive as best protection ; a defense-in-depth approach that
More informationENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency
ENISA s Study on the Evolving Threat Landscape European Network and Information Security Agency Agenda Introduction to ENISA Preliminary remarks The ENISA report Major findings Conclusions 2 ENISA The
More informationCyberSecurity Solutions. Delivering
CyberSecurity Solutions Delivering Confidence Staying One Step Ahead Cyber attacks pose a real and growing threat to nations, corporations and individuals globally. As a trusted leader in cyber solutions
More informationNetwork Security Deployment Obligation and Expenditure Report
Network Security Deployment Obligation and Expenditure Report First and Second Quarters, Fiscal Year 2015 June 16, 2015 Fiscal Year 2015 Report to Congress National Protection and Programs Directorate
More informationCybersecurity on a Global Scale
Cybersecurity on a Global Scale Time-tested Leadership A global leader for more than a century with customers in 80 nations supported by offices in 19 countries worldwide, Raytheon recognizes that shared
More informationPractical Threat Intelligence. with Bromium LAVA
Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful
More informationOperational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel
Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel @Ben_Smith Ben Smith, CISSP Field CTO (US East), Security Portfolio A Security Maturity Path CONTROLS COMPLIANCE IT RISK BUSINESS
More informationFROM INBOX TO ACTION EMAIL AND THREAT INTELLIGENCE:
WHITE PAPER EMAIL AND THREAT INTELLIGENCE: FROM INBOX TO ACTION There is danger in your email box. You know it, and so does everyone else. The term phishing is now part of our daily lexicon, and even if
More informationPORTCULLIS. 2nd Annual Financial Services Cyber Security Summit. CBEST Workshop
PORTCULLIS 2nd Annual Financial Services Cyber Security Summit CBEST Workshop CBEST portcullis David Byrne CBEST Service Owner Introduction Portcullis has been established for over 23 years as an independent
More informationDefending Against Cyber Attacks with SessionLevel Network Security
Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive
More informationThreat Intelligence & Analytics Cyber Threat Intelligence and how to best understand the adversary s operations
Threat Intelligence & Analytics Cyber Threat Intelligence and how to best understand the adversary s operations September 2015 Copyright 2015 Deloitte Development LLC. All rights reserved. This presentation
More informationNext Generation Business Performance Management Solution
Next Generation Business Performance Management Solution Why Existing Business Intelligence (BI) Products are Inadequate Changing Business Environment In the face of increased competition, complex customer
More informationcyber Threat Intelligence - A Model for the 21st Century
HOW DO YOU CREATE A WORLD FINANCIAL COMMUNITY THAT IS RESILIENT IN THE FACE OF CYBER-SECURITY, CYBER-ESPIONAGE, AND HACKING? Biographies of Authors William Abbott Foster, PhD is a Senior Research Associate
More informationCyber Essentials Scheme
Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these
More informationCyber Security Organisational Standards. Guidance
Cyber Security Organisational Standards Guidance April 2013 Contents Contents...2 Overview...3 Background...4 Definitions...5 Presentation and Layout...6 Submissions Guidance...7 Acceptance Criteria...8
More informationCyber Security Information Exchange
Cyber Security Information Exchange Luc Dandurand NATO Communications and Information Agency Session ID: SECT-T08 Session Classification: General Interest Overview Cyber security in NATO Highlight of existing
More informationThreat Intelligence: Friend of the Enterprise
SECURELY ENABLING BUSINESS Threat Intelligence: Friend of the Enterprise Danny Pickens Principal Intelligence Analyst MSS FishNet Security DANNY PICKENS Principal Intelligence Analyst, FishNet Security
More informationDigital Evidence and Threat Intelligence
Digital Evidence and Threat Intelligence 09 November 2015 Mark Clancy CEO www.soltra.com @soltraedge External Threats Growing 117,339 incoming attacks every day The total number of security incidents detected
More informationPOWERFUL SOFTWARE. FIGHTING HIGH CONSEQUENCE CYBER CRIME. KEY SOLUTION HIGHLIGHTS
ADVANCED CYBER THREAT ANALYTICS POWERFUL SOFTWARE. FIGHTING HIGH CONSEQUENCE CYBER CRIME. Wynyard Advanced Cyber Threat Analytics (ACTA) is a Pro-active Cyber Forensics solution that helps protect organisations
More informationCyber Essentials Scheme
Cyber Essentials Scheme Assurance Framework January 2015 December 2013 Contents Introduction... 3 Change from June 2014 version... 3 Overview... 4 Stage Definitions... 5 Stage 1 Cyber Essentials: verified
More informationNew challenges in Data privacy.
New challenges in Data privacy. Zdravko Stoychev, CISM CRISC Information Security Officer Alpha Bank Bulgaria branch South East European Regional Forum on Cybersecurity and Cybercrime, 2013 11-13 Nov 2013
More informationWhite Paper. Advantage FireEye. Debunking the Myth of Sandbox Security
White Paper Advantage FireEye Debunking the Myth of Sandbox Security White Paper Contents The Myth of Sandbox Security 3 Commercial sandbox evasion 3 Lack of multi-flow analysis and exploit detection 3
More informationwww.pwc.co.uk Cyber security Building confidence in your digital future
www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in
More informationAddressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
More informationPanel on Emerging Cyber Security Technologies. Robert F. Brammer, Ph.D., VP and CTO. Northrop Grumman Information Systems.
Panel on Emerging Cyber Security Technologies Robert F. Brammer, Ph.D., VP and CTO Northrop Grumman Information Systems Panel Moderator 27 May 2010 Panel on Emerging Cyber Security Technologies Robert
More informationBig Data Architectures: Concerns and Strategies for Cyber Security
Big Data Architectures: Concerns and Strategies for Cyber Security David Blockow Software Architect, Data to Decisions CRC david.blockow@d2dcrc.com.au au.linkedin.com/in/davidblockow Executive summary.
More information