Towards Threat Wisdom

Transcription

1 Towards Threat Wisdom Duncan

2 What our world looks like Incidents Threats 48% 1 1mpd 2 Infections x14 3 Sources: 1. PwC, The Global State of Information Security Survey Symantec, 2015 Internet Security Threat Report 3. ENISA Threat Landscape 2014

3 The promise of Threat Intelligence Experience Predictive Contextual

4 What s wrong with Threat Intelligence?

5 What is your understanding of the term threat intelligence? Security incident and event management Risk-based analysis of threats and recommended remediation Data feeds from vendors on vulnerabilities, attacks and other threats Automated remediation of attacks Shared information within the security community Intrusion Monitoring platforms Behaviour analysis of activity Analytics and/or correlation on security data such as events and logs Cloud-based intelligence sharing platform 3% 6% 11% 35% 33% 64% 61% 73% 77%

6 Threat Intelligence is a Service In your view, is Threat Intelligence 82% 93% 89% 92% 62% 67% 88% 17% 1% All 7% 11% 8% Technology, Telco & Media Financial Services Professional Services & IT Services 36% 31% 2% 2% Manufacturing & Construction Transport, Travel & Leisure 12% Retail a combination of products and services a managed service a product or suite of products

7 Threat Intelligence means faster response What benefits do you see threat intelligence providing? Faster detection and response of attacks Understanding threats and attacks facing my organisation Finding new or unknown threats Improved visibility on threats and attacks Compliance monitoring or management Seeing threats and attacks in my organisation's context Detecting insider threats Visibility into network and endpoint behaviours Reducing false positives Identifying compromised credentials Creating fraud detection baselines Detecting policy violations Detecting external malware-based threats Baselining systems for exception-based monitoring 6% 5% 5% 2% 1% 13% 10% 20% 30% 29% 43% 42% 40% 55%

8 What s wrong with this picture?

9 Are CISOs myopic? Do you correlate information within a threat intelligence platform? SIEM technologies and systems Vulnerability management tools Open source data analysis tools (Hadoop) Network-based antimalware User behaviour monitoring Third-party analytics platform Host-based antimalware Unstructured data analysis tools 99% 99% 98% 97% 96% 95% 95% 92% Network Access Controls (NAC) Log management platforms 84% 87% Firewalls/IPS/UTM devices 59% Endpoint security MDM 47% Application security 38% Base: Technology users

10 Are CISOs myopic? Do you correlate any non-it data, such as physical or application security data, into your threat intelligence platform? Yes 44% 33% 33% 25% 20% 13% 9% All Tech, Media & Telco Financial services Professional services & IT services Manufacturing & Construction Transport, Travel & Leisure Retail

11 It s more a case of maturity than myopia Where do you plan to invest in relation to threat intelligence? Vulnerability management Big Data analytics engines SIEM tools Incident response capabilities Personnel/Training Endpoint threat detection and visibility Intelligence products or services Application protections and visibility Monitoring for cloud-based applications Network packet-based detection Network protections Detection/Security operations centre upgrades Managed security service providers User behaviour monitoring 5% 5% 4% 4% 4% 4% 25% 19% 45% 45% 43% 72% 66% 60%

12 Firms outsource Do you use managed security services, or outsource some part of your security operations to a third party? 87% 84% 77% 55% 33% 30% 22% All Tech, Media & Telco Financial services Prof. services & IT services Manufacturing & Construction Transport, Travel & Leisure Retail

13 for better performance What is the main motivation to outsource security? 35% 21% 15% 14% 8% 4% 2% 1% Better visibility, monitoring & control of security Better (or earlier) threat detection Vulnerability management Better incident response Better attack prevention Lower costs Data protection Compliance

14 Thank You

15 Backup slides

16 Which parts of your security operations do you outsource to a third party? Incident response 27% Patch management 24% Vulnerability scanning/management 24% Log analysis / SIEM 18% Security-related projects on an ad hoc basis 14% Firewall management 13% Network monitoring 7% Device management 4% Outsource SOC (security operations centre) 2% All of our security is outsourced 1% I don't outsource any of my security operations 43%

17 What are you biggest challenges today in utilising threat intelligence? Ability to identify compromised credentials and phishing attacks Performance and response time Costs for tools, maintenance and personnel Training/expertise required to operate intelligence systems/conduct Ability to quickly correlate events to users Reduction of false positives and/or false negatives Integration of intelligence with security response systems for Single consistent view across disparate systems and users, Producing or having a library of appropriate queries/meaningful Visibility into actionable security events across disparate systems Relevant event context (intelligence) to separate and observe Ability to alert based on exceptions to what is 'normal' 15% 13% 8% 7% 7% 31% 36% 59% 54% 52% 49% 75%

18 Why do you not use managed security services? I have the resources I need internally 66% Security is too important to outsource 31% There is no perceived need 30% It's too expensive to outsource 2% Base: Managed security service users