All about Threat Central

Transcription

1 All about Threat Central Ted Ross & Nadav Cohen #HPProtect

2 Forward-looking statements This is a rolling (up to three year) Roadmap and is subject to change without notice. This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett Packard's predictions and / or expectations as of the date of this document and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions. 3

3 HP confidential information This is a rolling (up to three year) Roadmap and is subject to change without notice. This Roadmap contains HP Confidential Information. If you have a valid Confidential Disclosure Agreement with HP, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of 3 years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from HP and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publically known, rightfully received by you from a third party without duty of confidentiality, or disclosed with HP s prior written approval. 4

4 Agenda Threat Central journey Why HP Threat Central? Offering vision What is Threat Central? Use cases Technical walkthrough Questions 5

5 Threat Central journey Building a high fidelity threat intelligence sharing community for our customers! Automate and correlate crowd-source threat intelligent feeds Innovation Project: 2013 Alpha: 2013 Beta: Today Target GA: Soon! Project out of HP Innovation Initiative Interview and validate use cases with many ArcSight Security Operation Center customers Multiple Iterations of Alpha testing with customers Announced & demo d at Protect2013 Beta testing with HP internal customers ArcSight customers beta testing Threat intelligence partners beta testing Building community with ArcSight customers, ESP customers, partners, security researcher, open source threat intelligence community Please join Protect724 ArcSight product announcement forum for Threat Central product launch updates. Join Threat Central community to advance the cause for cyber threat defense for your company! 6

6 Why HP Threat Central? Crowd-source actionable threat intelligence Industry is still learning how to collaborate effectively Companies spend time combatting the same threat The adversary collaborates in an effective eco-system Feedback regarding existing sharing models: Limited participation not comfortable sharing Data is not actionable lacks context Overly manual not timely Government alone can t fix the problem Can t hire resources fast enough Limited visibility: Need intelligence/data from industry Threat Central Threat Central enables Automated bi-directional sharing Ability to analyze the data Actionable derived results Existing community of advanced security customers Product-agnostic sharing 7

7 Vision An open and automated cloud based platform for high fidelity threat intelligence that enables ArcSight and enterprise customers to consume and share community driven threat intelligence. Threat Central differentiates itself by providing near real-time analyzed, correlate, and actionable threat intelligence to ArcSight customers and members of the Threat Central community. 8

8 Threat Central community HP ESP leads to create an open threat intelligence sharing community! ArcSight customers Threat intelligence partners HP Security Research ESP customers Threat intelligenc e community 9

9 Customer benefits Actionable intelligence Confidence Feedback Anonymous sharing Community 10

10 What is Threat Central?

11 Threat Central HP Security Research SIEM, STIX & Portal Private community Privacyenhanced TC forum Sector community Threat Central Threat DB Partners feeds Open source SIEM STIX SIEM Global community STIX SIEM Portal SIEM 12

12 Automated action influenced by context Collect Normalize Analyze/correlate Distribute/ACT Actionable intel TC community Open source ESM Connector, STIX, TAXII, CSV, etc. IP address \ Domain File hash Signature URL Contextual intel Compare & Correlate IP address match? Domain match? \ File Hash match? Signature match? TC Portal ArcSight ESM Feeds STIX, TAXII, CSV, etc Actor \ Campaign Tools Techniques URL match? CHANGE SCORE HP TippingPoint HP Security Research Procedures 13

13 Threat Central use cases

14 Use case: Automated actions Brute force login Invalid login Attacker Invalid login IPS Key assets 15

15 Use case: Automated actions Current approach Invalid login Company A Attacker Invalid login IPS Invalid login Company B Attacker Invalid login IPS Invalid login Company C Attacker Invalid login IPS 16

16 Use case: Automated actions New approach Attacker Invalid login Invalid login IPS Company A SCORE 1 Threat Central SCORE 13 9 Attacker Invalid login Invalid login IPS Company B SCORE 1 Company D If score > 5, push IP to IPS Invalid login Company C SCORE 1 SCORE 9 Attacker Invalid login IPS HP TippingPoint 17

17 Use case: Proactive block lists recon Current approach Recon source IPS Source X Key assets Attack source(s) 18

18 Use case: Proactive block lists recon With Threat Central Threat Central Recon source IPS Recon IP Attack IPs Source X Key assets Attack IP List Attack source(s) 19

19 Use case: Leveraging the community Zero day Company A New event Malware variant Company B New event MALWARE ZERO BAD DAY IP Threat Central Malicious IP address Company C New event 20

20 Threat Central walkthrough

21 Screenshot tour Create case Distribute Collaborate Get results Mitigate In the following example we will see how TC can be used to Query about an incident Distribute indicator information to communities Collaborate with security experts Get derived intelligence directly into SIEM Mitigate risks 22

22 Create a case This is a rolling (up to 3 year) roadmap and is subject to change without notice CaptnProton runs into suspicious behavior with LGCScanner.exe 23 All product views are illustrations and might not represent actual product screens

23 Distribute indicators This is a rolling (up to 3 year) roadmap and is subject to change without notice CaptnProton submits the case. Indicators are now extracted and sent to community members 24 All product views are illustrations and might not represent actual product screens

24 This is a rolling (up to 3 year) roadmap and is subject to change without notice Distribute indicators (2) ESM customers benefit from direct integration and targeted intelligence 25 All product views are illustrations and might not represent actual product screens

25 Collaborate with experts HP Security Researcher enhances indicators with contextual information This is a rolling (up to 3 year) roadmap and is subject to change without notice 26 All product views are illustrations and might not represent actual product screens

26 Get results This is a rolling (up to 3 year) roadmap and is subject to change without notice By the end of the process, CaptnProton s case is filled out with relevant and contextual information 27 All product views are illustrations and might not represent actual product screens

27 Mitigate This is a rolling (up to 3 year) roadmap and is subject to change without notice Easily quarantine bad IPs/domains using ESM and TippingPoint SMS 28 All product views are illustrations and might not represent actual product screens

28 For more information Attend these sessions TB3169, Correlating advanced threat information feeds Visit these demos Threat Central Demo Booth 307 After the event Web: Blog: hp.com/go/hpsrblog Whitepaper: Your feedback is important to us. Please take a few minutes to complete the session survey. 29

29 Questions?

30 Please give me your feedback Session TB3013 Speakers Ted Ross & Nadav Cohen Please fill out a survey. Hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events. 31

31 Thank you

32