Slide 1: The Business Side of Threat Intelligence
Slide 2: Who Am I?
CEO of CyberSquared Inc., the company behind ThreatConnect (TM). Founding member of the company, started in 2011. Experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and detailed expertise in information security.
Slide 3: Business Need
Every other part of the business has evolved to necessitate an Enterprise Security platform to increase productivity and measure effectiveness.
(Figure: timeline from the 1980s to 2015 of business functions that gained their own platforms: ERP/Manufacturing, Finance/HR, CRM/Sales, Support/Helpdesk, Marketing.)
Slide 4: TM Forum Catalyst Phase 2
Going beyond: "This Threat Intelligence stuff is a great idea!"
Participants: AT&T, Bell Canada, Birmingham City University, cVidya, ThreatConnect, Edge Technologies, EMC/RSA, MITRE, Orange, Security Fabric Alliance, Symantec, Telecom New Zealand, Telstra, and the UK MOD's Defence Science and Technology Laboratory (DSTL).
TM Forum Sharing Threat Intelligence Catalyst:
- Phase 1: Sharing Threat Intelligence architecture and whitepaper
- Phase 2: Defined security personnel personas
- Phase 2: Produced the Threat Intelligence ROI Calculator
- Phase 2: Demonstration showing successful implementation of threat intelligence sharing in support of a sophisticated Distributed Denial of Service (DDoS) use case
Slide 5: What Makes Good Threat Intelligence?
Lifecycle attributes to measure threat intelligence: Accurate; Aligned with your requirements; Integrated; Predictive; Relevant; Tailored; Timely.
Source: Rick Holland (Principal Forrester Analyst), blog post titled "Actionable Intelligence, Meet Terry Tate, Office Linebacker".
Slide 6: Day in the Life
(Word cloud of an analyst's daily activities: Infrastructure Discovery, Open Source, Shared Threat Intelligence, TTP Awareness, Reports to Executives, Analysis, Asset Tracking, Persona, SIEM, Adversary Tracking, Data, Geopolitical Context, Data Correlation, Incident Response, Courses of Action, Analyst, Mitigation Planning, Exploit, Email Vector Analysis, Protocol Analysis, Signature Management, Security Controls, Malware Analysis.)
Slide 7: More Than a Feed: Platform & Process
Analyst: Aggregate, Analyze, Act.
Platform elements: Diamond Methodology, Multiple Sources, Knowledge Management, Communities, Automation, Robust API, Workflow, Data Visualization, Enterprise Integrations, Control.
Slide 8: ROI of Threat Intelligence
(Diagram combining Security Investment and Threat Intelligence into a Cost, alongside the knowledge assumptions: Existing, Automate, Collaborate.)
Slide 9: Security Processes
Calculator example: 8-step incident response process.
Identify the intrusion:
- Step 1: Create and task defensive signatures
- Step 2: Maintain awareness of adversary changes to threat activity/infrastructure
Scope the intrusion:
- Step 3: Perform exploit/malware analysis
- Step 4: Update signature base
- Step 5: Link activity to any known groups of related activity
Mitigate/stop the intrusion:
- Step 6: Take action to cut off intruder access to the network
- Step 7: Monitor for changes in threat activity
Strategically react to threats:
- Step 8: Generate reports on threat trends for executives
Slide 10: Find More Threats, Faster
Analyst IR and threat correlation tasks, time comparison with and without TI (task: frequency):
- Threat discovery and focused pursuit activities: 4x/day
- Spearphish email analysis and conviction: 1x/day
- Malware correlation with past targeting: 4x/day
- Analyze, correlate and database new domains, IP addresses, registrant info: 5x/day
- Track malicious domains, IP addresses, registrant info: 100x/day
Slide 11: User Types
- "I need to protect corporate assets but don't have the resources."
- "I need to make my organization better and reduce my risk."
- "I need to find what I'm looking for faster."
- "I need to coordinate what I'm finding with everyone else."
- "I need to make my threat analysis faster, easier, and more thorough."
Slide 12: Assumptions
Process assumptions:
- Persona costs: What is the hourly cost per persona?
- Steps: What are the steps of the security process?
- Personas involved: Who are the actors of the process?
Knowledge assumptions (defined per process step):
- Existing: How likely is it that you will find knowledge in a finished state when you need it?
- Automation: How much efficiency is gained via automation?
- Collaboration: What is the efficiency gained by working with others?
Cost assumptions:
- Incidents per year: How many events will you have that require the process?
- Average cost of an intrusion: What is the average cost of an intrusion?
Slide 13: Modeling
(Diagram: Make Assumptions: Hourly Cost per Persona, Existing, Automation, Collaboration; Model & Measure; Potential Cost of Compromise.)
V1.0 contributed to TM Forum for incorporation into the Fx13.5 release.
Slide 14: Results (from sample)
Measurement topic (type): value
- Time commitment to understand threat to business operations (Hours): 200
- Lower costs to obtain a larger understanding of the threat ($$ Savings): $33,450
- Obtain insights that would not be otherwise obvious, from existing knowledge (Insights): 37%
- Increase automation to increase efficiencies (Efficiency): 45%
- Increase insights due to collaboration (Additional Insights): 2%
- Total efficiencies from applying CTI (Total Efficiency/Insights): 84%
- Number of incidents per year: 5
- Projected annual cost without CTI: $199,000
- Projected annual cost with CTI: $31,750
- Projected annual savings: $167,250
- Savings percentage: 84%
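To make the calculator's structure concrete, here is a small ROI model written for this page; it is not the TM Forum/ThreatConnect calculator, whose formulas are not given in the slides. It takes the inputs the assumptions slide lists (hourly cost per persona, the 8 process steps with their personas, the three knowledge assumptions per step, incidents per year) and produces the cost and savings figures the results slide reports. All numbers are constructed, and compounding the three knowledge gains per step is this example's own modelling choice.

```python
from dataclasses import dataclass

@dataclass
class Step:
    name: str
    persona: str
    hours: float          # persona hours per incident without TI
    existing: float       # share of needed knowledge already in a finished state
    automation: float     # share of the remaining work removed by automation
    collaboration: float  # share of the remaining work removed by collaboration

# Constructed hourly cost per persona (an input the slides ask for).
HOURLY_COST = {"Analyst": 80.0, "IR Lead": 120.0}

# Constructed per-step assumptions for the slides' 8-step process; the step
# names follow the slide, the numbers are illustrative only.
PROCESS = [
    Step("Create and task defensive signatures", "Analyst", 8, 0.30, 0.50, 0.05),
    Step("Maintain awareness of adversary changes", "Analyst", 12, 0.40, 0.40, 0.10),
    Step("Perform exploit/malware analysis", "Analyst", 24, 0.35, 0.30, 0.05),
    Step("Update signature base", "Analyst", 4, 0.20, 0.70, 0.00),
    Step("Link activity to known groups", "Analyst", 16, 0.50, 0.40, 0.10),
    Step("Cut off intruder access to the network", "IR Lead", 8, 0.10, 0.30, 0.00),
    Step("Monitor for changes in threat activity", "Analyst", 12, 0.30, 0.60, 0.05),
    Step("Report threat trends to executives", "IR Lead", 6, 0.40, 0.20, 0.00),
]

def hours_with_ti(step: Step) -> float:
    """Hours left after the three knowledge gains. Compounding them (rather than
    adding) keeps the total below 100%; a modelling choice of this example."""
    remaining = 1.0
    for gain in (step.existing, step.automation, step.collaboration):
        remaining *= 1.0 - gain
    return step.hours * remaining

def incident_cost(steps, with_ti: bool) -> float:
    """Labour cost of one incident, summed over the process steps."""
    return sum(HOURLY_COST[s.persona] * (hours_with_ti(s) if with_ti else s.hours)
               for s in steps)

def roi_summary(steps, incidents_per_year: int) -> dict:
    """The measurement topics the results slide reports, for this model."""
    without = incident_cost(steps, False) * incidents_per_year
    with_ti = incident_cost(steps, True) * incidents_per_year
    return {
        "annual_cost_without_cti": round(without, 2),
        "annual_cost_with_cti": round(with_ti, 2),
        "annual_savings": round(without - with_ti, 2),
        "savings_pct": round(100 * (without - with_ti) / without, 1),
    }
```

Calling `roi_summary(PROCESS, 5)` gives the annual projection for five incidents a year; changing the per-step assumptions shows which knowledge gain drives the savings.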
Slide 15: Collaboration Is Powerful!
- Each organization has its own private data
- Peer-to-peer collaboration between organizations
- Multiple trusted communities
Slide 16: Taking Action
Understand threats to your organization: Learn, Prioritize, Plan, Defend.
Slide 17: Threat Intelligence Platform
(Diagram of the platform, with Automate spanning all three stages:)
- Aggregate: Commercial, Open Source, Communities, Internal
- Analyze: Threat Analysts, Malware Analysts, Sharing
- Act: SOC, SIEM, Incident Response, CISO/CIO, IPS/IDS, Firewalls, Gateways, IT/Compliance, Endpoint, Response, DLP, NAV
Slide 18: Take Away
- You don't have a choice
- Cyber threat intelligence starts with understanding your needs
- Sharing is a new paradigm in cyber security
- This calculator helps you measure something that historically has not been measured
- You need a powerful platform to manage all the data
Slide 19: Thank You & Questions
Download the Threat Intelligence Sharing ROI Calculator from: http://bit.ly/threatcalc
Visit www.threatconnect.com for more information.
Adam Vincent, CEO, avincent@cybersquared.com