Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity

Similar documents

These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

Next Generation IPS and Reputation Services

Adaptive Intelligent Firewall - der nächste Entwicklungssprung der NGFW. Jürgen Seitz Systems Engineering Manager

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Requirements When Considering a Next- Generation Firewall

Defending Against Cyber Attacks with SessionLevel Network Security

Unified Security Management and Open Threat Exchange

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

APPLICATION PROGRAMMING INTERFACE

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

IBM Advanced Threat Protection Solution

Modular Network Security. Tyler Carter, McAfee Network Security

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Network that Know. Rasmus Andersen Lead Security Sales Specialist North & RESE

Unified Security, ATP and more

Cisco RSA Announcement Update

10 Things Every Web Application Firewall Should Provide Share this ebook

Symantec Advanced Threat Protection: Network

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

End-user Security Analytics Strengthens Protection with ArcSight

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

The Importance of Cyber Threat Intelligence to a Strong Security Posture

Intel Security Certified Product Specialist Security Information Event Management (SIEM)

Cisco Remote Management Services for Security

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

REVOLUTIONIZING ADVANCED THREAT PROTECTION

24/7 Visibility into Advanced Malware on Networks and Endpoints

Analyzing HTTP/HTTPS Traffic Logs

ClearSkies SIEM Security-as-a-Service (SecaaS) Infocom Security Athens April 2014

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

NASCIO 2015 State IT Recognition Awards

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

CYBEROAM UTM s. Outbound Spam Protection Subscription for Service Providers. Securing You. Our Products.

Bridging the gap between COTS tool alerting and raw data analysis

Doris Yang Vectra Networks, Inc. June 16, 2015 The World Ahead

WildFire. Preparing for Modern Network Attacks

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

Security Analytics for Smart Grid

Modern Approach to Incident Response: Automated Response Architecture

Cisco Security Intelligence Operations

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

The Hillstone and Trend Micro Joint Solution

Redefining SIEM to Real Time Security Intelligence

SPEAR PHISHING AN ENTRY POINT FOR APTS

McAfee Network Security Platform

Personal Security Practices of the CAO

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services

Using SIEM for Real- Time Threat Detection

DYNAMIC DNS: DATA EXFILTRATION

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Security strategies to stay off the Børsen front page

The Importance of Cybersecurity Monitoring for Utilities

E-Guide. Sponsored By:

IBM Security IBM Corporation IBM Corporation

Logical Operations CyberSec First Responder: Threat Detection and Response (CFR) Exam CFR-110

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

1 Introduction Product Description Strengths and Challenges Copyright... 5

IBM Security QRadar Vulnerability Manager

Types of cyber-attacks. And how to prevent them

ThreatSpike Dome: A New Approach To Security Monitoring

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

SourceFireNext-Generation IPS

THE BEST WAY TO CATCH A THIEF. Patrick Bedwell, Vice President, Product Marketing

Botnet Detection by Abnormal IRC Traffic Analysis

Protecting the Infrastructure: Symantec Web Gateway

Memory Forensics & Security Analytics: Detecting Unknown Malware

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Threat Intelligence: What is it, and How Can it Protect You from Today s Advanced Cyber-Attacks A Webroot publication featuring analyst research

Cyber Security Metrics Dashboards & Analytics

WHITEPAPER. Designing a Secure DNS Architecture

Q1 Labs Corporate Overview

Architecture Overview

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible

MEETING CSIP OBJECTIVES WITH AN AUTOMATED AND PREVENTIVE SECURITY APPROACH

The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Host-based Intrusion Prevention System (HIPS)

Extreme Networks Security Analytics G2 Vulnerability Manager

Enterprise Buyer Guide

Leading The World Into Connected Security. Dipl.-Inform., CISSP, S+ Rolf Haas Enterprise Technology Specialist Content Lead EMEA

QRadar SIEM and FireEye MPS Integration

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

What is Security Intelligence?

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan

Securing Your Business with DNS Servers That Protect Themselves

Transcription:

Threat Intelligence for Dummies Karen Scarfone Scarfone Cybersecurity 1

Source Material Threat Intelligence for Dummies ebook Co-authored with Steve Piper of CyberEdge Group Published by Wiley Sponsored by Norse Available for free download athttp://www.norsecorp.com/resources/threatintelligence-for-dummies/index.htm (registration required) Today s talk is vendor agnostic 2

Agenda Understanding Threat Intelligence (TI) Gathering TI Scoring TI Using TI To support incident response To strengthen threat mitigation TI Purchasing Criteria 3

Basic Terminology Threat: the IT entity performing attacks Person behind a threat is an attacker Attack: the malicious activity Threat indicator: data that indicates higher risk IP address, URL, domain name Threat intelligence: threat indicators plus associated metadata The result of analyzing potential threat indicators 4

Threat Indicator Metadata Timestamp: when the TI was collected Risk score: relative maliciousness of the TI Source: the origin of the TI Geolocation: the physical location of the host that presents the threat Threat category: anonymous proxy, bogon, bot, botnet, malware, passive DNS, etc. 5

Why Does TI Matter? Incident prevention, detection, and response Supported by next-generation firewalls, intrusion prevention systems, unified threat management appliances, web proxies, load balancers, and security information and event management (SIEM) systems Forensic investigations Risk assessment 6

TI Delivery Often think of machine-readable TI (TI feeds) as being the only form of TI Human-readable TI reports Console-based TI TI appliances 7

TI Data Gathering Primary locations Existing data feeds Often free Concerns about data integrity Internal customer networks Can significantly speed threat detection Can inadvertently expose sensitive information External networks Most comprehensive picture of threats More costly than using other locations 8

Automated TI Sources Anonymous proxies Crawlers Free services Geolocation Honeypots Internet registries Internet Relay Chat (IRC) Peer-to-peer (P2P) networks And others 9

TI Scoring Basics Quality differs among TI sources and potentially within a single source Confidence, timeliness Subjective nature of risk measurement Dozens or hundreds of variables Score aging Score history Score threshold Based on risk tolerance Acceptable levels of false positives and negatives 10

Using TI in Incident Response Improves incident detection Provides insights into the sources of observed events Lists internal hosts that are compromised Enables proactive attack detection and blocking by reusing information on current and recent attacks elsewhere Reduces workloads for existing devices Facilitates forensic investigations 11

Sample Architecture 12

Using TI to Strengthen Threat Mitigation Stopping threats before they succeed Reducing impact of successful threats by detecting their compromises much faster Manual mitigation Potentially minimizes false positives Slow, easy to evade Automatic mitigation IPS blocking network traffic SIEM reconfiguring firewalls and IPSs 13

Threat Mitigation Strategies Blocking attacks Community immunity Anonymous proxy, bot, and botnet connection attempts Improving catch rates How likely it is for your security controls to identify an attack in progress Stopping advanced attacks before compromise when possible Can evade inclusion in TI feeds Generally ineffective at stopping insider threats 14

Feeding TI into Existing Controls Firewall, unified threat management (UTM), or other device with firewall capabilities 15

Using TI with Existing Controls Pros Block connection attempts and terminate existing connections Reduce load on other security controls Cons Not supported by all controls Limited indicator processing and/or storage Inability to keep up with frequent updates 16

Using a Dedicated TI Appliance 17

Using a Dedicated Appliance Pros All the same pros as using an existing control Reduces workload on existing controls Designed to fully use the TI Cons Cost 18

Ten Criteria for Evaluating TI Solutions Automation Integration and interoperability Frequency of updates Metadata richness Scoring sophistication Threat coverage Darknet visibility Geolocation accuracy Variety and number of sources Source quality 19

Recap Understanding Threat Intelligence (TI) Gathering TI Scoring TI Using TI To support incident response To strengthen threat mitigation TI Purchasing Criteria 20

Thank you! Karen Scarfone karen@scarfonecybersecurity.com http://scarfonecybersecurity.com https://www.linkedin.com/in/karenscarfone 21