WHITE PAPER: THREAT INTELLIGENCE RANKING


WHITE PAPER: THREAT INTELLIGENCE RANKING SEPTEMBER 2015

HOW WELL DO YOU KNOW YOUR THREAT DATA?
HOW THREAT INTELLIGENCE FEED MODELING CAN SAVE MONEY AND PREVENT BREACHES

Who are the bad guys? What makes them tick? What are they thinking? What are they doing? This is the stuff of threat intelligence feeds, a growing area of the $75 billion cyber security tech market. According to research from Enterprise Strategy Group (ESG), 41% of companies with more than 1,000 employees subscribe to six to ten threat intelligence feeds, 21% buy eleven to twenty feeds, and 7% buy more than twenty-one feeds.

MOST FEEDS ARE REDUNDANT

Even though most enterprises have such a large number of intelligence feeds, and plan to subscribe to more, analysts think most feeds are redundant. According to the same study from ESG, 72% of enterprise security analysts consider at least half of their feed information redundant regardless of its source. Nearly three out of four security professionals think it's at least somewhat difficult to determine the efficacy of each feed.

CONTROLLING YOUR BUDGET

Private threat intelligence subscription feeds typically cost over $100,000 and can easily exceed $200,000 per year, so deciding which are most valuable is important: with six or more feeds the costs quickly add up. As you decide which feeds are most useful, ask these three questions:

1. Does the feed help you detect threats faster?
2. Does the feed find what you'd otherwise miss? Does it make you better at detecting threats?
3. Does the feed integrate easily into your environment? Is it simple to utilize this feed, and is it compatible with existing systems and your information security analytics platform?

Before paying for a feed, take advantage of trial periods to measure the feed's performance. Learn all you can about how they detect threats, and assemble a portfolio of feeds covering all bases, including OSINT, honeypots, DNS mining, forum monitoring and more.

Also, until you're absolutely sure a feed offers value, don't commit to a long-term agreement. This strategy gives you flexibility to unsubscribe from redundant feeds, cuts your spending and eliminates data noise.

HOW ANALYTICS REVEAL YOUR MOST USEFUL FEEDS

Threat intelligence analysis from IKANOW uncovers which feeds deliver the most value. By labeling threat data with the feed delivering the data, it can answer important questions, including:

- Which feed recognizes threats first
- Which feed delivers the fewest false positives
- Which feed gives the best detail about attacks

IKANOW brings multiple feeds together, including commercial, OSINT and ISAC feeds, alerting you to some threats before they happen, helping to prioritize attacks in progress, and discovering previously unidentified incidents. In addition, IKANOW correlates feeds with enterprise data to compare and measure each feed's value. As a result, you can identify which feeds deliver value and which feeds are filled with redundancies and false positives. You can then unsubscribe from feeds that don't deliver results. These functions collectively serve to increase the efficiency and effectiveness of your security efforts.

THREAT INTELLIGENCE MODELING WITH IKANOW

Without information security analytics from platforms such as IKANOW, it's almost impossible to make sense of information coming from threat intelligence streams. Manually analyzing intelligence streams, enterprise logs and SIEM alerts creates an unmanageable information tsunami and makes it impossible to find and prioritize threats to your enterprise. Cutting unnecessary stream subscriptions is just one benefit of investing in IKANOW's platform.

FIND OUT HOW IKANOW analytics protects data, slashes incident response times and makes the most of your security resources.

The first step in improving an organization's security is improving awareness. However, in order to improve overall security awareness, organizations need to first take a hard look at how they are gathering threat intelligence. The best way to do this is to measure and model, or forecast, their threat intelligence content and the value it provides. Robust information security analytics allows users to customize and automate this modeling process for targeted, impactful results, making the most of threat intelligence and allowing information security analysts to focus on actions to enhance network security instead of just keeping up with the constant flow of data. IKANOW's Information Security Analytics (ISA) platform is specially suited to this task. It can analyze and correlate multiple, disparate data sources, including social media, RSS feeds, threat intelligence feeds, enterprise applications, logs and more. The platform can use all of these sources to identify Indicators of Compromise (IOCs), exploits and vulnerabilities. The steps to conduct this advanced threat intelligence modeling are outlined below.

CONNECTING THREAT

When it comes to connecting to private threat intelligence feeds, IKANOW integrates with many of the most popular threat feeds out-of-the-box. If out-of-the-box integration isn't yet available, we can build a new plugin for our customers in a matter of days. IKANOW has created a streamlined three-step process to add the appropriate data sources and threat feeds.

Figure 1 - Connecting Your Data Source

In the enterprise, you probably receive information from multiple feed sources including commercial, OSINT, open source data, and ISAC streams.

1. COMMERCIAL

Threat intelligence feeds from commercial companies contain proprietary research determined by how the company detects threats. Their strategies include luring attackers with honeypots, mining DNS data for new domains and conducting cloud-based malware sandboxing. Depending on your needs, a commercial threat intelligence company might assign dedicated analysts to your organization. These analysts visit gray markets, search for botnets, and monitor forums on your behalf. Some companies focus mainly on threat intelligence streams, like iSIGHT and its ThreatScape intelligence platform. Other companies like FireEye and Symantec offer threat intelligence streams as part of an integrated suite of security services. Symantec's three DeepSight feeds, for example, provide information about reputation, vulnerabilities and security risks.

2. OSINT

Open source intelligence (OSINT) providers comb through a multitude of information sources, looking for intelligence about possible threats against your company. OSINT is less about detecting presently occurring network activity and more about performing open source research. It goes beyond the organization's domains to scour social networks, forums, media, blogs and even deep Web resources, looking out for potential threats brewing against your organization. OSINT feeds give you needed intelligence to prevent attacks before they happen. When a hacktivist mentions your company in a tweet or a forum, an OSINT feed like SenseCy alerts you to potential danger. With information security analytics, your company can combine OSINT feeds with commercial feeds for better results. For instance, you can cross-reference SIEM-detected IPs with OSINT scans of public IP reputation databases.
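The feed-labeling analysis the paper describes (which feed recognizes a threat first, which delivers the fewest false positives, how much of each feed is redundant, and the cross-referencing of IPs seen in SIEM or proxy logs against feed data, including an OSINT reputation feed) can be worked through in a few dozen lines. The Python script below is an added example written for this page, not IKANOW's code or a description of its platform. The feed names, indicators, log lines, analyst dispositions and the ordering rule in order_feeds are all constructed assumptions; the metrics it computes map onto the paper's three purchasing questions and the three "which feed" questions above.

```python
"""Rank threat intelligence feeds by labelling every indicator with the feed
that delivered it and correlating those indicators with enterprise log data.

Added illustration, not IKANOW code. All feeds, indicators, log lines and
analyst dispositions below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed feed records: (feed name, indicator, time the feed published it).
FEED_RECORDS = [
    ("commercial-A", "198.51.100.7",      "2015-09-01T08:00:00"),
    ("commercial-A", "bad.example.net",   "2015-09-02T10:30:00"),
    ("commercial-A", "203.0.113.9",       "2015-09-03T12:00:00"),
    ("osint-B",      "198.51.100.7",      "2015-09-01T06:15:00"),
    ("osint-B",      "bad.example.net",   "2015-09-02T11:00:00"),
    ("osint-B",      "203.0.113.77",      "2015-09-02T09:00:00"),
    ("isac-C",       "198.51.100.7",      "2015-09-04T00:00:00"),
    ("isac-C",       "worse.example.org", "2015-09-02T09:00:00"),
]

# Constructed proxy/firewall log lines: the enterprise data the feeds are
# correlated against (an ISO timestamp followed by key=value fields).
LOG_LINES = [
    "2015-09-01T09:12:44 src=10.0.0.5 dst=198.51.100.7 action=allow",
    "2015-09-02T13:01:10 src=10.0.0.8 host=bad.example.net action=allow",
    "2015-09-03T15:40:01 src=10.0.0.9 host=worse.example.org action=block",
    "2015-09-04T08:00:00 src=10.0.0.5 dst=192.0.2.44 action=allow",
]

# Constructed analyst verdicts after investigation: True = confirmed malicious,
# False = investigated and found benign (a false positive for every feed that
# carried it). Indicators never investigated are absent.
DISPOSITIONS = {
    "198.51.100.7": True,
    "bad.example.net": True,
    "203.0.113.77": False,
    "worse.example.org": True,
}


def parse_log_indicators(lines):
    """Return {indicator: earliest time it was seen in the logs}."""
    seen = {}
    for line in lines:
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        for key in ("dst", "host"):
            if key in fields:
                ind = fields[key]
                if ind not in seen or ts < seen[ind]:
                    seen[ind] = ts
    return seen


def rank_feeds(records, log_lines, dispositions):
    """Per-feed counters: first to publish, unique coverage, log hits,
    early warnings, false positives and overlap with other feeds."""
    observed = parse_log_indicators(log_lines)
    by_indicator = defaultdict(list)
    for feed, ind, ts in records:
        by_indicator[ind].append((datetime.fromisoformat(ts), feed))

    stats = {}
    for feed, _, _ in records:
        stats.setdefault(feed, dict(indicators=0, first=0, unique=0, hits=0,
                                    ahead=0, false_positives=0, redundant=0))

    for ind, entries in by_indicator.items():
        entries.sort()                          # earliest publication first
        feeds_here = {feed for _, feed in entries}
        if len(feeds_here) > 1:
            stats[entries[0][1]]["first"] += 1  # head-to-head winner
        for published, feed in entries:
            s = stats[feed]
            s["indicators"] += 1
            if len(feeds_here) == 1:
                s["unique"] += 1                # nobody else delivered it
            else:
                s["redundant"] += 1             # at least one other feed did
            if ind in observed:
                s["hits"] += 1                  # matched real enterprise traffic
                if published < observed[ind]:
                    s["ahead"] += 1             # published before we saw it
            if dispositions.get(ind) is False:
                s["false_positives"] += 1

    for s in stats.values():
        n = s["indicators"]
        s["redundancy_ratio"] = round(s["redundant"] / n, 2)
        s["false_positive_ratio"] = round(s["false_positives"] / n, 2)
    return stats


def order_feeds(stats):
    """Best feed first: most log hits, most early warnings, fewest false
    positives, least overlap. This weighting is an assumption for illustration."""
    return sorted(stats, key=lambda f: (stats[f]["hits"], stats[f]["ahead"],
                                        -stats[f]["false_positives"],
                                        -stats[f]["redundancy_ratio"]),
                  reverse=True)


if __name__ == "__main__":
    ranked = rank_feeds(FEED_RECORDS, LOG_LINES, DISPOSITIONS)
    for feed in order_feeds(ranked):
        print(feed, ranked[feed])
```

With the constructed data the OSINT feed wins the head-to-head on one indicator and the commercial feed on the other, both are two-thirds redundant with each other, and the OSINT feed is the only one carrying an indicator an analyst later dispositioned as benign; the ISAC feed published one of its matching indicators only after the traffic had already been seen, so it scores no early warning for it. Those are exactly the numbers a trial period should produce before a long-term subscription is signed.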

Figure 2 - Configuring Your Data Source
Figure 3 - Saving & Publishing Your Data Source

After adding the necessary threat feeds, the IKANOW ISA platform will correlate that data with other data sources (i.e. log files) already added to the platform.

3. OPEN SOURCE DATA

Open source data is inherently what drives OSINT. There are many free sources of open source data available that can provide useful IOCs and threat indicators; they simply require further investigation and correlation after an alert is generated. The key difference between open source data and OSINT is that open source data has not been previously evaluated for intelligence value, such as attribution to an APT, while OSINT is open source data which has been evaluated or has met strict rules of correlation. Unattributed malicious domains and IP addresses derived from a honeypot and published to the web are a great example of useful open source data. An enterprise should certainly be aware if there is network traffic to these malicious domains and IP addresses.

4. ISAC

Information sharing and analysis centers (ISACs) provide threat intelligence to specific industries. Again, when used in concert with commercial and OSINT feeds, information security analytics tools can identify which signals are your biggest priority. Before using an ISAC feed, clarify whether the center requires you to send your own data back to the ISAC. Let a CISO or other manager make the final decision about releasing company data.

VISUALIZING THREAT FEEDS

Visualization enables Threat Intelligence Managers to track threat feed spending by the utility of feeds within their network. Our threat feed algorithms allow decision makers to focus threat intel spending on the sources that provide the most meaningful intelligence and the most usable and relevant information for security analysts. The figure below shows how IKANOW compares threat intelligence sources.

- APT Alerts display the number of alerts associated with a known hacking group, derived from the contextual information provided with IOCs.
- Exploit Kit Alerts display the number of alerts attributed to known Exploit Kits.
- Total IOCs displays the total number of IOCs detected from the threat feed.
- Scan-detected Common Vulnerabilities and Exposures (CVE) is the total number of unique CVEs detected in your network scan.

EVALUATING PATCHING COSTS (VULNERABILITY TABLE)

Vulnerability patching and cost calculations are easily made from the platform's vulnerability table function. The vulnerability table allows analysts to view how many hosts are affected by vulnerabilities and assign levels of effort and cost information to these vulnerabilities. Analysts are able to adjust fields within this table, along with sorting and filtering fields of data, to assist in deriving patch prioritization. This data is generated from common enterprise scanning solutions such as Nessus and Qualys. This information is critical to a CISO in making decisions to patch vulnerabilities across the enterprise.

DASHBOARDS

IKANOW designed the ISA platform to provide critical information in dashboards that are easy to understand and view. These dashboards allow a CISO or analyst to quickly view how their network is affected by IOCs, vulnerabilities, and exploits extracted from threat intelligence reports.
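The vulnerability table and the feed-comparison counters described above come down to a roll-up of scanner findings per CVE, joined with analyst-supplied effort and cost and with whatever the threat feeds say is being actively exploited. The Python below is an added example for this page, not IKANOW's vulnerability table or scoring. The scan findings, effort estimates, hourly rate and feed attributions are constructed sample data (the CVE ids are obvious placeholders, not real identifiers), and the priority formula, risk reduced per hour of patching effort with a doubling for CVEs a feed attributes to an exploit kit or APT, is an assumption chosen to show the sort-and-filter workflow.

```python
"""Vulnerability table: roll up scanner findings per CVE, count affected hosts,
attach analyst-assigned effort and cost, and sort for patch prioritization.

Added illustration, not IKANOW code. All inputs are constructed sample data and
the priority formula is an assumption made for this example.
"""
from collections import defaultdict

# Constructed findings in the shape a Nessus/Qualys export reduces to:
# (host, CVE id, CVSS base score). The CVE ids are placeholders, not real CVEs.
SCAN_FINDINGS = [
    ("web-01",  "CVE-0000-0001", 9.8),
    ("web-02",  "CVE-0000-0001", 9.8),
    ("web-03",  "CVE-0000-0001", 9.8),
    ("db-01",   "CVE-0000-0002", 7.5),
    ("web-01",  "CVE-0000-0003", 5.3),
    ("web-02",  "CVE-0000-0003", 5.3),
    ("file-01", "CVE-0000-0004", 8.1),
]

# Constructed analyst input: level of effort (hours per host) to patch each CVE,
# and the hourly rate used to turn hours into cost.
EFFORT_HOURS_PER_HOST = {"CVE-0000-0001": 0.5, "CVE-0000-0002": 4.0,
                         "CVE-0000-0003": 0.5, "CVE-0000-0004": 2.0}
HOURLY_RATE = 120.0

# Constructed threat-feed context: CVEs the ingested feeds attribute to an
# exploit kit or APT, i.e. the source of the "Exploit Kit Alerts" style counts.
FEED_EXPLOITED_CVES = {"CVE-0000-0001": "APT-Y", "CVE-0000-0003": "ExploitKit-X"}


def build_vulnerability_table(findings, effort_hours, hourly_rate, exploited):
    """One row per CVE, highest patch priority first."""
    hosts_by_cve = defaultdict(set)
    cvss_by_cve = {}
    for host, cve, cvss in findings:
        hosts_by_cve[cve].add(host)
        cvss_by_cve[cve] = max(cvss, cvss_by_cve.get(cve, 0.0))

    rows = []
    for cve, hosts in hosts_by_cve.items():
        n = len(hosts)
        hours = effort_hours.get(cve, 0.0) * n
        cost = round(hours * hourly_rate, 2)
        attributed = exploited.get(cve)          # None if no feed mentions it
        # Assumed scoring: exposure (CVSS x hosts), doubled when a feed says the
        # CVE is actively exploited, divided by the effort needed to remove it.
        risk = cvss_by_cve[cve] * n * (2.0 if attributed else 1.0)
        priority = round(risk / hours, 2) if hours else float("inf")
        rows.append(dict(cve=cve, hosts=n, affected=sorted(hosts),
                         cvss=cvss_by_cve[cve], effort_hours=hours, cost=cost,
                         attributed=attributed, priority=priority))
    rows.sort(key=lambda r: r["priority"], reverse=True)
    return rows


def filter_rows(rows, min_hosts=1, attributed_only=False):
    """The analyst's filter: e.g. only CVEs on at least N hosts, or only those
    a threat feed ties to an exploit kit or APT."""
    return [r for r in rows
            if r["hosts"] >= min_hosts and (r["attributed"] or not attributed_only)]


def summary(rows):
    """Dashboard-style totals: unique CVEs from the scan, how many a feed
    attributes to exploitation, distinct hosts affected, total patch cost."""
    return {
        "unique_cves": len(rows),
        "feed_attributed": sum(1 for r in rows if r["attributed"]),
        "hosts_affected": len({h for r in rows for h in r["affected"]}),
        "total_patch_cost": round(sum(r["cost"] for r in rows), 2),
    }


if __name__ == "__main__":
    table = build_vulnerability_table(SCAN_FINDINGS, EFFORT_HOURS_PER_HOST,
                                      HOURLY_RATE, FEED_EXPLOITED_CVES)
    for row in table:
        print(row)
    print(summary(table))
```

With this data the CVE on three web hosts that a feed attributes to an APT sorts to the top even though it is the cheapest to fix, while the database CVE with the highest per-host effort sorts last; the whole backlog costs $1,020 at the assumed rate. Replacing the constructed inputs with a real scanner export and your own effort estimates is the only change needed to use the same roll-up.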

CONCLUSION

Only by thoroughly understanding the usefulness of individual threat intelligence feeds can an organization take steps to maximize ROI from these valuable but expensive tools. Further, information security analysis can ensure that threat intelligence modeling is applied consistently and efficiently to identify, prioritize and report on threats to your specific network environment.

You probably use information security analytics tools to try to make sense of these feeds, but it's not easy to bring disparate feeds together and eliminate duplicate data. Your IKANOW platform can do more than interpret threat signals. It can also identify which feeds offer the most value, helping you slash your security spending. Instead of paying for extra data, you spend money on feeds that deliver results. Your investment in analytics pays off by helping you eliminate useless feeds.

@ikanowdata facebook.com/ikanow ikanow.com info@ikanow.com