The Business Justification for Cyber Threat Intelligence. How advanced intelligence improves security, operational efficiency and strategic planning

Similar documents
WHITE PAPER: THREAT INTELLIGENCE RANKING

A Primer on Cyber Threat Intelligence

Threat Intelligence: What is it, and How Can it Protect You from Today s Advanced Cyber-Attacks A Webroot publication featuring analyst research

Combating a new generation of cybercriminal with in-depth security monitoring

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

REVOLUTIONIZING ADVANCED THREAT PROTECTION

Cisco Advanced Malware Protection for Endpoints

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

Cisco Advanced Malware Protection

Endpoint Threat Detection without the Pain

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Advanced Threat Protection with Dell SecureWorks Security Services

Extreme Networks Security Analytics G2 Vulnerability Manager

Integrating MSS, SEP and NGFW to catch targeted APTs

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

A Case for Managed Security

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

Speed Up Incident Response with Actionable Forensic Analytics

INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH

CyberArk Privileged Threat Analytics. Solution Brief

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

What is Cyber Threat Intelligence and why do I need it?

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

The Importance of Cybersecurity Monitoring for Utilities

Symantec Cyber Security Services: DeepSight Intelligence

IBM Security QRadar Vulnerability Manager

White Paper. Why Next-Generation Firewalls Don t Stop Advanced Malware and Targeted APT Attacks

The SIEM Evaluator s Guide

Symantec Enterprise Security: Strategy and Roadmap Galin Grozev

Zak Khan Director, Advanced Cyber Defence

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

Cybersecurity: What CFO s Need to Know

Perspectives on Cybersecurity in Healthcare June 2015

Palo Alto Networks. October 6

Cisco Advanced Malware Protection for Endpoints

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

RSA Security Analytics

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Agenda , Palo Alto Networks. Confidential and Proprietary.

Cyber Security Metrics Dashboards & Analytics

FIVE PRACTICAL STEPS

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

PENETRATION TESTING GUIDE. 1

Anti-exploit tools: The next wave of enterprise security

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

The Symantec Approach to Defeating Advanced Threats

Understanding the Advanced Threat Landscape an MSPs Guide. IT Security: Enabled

Advanced Threats: The New World Order

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions

Getting Ahead of Malware

Retail Security: Enabling Retail Business Innovation with Threat-Centric Security.

Defending Against. Phishing Attacks

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

Cyber and Operational Solutions for a Connected Industrial Era

AppGuard. Defeats Malware

How to Use Cyber Threat Intelligence in my Workflows?

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

The Hillstone and Trend Micro Joint Solution

Overcoming Five Critical Cybersecurity Gaps

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Security Analytics for Smart Grid

Security Services. 30 years of experience in IT business

Content Security: Protect Your Network with Five Must-Haves

After the Attack. The Transformation of EMC Security Operations

Eight Essential Elements for Effective Threat Intelligence Management May 2015

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

Gaining the upper hand in today s cyber security battle

Security and Privacy

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA

Unified Security, ATP and more

The Future of the Advanced SOC

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

1 Introduction Product Description Strengths and Challenges Copyright... 5

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

STRATEGIC ADVANTAGE: CONSULTING & ISIGHT INTELLIGENCE

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

10 Things Every Web Application Firewall Should Provide Share this ebook

Connected Threat Defense Strategy. Eva Chen, Co-Founder and CEO

Things To Do After You ve Been Hacked

ALERT LOGIC FOR HIPAA COMPLIANCE

EY Cyber Security Hacktics Center of Excellence

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

Bridging the gap between COTS tool alerting and raw data analysis

Transcription:

The Business Justification for Cyber Threat Intelligence How advanced intelligence improves security, operational efficiency and strategic planning

What Executives Need to Know about Cyber Threat Intelligence Enterprise security teams are increasingly facing off against smart, well-funded attackers with very specific agendas and targets. These attackers are adept at varying their methods and hiding their activities amidst the vast flow of information and transactions businesses generate every day. Sophisticated IT security executives have realized that cyber threat intelligence is an essential weapon for detecting and preventing advanced attacks. Yet the meaning of threat intelligence is often obscured by the claims of vendors and security services companies, and even experienced IT executives may not know all of the advantages of cyber threat intelligence. In this document we will clarify the differences between threat data feeds and genuine cyber threat intelligence. We will then outline several business justifications for cyber threat intelligence: Greater visibility into threats. Faster response to targeted attacks. Better executive communication. Improved strategic planning and investment for the security organization. 2014 All rights reserved. isight Partners, Inc. 2

Distinguishing Cyber Threat Intelligence from Threat Data Feeds It Don t Mean a Thing (If It Ain t Got That Swing) ~ Duke Ellington and Irving Mills To understand the justification for cyber threat intelligence, it is important to have a clear picture of the spectrum that runs from signature and reputation feeds at one end, to threat data feeds in the middle, to cyber threat intelligence at the other end. (Figure 1) At one time or another all of these have been called cyber intelligence or threat intelligence, but the value to a business is very different. Figure 1: A spectrum of "threat intelligence" services Signature and Reputation Feeds Signature and reputation feeds typically provide a stream of malware signatures (file hashes), URL reputation data, and intrusion indicators, sometimes supplemented by basic statistics (e.g., Today s top 10 malware threats ). This data can be sourced from non-profit and industry clearinghouses, from vendor security devices at customer sites, and from sensors distributed around the web. 2014 All rights reserved. isight Partners, Inc. 3

The primary value of signature and reputation feeds is to improve the effectiveness of nextgeneration firewalls (NGFWs), intrusion prevention systems (IPSs), secure web gateways (SWGs), anti-malware and anti-spam packages, and other blocking technologies. Up-to-date security data helps them to recognize and stop malware and network traffic from web sites known to be controlled or compromised by attackers. A secondary value is to provide raw data to help security information and event management (SIEM) systems detect known threats. Although signature and reputation feeds are one facet of a defense-in-depth strategy, their limitations are quite clear: They help block mass attacks, but miss targeted attacks for which no signature exists, as well as malware that has been morphed, encrypted, included in downloaded apps, or otherwise disguised (a Symantec executive recently estimated that antivirus products now detect only 45% of attacks 1 ). They provide data on individual threat indicators, but no context to help organizations understand how to put those indicators together to identify a real attack, or what action to take. They cause NGFWs, IPSs, SWGs, anti-malware packages and SIEM systems to generate more warnings and alerts than the security operations center (SOC) staff and incident response (IR) team can possibly evaluate, in effect concealing important warnings in a barrage of noise. Threat Data Feeds Most information security vendors now boast of a threat lab or intelligence network staffed by a small team of researchers who monitor threat data from the vendors devices and sensors and may provide a basic level of human analysis. This analysis usually includes more detailed statistical breakdowns on the prevalence, source and targets of malware and attack activities. Sometimes the lab staff also publishes anatomy of an attack discussions that enumerate the actions taken by a specific piece of malware, or the sequence of actions observed in an advanced, multi-stage attack. Threat data feeds are useful for SOC and IR teams, because they help the teams identify patterns associated with attacks, rather than simply isolated indicators. The information can also provide an understanding of how to remediate compromised systems. But most analysis from threat labs suffers from key handicaps: 1 The Wall Street Journal: Symantec Develops New Attack on Cyberhacking, May 4 2014. 2014 All rights reserved. isight Partners, Inc. 4

Data gathering is passive ( what did we see on our firewalls and network sensors? ) and often skewed to the geography and industry profile of the vendor s customer base. Analysis is backward-looking ( here is what we observed attacking networks over the past six months ). There is no intelligence that can be used to recognize when actors are preparing to attack, or new tactics and techniques they may employ. There is no intelligence indicating successful but undetected breaches (e.g., a mass dump on underground hacker web sites of credit card numbers or customer information associated with the enterprise). Analysis is generalized across the entire customer base of the vendor, or at best across very broad industry groups like finance, healthcare and manufacturing. Usually these handicaps are a function of the economics of information security product vendors. A threat lab or intelligence network is a nice way of differentiating one NGFW or SWG from another, especially since the passively collected data is essentially free to the vendor. But product vendors would not be able to recover the significant additional investment in staff and expertise required for active human and sophisticated technical data gathering, forward-looking analysis, and customized threat intelligence. Cyber Threat Intelligence Genuine cyber threat intelligences (CTI) often includes signature and reputation feeds and threat data feeds, but goes beyond them in several critical areas. CTI includes active human and technical information gathering on a global scale. That means not just aggregating data from industry clearing houses and network sensors, but continuously monitoring hacking groups and underground sites where cybercriminals and hacktivists share ideas, techniques, tools and infrastructure. It requires systematically collecting data based on the location of threats and targets, not the vendor s offices or customer locations. It also involves building a staff with diverse language skills and cultural backgrounds who can understand the motives and relationships of adversaries in China, Russia, Eastern Europe and other hacker havens. CTI is adversary-focused and forward looking, providing rich contextual data on attackers and their tactics, techniques and procedures (TTPs). This requires a comprehensive understanding of the character and motivation of emerging adversaries, the business initiatives of enterprises that increase their attack surface, the vulnerabilities of new technologies and business practices (mobile devices, virtualization, cloud and SaaS solutions), and how those factors interact. This might include, for example, determining the motivation and targets of a new variety of 2014 All rights reserved. isight Partners, Inc. 5

cybercriminal, the vulnerabilities they target, the domains, malware and social engineering methods they use, the structure and evolution of their campaigns, and the techniques they are likely to employ to evade current security technologies and practices. CTI is customized for each client. A genuine cyber threat intelligence service gathers situational data and intelligence requirements from each client, and provides analysis tailored to the industry, technologies and specific situation of that organization. Top-quality CTI companies provide direct access to analysts, so clients can receive in-depth clarification on intelligence. They also allow clients to submit malware samples for analysis. Customized information gives enterprises the extra context to set priorities and make optimal decisions based on their specific needs and risk profiles, rather than broad industry averages. Justifications for Cyber Threat Intelligence "Distrust and caution are the parents of security." ~ Benjamin Franklin For the reasons described above, cyber threat intelligence is more costly than threat data feeds. Does detecting a few more threats justify the investment? In fact, CTI does much more than help detect more threats. It allows enterprises to become proactive and prepare themselves for tomorrow s adversaries and threats, rather than reacting to last year s news stories. Advantages include not only greater visibility into threats, but also faster response to targeted attacks, better executive communication, and improved strategic planning and investment by the security organization. Greater visibility into threats Clearly one of the advantages of CTI is greater visibility into threats. Researchers who are native language speakers, knowledgeable about different cultures, and familiar with slang and colloquial terms can uncover new threat actors (cybercriminal gangs, hacktivist organizations and statesponsored actors), in new locations, who use new malware variants and new social engineering techniques, and create new campaigns with new modus operandi. This type of intelligence: 2014 All rights reserved. isight Partners, Inc. 6

Gives the security staff insight into new indicators of compromise (IOCs) and other clues so they can prevent and detect more attacks. Gives IT managers, security analysts and others insight into what applications, systems, and user populations are most likely to be attacked and how, so investment efforts can be focused on protecting those high-risk targets from actual threats. Although it is very hard to estimate the probability of preventing one or more data breaches with CTI (or any other technology), the value of preventing even one is clearly very great. A recent study by the Ponemon Institute calculated a mean cost per cyber crime of $7.2 million, ranging from an average of $3.0 million for the smallest quartile of companies in the survey to $13.8 million for the largest quartile. Another study found an average cost of $145 per record for lost or stolen records containing sensitive and confidential information. 2 Faster response to targeted attacks At major enterprises, NGFWs, IPSs, SIEM system and other security tools typically generate thousands of alerts and notifications each day. The vast majority of these are unimportant, consisting of potentially suspicious files and activities that turn out to be benign. Many represent real threats but only to organizations in a specific industry (e.g., finance, retailors, government, healthcare), with specific applications (SAP, WordPress), or specific equipment (POS or SCADA systems). Yet it is impossible for most SOC and IR teams to sort through all these alerts, or even to perform triage on them intelligently. This means that when attackers gain a foothold inside the network, it typically takes weeks or months to detect them. Statistics paint a distressing picture. According to one study 68% of web app attacks take weeks or longer to discover. Another study found that threat groups were present on a victim s network an average of 229 days before detection. 3 CTI services improve the operational efficiency of SOC and IR teams by giving them detailed information on which threats are most likely to affect the industry and situation of their firm. This shrinks the problem by allowing the teams to focus on the small number of alerts and notifications tied to attacks that represent real threats to that specific company. The threat analysis provided by CTI services enables SIEM tools to automatically raise the priority of truly meaningful alerts. It also provides the context required for team members to recognize patterns of events that point to attack campaigns. 2 Ponemon Institute: 2014 Global Report on the Cost of Cyber Crime, October 2014; Ponemon Institute: 2014 Cost of Data Breach Study: Global Analysis, May 2014 3 Verizon: 2014 Data Breach Investigations Report (DBIR); Mandiant: 2014 Threat Report 2014 All rights reserved. isight Partners, Inc. 7

CTI services can help organizations make informed use of information from signature and reputation feeds and threat data feeds. SOC and IR teams can focus on the data and threat reports that are most relevant to their situation and put aside the data and analyses that don t apply. In fact, some CTI services offer threat data feeds of their own. The best CTI vendors link threat data with context, including adversaries, campaigns, targets and other information that makes intelligence actionable. This rich, contextual intelligence data can be fed into SIEM systems and other security products through APIs. For example, this type of integration might allow a SIEM system to correlate events generated by network security tools with indicators of compromise provided by the CTI service. The SIEM system could also use intelligence provided by the CTI service to increase the priority of alerts associated with threats that target the company s industry, geographic locations, and major software applications. Vulnerability patching is another area where CTI can help organizations respond faster to immediate threats. Many enterprises prioritize their patching efforts based on generic critical/important/moderate/low ratings. But an organization can prioritize patches much more effectively if it receives rich information about each vulnerability, such as how it works, how hard it is to exploit, and whether exploit tools are currently available or under development in the wild. It is also very valuable to know if a specific vulnerability is actually being exploited by adversaries targeting the organization s industry. Better prioritization means closing the window faster on immediate threats, rather than wasting time on vulnerabilities labelled as critical that in fact pose little risk. In short, by helping prioritize alerts, CTI services increase the operation efficiency of security and incident response staffs and allow them to respond faster to the most serious attacks. Improvements in response can pay big dividends. One of the studies cited earlier found the cost of cyber attacks averaged $20,758 for each day they were active on the network. At that rate, helping an IR team focus better and identify a threat one week earlier would result in cost savings of over $145,000. Better executive communication CISOs often face serious challenges communicating information security issues to business managers, top executives and Boards of Directors. This makes it extremely difficult to obtain the cooperation and the funding justified by actual security threats. A Chief Financial Officer, for example, is unlikely to be moved to increase a budget after hearing a statement like: last week we evaluated 1,000 alerts and blocked 200 pieces of malware, but the frequency of zero-day attacks is increasing. 2014 All rights reserved. isight Partners, Inc. 8

CTI provides information that can put a face on adversaries and translate cyber threats into business risks, using terms that are meaningful to non-technical executives. It is much easier to have a productive discussion with a CFO, or a division general manager, based on statements like: last week we thwarted attacks by a hacktivist group in Eastern Europe bent on degrading our web site and damaging the corporate brand, or companies in our industry are facing a wave of attacks by state-sponsored hackers in Asia targeting engineering designs and trade secrets. Improved strategic planning and investment CTI services can provide concrete evidence and informed analysis about emerging adversaries and new types of threats. This information can direct enterprises toward planning and investment decisions that improve their security posture while reducing unnecessary risk and spending. For example, intelligence about new malware types or DDoS attacks can guide investments toward the right technologies to block those new threats. Intelligence about new adversaries and their targets can help security groups allocate their actives more effectively toward protecting the right information assets, monitoring targeted user groups, or scanning certain web traffic. Intelligence about the techniques behind new multi-stage attacks can help incident response teams focus on tools and methods that correlate disparate events to expose APTs. Conversely, intelligence can show that some threats are not relevant to specific industries or company types, saving enterprises from investing scarce resources in the wrong places. By improving strategic planning and investment, and by making security teams more effective, CTI services help IT security groups deliver more bang for the buck. The positive impact can be equivalent to a significant increase in the IT security budget. 2014 All rights reserved. isight Partners, Inc. 9

Summary "Strong reasons make strong actions" ~ Shakespeare, King John Today almost every information security vendor offers some flavor of threat intelligence. Although every form of threat intelligence has value, it is important to recognize the limitations of each. Signature and reputation feeds can make blocking technologies more effective, but they don t provide enough information to identify advanced attacks. They often cause security devices to generate more warnings, alerts and false positives than SOC and IR teams can possibly evaluate. Threat data feeds help SOC and IR teams understand the anatomy of advanced attacks, but the information is backward-looking and generalized across the entire customer base of the vendor. Genuine cyber threat intelligence includes active monitoring of underground forums by a staff with diverse language and cultural skills. It provides forward-looking analysis and robust, highlycontextual information based on the threats, actors and methods that provide the greatest risk to specific companies, in specific industries, at a specific point in time. Authentic CTI fuses a diverse set of technical and human-derived data sources into intelligence that is actionable across strategic, operational and technical risk management levels. Cyber threat intelligence services: Provide visibility into new types of advanced attacks that could potentially result in multimillion dollar data breaches. Help organizations respond faster to real threats and reduce the window for damage, by allowing security teams to put aside the vast majority of alerts and focus attention on real threats to the specific business processes of the organization. Help IT managers communicate real security risks and business issues to non-technical business managers and top executives. Allow managers to plan risk management strategies and security investments based on current and emerging adversaries and threat types. These advantages not only reduce the risk of costly security breaches, they also help organizations align security spending with the requirements and risks of the organization. To learn more about how real cyber threat intelligence can help you change the game, contact isight Partners at info@isightpartners.com. Want to set up a free consultation? Send us a request at www.isightpartners.com/acttoday/request-consultation. 2014 All rights reserved. isight Partners, Inc. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information