Cyber Threat Intelligence Sharing: Lessons Learned, Observations, Recommendations

Transcription:

Cyber Threat Intelligence Sharing: Lessons Learned, Observations, Recommendations
Bob Gourley, Partner, Cognitio
September 9, 2015
How we think.

Disclaimer
There is a great deal of text on these slides. Don't try to read them now; I'll verbally summarize and will email you a copy to read slowly later.

About This Presentation
- Cyber Threat Intelligence is information on the adversary (capabilities, intentions, ongoing action) that is of use to enterprise defense.
- The goal is to mitigate risks by knowing your adversary, their intent and even their next move.
- This session provides lessons in cyber threat intelligence from across government and industry, in ways designed to help inform your approach to cyber threat intelligence.

Foreshadowing
- There is cyber threat intelligence in both industry and government. If parties on both sides could increase their sharing, it would be good for collective defense. Understanding the issues each side faces and some key perceptions may help enhance this sharing.
- There is info in government of value to enterprises, but when information is provided it is usually provided too late or is not of value.
- There are some cases where information is shared with those who hold clearances, and that has been called very valuable by some CISOs.
- There is information in industry that can help government better defend itself and help government help industry.
- A frequently overlooked challenge to info sharing is culture.

Table of Contents
- About This Presentation
- Methodology
- Observations/Recommendations for Industry
- Observations/Recommendations for Government
- Observations/Recommendations for Academia
- Discussion

Methodologies
Know Cyber Intel
- Know the threat
- Know technology
- Know defensive concepts
- Know standards
- Know the cultures of who is involved
Know The Law and Gov Policy and Regulations
- Includes SOX, GLBA, SEC and FINRA guidance, HIPAA and many others (see business.usa.gov)
- Global privacy regulations
Know What Info Is Available In Gov and Industry
- What might gov have that industry would want?
- What might industry have that gov might want?
Draft Assessments and Lessons Learned
- Generate assessments, conclusions and recommendations
- Check assumptions by asking trusted CISOs with government and industry experience to review conclusions and comment
Conclusions
- Seek to produce conclusions that can help people get things done
- Look for new insights vice just revamping old conclusions and assessments
- Keep iterating to ensure conclusions are of value to real decision-makers
I discussed conclusions with many, but blame me for any faults here and let me know what you think.
This presentation was reviewed by over 150 security executives in industry, government and academia.

More On Our Bias and Background
- TheCyberThreat.com
  - Lessons from history and current ops
  - Insights from companies under attack
  - Ways to enhance cyber intelligence support
- Insaonline.org
  - Products resulting from a government-industry partnership study of cyber intelligence issues
  - Best practices and lessons learned from the IC
- ThreatBrief.com
  - Free daily report on cyber threat actors and their strategic actions and impact

Security Officers/CISOs We Spoke With
- We spoke with security executives in several industries:
  - Finance
  - Retail
  - Food and Beverage
  - Automotive
  - State/Local/Federal Government
  Note: we did not speak with any large DIB members on this; they may well have different views if they get classified info.
- We asked the readership of ThreatBrief.com to provide inputs on lessons learned and observations on the current state of cyber intelligence information sharing.
Results follow.

The Rise Of Cyber Intelligence
- Legacy firms are enhancing their cyber intel practices and offerings.
- New startups are attracting significant investments.
- Data feeds of threat intelligence are growing and hard to track (see ThreatIntelligenceReview.com).
- Most firms are now leveraging managed security service providers in some capacity, providing new ways to make intel actionable.
- Secure collaboration spaces and managed service providers are very hot topics.

Now For The Meat
- The slides that follow capture relevant lessons and recommendations for:
  - Industry
  - Government
  - Academia

Observations For Government
- Many in industry see value in cyber threat intel from gov, but many others view it as not relevant. Many view sharing with government as a one-way street.
- Many big-company security professionals have doubts that the situation will ever improve.
- Some government info is helpful to industry, but there is nothing government had that could have prevented the attacks on Sony, Home Depot, JP Morgan, Anthem, etc.
- Many companies (especially mid-sized ones) find information from law enforcement (FBI and Secret Service) useful.
- The commercial trend towards managed security services is one to watch and leverage.
- There are many legal and contractual reasons why industry cannot share some key cyber threat intel information.

Recommendations For Government
- It may be sub-optimal to spend too much energy trying to enhance info sharing, so focus on what is important (see the comment below on speed). Share what you are best at, like standards, methods, models and experiences. And hold more events like this one.
- Understand that info has a time value. If sent too late it will have zero impact on defense. If you find ways to speed info release, that might help you help industry.
- Understand that industry is prevented from sharing some cyber threat info due to law, regulations and contractual issues. Be empathetic.
- Consider how you can leverage commercial managed service providers and commercial threat intel feeds. This will enhance your cyber intelligence capabilities.
- When industry shares information with government, that information must be well protected. Loss of data in a breach will hurt trust and hurt future information sharing efforts.
- Continue your support and encouragement for ISACs. Support ISACs for the good they do the nation.

Observations For Industry
- The government is larger than you realize. No single agency, department or branch speaks for the entire government.
- For many in industry, the best source of gov cyber threat intel is NCICC and their US-CERT (us-cert.gov).
- The greatest sources of actionable information for business are groups like the ISACs, commercial cyber intelligence firms and managed security service providers. Informal info sharing within industry is also important. Spend more time on this than you spend seeking info from gov.
- Cyber information shared by the FBI and Secret Service can be helpful to small to mid-sized businesses.
- There are risks to sharing info with government. If done wrong you can violate law, industry regulations and your contracts with others. There are also risks to your business that you need to mitigate.

Recommendations For Industry
- Since you cannot expect any one office to speak for the entire government on issues of information sharing, you need to know the facts about who you are working with and how they work with others.
- If you had to pick just one organization in government to share with, pick US-CERT. But it is also advisable to establish relationships with either the FBI or the Secret Service. When you get breached you will wish you knew your local agents by first name.
- Since there are risks to sharing information with government, engage your CRO and GC in your information sharing strategy. If they are not involved you may be putting yourself in danger of violating law, government regulations, or contracts, even if you are sharing with good intentions. You may also be putting your firm at risk.
- If you are not involved in your sector ISAC, engage with them now. It is also critical to build trust-based relationships with your peers for informal sharing. Find the right managed services provider for your firm.

For Academia
- Observations:
  - The nation would benefit from more education and training around cyber intelligence. Large companies need a workforce educated in cyber intelligence methodologies and trained in the technologies that make up the modern enterprise. Government needs this too.
  - Work by INSA is a huge start in outlining what is needed for a cyber intelligence curriculum.
- Recommendations:
  - Cyber intelligence is a multi-disciplinary activity, and education/training in it should be as well.
  - Engage with INSA to accelerate development of a cyber intelligence curriculum.
  - This field gets technical quickly. Ensure you are teaching the details of policy, technology and information sharing standards.

Concluding Recommendation
Knowing The Threat Will Help You Share Intelligence On The Threat and Will Help You Craft The Best Intelligence Sharing Programs. So, Never Stop Studying The Threat.
ThreatBrief.com
Insaonline.org
TheCyberThreat.com

Contact Us
Bob Gourley
bob.gourley@cognitiocorp.com
Twitter: @bobgourley
Twitter: @CognitioCorp
On-line: ThreatBrief.com
On-line: CTOVision.com
Cognitio Corp
1750 Tysons Blvd, Ste 1500
McLean, VA 22102
(703)738-0068
