Separating Signal from Noise: Taking Threat Intelligence to the Next Level

Similar documents
Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

Can We Become Resilient to Cyber Attacks?

Threat Intelligence Buyer s Guide

WHITE PAPER: THREAT INTELLIGENCE RANKING

After the Attack: RSA's Security Operations Transformed

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

Active Response: Automated Risk Reduction or Manual Action?

Eight Essential Elements for Effective Threat Intelligence Management May 2015

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

Unified Security Management and Open Threat Exchange

Evolution Of Cyber Threats & Defense Approaches

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era

El costo oculto de las aplicaciones Vulnerables. Faustino Sanchez. WW Security Sales Enablement. IBM Canada

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

SANS Top 20 Critical Controls for Effective Cyber Defense

Threat Intelligence: What is it, and How Can it Protect You from Today s Advanced Cyber-Attacks A Webroot publication featuring analyst research

IBM QRadar Security Intelligence April 2013

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

IBM Advanced Threat Protection Solution

ESG Threat Intelligence Research Project

Practical Threat Intelligence. with Bromium LAVA

Stay ahead of insiderthreats with predictive,intelligent security

Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity

Symantec Cyber Security Services: DeepSight Intelligence

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

Cymon.io. Open Threat Intelligence. 29 October 2015 Copyright 2015 esentire, Inc. 1

Concierge SIEM Reporting Overview

The Future of the Advanced SOC

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

IBM Security X-Force Threat Intelligence

Security Intelligence Services.

A Primer on Cyber Threat Intelligence

ESG Brief. Overview by The Enterprise Strategy Group, Inc. All Rights Reserved.

All Information is derived from Mandiant consulting in a non-classified environment.

Performing Advanced Incident Response Interactive Exercise

The Importance of Cyber Threat Intelligence to a Strong Security Posture

The Benefits of an Integrated Approach to Security in the Cloud

RSA Security Analytics

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Threat Intelligence Platforms: The New Essential Enterprise Software

IBM Security Strategy

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

The Role of Security Monitoring & SIEM in Risk Management

The Third Rail: New Stakeholders Tackle Security Threats and Solutions

Critical Security Controls

Q1 Labs Corporate Overview

The SIEM Evaluator s Guide

THE EVOLUTION OF SIEM

Retail Security: Enabling Retail Business Innovation with Threat-Centric Security.

What is Security Intelligence?

Software that provides secure access to technology, everywhere.

APPLICATION PROGRAMMING INTERFACE

Hunting for the Undefined Threat: Advanced Analytics & Visualization

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

SIEM is only as good as the data it consumes

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

The webinar will begin shortly

Leverage security intelligence for retail organizations

Big Data and Security: At the Edge of Prediction

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Advanced Threats: The New World Order

IBM Security QRadar Risk Manager

DYNAMIC DNS: DATA EXFILTRATION

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

Metrics that Matter Security Risk Analytics

Redefining Incident Response

Protecting against cyber threats and security breaches

REVOLUTIONIZING ADVANCED THREAT PROTECTION

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

All about Threat Central

Under the Hood of the IBM Threat Protection System

Security Analytics for Smart Grid

GOOD PRACTICE GUIDE 13 (GPG13)

Security Business Intelligence Big Data for Faster Detection/Response

Things To Do After You ve Been Hacked

How To Create An Insight Analysis For Cyber Security

Integrating MSS, SEP and NGFW to catch targeted APTs

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Transcription:

SESSION ID: SPO2-T09 Separating Signal from Noise: Taking Threat Intelligence to the Next Level Doron Shiloach X-Force Product Manager IBM @doronshiloach

Agenda Threat Intelligence Overview Current Challenges Solutions X-Force Questions 2

The Threat Intelligence Market is growing SANS Cyber Threat Intelligence Summit 2014 3 Courses, 2 Instructors SANS Cyber Threat Intelligence Summit 2015 5 courses, 6 instructors Threat Intelligence services market size 2013* Threat Intelligence services market size 2018* $250M in 2013 $1.5B in 2018 *Gartner, Competitive Landscape: Threat Intelligence Services, Worldwide, 2015, October 2014 G00261001

and maturing from an industry perspective Definition of threat intelligence Evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject s response to that menace or hazard. * Importance as part of any organization s suite of tools The criteria for evaluation is coalescing, for example Where is it sourced from? How often is it updated? Is it vetted by humans? Does it focus on a specific industry? *Gartner, Definition: Threat Intelligence, Rob McMillan, May 2013, refreshed September 3, 2014, G00249251

Threat intelligence does help Utilization of threat intelligence can yield a significant reduction in security incidents, as well as speed to respond Security events Annual 91,765,453 Monthly 7,647,121 Weekly 1,764,121 Security Intelligence Correlation and analytics tools Security attacks Annual 16,857 Monthly 1,405 Weekly 324 Security Intelligence Human security analysts Security incidents Annual 109.37 Monthly 9.11 Weekly 2.10 Events: up 12% year on year to 91m Attacks: Increased efficiencies achieved Incidents: up 22% year on year Observable occurrences in a system or network More efficiency in security processing to help clients focus on identified malicious events Attacks deemed worthy of deeper investigation 5

Security teams are using multiple sources of intelligence to identify cyber threats 65 % of enterprise firms use external threat intelligence to enhance their security decision making * Analysts can glean insights from a wide variety of sources Data allows analysts to generate alerts Time spent on analysis can be applied to implementation * Source: ESG Global

Agenda Threat Intelligence Overview Current Challenges Solutions X-Force Exchange Questions 7

Security teams are using multiple sources of intelligence to identify cyber threats the other side 65 % of enterprise firms use external threat intelligence to enhance their security decision making * However, security teams lack critical support to make the most of these resources Analysts can t separate the signal from the noise Data is gathered from untrusted sources It takes too long to make information actionable 1 Source: ESG Global

Operationalizing it can be costly and complex When shopping for intelligence sources, organizations can be overwhelmed by choices as well as the cost and complexity to operationalize and gain a return on investment Firewall logs Proxy logs Internal IDS/IPS logs Endpoint security logs Employee directory Ever increasing proliferation of cyber threat intelligence feeds Top tier phishing indicators Brand abuse phishing indicators External Malware campaigns/ indicators Fraud payment logs Actor intel/indic ators Web logs Application logs Authentication logs Malware detection logs SSO/ LDAP context Staff asset / credentials Customer asset / credentials Threat landscape intel (TTPs) Intel as a service (IaaS) Human Intel (HUMINT) Email logs CSIRT incidents Network Security logs Vulnerability patch mgmt Building access logs DNS/ DHCP logs Fraud payment logs Call/ IVR logs Application inventory Website marketing analytics Law enforcemt threat intel IP reputation intel Industry threat intel sharing Passive DNS intel Public sector threat intel OSINT sentiment analysis ISAC threat intel Undergd dark Web intel Technical Intel (TECHINT) Malware Hashes / MD5 Advanced analytics and human intelligence must be applied and integrated into the organization to leverage the value of all the data 9

Agenda Threat Intelligence Overview Current Challenges Solutions X-Force Questions 10

Key capabilities in a solution Know everything about the particular observable that starts your investigation, i.e. historical information Know everything your colleagues in the same industry know about that particular observable Apply everything you and your colleagues know to the controls that exist in your infrastructure in order to better protect your organization

Threat intelligence sharing has become essential The bad guys are doing it It helps provide insight, context, and confidence with respect to the information that is being observed, i.e. an isolated attack or part of a broader industry-wide attack It benefits both the organization and the broader community Ranges from technical information on a particular piece of malware to more strategic, unstructured content 12

The current state of threat intelligence sharing E-mail and informal gatherings ISACs Information Sharing and Analysis Center Financial Services, National Health, Information Technology Threat Intelligence Platforms Dynamic market with both established players and startups Machine Readable Threat Intelligence STIX - Structured Threat Information Expression TAXII Trusted Automated Exchange of Indicator Information Cybox common structure for cyber observables 13

The real value of threat intelligence lies in its application to your business to turn insight into action Without insight, organizations struggle to understand and stay ahead of the threat Potential attacks can be overlooked if the attacker s methods and motives are unknown Armed with this intelligence, organizations can take action ahead of threat to proactively adapt security strategy, remediate vulnerabilities and monitor for impact By applying intelligence upfront, an organization can optimize security resources, increase efficiencies, reduce costs and improve risk management 14

Agenda Threat Intelligence Overview Current Challenges Solutions X-Force Questions 15

X-Force: Advanced Security & Threat Research The mission of X Force Monitor and evaluate the rapidly changing threat landscape Research new attack techniques and develop protection for tomorrow s security challenges Educate our customers and the general public Distribute Threat Intelligence to make IBM solutions smarter 16

Access to a broad range of threat intelligence data Threat indicators IPs, URLs, vulnerabilities, web applications, malware Additional context Passive DNS, historical information Pivoting on each observable Anonymized customer information Sources Machine-generated intelligence from crawler robots, honeypots, darknets, and spamtraps Multiple third party and partner sources of intelligence

Additional correlation is key to insights Cross-reference the following information Customers targeted Industries affected, i.e. % of healthcare, financial, manufacturing, etc. Attack sequence and tools Vulnerabilities affected Benefits Reduction of false positives by validating against multiple criteria Prioritization of attacks 18

An integrated solution helps tie information to action Endpoint Protection Network Protection SIEM STIX / TAXII API The foundation for integration Threat intelligence dynamically updated on a minute by minute basis Each product/service can access information from the others Examples SIEM products can act on and get context from threat intelligence APIs provide technical users the ability to build the proper solutions, with the most flexibility

Share information among teams Collects latest new indicators of compromise INCIDENT RESPONDER SECURITY ANALYST Applies IOC information to products to remediate and prevent intrusions Human intelligence is the difference Different perspectives on the same set of information Each user has own requirements/use cases MSSP Threat Intelligence Platform Communicate with clients and provide information CISO Understands high-level threat landscape and status of issues via dashboard of information

Steps you can take today on tools Understand your threat intelligence Relevance Integration Efficiency in sharing among products and teams Understand machine readable threat intelligence STIX stix.mitre.org TAXII taxii.mitre.org Cybox cybox.mitre.org APIs RESTful, JSON, XML, etc.

Steps you can take today on processes At a security team level Identify information you have Collaborate effectively Within the organization With other colleagues in the industry, i.e. ISACs At a company level Team with CIO/CISO Understand and address silos and legal issues *Source: Rick Holland, Forrester Research

Agenda Threat Intelligence Overview Current Challenges Solutions X-Force Questions 23

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information