Threat Intelligence Buyer's Guide

Threat Intelligence Buyer's Guide
SANS CTI Summit, 10 February 2014
Rick Holland, Principal Analyst, @rickhholland

Last year
2014 Forrester Research, Inc. Reproduction Prohibited

This year, Arnold's back!!

Agenda
- Threat intelligence trends
- Evaluating threat intelligence
- Recommendations

Forrester defines threat intelligence as: Details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats.

Threat intelligence trends

Actionable intel, meet Terry Tate
The leading provider of actionable intelligence...

Challenges
- Gleaning intelligence from a multitude of feeds and data
- Dealing with variances in data quality and relevancy
- Validating third-party intelligence
- Tactical focus of intelligence programs

Operationalizing intelligence = cat herding

Threat intelligence sharing
- We share at about the same speed that George R.R. Martin writes novels, which is slow
- Quid pro quo and relationship driven
- You cannot automate trust

Sharing standards adoption
- FS-ISAC & DHS are driving adoption of STIX/TAXII
- STIX (Structured Threat Information eXpression)
- TAXII (Trusted Automated eXchange of Indicator Information)
- FS-ISAC members are pushing vendors to support them

My threat intel can beat up your threat intel

Crowded marketplace (research preview)

Intelligence providers deliver
Tactical/operational intel. Examples:
- Threat indicator feeds (host/network)
- Cryptolocker analysis
Strategic intel. Examples:
- Executive briefs
- Campaign analysis
- Industry-specific threat assessments

Evaluating threat intelligence

Before we start, STOP

You have to have an actual strategy
Jerry the owner isn't happy with Jerry the general manager

Before we start, stop
- What is your mission?
- What are your intelligence requirements?
- Develop requirements: What threat actors target you? What are they after?
- Do you know your organization's priorities?
- Do you know the risks to your business?

Align with business risks

The Intelligence Cycle
Use the Intelligence Cycle as a framework to evaluate intelligence sources

1) Planning and direction
- How does the provider develop intel requirements?
- How do the provider's intelligence requirements align with yours? (Threat actor, vertical specific, malware, geopolitical)
- How does the provider work with you? What feedback mechanisms exist?

2) Collection
- What are providers' collection capabilities? OSINT, HUMINT, language coverage, geos; P2P, honeypots, Tor, crawlers, professional service engagements, vendor product footprint
- Do collection capabilities align with your intelligence requirements?
- Overcome the sources and methods challenge

2) Collection continued
- Collection management should be a function within your intelligence team
- You must be able to identify your collection gaps
- Then you can make a build versus buy decision

3) Processing
- Raw data is transformed into information for analysis
- What platform is used for processing?
- How does processing enable timely intelligence production?
- How do you prioritize processing based on intelligence requirements?

4) Analysis and production
- Understand the analytic methodology used to derive intelligence (e.g., the Diamond Model)
- What analysis platform is used? (Is it available to customers?)
- Who is doing the analysis? Background and skillsets? Intelligence community, incident responders, malware analysts

4) Analysis and production continued
Common intelligence products:
- Vulnerability analysis
- Campaign analysis
- Periodic summaries (weekly/monthly)
- Brand monitoring
- Custom products
- Malware analysis
- Threat actor analysis
- High value target alerting
- Executive briefings
- Threat feeds

Measuring intelligence
Characteristics of valuable intelligence:
- Accurate (pretty obvious)
- Timely (meh, stale indicators)
- Relevant: aligned with intelligence requirements
- Tailored: audience appropriate (tactical/strategic)
- Predictive: anticipates threat activity
- Actionable: can be easily integrated into security controls
Do you actually get hits? Compare with peer orgs.
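Added example (mine, not the speaker's or Forrester's): a scorecard that turns the checklist above, and the "do you actually get hits?" question, into numbers per source, which is also what "rate intelligence source value" on an analysis platform reduces to. The two vendor feeds, the proxy-log lines and the allowlist are all constructed; the lag metric is my own definition (feed first_seen minus our first sighting, so a positive value means the feed published after we had already been hit and a negative one means it was ahead of the activity).

```python
"""Scorecard for threat-intelligence sources: accuracy (hits on allowlisted,
known-benign infrastructure count against a source), timeliness (did the feed
publish before or after we were first hit), relevance (do its indicators ever
appear in our own telemetry) and unique contribution (overlap with other feeds)."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed feeds from two hypothetical vendors: {source: {indicator: first_seen}}.
# Addresses are RFC 5737 documentation ranges; domains are reserved examples.
FEEDS = {
    "vendor-a": {
        "198.51.100.7": "2014-02-01T00:00:00Z",
        "203.0.113.44": "2014-02-03T00:00:00Z",
        "malware-c2.example": "2014-02-02T00:00:00Z",
        "203.0.113.9": "2014-01-20T00:00:00Z",
    },
    "vendor-b": {
        "198.51.100.7": "2014-02-05T00:00:00Z",
        "cdn.example.net": "2014-02-01T00:00:00Z",  # benign CDN: an accuracy failure
        "192.0.2.250": "2014-02-04T00:00:00Z",
    },
}

# Constructed proxy-log lines: "<utc timestamp> <client> <destination>".
LOGS = """\
2014-02-02T09:13:00Z 10.0.0.5 198.51.100.7
2014-02-02T11:40:00Z 10.0.0.9 malware-c2.example
2014-02-03T08:05:00Z 10.0.0.5 cdn.example.net
2014-02-06T14:22:00Z 10.0.0.12 198.51.100.7
not a log line
2014-02-07T10:00:00Z 10.0.0.3 192.0.2.250
"""

# Constructed allowlist of infrastructure we have verified as benign.
ALLOWLIST = {"cdn.example.net"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_sightings(log_text):
    """Earliest time each destination appears in our telemetry."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the batch
        ts, _client, dest = m.groups()
        try:
            t = parse_ts(ts)
        except ValueError:
            continue
        if dest not in seen or t < seen[dest]:
            seen[dest] = t
    return seen


def score_sources(feeds, log_text, allowlist):
    """Per-source scorecard. Lag is feed first_seen minus our first sighting,
    in days: positive means the feed was late, negative means it was ahead."""
    sightings = first_sightings(log_text)
    carriers = defaultdict(int)  # how many sources carry each indicator
    for inds in feeds.values():
        for ind in inds:
            carriers[ind] += 1
    report = {}
    for source, inds in feeds.items():
        hits = [i for i in inds if i in sightings and i not in allowlist]
        false_positives = [i for i in inds if i in allowlist]
        unique = [i for i in inds if carriers[i] == 1]
        lags = [(parse_ts(inds[i]) - sightings[i]).total_seconds() / 86400
                for i in hits]
        report[source] = {
            "indicators": len(inds),
            "hits": len(hits),
            "hit_rate": round(len(hits) / len(inds), 2) if inds else 0.0,
            "false_positives": len(false_positives),
            "unique_indicators": len(unique),
            "median_lag_days": round(median(lags), 1) if lags else None,
        }
    return report


if __name__ == "__main__":
    for source, card in score_sources(FEEDS, LOGS, ALLOWLIST).items():
        print(source, card)
```

Run against real telemetry, the interesting columns are unique_indicators (is this feed telling you anything the others do not?) and median_lag_days (a feed that consistently publishes after your own first sighting is the "stale indicators" case, however large it is). Re-running the scorecard each quarter is the "measure periodically" recommendation later in the deck.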

5) Dissemination
How do you help me make the intelligence actionable?
- A .pdf file?
- An email list?
- A portal I have to log in to?
Terry Tate is still out there.
XML, JSON, STIX, IODEF, OpenIOC are better answers.

5) Dissemination continued
Vendors must make APIs available to:
- Give enterprises with development skills/bandwidth the ability to customize (the 1%ers)
- Better living through integrations: those without software development skills will have to rely upon product integrations
- NetCitadel has an interesting offering that automates (or semi-automates) responses to firewalls and proxies
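Added example (not from the talk) of what one of the "better answers" looks like on the receiving end: a Python ingester for a constructed STIX 2.1 JSON bundle that emits a control-ready lookup table. STIX 2.x is JSON and post-dates this 2014 talk, which had STIX 1.x XML in mind; the integration argument is the same. The indicator IDs, names and values are constructed, and two design choices are mine: revoked and expired indicators are dropped before anything reaches a control, and only equality comparisons joined by OR are flattened into list entries, because pushing one comparison from an AND or FOLLOWEDBY pattern into a blocklist would block more than the indicator says.

```python
"""Ingest a STIX 2.1 bundle and emit control-ready indicator lists,
dropping revoked and expired indicators and refusing to flatten
compound patterns whose comparisons only mean something together."""
import json
import re
from datetime import datetime, timezone

# Constructed bundle with hypothetical IDs; addresses and domains are
# documentation/reserved values, the hash is an arbitrary constructed value.
BUNDLE_JSON = r'''{"type": "bundle", "id": "bundle--0b1c1e5a-1111-4b2c-8d3e-000000000001",
 "objects": [
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1c1e5a-1111-4b2c-8d3e-000000000002",
   "created": "2014-02-01T00:00:00.000Z", "modified": "2014-02-01T00:00:00.000Z",
   "name": "C2 node", "pattern_type": "stix",
   "pattern": "[ipv4-addr:value = '198.51.100.7']",
   "valid_from": "2014-02-01T00:00:00Z", "valid_until": "2015-02-01T00:00:00Z"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1c1e5a-1111-4b2c-8d3e-000000000003",
   "created": "2014-02-02T00:00:00.000Z", "modified": "2014-02-02T00:00:00.000Z",
   "name": "Phishing domains", "pattern_type": "stix",
   "pattern": "[domain-name:value = 'login-example.test' OR domain-name:value = 'update-example.test']",
   "valid_from": "2014-02-02T00:00:00Z"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1c1e5a-1111-4b2c-8d3e-000000000004",
   "created": "2013-06-01T00:00:00.000Z", "modified": "2013-06-01T00:00:00.000Z",
   "name": "Old sinkhole", "pattern_type": "stix",
   "pattern": "[ipv4-addr:value = '203.0.113.9']",
   "valid_from": "2013-06-01T00:00:00Z", "valid_until": "2013-12-31T00:00:00Z"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1c1e5a-1111-4b2c-8d3e-000000000005",
   "created": "2014-02-03T00:00:00.000Z", "modified": "2014-02-03T00:00:00.000Z",
   "name": "Beacon", "pattern_type": "stix",
   "pattern": "[network-traffic:dst_ref.value = '192.0.2.250' AND network-traffic:dst_port = 8443]",
   "valid_from": "2014-02-03T00:00:00Z"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1c1e5a-1111-4b2c-8d3e-000000000006",
   "created": "2014-02-03T00:00:00.000Z", "modified": "2014-02-10T00:00:00.000Z",
   "name": "Withdrawn", "pattern_type": "stix", "revoked": true,
   "pattern": "[domain-name:value = 'cdn.example.net']",
   "valid_from": "2014-02-03T00:00:00Z"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1c1e5a-1111-4b2c-8d3e-000000000007",
   "created": "2014-02-04T00:00:00.000Z", "modified": "2014-02-04T00:00:00.000Z",
   "name": "Dropper", "pattern_type": "stix",
   "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']",
   "valid_from": "2014-02-04T00:00:00Z"}
 ]}'''
BUNDLE = json.loads(BUNDLE_JSON)

# Evaluation time is a fixed constructed value so the run is reproducible.
AS_OF = datetime(2014, 3, 1, tzinfo=timezone.utc)

# One "object:path = 'value'" comparison; only equality with a quoted value.
COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")
# Operators that make the comparisons interdependent; a list entry built from
# one of them alone would over-block, so such patterns are reported, not flattened.
NON_DECOMPOSABLE = re.compile(r"\b(AND|FOLLOWEDBY|WITHIN|REPEATS|START|STOP)\b")
CATEGORY = {("ipv4-addr", "value"): "ip", ("ipv6-addr", "value"): "ip",
            ("domain-name", "value"): "domain", ("url", "value"): "url",
            ("file", "hashes.'SHA-256'"): "sha256"}


def parse_ts(s):
    """STIX timestamps are UTC, optionally with fractional seconds."""
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def extract_indicators(bundle, as_of):
    """Return ({category: {value: indicator_id}}, [(indicator_id, reason)])."""
    lists, skipped = {}, []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        iid = obj["id"]
        if obj.get("pattern_type", "stix") != "stix":
            skipped.append((iid, "non-stix pattern")); continue
        if obj.get("revoked"):
            skipped.append((iid, "revoked")); continue
        if obj.get("valid_until") and parse_ts(obj["valid_until"]) <= as_of:
            skipped.append((iid, "expired")); continue
        if parse_ts(obj["valid_from"]) > as_of:
            skipped.append((iid, "not yet valid")); continue
        pattern = obj["pattern"]
        if NON_DECOMPOSABLE.search(pattern):
            skipped.append((iid, "compound pattern")); continue
        comps = COMPARISON.findall(pattern)
        if not comps:
            skipped.append((iid, "no equality comparison")); continue
        for otype, path, value in comps:
            lists.setdefault(CATEGORY.get((otype, path), "other"), {})[value] = iid
    return lists, skipped


def render_lookup(lists):
    """Tab-separated rows (category, value, source indicator id) for a SIEM or proxy list import."""
    return "\n".join(f"{cat}\t{val}\t{iid}"
                     for cat in sorted(lists) for val, iid in sorted(lists[cat].items()))


if __name__ == "__main__":
    lists, skipped = extract_indicators(BUNDLE, AS_OF)
    print(render_lookup(lists))
    for iid, reason in skipped:
        print("skipped", iid, reason)
```

Keeping the source indicator id on every row is what lets you later answer "which feed, and which report, put this entry on my proxy blocklist?", which is the feedback loop the planning-and-direction step above asks the provider for.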

The Intelligence Cycle repeats

Recommendations
1) Avoid Expense in Depth

Expense in Depth: are you more secure?

The 80s called, they want their security strategy back
Don't blindly invest in intelligence. Instead:
- Let intelligence requirements drive investment
- Invest based on collection gaps
- Measure your intelligence sources' effectiveness, and continue to do so periodically

Recommendations
2) Focus on the Intelligence Analysis Platform

Orchestrate your intelligence activities
Quarterbacks orchestrate on the field

An Intelligence Analysis Platform is your quarterback

Intelligence Analysis Platform capabilities
- Rate intelligence source value
- Manage threat indicators
- Asset aware
- Have an API for making intelligence actionable
- Enable analysis (visualization, pivoting)
- Provide enrichment: active DNS, GeoIP, Maltego, passive DNS, VirusTotal

Intelligence Analysis Platform solutions
- Cyber Squared ThreatConnect
- Detica CyberReveal
- IBM i2 Analyst's Notebook
- Lockheed Martin Palisade
- Lookingglass ScoutPlatform
- Maltego
- MITRE CRITs (Collaborative Research Into Threats)
- Palantir

Recommendations
3) Have an actual strategy

Final thoughts
- Don't be Jerry Jones, proceed wisely
- Develop intelligence requirements that focus both internally and externally
- Manage collection capabilities

You must demonstrate value
An intelligence-led defense has significant operating costs:
- $100k analysts (how many does your org have?)
- Hundreds of thousands to millions of dollars in technology investment
How to show value:
- Produce strategic intelligence products for executives
- Use intelligence for portfolio management
- Decrease dwell-time metrics
- Communicate cost avoidance (leverage financial impact data from public companies in your sector, e.g., Target's 10-K filing, ticker TGT)

Free research
- Follow me on Twitter for updates on upcoming research
- Previewed today: Market Overview: Threat Intelligence Service Providers (May); Forrester's Targeted Attack Hierarchy Of Needs (April)
- Participate in a research interview and get the final report for free (anonymous)
- Provide input that can drive vendor strategy

My favorite

Thank you
Rick Holland
+1 469.221.5300
rholland@forrester.com
@rickhholland