CYBER THREAT INTELLIGENCE: IS LESS MORE?

CYBER NEXT FORUM

Presented by Lance Dubsky

Copyright © 2018 CYBER OAK SOLUTIONS LLC. All rights reserved.


Agenda

• Active Cyber Defense

• Informing Active Defenses

• Fixing Vulnerabilities

• Tools, Tools, Tools

• Mission Impact and Security Posture

• The role of AI and Machine Learning

• Your SOC

• Recommendations


Active Cyber Defense

• A definition of active cyber defense?

• Action and remediation functions are in place

• Cyber Defense and Network Management closely work together

• Ongoing situational awareness of all assets

• You have the ability to take in new information, rapidly assess the risk, and take action

• Paths for adopting active cyber defense solutions?

Slide 4: image. Credit: FireEye


Informing Active Defenses

In 2017, several speakers spoke of the need to leverage cyber intelligence to inform active defenses and accelerate “hunt” capabilities.

• What is important regarding the maturity of cyber intelligence capabilities and the ability to share intelligence machine-to-machine?


Your SOC Team comes to work


Your SOC team fighting the good fight


Fixing Vulnerabilities

• Should cyber operations and investments be directed more towards managing and fixing vulnerabilities, or towards identifying and mitigating threats?


Tools, Tools, Tools

• A growing problem for SOC operators is the increasing number of tools and scripts, and the corresponding complexity and cost of accomplishing the security mission.

• Are we maxed out in terms of the number of tools a SOC can handle?

• To what extent will process automation (including AI/ML) help to relieve this burden?

• How will the workload shift for the SOC operator when greater utilization of process automation is achieved?


So Many Solutions


Mission Impact and Security Posture

Tying security concerns to mission objectives is a recurring theme these days. Risk and resilience are often used as metrics to tie these concerns together. However, mission objectives, operations, and security posture can change almost on a daily basis.

• What approaches are available to ensure the metrics for mission impact and security posture are reported accurately and understood by stakeholders in such a dynamic environment?

Figure: Resilience and Risk plotted against Security Posture and Mission Impact.


The role of AI and Machine Learning

Artificial intelligence and machine learning are being discussed as the next big thing to improve cyber security.

• What role does machine learning play, or should it play, to support active defenses?

• What about broad adoption of AI & ML technologies in cyber defenses?

Figure: Smarter Algorithms and Analytics. Credit: IBM


Internet of Things

The Internet of Things (IoT) promises to bring billions more devices to the network to be securely managed.

• What types of changes might a SOC need as the IoT comes on line?

MACHINE LEARNING: Algorithms whose performance improves as they are exposed to more data over time

ARTIFICIAL INTELLIGENCE: A program that can sense, reason, act, and adapt

Your SOC?

Figure: Security Capability (Tools-Based, Integrated Framework, Adaptive Defense, Resilient; with Compliant as a further marker) plotted against Sophistication of the Threat (Conventional Threats, Cybercrime, Cyber Espionage, Nation State Attacks). Credit: FireEye


Recommendations

• For Threat Intelligence to be effective you need trusted sources.

• Need to have the foundational apparatus of cyber information management, to include action/remediation (fixing).

• Need to have close integration between system/network management and cyber defense.

• Need to have ongoing situational awareness of all assets (hardware and software), the ability to take in new information (IOCs, alerts, bulletins, etc.), rapidly assess the applicability and risk, and take action.

• Need to decide “how much” Cyber Threat Intelligence is enough for you to effectively make use of.

• Need to decide the cyber threat sharing model you will receive from and possibly contribute to. Threat sharing can be useful and a burden.
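The recommendations above (trusted sources, situational awareness of assets, rapidly assessing applicability and risk, deciding how much intelligence is enough) can be expressed as a small triage step. The following is an added example and not part of the Cyber Oak slides: it takes a constructed IOC feed, a constructed asset inventory and a few constructed log lines, drops indicators from sources below a hypothetical trust floor, keeps only indicators that actually touch a host in this environment, and ranks what remains. The source trust table, the action mapping and all sample data are assumptions for illustration.

```python
"""Added example (not from the Cyber Oak slides): triage a constructed IOC feed
against a constructed asset inventory and log sample, keeping only trusted,
applicable indicators. This is the "how much CTI is enough" decision in code."""
from dataclasses import dataclass
import ipaddress
import re

# Hypothetical trust level per intelligence source (the "trusted sources" point).
SOURCE_TRUST = {"isac-feed": 3, "vendor-bulletin": 3, "paste-scrape": 1}
MIN_TRUST = 2


@dataclass
class Indicator:
    ioc_type: str    # "ipv4", "sha256" or "cpe"
    value: str
    source: str
    confidence: int  # 0-100, as published by the source


# Constructed feed entries; addresses come from documentation ranges, not real IOCs.
FEED = [
    Indicator("ipv4", "203.0.113.45", "isac-feed", 90),
    Indicator("ipv4", "198.51.100.7", "paste-scrape", 40),
    Indicator("sha256", "a" * 64, "vendor-bulletin", 85),
    Indicator("cpe", "cpe:2.3:a:example:agent:2.1", "vendor-bulletin", 95),
    Indicator("cpe", "cpe:2.3:a:example:other:9.9", "isac-feed", 95),
]

# Constructed asset inventory: host -> installed software as CPE strings.
ASSETS = {
    "web-01": {"cpe:2.3:a:example:agent:2.1", "cpe:2.3:a:example:httpd:2.4"},
    "db-01": {"cpe:2.3:a:example:agent:2.1"},
    "ws-17": {"cpe:2.3:a:example:office:16"},
}

# Constructed proxy and EDR log lines for the same hosts.
LOGS = [
    "2018-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.45 host=web-01",
    "2018-05-01T10:00:05Z proxy src=10.0.0.9 dst=198.51.100.7 host=ws-17",
    "2018-05-01T10:01:00Z edr host=db-01 sha256=" + "a" * 64,
]

LOG_IP = re.compile(r"dst=(\d+\.\d+\.\d+\.\d+)")
LOG_HASH = re.compile(r"sha256=([0-9a-f]{64})")
LOG_HOST = re.compile(r"host=(\S+)")

# Hypothetical first action per indicator type; a real SOC maps this to a playbook.
ACTION = {"cpe": "patch or mitigate the listed hosts",
          "ipv4": "block egress to the address and investigate the listed hosts",
          "sha256": "isolate the listed hosts and collect the file"}


def is_trusted(ind: Indicator) -> bool:
    """Drop anything from a source below the trust floor before spending analyst time."""
    return SOURCE_TRUST.get(ind.source, 0) >= MIN_TRUST


def affected_hosts(ind: Indicator, assets: dict, logs: list) -> list:
    """Hosts where the indicator applies: installed software for CPEs, observed
    destinations or file hashes in the logs for network and file indicators."""
    hosts = set()
    if ind.ioc_type == "cpe":
        hosts = {h for h, software in assets.items() if ind.value in software}
    else:
        for line in logs:
            host = LOG_HOST.search(line)
            if not host:
                continue
            if ind.ioc_type == "ipv4":
                m = LOG_IP.search(line)
                if m and ipaddress.ip_address(m.group(1)) == ipaddress.ip_address(ind.value):
                    hosts.add(host.group(1))
            elif ind.ioc_type == "sha256":
                m = LOG_HASH.search(line)
                if m and m.group(1) == ind.value.lower():
                    hosts.add(host.group(1))
    return sorted(hosts)


def triage(feed: list, assets: dict, logs: list):
    """Keep trusted, applicable indicators ranked by confidence, source trust and reach.
    Also returns how many feed entries were dropped, so the noise ratio is visible."""
    kept, dropped = [], {"untrusted": 0, "not_applicable": 0}
    for ind in feed:
        if not is_trusted(ind):
            dropped["untrusted"] += 1
            continue
        hosts = affected_hosts(ind, assets, logs)
        if not hosts:
            dropped["not_applicable"] += 1
            continue
        score = ind.confidence * SOURCE_TRUST[ind.source] * len(hosts)
        kept.append({"type": ind.ioc_type, "ioc": ind.value, "hosts": hosts,
                     "action": ACTION[ind.ioc_type], "score": score})
    kept.sort(key=lambda k: k["score"], reverse=True)
    return kept, dropped


if __name__ == "__main__":
    actions, dropped = triage(FEED, ASSETS, LOGS)
    for a in actions:
        print(f"{a['score']:4d} {a['type']:6s} {a['hosts']} -> {a['action']}")
    print("dropped:", dropped)
```

On the constructed data, two of the five feed entries never reach an analyst: one because its source is untrusted, one because nothing in the inventory runs the affected product. The CPE indicator ranks first because it touches two hosts; the scoring weights (confidence, source trust, number of affected hosts) are an assumption and should be tuned to the team's own playbooks.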


THANK YOU

LANCE DUBSKY

FOUNDER & CISO

[email protected]

www.cyberoaksolutions.com