© 2015 IBM Corporation
i2 User Group Conference 2016

Page 1

Cyber Threat Intelligence: Start Seeing The Threats Before They Hit You

Andrew Hawthorne, UK&I i2 Financial Services Lead

Page 2


Why wait to get punched…


Page 3


…When you could see it coming and defend…


Page 4


…Or even dodge it entirely!


Page 5


Both security and analysis must address the problem


[Chart: Non-Linear Relationship Between Effectiveness and Cost. X-axis: Level of Effort / Investment (Tactical, Operational, Strategic). Y-axis: Percent of Threats Stopped (80%, 90%, 99.9%). Stages: Implement a Security Framework; Advanced Security Intelligence; Cyber Analysis (High Effort). Groupings: Information Security; Cyber Analysis. Example of Personnel: Tier One SOC Analyst, Tier Two SOC Analyst, Incident Responders, Cyber Analysts, Threat Researchers. Example of Product: Firewall, SIEM, i2 Intelligence.]

Page 6


Cyber Analysis Results

• Integrated data feeds

• Enterprise awareness

• Compliance monitoring

• Threat discovery

• Risk management

• Enable decisions

Elements of Cyber Analysis


Leveraging an analytical platform and internal and external information feeds, Cyber Analysts can help form a deep understanding of the threats targeting your organization.

[Diagram: sources feeding Threat Intelligence Analysis. Categories: Mostly External Sources; Traditional IT Sources; Non-Traditional Sources; Human Enabled. Sources shown: Community Info, Threat Indicators, Government Alerts, Social Media / Hacker Forums, Intel Vendors, Dark Web, PCAP, System Logs, Alerts, SIEM, Vulnerability Scans, SSO/AD, Access Logs, Account Creation, Badge Logs, Behavioral Data, HR Data, Persona Data. Outputs: Security Intelligence; Threat Intelligence.]

Page 7


Fuse Siloed Data for Comprehensive Insight


[Diagram: data silos to be fused]

• SIEM, Infrastructure & Systems

• OSINT, Intel Feeds & Dark Web

• Devices & Applications

• Customer/KYC

• Payments & Transactions

• Physical

• Staff & Corporate Data

Page 8


Tactical Cyber Intelligence Operations Example


Extending Investigations and Function

On Demand Access to SIEM data, notable events, and alerts:

• Expand on an Alert: analysts can tie an alert to multiple previous events, opening up the investigation

• Enable Hunting: explore the SIEM data in a different way, uncovering patterns of interest and unseen events

• Light Weight Deployment: i2 EIA takes advantage of the SIEM data warehouse and seamlessly connects 10 analysts to the system, getting them up and running in less than 30 days


“An investigation that would have taken me all day in Splunk took me 10 clicks with i2.” – Brian Olson, VP Security Operations & Architecture
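The "expand on an alert" and "fuse siloed data" ideas on this slide and the previous ones, as an added example that is not code from the deck or from the i2 product: constructed records from several silos (SIEM, badge system, vulnerability scanner, AD) are normalised into one object model, and a notable SIEM event is expanded to the prior events that share an entity with it, pivoting transitively from host to user so records from other silos are pulled in. The entity types, sources and records are all assumptions for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample records from siloed sources, normalised into one object model:
# (source, ISO timestamp, {attribute: value}). None of these are real data.
EVENTS = [
    ("badge", "2016-01-10T08:00:00", {"user": "jdoe", "door": "lobby"}),
    ("vuln",  "2016-02-27T02:00:00", {"host": "ws-17", "finding": "unpatched-browser"}),
    ("ad",    "2016-02-29T17:40:00", {"user": "jdoe", "group": "finance-admins"}),
    ("badge", "2016-03-01T07:55:00", {"user": "jdoe", "door": "dc-entrance"}),
    ("siem",  "2016-03-01T08:02:00", {"user": "jdoe", "host": "ws-17", "ip": "10.1.4.22"}),
    ("siem",  "2016-03-01T09:10:00", {"host": "ws-17", "ip": "10.1.4.22", "dst": "203.0.113.9"}),
    ("siem",  "2016-03-01T09:30:00", {"user": "asmith", "host": "ws-40"}),
]
# The notable event an analyst starts from: an outbound connection from ws-17.
ALERT = EVENTS[5]

# Attribute types treated as linkable entities in the single object model (assumed).
ENTITY_TYPES = ("user", "host", "ip")

def entities(attrs):
    """Entities an event contributes to the link chart, as (type, value) pairs."""
    return {(k, v) for k, v in attrs.items() if k in ENTITY_TYPES}

def expand_alert(alert, events, window_days=3, hops=2):
    """Return the events before `alert` (within `window_days`) that share an entity with
    it, following newly discovered entities transitively for up to `hops` rounds, so a
    host-based alert can pull in the user's badge and AD records from other silos."""
    t_alert = datetime.fromisoformat(alert[1])
    window = timedelta(days=window_days)
    frontier, seen = entities(alert[2]), entities(alert[2])
    linked = []
    for _ in range(hops):
        discovered = set()
        for ev in events:
            t = datetime.fromisoformat(ev[1])
            if not (t_alert - window <= t < t_alert):
                continue                      # not prior, or outside the look-back window
            ents = entities(ev[2])
            if ents & frontier and ev not in linked:
                linked.append(ev)
                discovered |= ents - seen     # e.g. the user seen on the alerting host
        seen |= discovered
        frontier = discovered                 # next round pivots on new entities only
        if not frontier:
            break
    return sorted(linked, key=lambda ev: ev[1])

if __name__ == "__main__":
    for src, ts, attrs in expand_alert(ALERT, EVENTS):
        print(f"{ts}  {src:<6} {attrs}")
```

With the default 3-day window the vulnerability finding is too old to be linked; widening the window to 7 days pulls it in through the shared host.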

Page 9


Catching the Wave…


Page 10


Fusion Centre – Concept of Operations

[Diagram: Fusion Centre. Labels: Consolidated Information Store: Single Object Model; 0–24 Hour Cycle. Teams: Fraud & AML FIU; Security & Internal Investigations; Insider Threat; Enterprise & Corp Risk Management; Cyber Threat Intelligence; Incident Response; Watch Officer.]

Fusion Center Key Points:

• LNOs represent separate teams

• i2 merges disparate data sources

• Tactical operations take place in center

• External teams handle strategic issues

• Place where Enterprise Intel comes together

Page 11


Thank you