OVERVIEW March 13, 2015


Page 2

Healthcare Solution for Automated Threat Exchange and Collaboration

•  Over 300 healthcare organizations actively sharing

2 hitrustalliance.net/cyber-threat-xchange/

“Limit infiltration of my organization and exfiltration of data in an efficient and effective manner.”

−CISO, Health Plan

“My organization needs the ability to streamline processes and based on the quality of the intel determine where best to place capital and operating expenses in defense of the organization.”

−CISO, Hospital

Page 3

Industry Challenge

•  Low-quality intelligence combined with historical, low-fidelity data creates non-actionable alerts

–  Intelligence sourced contained many false positives, including hosting IP addresses and legitimate domain names

•  Time to value – the timeliness of the data was a major concern, as they discovered they were several days behind the industry

–  Not consumable because of an inherent lack of automation

•  Internal development cycles

–  Rather than focusing on the analysis, analysts spent their time fixing scripts and working on content in the SIEM

•  Lack of collaboration – unable to automate the desired collaboration with other organizations in the industry

–  Collaboration is limited to conference calls and back-of-napkin discussions, lacking detection and response capability

•  Threat data packaged for human consumption

–  PDF reports are being manually collected and triaged by analysts who spend time copying and pasting observable data


Page 4

Intelligence Driven Security

•  Proactive Detection
•  Situational Awareness
•  Community Collaboration
•  Proactive
•  Robust Set of IOCs
•  Active and Timely
•  Relevant to Healthcare

Lifecycle diagram labels: Observable Acquisition, Analysis, Enterprise Distribution, Security Operations Collaboration

Page 5

Information Sharing and Collaboration

Proven benefits

•  Provides situational awareness and context across organizational and geographical boundaries
•  Force multiplier – leverage your peers
•  Data classification rules

–  TLP protocol

•  Actor / campaign details
•  Automated distribution
•  Platform agnostic
•  Anonymous and secure


Page 6

Collaboration in Action


Page 7

Return on Investment

Cost to your organization?

•  Worst Case: A breach

•  Malware detection and response?

•  Delayed access to threat observables from industry breaches?

•  Inaccurate Intelligence?

CTX Provides:

•  Analyst force multiplication

•  Speed of identification and accuracy of information

•  Decrease time to detection of malware and targeted attacks

•  Reduce SIEM content and use case building costs

•  Indicator consolidation reduced the man-hours spent acquiring and operationalizing indicators

•  External context and enrichment in a single pane of glass


“To more rapidly identify and subsequently eradicate active threats in my environment is extremely valuable and offers a much quicker ROI to the acquiring entity…”

−CISO, Major Healthcare

Page 8

Summary Q&A

Proactive Detection and Situational Awareness

•  Observables directly integrated into existing security infrastructure
•  Relevant to healthcare

Community Collaboration

•  CTX customers benefit from receiving threat details that have already been tested and vetted
•  Ability to share threat information in an efficient, managed and secure process
•  CTX enables real-time controlled collaboration between trusted partners
•  Allows for organizational oversight and facilitation of sharing by CTX

Actionable and Timely

•  Automated analytics removes invalid IOCs
•  Bi-directional SIEM integration allows for threat validation by CTX


Page 9

Appendix


Page 10

Use Cases and Observables

Broad range of use cases: Malware, APT, Fraud, Phishing, DDoS

Observable types: user agent string, URLs, MD5s, email, IPs, domains, file names

Correlate with: HTTP, email, DNS, proxy, firewall, IPS, application
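The indicator vetting described on slides 3 and 8 (dropping hosting and private addresses, legitimate domains and invalid hashes) and the observable-to-log correlation listed on this slide, as an added Python example that is not part of the HITRUST deck or the CTX product. The feed, the excluded networks and allowlisted domains, and the proxy and endpoint log lines are constructed sample data; the TLP marking is carried through so each hit can be handled under its sharing rule.

```python
import ipaddress
import re
# Constructed sample feed of (value, type, TLP marking); not data from the deck.
FEED = [
    ("203.0.113.45", "ip", "AMBER"),
    ("10.0.0.5", "ip", "GREEN"),                 # RFC 1918 address: never actionable
    ("192.0.2.20", "ip", "GREEN"),               # hosting range the org uses legitimately
    ("evil-update.example", "domain", "AMBER"),
    ("www.example.com", "domain", "GREEN"),      # legitimate domain: alerts on normal traffic
    ("ab" * 16, "md5", "WHITE"),
    ("d41d8cd98f00b204e9800998ecf8427e", "md5", "WHITE"),  # MD5 of an empty file
]
# RFC 1918 ranges plus a constructed allowlist of hosting/known-good infrastructure.
EXCLUDE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]
ALLOW_DOMAINS = {"www.example.com"}
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
# Constructed proxy and endpoint log lines to correlate against.
LOGS = [
    "2015-03-13T10:01:02 proxy src=10.20.30.40 dst=203.0.113.45 host=evil-update.example",
    "2015-03-13T10:01:05 proxy src=10.20.30.41 dst=192.0.2.20 host=www.example.com",
    "2015-03-13T10:03:00 av host=ws17 md5=abababababababababababababababab",
]

def vet(feed):  # keep only indicators that can produce an actionable alert
    kept = []
    for value, kind, tlp in feed:
        value = value.lower()
        if kind == "ip":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                continue                         # malformed address
            if any(ip in net for net in EXCLUDE_NETS):
                continue
        elif kind == "domain" and value in ALLOW_DOMAINS:
            continue
        elif kind == "md5" and (value == EMPTY_FILE_MD5 or not re.fullmatch(r"[0-9a-f]{32}", value)):
            continue
        kept.append((value, kind, tlp))
    return kept

def correlate(indicators, log_lines):  # returns (line, value, type, TLP) per match
    lookup = {value: (kind, tlp) for value, kind, tlp in indicators}
    hits = []
    for line in log_lines:
        for token in dict.fromkeys(re.findall(r"[\w.\-]+", line.lower())):
            if token in lookup:
                hits.append((line, token) + lookup[token])
    return hits
```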


Page 11

Legacy Process (1-2 weeks)

•  Threat intel collected (Threat Team)
•  Manual analysis (Threat Team)
•  Data: pre-process/format (Threat Team)
•  Upload to internal site (Threat Team)
•  Retrieval of threat intel (OPS Team)
•  Manual load to SIEM (OPS Team)
•  Analysis and feedback to Threat Team (OPS Team)


Page 12

Operational Intelligence (1 hour or less)

•  Threat intel collected
•  Upload to CTX (pre-process, aggregate, analyze)
•  Security infrastructure alert
•  Analysis
•  Threat Team / analyst feedback and collaboration

Page 13

Indicator Acquisition

•  OPTIC / Research
•  Trusted Collaboration
•  Homeland Security
•  Partners (APP Store)
•  Sandbox
•  Modern Honey Net

Lifecycle stage: Threat Indicator Acquisition


Page 14

Enterprise Integration

•  Integrate to existing security infrastructure
•  Delivered from the cloud
•  Correlation instructions

–  Rules, reports, dashboards

•  One-click browser
•  REST API
•  STIX

Lifecycle stage: Enterprise Distribution
