1
Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations
John Pescatore, SANS
Adam Meyer, SurfWatch Labs
2
Obligatory Agenda Slide
• Housekeeping info
• Here’s what we will do
○ 1:05 – 1:15 Overview – John Pescatore
○ 1:15 – 1:45 Threat Intelligence – Adam Meyer
○ 1:45 – 2:00 Q&A
Thanks to our sponsor:
3
Q & A
• Please use GoToWebinar’s Questions tool to submit questions to our panel.
• Send to “Organizers” and tell us if it’s for a specific speaker.
4
Making Security Advances During Turbulent Times
• Threats aren’t standing still
• Business/technology demands aren’t, either
• Prevent more, detect faster, resolve with less disruption
5
Which Industries Are Most at Risk?
Source: Symantec 2016
6
Or Are These Industries Most at Risk?
Source: FireEye 2016
7
Or Maybe These?
Source: FireEye 2016
8
Lifecycle of a Unicorn (CVE-2014-6332)
Source: Microsoft Security Intelligence Report, 2015
9
Shifting Strategies
Source: Intel Security 2016
10
Shield
• FW/IPS
• Anti-malware
• NAC
Eliminate Root Cause
• Patch Management
• Config Management
• Change Management
Monitor/Report
• SIEM
• Security Analytics
• Incident Response
Continuous Processes: Policy, Assess Risk, Baseline (Vuln Assessment/Pen Test, Security Configuration), Mitigate, Discovery/Inventory
• Software Vuln Test
• Training
• Network Arch
• Privilege Mgmt
Drivers: Threats, Regulations, Requirements, OTT Dictates
11
Defining Situational Awareness
• Pre-flight: plan safest route
• In flight: decreasing reaction time so that the mission gets accomplished and the pilot returns safely
• Post-flight: do better next time
12
Plenty of Data
• Threat feeds
• Security Controls status/configuration
• Log Monitoring
• Asset Status
○ Network Scanning
○ Passive Discovery
○ Credentialed Access
○ Local agent drill-down
13
From Data to Action
Business Intelligence Big Data
Security Big Data
Fraud/Transaction Big Data
→ Threat Analytics
→ Situational Awareness
→ Security Controls Analytics
→ Action!
14
Focus/Force Multiplication
• Need to focus limited resources on the highest payback areas.
• Turn floods of data into harvests of information.
• False positives are not the problem – wasting time on them is.
• Situational awareness vs. information/event management.
• Action – prevent more, detect faster, resolve more surgically.
• Intelligence vs. voyeurism…
Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations
Today’s Speaker
2
Adam Meyer
Chief Security Strategist
SurfWatch Labs
Gaining Visibility of Cyber Risks is Critical to the Viability of Your Business
• A majority of attacks compromise defenses within minutes, but detecting the breach takes on average 200+ days
• Leaders are struggling to align security strategies with real-world business strategies
- 14% of corporations report that the Board is actively involved in cybersecurity preparedness
- 52% report minimal involvement
• Supply chain represents significant risk - 57% of breaches originate from partners and suppliers (PwC)
18
Cybercriminals shift tactics to hit targets that are:
“Attractive” and “Soft”
The Threat Balloon
19
There’s an Intel Gap Between Cyber Security and the Business
20
Source: http://ryanstillions.blogspot.com/2014/04/on-ttps.html
Cyber Threat Intelligence Stack
21
Defining “Intelligence”
Intelligence is regularly defined as information that can be acted upon to change outcomes.
1. Move from “unknown unknowns” to “known unknowns” by discovering the existence of threats, and then …
2. Shift “known unknowns” to “known knowns”, where the threat is well understood and mitigated.
While this is the norm for defenders, it’s not normal for decision makers.
Put Cyber Threat Intelligence into Terms the Business Can Understand
22
Organization
• Be Defendable
• Executive Communications (Non-Technical)
• Is the Business Unit “Well Positioned” Against Threats? Why Not?
Business Unit
• What the Business Cares About
• What is the Threat Surface?
• What Investments are Needed?
Products and Services
• Needs of the User Community
• User Point of Presence
• Public Facing / Adversary Exposure
Tools in Support of the Product/Service
• IT Pain Points
• Decentralized Oversight (Shadow IT, Disconnected IT Teams)
Infrastructure to Support the Tools
Data in Support of the Business
• Adversary’s Target
• Liability and Regulatory Impact
Put Cyber Threat Intelligence into Terms the Business Can Understand
23
Strategic (Decision)
• For Senior Leaders
• Used to measure cyber risk and make investments
Operational (Output)
• Bridges the broad, non-technical, strategic needs with the narrow, technical inputs
• Focuses on the immediate operating environment
Tactical (Output)
• Where On-the-Network actions take place
• The efforts to Detect and Respond to on-the-wire events
Internal vs. External Threat Intelligence
24
Internal
• Necessary for tactical defense
- Prevention
- Detection
- Incident Response
- Information Exchange
External
• Necessary for managing overall organizational risk
- Industry threat activity
- Fraud/Extortion
- Brand & Reputation
- Targeting
25
Measuring Cyber Threat Intelligence
• Start Simple
– Good business managers run things on a foundation of the evaluated intelligence – it’s the thing you know.
• Make Risks Learnable
– Learnable risks are the ones we could make less uncertain if we took the time and resources to learn more about them.
– Random risks are defined as those that had no analysis.
– Separating learnable risks from random ones in business decisions, by their causes or drivers, can make them less uncertain.
– Tie learnable risks to any characteristics that make you “you”.
26
Measuring Cyber Threat Intelligence
• Enable Good Analysis
– If an intelligent human is conducting an attack, intelligent humans must be directing the defense.*
– All operations in cyberspace begin with a human being.**
• Ensure You are Defendable
– Against malicious individuals and groups
– In court and against regulatory action
– Your brand, both personal and organizational
* Defendable Architectures, Lockheed Martin: Achieving Cyber Security by Designing for Intelligence Driven Defense
** Intelligence and National Security Alliance (INSA)
The CISO’s Tug of War
27
Source: EMC
Intelligence Operations (Tracking Threats) vs. Network Defense (Stop the Bleeding)
How a CISO Can Leverage Threat Intelligence to Mitigate Risk
• Intelligence provides critical insights on ACTIVE threats to your business and can be applied to different areas of the business
- Threat intelligence teams – know threat actors and their motivations to improve your defenses
- Fraud teams – understand what commodities are being monetized so you can minimize fraud
- Partners and Suppliers – understand the “presence” your vendors have to complement supply chain risk management
- Breach Response – instead of waiting to “get the call” from law enforcement, get ahead of the curve
28
Mitigating Risk with a Practical Intelligence Operation
• Co-Managed Intel – Complement your intel and facilitate faster, more effective risk management decisions
• Focus on Analysis – It’s less about getting more data and more about enabling sound analysis
• Link Intel to Business Impact – Avoid alert fatigue by worrying about threats specific to your business
• People, Process, Technology – Good intelligence leverages automation, expert human analysis and a process for using the intel
30
SurfWatch Labs Bridges the Intelligence Gap
Additional SurfWatch Labs Resources
SurfWatch Cyber Advisor: www.surfwatchlabs.com/cyber-advisor
Dark Web Surveillance: www.surfwatchlabs.com/dark-web-intelligence
Request a Demonstration:
• Personal Demo: info.surfwatchlabs.com/request-demo
• Demo Webinar: info.surfwatchlabs.com/Webcast/Threat-Intel-Live-Demo-Series
Connecting Your Intelligence Tradecraft to Business Operations
33
Resources
• SANS: https://www.sans.org/webcasts/archive/2016
• SANSFire: https://www.sans.org/event/sansfire-2016
• SurfWatch Labs: https://www.surfwatchlabs.com
• Questions: [email protected]
• @John_Pescatore
34
Acknowledgements
Thanks to our sponsor:
And also to our speakers and to our attendees:
Thank you for joining us today
© 2016 The SANS™ Institute – www.sans.org