Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations. John Pescatore, SANS; Adam Meyer, SurfWatch Labs


Page 1: Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations

Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations

John Pescatore, SANS
Adam Meyer, SurfWatch Labs

Page 2

Obligatory Agenda Slide

• Housekeeping info
• Here’s what we will do
○ 1:05 – 1:15 Overview – John Pescatore
○ 1:15 – 1:45 Threat Intelligence – Adam Meyer
○ 1:45 – 2:00 Q&A

Thanks to our sponsor:

Page 3

Q & A

• Please use GoToWebinar’s Questions tool to submit questions to our panel.

• Send to “Organizers” and tell us if it’s for a specific speaker.

Page 4

Making Security Advances During Turbulent Times

• Threats aren’t standing still
• Business/technology demands aren’t, either
• Prevent more, detect faster, resolve with less disruption

Page 5

Which Industries Are Most at Risk?

Source: Symantec 2016

Page 6

Or Are These Industries Most at Risk?

Source: FireEye 2016

Page 7

Or Maybe These?

Source: FireEye 2016

Page 8

Lifecycle of a Unicorn (CVE-2014-6332)

Source: Microsoft Security Intelligence Report, 2015

Page 9

Shifting Strategies

Source: Intel Security 2016

Page 10

Shield

Eliminate Root Cause

Monitor/Report

Policy

Assess Risk

Baseline
• Vuln Assessment/Pen Test
• Security Configuration

Mitigate

• FW/IPS
• Anti-malware
• NAC

• Patch Management
• Config Management
• Change Management

• Software Vuln Test
• Training
• Network Arch
• Privilege Mgmt

Discovery/Inventory

• SIEM
• Security Analytics
• Incident Response

Threats / Regulations / Requirements / OTT Dictates

Continuous Processes

Page 11

Defining Situational Awareness

• Pre-flight: plan safest route
• In flight: decreasing reaction time so that the mission gets accomplished and the pilot returns safely
• Post-flight: do better next time

Page 12

Plenty of Data

• Threat feeds
• Security Controls status/configuration
• Log Monitoring
• Asset Status
○ Network Scanning
○ Passive Discovery
○ Credentialed Access
○ Local agent drill-down

Page 13

From Data to Action

Bus. Intelligence Big Data

Security Big Data

Fraud/Transaction Big Data

Threat Analytics

Situational Awareness

Security Controls Analytics

Action!

Page 14

Focus/Force Multiplication

• Need to focus limited resources on the highest payback areas.
• Turn floods of data into harvests of information.
• False positives are not the problem – wasting time on them is.
• Situational awareness vs. information/event management.
• Action – prevent more, detect faster, resolve more surgically.
• Intelligence vs. voyeurism…

Page 15

Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations

Page 16

Today’s Speaker

Adam Meyer
Chief Security Strategist
SurfWatch Labs

Page 17

Gaining Visibility of Cyber Risks is Critical to the Viability of Your Business

• A majority of attacks compromise defenses within minutes, but detecting the breach takes on average 200+ days

• Leaders are struggling to align security strategies with real-world business strategies

- 14% of corporations report that the Board is actively involved in cybersecurity preparedness

- 52% report minimal involvement

• Supply chain represents significant risk - 57% of breaches originate from partners and suppliers (PwC)


Page 18

Cybercriminals shift tactics to hit targets that are:

“Attractive” and “Soft”

The Threat Balloon

Page 19

There’s an Intel Gap Between Cyber Security and the Business

Page 20

Source: http://ryanstillions.blogspot.com/2014/04/on-ttps.html

Cyber Threat Intelligence Stack

Page 21

Defining “Intelligence”

Intelligence is regularly defined as information that can be acted upon to change outcomes.

1. Move from “unknown unknowns” to “known unknowns” by discovering the existence of threats, and then …

2. Shift “known unknowns” to “known knowns”, where the threat is well understood and mitigated.

While this is the norm for defenders, it’s not normal for decision makers.

Page 22

Put Cyber Threat Intelligence into Terms the Business Can Understand

Organization
• Be Defendable

Business Unit
• Executive Communications (Non-Technical)
• Is the Business Unit “Well Positioned” Against Threats? Why Not?

Products and Services
• What the Business Cares About
• What is the Threat Surface?
• What Investments are Needed?

Tools in Support of the Product/Service
• Needs of the User Community
• User Point of Presence
• Public Facing / Adversary Exposure

Infrastructure to Support the Tools
• IT Pain Points
• Decentralized Oversight (Shadow IT, Disconnected IT Teams)

Data in Support of the Business
• Adversary’s Target
• Liability and Regulatory Impact

Page 23

Put Cyber Threat Intelligence into Terms the Business Can Understand

Strategic
• For Senior Leaders
• Used to measure cyber risk and make investments

Operational
• Bridges the broad, non-technical, strategic needs with the narrow, technical inputs
• Focuses on the immediate operating environment

Tactical
• Where On-the-Network actions take place
• The efforts to Detect and Respond to on-the-wire events

Decision

Output

Output

Page 24

Internal vs. External Threat Intelligence

Internal
• Necessary for tactical defense
- Prevention
- Detection
- Incident Response
- Information Exchange

External
• Necessary for managing overall organizational risk
- Industry threat activity
- Fraud/Extortion
- Brand & Reputation
- Targeting

Page 25

Measuring Cyber Threat Intelligence

• Start Simple
– Good business managers run things on a foundation of the evaluated intelligence – it’s the thing you know.

• Make Risks Learnable
– Learnable risks are the ones we could make less uncertain if we took the time and resources to learn more about them.
– Random risks are defined as those that had no analysis.
– Separating learnable risks from random ones in business decisions, and looking for their causes or drivers, can make them less uncertain.
– Tie learnable risks to any characteristics that make you “you”.

Page 26

Measuring Cyber Threat Intelligence

• Enable Good Analysis
– If an intelligent human is conducting an attack, intelligent humans must be directing the defense.*
– All operations in cyberspace begin with a human being.**

• Ensure You are Defendable
– Against malicious individuals and groups
– In court and against regulatory action
– Your brand, both personal and organizational

* Defendable Architectures: Lockheed Martin, “Achieving Cyber Security by Designing for Intelligence Driven Defense”
** Intelligence and National Security Alliance (INSA)

Page 27

The CISO’s Tug of War


Source: EMC

Intelligence Operations (Tracking Threats) vs. Network Defense (Stop the Bleeding)

Page 28

How a CISO Can Leverage Threat Intelligence to Mitigate Risk

• Intelligence provides critical insights on ACTIVE threats to your business and can be applied to different areas of the business

- Threat intelligence teams – know threat actors and their motivations to improve your defenses

- Fraud teams – understand what commodities are being monetized so you can minimize fraud

- Partners and Suppliers – understand the “presence” your vendors have to complement supply chain risk management

- Breach Response – instead of waiting to “get the call” from law enforcement, get ahead of the curve


Page 29

Mitigating Risk with a Practical Intelligence Operation

• Co-Managed Intel – Complement your intel and facilitate faster, more effective risk management decisions

• Focus on Analysis – It’s less about getting more data and more about enabling sound analysis

• Link Intel to Business Impact – Avoid alert fatigue by worrying about threats specific to your business

• People, Process, Technology – Good intelligence leverages automation, expert human analysis and a process for using the intel


Page 30

SurfWatch Labs Bridges the Intelligence Gap

Page 31

Additional SurfWatch Labs Resources

SurfWatch Cyber Advisor: www.surfwatchlabs.com/cyber-advisor

Dark Web Surveillance: www.surfwatchlabs.com/dark-web-intelligence

Request a Demonstration:

• Personal Demo: info.surfwatchlabs.com/request-demo

• Demo Webinar: info.surfwatchlabs.com/Webcast/Threat-Intel-Live-Demo-Series

Connecting Your Intelligence Tradecraft to Business Operations


Page 32

Page 33

Resources

• SANS: https://www.sans.org/webcasts/archive/2016
• SANSFire: https://www.sans.org/event/sansfire-2016
• SurfWatch Labs: https://www.surfwatchlabs.com
• Questions: [email protected]
• @John_Pescatore

Page 34

Acknowledgements

Thanks to our sponsor:

And also to our speakers and to our attendees:

Thank you for joining us today

© 2016 The SANS™ Institute – www.sans.org