© 2015 IBM Corporation
IBM Security
(Security) Ignorance Isn’t Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence
Jim Brennan
Director of Strategy and Product Management
Infrastructure Security & X-Force
Agenda
Threat Intelligence Overview
Current Challenges
Solutions
X-Force Exchange
The 5 Things You Can Do
Questions
What is threat intelligence?
“Evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”*
*Gartner, Definition: Threat Intelligence, Rob McMillan, May 2013, refreshed September 3, 2014, G00249251
The Threat Intelligence market is growing …
Threat Intelligence Services market size (1) [chart]
SANS Cyber Threat Intelligence Summit, 2014 vs. 2015: courses, instructors, disciplines [chart]
1 Gartner, Competitive Landscape: Threat Intelligence Services, Worldwide, 2015, October 2014, G00261001
… and maturing from an industry perspective
Importance as part of any organization’s suite of tools
The criteria for evaluation
– Where is it sourced from?
– How often is it updated?
– Is it vetted by humans?
– And many others …
Threat intelligence does help
Funnel: security events → security attacks → security incidents
– Security events (observable occurrences in a system or network): 91,765,453 annually, 7,647,121 monthly, 1,764,121 weekly; up 12% year on year to 91m
– Correlation and analytics tools (Security Intelligence) reduce events to security attacks: 16,857 annually, 1,405 monthly, 324 weekly; increased efficiencies achieved, i.e. more efficiency in security processing to help clients focus on identified malicious events
– Human security analysts reduce attacks to security incidents (attacks deemed worthy of deeper investigation): 109.37 annually, 9.11 monthly, 2.10 weekly; up 22% year on year
Utilization of threat intelligence can yield a significant reduction in security incidents, as well as speed to respond
Security teams are using multiple sources of intelligence to identify cyber threats, but they come with new challenges
65% of enterprise firms use external threat intelligence to enhance their security decision making (1)
However, security teams lack critical support to make the most of these resources:
– It takes too long to make information actionable
– Data is gathered from untrusted sources
– Analysts can’t separate the signal from the noise
1 Source: ESG Global
Ever-increasing proliferation of cyber threat intelligence feeds
External:
– Malware hashes / MD5
– Brand abuse phishing indicators
– Malware campaigns / indicators
– Fraud payment logs
– Top tier phishing indicators
– Customer asset / credentials
– Threat landscape intel (TTPs)
– Intel as a service (IaaS)
– Staff asset / credentials
– Industry threat intel sharing
– Public sector threat intel
– ISAC threat intel
– Law enforcement threat intel
– Passive DNS intel
– OSINT sentiment analysis
– Underground dark Web intel
– IP reputation intel
– Human Intel (HUMINT)
– Technical Intel (TECHINT)
– Actor intel / indicators
Internal:
– Firewall logs
– Proxy logs
– IDS/IPS logs
– Web logs
– Application logs
– Authentication logs
– Malware detection logs
– Network Security logs
– Building access logs
– Fraud payment logs
– CSIRT incidents
– Vulnerability patch mgmt
– DNS/DHCP logs
– Call/IVR logs
– Endpoint security logs
– Employee directory
– SSO/LDAP context
– Application inventory
– Website marketing analytics
Advanced analytics and human intelligence must be applied and integrated into the organization to leverage the value of all the data
When shopping for intelligence sources, organizations can be overwhelmed by choices as well as the cost and complexity to operationalize and gain a return on investment
Operationalizing it can be costly and complex
The bad actors are already collaborating
Ideal requirements for key capabilities in a solution
– Know everything about the particular observable that starts your investigation, i.e. historical information
– Know everything your colleagues in the same industry know about that particular observable
– Apply everything you and your colleagues know to the controls that exist in your infrastructure in order to better protect your organization
The real value of threat intelligence lies in its application to your business – to turn insight into action
Without insight, organizations struggle to understand and stay ahead of the threat. Potential attacks can be overlooked if the attacker’s methods and motives are unknown.
Armed with this intelligence, organizations can take action ahead of threat to proactively adapt security strategy, remediate vulnerabilities and monitor for impact.
By applying intelligence upfront, an organization can optimize security resources, increase efficiencies, reduce costs and improve risk management.
Threat Intelligence sharing
– It helps provide insight, context, and confidence with respect to the information that is being observed, i.e. an isolated attack or part of a broader industry-wide attack
– It benefits both the organization and the broader community
– Ranges from technical information on a particular piece of malware to more strategic, unstructured content
The current state of threat intelligence sharing
E-mail and informal gatherings
ISACs – Information Sharing and Analysis Centers
– Financial Services, National Health, Information Technology
Threat Intelligence Platforms
– Dynamic market populated by both established players and startups
Machine Readable Threat Intelligence
– STIX – Structured Threat Information Expression
– TAXII – Trusted Automated Exchange of Indicator Information
Introducing IBM X-Force Exchange
A new platform to consume, share, and act on threat intelligence, backed by the reputation and scale of IBM X-Force
Research and collaboration platform and API for:
– Security Analysts and Researchers
– Security Operations Centers (SOCs)
– Security Products and Technologies
IBM X-Force Exchange is:
– OPEN: a robust platform with access to a wealth of threat intelligence data
– SOCIAL: a collaborative platform for sharing threat intelligence
– ACTIONABLE: an integrated solution to help quickly stop threats
OPEN: A robust platform with access to a wealth of threat intelligence data
Quickly gain access to threat data from curated sources:
• Over 700 terabytes of machine-generated intelligence from crawler robots, honeypots, darknets, and spamtraps
• Multiple third party and partner sources of intelligence
• Up to thousands of malicious indicators classified every hour
Human intelligence adds context to machine-generated data:
• Insights from security experts, including industry peers, IBM X-Force, and IBM Security professionals
• Collaborative interface to organize and annotate findings, bringing priority information to the forefront
Leverage the scale of IBM Security and partner ecosystem
ACTIONABLE: An integrated solution to help quickly stop threats
Push intelligence to enforcement points for timely protection
• Integration between IBM Security products and X-Force Exchange-sourced actionable intelligence
• Designed for third-party integration with planned future support for STIX and TAXII, the established standard for automated threat intelligence sharing
• Leverage the API to connect threat intelligence to security products
Integration paths (diagram): API; STIX / TAXII (future feature)
Connected products (diagram): IBM Security Network Protection XGS; IBM Security QRadar Security Intelligence; IBM Security Trusteer Apex Malware Protection; 3rd Party Products
SOCIAL: A collaborative platform for sharing threat intelligence
Add context to threats via peer collaboration
• Connect with industry peers to validate findings
• Share a collection of Indicators of Compromise (IOCs) to aid in forensic investigations
1. INCIDENT RESPONDER: Discovers a new malware domain and marks it as malicious in the X-Force Exchange
2. SECURITY ANALYST: Finds the domain and applies blocking rules to quickly stop malicious traffic. Shares with his CISO using the Exchange
3. CISO: Adds the domain to a public collection named “Malicious Traffic Sources Targeting Financial Industry” to share with industry peers
4. IBM X-FORCE: For the first time, clients can interact with IBM X-Force security researchers and experts directly
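The four-step scenario above (a responder marks a domain, an analyst blocks it, the CISO shares it in a collection) and the machine-readable STIX/TAXII formats named on the sharing slide, as an added example that is not part of the deck or of X-Force Exchange: a shared collection of indicators is read, its domain-name indicators become a blocklist, and the blocklist is applied to constructed proxy log lines. The collection name comes from the slide; the domains, the log lines and the STIX 2.1 JSON indicator shape (which postdates this 2015 deck) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed collection in STIX 2.1-style indicator shape, trimmed to the
# fields this example reads; the domains are constructed sample values.
COLLECTION = {
    "name": "Malicious Traffic Sources Targeting Financial Industry",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'malware-c2.example']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'Phish-Login.example']"},
        {"type": "indicator", "pattern_type": "stix",  # not a domain: skipped
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    ],
}
_DOMAIN = re.compile(r"^\[domain-name:value\s*=\s*'([^']+)'\]$")

def blocklist_from_collection(collection):
    """Turn domain-name indicators into a lowercase blocklist; skip the rest."""
    domains = []
    for obj in collection["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = _DOMAIN.match(obj["pattern"])
        if match:
            domains.append(match.group(1).lower())
    return domains

def is_blocked(host, blocklist):
    """Exact or subdomain match: cdn.malware-c2.example hits, notmalware-c2.example does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)

def scan_proxy_log(lines, blocklist):
    """Constructed squid-style lines: <ts> <client> <status> <method> <url>."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # a malformed line must not abort the scan
        host = urlsplit(fields[4]).hostname or ""
        if is_blocked(host, blocklist):
            hits.append({"client": fields[1], "host": host})
    return hits

SAMPLE_LOG = [  # constructed proxy log lines
    "1425000001.1 192.0.2.10 TCP_MISS/200 GET http://malware-c2.example/beacon",
    "1425000002.2 192.0.2.11 TCP_MISS/200 GET https://www.example.org/",
    "1425000003.3 192.0.2.12 TCP_MISS/302 GET http://cdn.MALWARE-C2.example/x",
    "1425000004.4 192.0.2.13 TCP_MISS/200 GET http://notmalware-c2.example/",
    "garbage",
]
```

Running `scan_proxy_log(SAMPLE_LOG, blocklist_from_collection(COLLECTION))` returns the two clients that reached the marked domain or one of its subdomains, which is the list an analyst would act on in step 2.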
Steps you can take today … on tools
1. Understand your threat intelligence
– Relevance
– Integration
– Efficiency in sharing among products and teams
2. Understand machine readable threat intelligence
– STIX – stix.mitre.org
– TAXII – taxii.mitre.org
– APIs
Steps you can take today … on processes*
3. At a security team level
– Identify information you have
– Collaborate effectively within the organization
4. At a company level
– Team with CIO/CISO
– Understand and address silos and legal issues
5. At an industry level
– Participate in industry security consortiums
– Contribute to online threat intelligence sharing communities
*Source: Rick Holland, Forrester Research
Questions?
www.ibm.com/security
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available
in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s
sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in
any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the
United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or
product should be considered completely secure and no single product, service or security measure can be completely effective in preventing
improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will
necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES
NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE
FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.