Cloud and Cyber Security Expo 2019
The Terrain to Actionable Intelligence
Azeem Aleem, VP Consulting, NTT Security

Actionable Intelligence
Actionable intelligence through cyber intelligence
Embedding intelligence-driven security into your environment
Where to use predictive analytics
Creating and applying security metrics to drive performance
"We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard." John F. Kennedy
President John F. Kennedy's speech in 1963 in Washington D.C.
Image source: http://time.com/4711687/john-f-kennedy-diary-hitler/ (Keystone-France Gamma-Keystone/Getty Images)
Making success a reality Cognitive Intelligence
Man on the Moon
Image source: https://www.nationalgeographic.com/science/space/space-exploration/moon-exploration/
Good intelligence isn't just found, it's hunted
[Chart: counts by year (2000, 2012 to 2018); y-axis 0 to 180,000]
Actionable intelligence
What adversaries are attacking me?
How did they achieve it?
What information was taken?
What could we have done better?

Reality: the intelligence-driven SOC
1) Define dwell time: from point of trigger to eyes on (analyst assigned)
2) Separation of duties: analytics (CIRT Tier 1); advanced tools and tactics (SOC/CDC); cyber threat intelligence; advanced analysis
3) Threat intelligence: integrated investigation, visible to the analyst, content analytics
Intelligence-driven security framework
Roles: Tier 1 analyst, Tier 2 analyst, threat intelligence analyst, analysis and tools support analyst, SOC manager
Readiness: establish the state of preparation and the ability to handle actionable intelligence
Response: design and implement a solution that is positioned to handle cyber security incident response and remediation in alignment with business objectives and risk
Resiliency: develop the ability to predict and respond to cyber incidents while operating and sustaining an optimized, intelligent security operations capability

Business and risk alignment: what is the mission, scope, and authority to mitigate the risk?
Visibility: define the visibility required to achieve mission readiness
Readiness content: build enablement for detection (use cases, situational awareness, and baseline)
Security operations: how do I respond, contain, and hunt to achieve the mission, identifying known and unknown threats?
Applied intelligence and analytics: how do I analyze, attribute, and predict the threat and refocus the mission?
Reactive to predictive: the workflow across L1 Analyst, L2 Analyst and Threat Intel Analyst
L1 Analyst (Readiness): Initial Alert/Notification; Incident Tracking and Logging; Incident Categorization / Assign Priority; Triage and Investigate within SLA; Escalation to L2? No: Remediation / Recovery recommendations, Communicate and Report Activities. Yes: hand off to L2.
L2 Analyst: Investigate Incident; Analyze Findings; Engaged Content Management? Engage Adv. Analytics? No: Remediation / Recovery recommendations, Communicate and Report Activities, Incident Closure, Incident Review/QA/Lessons Learnt. Yes: hand off to Threat Intel.
Threat Intel Analyst (Predictive): Intel Content Engineering; Advanced Analysis; Unique Intel Findings; Analyze Request of Malware or Forensics; Adjust Controls; Document Findings; Tune Content within Security Tools; Import Indicators to Trending/Analysis; Research Threats; Report Findings; Threat Database; Communicate and Report Activities; Generate Incident Metrics.
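The slides define dwell time as the interval from the point of trigger to an analyst being assigned, and the workflow ends with "Generate Incident Metrics" and a triage-within-SLA step. The example below, added here and not code from the talk or from NTT Security, computes those metrics over a handful of constructed alert records. The Alert record layout, the 60-minute triage SLA, the report time and the sample timestamps are all assumptions for illustration; only the dwell-time definition comes from the slide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional


@dataclass
class Alert:
    """One alert as it moves through the L1 lane (constructed record layout)."""
    alert_id: str
    triggered_at: datetime            # detection fired: the "point of trigger"
    assigned_at: Optional[datetime]   # analyst assigned: "eyes on"; None while still queued
    triaged_at: Optional[datetime]    # triage and investigation complete; None if open
    escalated_to_l2: bool             # outcome of the "Escalation to L2?" decision


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data, not figures from the talk.
SAMPLE_ALERTS = [
    Alert("A-001", _ts("2019-03-12 09:00"), _ts("2019-03-12 09:07"), _ts("2019-03-12 09:40"), False),
    Alert("A-002", _ts("2019-03-12 09:15"), _ts("2019-03-12 09:50"), _ts("2019-03-12 11:10"), True),
    Alert("A-003", _ts("2019-03-12 10:02"), _ts("2019-03-12 10:04"), _ts("2019-03-12 10:30"), False),
    Alert("A-004", _ts("2019-03-12 10:30"), None, None, False),  # still waiting for an analyst
]

# Assumed values for the example: a one-hour triage SLA and the time the report is generated.
TRIAGE_SLA = timedelta(minutes=60)
REPORT_TIME = _ts("2019-03-12 11:00")


def dwell_time_minutes(alert: Alert, now: Optional[datetime] = None) -> float:
    """Dwell time as defined on the slide: trigger -> analyst assigned.

    An alert nobody has picked up yet is still accruing dwell time, so the
    clock runs up to `now` rather than being dropped from the metric.
    """
    end = alert.assigned_at or (now or datetime.now())
    return (end - alert.triggered_at).total_seconds() / 60


def triaged_within_sla(alert: Alert, sla: timedelta) -> Optional[bool]:
    """True/False once triage is complete; None while the alert is still open."""
    if alert.triaged_at is None:
        return None
    return alert.triaged_at - alert.triggered_at <= sla


def incident_metrics(alerts: list, sla: timedelta, now: datetime) -> dict:
    """The 'Generate Incident Metrics' step: dwell time, SLA compliance and escalation rate."""
    dwell = [dwell_time_minutes(a, now) for a in alerts]
    sla_results = [triaged_within_sla(a, sla) for a in alerts]
    completed = [r for r in sla_results if r is not None]
    return {
        "alerts": len(alerts),
        "unassigned": sum(1 for a in alerts if a.assigned_at is None),
        "mean_dwell_min": round(mean(dwell), 1),
        "median_dwell_min": median(dwell),
        "max_dwell_min": max(dwell),
        # SLA compliance is measured only over alerts whose triage has finished.
        "sla_met_pct": round(100 * sum(completed) / len(completed), 1) if completed else None,
        "escalation_pct": round(100 * sum(a.escalated_to_l2 for a in alerts) / len(alerts), 1),
    }


def sample_metrics() -> dict:
    """Run the metrics over the constructed sample with the assumed SLA and report time."""
    return incident_metrics(SAMPLE_ALERTS, TRIAGE_SLA, REPORT_TIME)


if __name__ == "__main__":
    for name, value in sample_metrics().items():
        print(f"{name}: {value}")
```

Two design choices worth noting: the still-unassigned alert (A-004) counts towards dwell time with the clock still running, so a growing backlog shows up in the mean and maximum instead of being hidden, while SLA compliance is computed only over alerts whose triage has actually finished, so an open alert neither passes nor fails the SLA until it is resolved.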
Value of predictive analytics: improved resiliency
Kill chain phases: Reconnaissance, Weaponize, Delivery, Exploitation, Installation, C2, Action
Earlier detection of threats

Value of visibility and metrics: before vs. after resource investment
Kill chain phases: Reconnaissance, Weaponize, Delivery, Exploitation, Installation, C2, Action

Resiliency success factor
SOC mission: Monitoring Team, Vulnerability Management, Incident Response, Threat Intelligence, Security Engineering, each with its own critical success factor
Getting the cyber swing
Azeem Aleem, VP Consulting, NTT Security
Follow me on Twitter: @azeem_aleem
Come and see us at Stand S4333
Thank you