WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Similar documents
RSA NetWitness Suite Respond in Minutes, Not Months

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

SIEM Solutions from McAfee

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

Reducing the Cost of Incident Response

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Popular SIEM vs aisiem

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

C T I A CERTIFIED THREAT INTELLIGENCE ANALYST. EC-Council PROGRAM BROCHURE. Certified Threat Intelligence Analyst 1. Certified

Power of the Threat Detection Trinity

MITIGATE CYBER ATTACK RISK

RSA INCIDENT RESPONSE SERVICES

esendpoint Next-gen endpoint threat detection and response

Designing an Adaptive Defense Security Architecture. George Chiorescu FireEye

CloudSOC and Security.cloud for Microsoft Office 365

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

ForeScout ControlFabric TM Architecture

Noam Ikar R&DVP. Complex Event Processing and Situational Awareness in the Digital Age

THE EVOLUTION OF SIEM

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Building an Effective Threat Intelligence Capability. Haider Pasha, CISSP, C EH Director, Security Strategy Emerging Markets Office of the CTO

Sustainable Security Operations

Are we breached? Deloitte's Cyber Threat Hunting

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

Pedal to the Metal: Mitigating New Threats Faster with Rapid Intel and Automation

Prescriptive Security Operations Centers. Leveraging big data capabilities to build next generation SOC

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Security. Made Smarter.

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

भ रत य ररज़र व ब क. Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

Enhancing Threat Intelligence Data. 05/24/2017 DC416

Traditional Security Solutions Have Reached Their Limit

CYBER SOLUTIONS & THREAT INTELLIGENCE

Business Context: Key for Successful Risk Management

The Evolution of : Continuous Advanced Threat Protection

Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA

WHITE PAPER. The Need to Know

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Novetta Cyber Analytics

BUILDING AND MAINTAINING SOC

Integrated, Intelligence driven Cyber Threat Hunting

with Advanced Protection

Resolving Security s Biggest Productivity Killer

CYBER RESILIENCE & INCIDENT RESPONSE

empow s Security Platform The SIEM that Gives SIEM a Good Name

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

locuz.com SOC Services

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

CYBER SECURITY EFFECTIVENESS FOR THE RESOURCE-CONSTRAINED ORGANIZATION

Threat Intelligence to enhance Cyber Resiliency KEVIN ALBANO GLOBAL THREAT INTELLIGENCE LEAD IBM X-FORCE INCIDENT RESPONSE AND INTELLIGENCE SERVICES

FOR FINANCIAL SERVICES ORGANIZATIONS

Speed Up Incident Response with Actionable Forensic Analytics

Cyber Security Technologies

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

CTI Capability Maturity Model Marco Lourenco

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

Reduce Your Network's Attack Surface

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Business continuity management and cyber resiliency

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Threat Centric Vulnerability Management

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

2018 Edition. Security and Compliance for Office 365

Advanced Malware Protection. Dan Gavojdea, Security Sales, Account Manager, Cisco South East Europe

KnowBe4 is the world s largest integrated platform for awareness training combined with simulated phishing attacks.

Introducing Cyber Observer

MEETING ISO STANDARDS

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Cyber Security. Our part of the journey

IBM Security Systems. IBM X-Force 2012 & CISO Survey. Cyber Security Threat Landscape IBM Corporation IBM Corporation

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large

GDPR: An Opportunity to Transform Your Security Operations

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

RSA INCIDENT RESPONSE SERVICES

Make IR Effective with Risk Evaluation and Reporting

Security and Compliance for Office 365

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

STOPS CYBER ATTACKS BEFORE THEY STOP YOU. Prepare, recognize, and respond to today s attacks earlier with Verizon Security Solutions.

HOSTED SECURITY SERVICES

Protecting organisations from the ever evolving Cyber Threat

deep (i) the most advanced solution for managed security services

Transcription:

WHITE PAPER Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale One key number that is generally accepted and that every CISO watches is 200-days. As reported in many widely accepted reports, that s been the average amount of time between an initial compromise and when its actually discovered in an organization. Law enforcement, a business partner or independent researchers are often the ones to inform an organization that they ve suffered a data breach. In an effort understand possible indicators of compromise (IOCs), many organizations gather threat intelligence data. This data contains information about bad actors on the web, machine generated domain names, known bad IP addresses, lists of email addresses used for phishing campaigns and other data. The threat analyst team will review the IOC data either manually or in a threat intelligence platform (TIP) to understand the relevance of the externally seen IOCs to their business in their vertical for their environment. To understand whether or not any of this data might be relevant for an organization, the organization s security team will attempt to tie a relevant subset of the tens of millions of active IOCs collected from multiple sources to security information from inside their organization and contained in their security information and event management (SIEM) system log data. Most of the threat intelligence feeds available on the market aren t intelligence at all; they re aggregated reports on malware and spam, rogue IP addresses, and vulnerabilities that can t be tied to a given environment. Dave DeWalt, CEO FireEye SIEM Limitations Today s modern SIEM is built on a concept from the late 1990s that data can be collected from a wide variety of security systems can be correlated to reduce false positives, highlight security issues, and support investigation and incident management. In the late 90s, no one could have predicted the large amounts of data streaming into the SIEM every second from a growing number of mission critical applications, security hardware and software solutions, and IT infrastructure. For the average enterprises, the math is obvious: 30,000 events per second (EPS) = 3 billion events per day = 600 GB per day = 120 TB over 200 days! The concept of threat intelligence is only about five years old. To address the need for additional methods of correlation, SIEM vendors added lookup and active list capabilities. These might scale to 500,000 items but certainly not consumption of tens of millions of indicators of compromise. Pricing and scalability are often the two barriers to keeping enough data on-line for active breach detection over the 200-day window. The requisite computing power required for storage and correlation often isn t available to organizations. Many organizations only keep 30-90 days of data on-line and accessible to meet compliance regulations. In summary, the SIEM is not longer an adequate time machine for today s 200-day exposure window.

The Growing Volume of Threat Intelligence Data Threat intelligence has evolved a great deal in a very short period of time. Many customers value having accurate and timely threat intelligence. There are hundreds of sources (free and paid), and many of them are of high quality. However, given the expertise of researchers at individual provider/vendors: One vendor will report an indicator of compromise before another Many threat feeds are offered in different formats making them hard to digest for downstream use in a SIEM None can tell you with 100% certainty that all their IOCs are relevant for your organization. This means that the threat intelligence vendors could be supplying millions of false-positives along with the few that are relevant To defend against cyber attacks, it is important for a defender to have timely access to relevant, actionable threat intelligence and the ability to act on that intelligence. NIST 800-150 (Draft) Many organizations have subscribed to multiple feeds of threat intelligence. Some organizations subscribe to over 40. Threat Intelligence Platforms evolved to curate this data from multiple threat feeds and provide deduplication and post processing of the data to make it digestible for a SIEM. Over the 200-days exposure window it is possible for an organization to have to review over 25 million active indicators of compromise from fee-based and open source threat intelligence providers. Since 2013, the number of active indicators has been growing at an average rate of 39% every month 1 and shows no sign of abating. Part of the growth in the number of IOCs comes from analysis of the almost one million never-before-seen threats being released into wild on a daily basis 2 and attackers that are using domain generation algorithms to create millions of throw-away domains. This technique called Domain Fluxing, is used for keeping a malicious botnet in operation by constantly changing the domain name of the botnet owner s Command and Control (C&C) server. It is also responsible for generating millions of random domains every hour. This reduces the value of threat data by reducing the overall timeliness. The compute power required to correlate all the IOCs with 120TB of data simply isn t available to most organizations. Even if an organization is able to run a correlation search against the data, the search can take hours or days and in some cases never complete. The question of what IOCs collected are relevant for my environment over the last 200 days, goes unanswered. 1 ThreatStream Labs, January 25, 2016 2 Symantec Internet Security Threat Report, April 2015

The Next Big Data Problem Threat Intelligence Data The SIEM has a role to play as the traditional single pane of glass for log data exploration and search, correlation for false-positive reduction, incident investigation, security metrics reporting (often for compliance) and facilitating incident management. Organizations have recognized that increasing amounts of relevant security data from traditional security and application data sources is already a scalablity problem. Creating matches between IOCs and security data is a new big data problem that requires a separate analytics engine that can address current and future scalability issues. As security organizations mature, individual big data solutions that solve particular security problems will emerge that will make up a new layer of security ecosystem. These solutions will provide answers that will be fed back to the SIEM which will continue to facilitate data query, provide automated reports and perform security incident management and investigation. A View of IOCs Across the Threat Models The scalable correlation of tens of millions of IOCs and over 200-days of customer data gives organizations a unique real-time view into attacker activity and the ability to align attacks with current threat reference models. The two predominant models are The Kill Chain shown as the Mandiant s Attack Chain (figure 1) and the Diamond Model (figure 2). Correlation of organization s log data against five key indicators of compromise yields visibility though the lens of each model.

Figure 2 -- Diamond model (from the Diamond Model summary by Sergio Caltagirone) Benefits to the Organization Adding a solution that can scale to collect over 200 days of data from logs and match millions of externally collected IOCs in real-time: Summary Operationalizes threat data for immediate use for incident responders and SOC operations personnel Provides for SIEM scalability and makes the SIEM smarter Means that indicators provided are relevant to your specific company or agency Allows you to identify and measure which streams of threat intelligence are the most relevant for your organization Supports creating linkage between anomalous activities and known threats along the entire attack chain and is relevant for the Diamond Model Moves from security operations center (SOC) to Intelligence-driven security operations center (ISOC 3 ) To address growing scalability issues, organizations will need to embrace a distributed computing approach to security. In addition, Threat Intelligence Platforms will need to create organizational relevance for threat intelligence data. The SIEM will continue to collect log data from traditional security sources and the next generation of threat intelligence platforms will have to answer the question of what s relevant across the window of exposure. These answers to the relevance question will be pushed into existing workflows for analysis and automated response. 3 The Five Characteristics of an Intelligence-Driven Security Operations Center, November 2015, Gartner

About Anomali Anomali delivers earlier detection and identification of adversaries in your organizations network by making it possible to correlate tens of millions of threat indicators against your real time network activity logs and up to a year or more of forensic log data. Anomali s approach enables detection at every point along the kill chain, making it possible to mitigate threats before material damage to your organization has occurred. To learn more, visit www.anomali.com, follow us on Twitter @anomalidetect, contact sales@anomali.com or call 1-844-4-THREATS. Copyright 2016 Anomali. All rights reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback