Building Successful Threat Intelligence Programs

Transcription:

Threat Intelligence-Driven Security: Building Successful Threat Intelligence Programs
Allan Thomson, LookingGlass CTO, June 2017

Intelligence-Driven Security

Threat Intelligence: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to IT or information assets. It can be used to inform decisions regarding the subject's response to that menace or hazard. [1]

Informs Threat Mitigation: the elimination or reduction of the frequency, magnitude, or severity of exposure to risks, or minimization of the potential impact of a threat or warning. [2]

Reduces Risk: the possibility that something bad or unpleasant (such as an injury or a loss) will happen. [3]

[1] Market Guide for Security Threat Intelligence Services, Gartner, 14 October 2014
[2] http://security.stackexchange.com/questions/tagged/threat-mitigation
[3] Webster's Dictionary

2017 LookingGlass. All Rights Reserved.

The Threat Landscape (courtesy: Google keynote presentation, FIRST 2017)

Threat sophistication, from lowest to highest:
- Technical (not people)
- People who are not good at computers
- People who are good at computers
- People who are good at computers, organized & experienced
- People who are good at computers, organized, experienced & kinetic

Which threat level do you face?

Intelligence Lifecycle (a continuous cycle):
- Assess Changes to Requirements
- Define Needs With Organization
- Configure Collection Management System
- Review and Fine Tune System Tasking
- Sort, Filter, Vet & Prioritize Data
- Analyze Relevant Data
- Draft and Deliver Intelligence Product to Organization
- Discuss Impact, Manage Follow Up Actions

Intelligence Efforts Focus

Identify intelligence efforts that protect the following (shown as concentric rings: Self, then Third Party & Supply Chain, then Indirectly Connected):
- Priority #1: Self
- Priority #2: Third Party & Supply Chain
- Priority #3: Indirectly Connected

The Need For Cyber Assessment: Use Case

- An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak
  https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#445543fde599
- Verizon's Data Breach Fighter Gets Hit With, Well, a Data Breach
  http://fortune.com/2016/03/24/verizon-enterprise-data-breach/
- Hackers Threaten to Release 30GB of Stolen Data From San Francisco's Municipal Railway
  http://fortune.com/2016/11/28/muni-hack-san-francisco/

Threat Intelligence Program Framework: 7 Parts
- What you need
- Who you need
- How they're organized
- How the program works
- What the program uses
- How it's measured
- What & how it delivers

Intelligence Program Part 1

Intelligence Program Part 1 (continued)

Phishing Examples:
- Phish Honeypots, spam email, and links
- Customer Abuse Box Feed/Monitoring
- Org Web Logs
- Phone/SMS messages
- Domain Name Registrations and Go Live Alerts
- Phishing Sites Detection System

Brand Protection Examples:
- Logos and Visual Marks
- Impostor Social Media Accounts
- Copyrighted Image Search
- Claimed Relationships

Takedown Services Examples:
- Malware
- Imposters
- Confidential Files
- Phishing
- Phone
- Email

Cyber Assessment: Use Case

Provide security executives with an assessment of either the organization's own systems and assets or those of Third Parties & the Supply Chain. Build a program to continuously assess and report.

Areas to consider:
- Network Footprint
- System Compromises & Infections
- Account Compromises
- External Facing Vulnerabilities
- Domain & Spear-Phishing Risk
- Intelligence Indications & Warnings

Intelligence Program Part 2

Tip: Focused On Specific Deliverables

Program:
- Planning
- Architecture
- Strategy

Security Subject Matter Experts (SME):
- Cyber Analysts
- Social Analysts
- Phishing Analysts
- Malware / Forensic Specialists
- Incident Response Specialists
- Brand Protection Analysts
- Rogue Applications
- Third Party Risk Analysts
- Physical Security Analysts
- Language & Translation Specialists

Network System SMEs:
- Network Security Operations
- Network Integration Specialists

Development SMEs:
- Software developers
- Data processing
- Data analytics
- Data visualization

Cyber Assessment: Use Case

Required:
- Planning
- Architect
- Manager
- Cyber Analyst
- Social Analyst
- Third Party Risk Analyst
- Software developers covering data processing, data analytics and data visualization

Intelligence Program Part 3

Tip: Consider a Tiered Structure; Support 24x7 Operations

Structure:
- Manager
- Tier 1 Cyber Threat Analysts (junior)
- Tier 2 Cyber Threat Analysts (senior)

Typical Work Schedule:
- 12 hour shifts, 4 on / 4 off, with relief support

Tiered Structure Essential:
- Tier 1 Example: 24 full-time Cyber Analysts
- Tier 2 Example: One full-time Senior Cyber Threat Analyst and three full-time Cyber Threat Analysts

Backup/Resiliency:
- Have permanent remote team members as geographic backup and resiliency support

Cyber Assessment: Use Case

Structure:
- Manager
- Cyber/Social/Third Party Analysts
- Software Development

Work schedule:
- On demand
- 9-to-5

Intelligence Program Part 4

Tips:
- Functional Area Specific
- Keep It Current
- Invest in Technology Improvements

Intelligence Program Part 4: High Level 24x7 Real-Time Intelligence

Data sources ingested into the feed: Local Telemetry, Local Org Data, Third Party Data, Industry Data, Global Actor Data, Global Cyber Data

Tier 1: Rapid Alerting
- Ingest Feed
- Vetting/Noise Reduction
- Data Verification
- Data Tagging
- Review Criteria
- Relevancy
- Quality Feedback
- Escalation to Tier 2

Tier 2: Contextual Alerting
- Adding Context (5Ws)
- Additional Tagging for Data Lake/Threat Landscape
- Additional Capture (e.g. Screenshots)
- Relevancy Feedback
- Quality Review
- Alert Hotline to Organization Threat Response (SMTP, SMS, VOIP)

Timing: average alert 1 to 3 min after collection; response 10 to 30 min after collection
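As an added illustration (not code from the deck or from LookingGlass), the following Python models the Tier 1 / Tier 2 flow above on constructed feed records: vetting and noise reduction, relevancy tagging against the organisation's own assets, escalation when feeds corroborate, and the alert latency the slide measures in minutes. The asset inventory, allowlist, feed names and thresholds are assumptions.

```python
from dataclasses import dataclass, field
import ipaddress
# Constructed asset inventory for a hypothetical organisation (not from the deck).
ORG_DOMAINS = {"acme.example", "acmegrp.example"}
ORG_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWLIST = {("ip", "203.0.113.1")}  # known benign scanner: a noise-reduction rule

@dataclass
class Record:
    source: str        # local_telemetry, local_org, third_party, industry, global_actor, global_cyber
    kind: str          # "domain" or "ip"
    value: str
    confidence: int    # 0..100 as reported by the feed
    collected_at: int  # seconds since epoch (constructed)
    sources: set = field(default_factory=set)  # every feed that reported this indicator

def vet(records, min_confidence=40):
    """Tier 1 vetting/noise reduction: drop allowlisted or low-confidence items and merge
    duplicate sightings so a second feed corroborates instead of raising a second alert."""
    merged = {}
    for r in records:
        key = (r.kind, r.value.lower())
        if key in ALLOWLIST or r.confidence < min_confidence:
            continue
        m = merged.setdefault(key, Record(r.source, r.kind, key[1], r.confidence, r.collected_at))
        m.sources.add(r.source)
        m.confidence = max(m.confidence, r.confidence)
        m.collected_at = min(m.collected_at, r.collected_at)  # latency counts from first sighting
    return list(merged.values())

def is_org_asset(rec):
    """Tier 1 relevancy tagging: does the indicator touch our own assets (Priority #1: Self)?"""
    if rec.kind == "ip":
        return any(ipaddress.ip_address(rec.value) in n for n in ORG_NETS)
    return any(rec.value == d or rec.value.endswith("." + d) for d in ORG_DOMAINS)

def route(records, now):
    """Rapid Tier 1 alert for anything touching our assets; escalate to Tier 2 (5Ws, context,
    screenshots) when 2+ feeds corroborate or confidence is high. Returns
    (tier, indicator, minutes since collection) so alert latency can be measured."""
    out = []
    for r in records:
        if is_org_asset(r):
            tier = 2 if len(r.sources) >= 2 or r.confidence >= 80 else 1
            out.append((tier, r.value, (now - r.collected_at) // 60))
    return out
SAMPLE = [  # constructed feed records, not real telemetry
    Record("local_telemetry", "ip", "203.0.113.1", 90, 1000),          # allowlisted: dropped
    Record("third_party", "domain", "login.acme.example", 60, 1000),
    Record("global_cyber", "domain", "LOGIN.ACME.EXAMPLE", 55, 1060),  # same sighting, 2nd feed
    Record("industry", "ip", "203.0.113.77", 30, 1000),                # below confidence floor
    Record("global_actor", "ip", "198.51.100.9", 95, 1000),            # not our asset
    Record("local_org", "ip", "203.0.113.50", 70, 1100),
]
def sample_run(now=1200):
    return route(vet(SAMPLE), now)
```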

Intelligence Program Part 4: Phishing Detection Specific Workflow System

Workflow: Start -> Assign Ownership -> Site Review -> Update Status -> Action Needed? -> (Yes) Determine Action Type Required -> Create Action -> Initiate Action -> Close Incident -> End

Roles: SOC Manager, SOC Analyst, Analyst Manager

Status Options:
- Not Reviewed
- Under Review
- Call - Waiting for Response
- Email - Waiting for Response
- C&D - Waiting for Response
- No action needed
- Monitor
- Closed

Incident Target Issues:
- Claimed Relationship
- Domain Name Violation
- Image Use
- Multi-Issue
- Objectionable Content
- Traffic Diversion
- Threat
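The status transitions and role gates of that workflow, as an added Python example (not the deck's or LookingGlass's own system). The allowed edges and the role-to-step mapping are assumptions reconstructed from the slide, the incident is constructed, and the time-in-status figures are the raw input for the workflow/time analysis reports discussed under Part 6.

```python
from dataclasses import dataclass, field
# Status options, issue types and roles as listed on the workflow slide.
STATUSES = {"Not Reviewed", "Under Review", "Call - Waiting for Response", "Email - Waiting for Response",
            "C&D - Waiting for Response", "No action needed", "Monitor", "Closed"}
WAITING = {s for s in STATUSES if s.endswith("Waiting for Response")}
ISSUE_TYPES = {"Claimed Relationship", "Domain Name Violation", "Image Use", "Multi-Issue",
               "Objectionable Content", "Traffic Diversion", "Threat"}
# Allowed status edges: an assumption reconstructed from the slide's flow (the deck does not list edges).
TRANSITIONS = {
    "Not Reviewed": {"Under Review"},                           # Assign Ownership
    "Under Review": WAITING | {"No action needed", "Monitor"},  # Site Review -> Action Needed?
    **{w: (WAITING - {w}) | {"Monitor", "Closed"} for w in WAITING},  # change channel or resolve
    "No action needed": {"Closed"},
    "Monitor": {"Under Review", "Closed"},
    "Closed": set(),
}

def role_for(status):
    """Who may move an incident into a status (assumption from the slide's role boxes): SOC Manager
    assigns ownership, Analyst Manager decides the action type, SOC Analyst does updates and closure."""
    return "SOC Manager" if status == "Under Review" else "Analyst Manager" if status in WAITING else "SOC Analyst"

@dataclass
class PhishIncident:
    site: str
    opened_at: int                 # seconds since epoch (constructed)
    status: str = "Not Reviewed"
    issue: str = ""                # one of ISSUE_TYPES once an action is decided
    history: list = field(default_factory=list)  # (from, to, role, at): audit trail

def transition(inc, role, new_status, at, issue=""):
    """Apply one workflow step, enforcing both the edge and the role; returns the incident."""
    if new_status not in TRANSITIONS.get(inc.status, set()):
        raise ValueError(f"{inc.status!r} -> {new_status!r} is not a workflow edge")
    if role != role_for(new_status):
        raise PermissionError(f"{role} may not set {new_status!r}")
    if new_status in WAITING and issue not in ISSUE_TYPES:
        raise ValueError("an action needs a classified incident target issue")
    inc.issue = issue or inc.issue
    inc.history.append((inc.status, new_status, role, at))
    inc.status = new_status
    return inc

def time_in_status(inc, now):
    """Seconds spent in each status, the raw material for Part 6 'Workflow/Time analysis'."""
    spent, t = {}, inc.opened_at
    for old, _new, _role, at in inc.history:
        spent[old] = spent.get(old, 0) + (at - t)
        t = at
    spent[inc.status] = spent.get(inc.status, 0) + (now - t)
    return spent

def sample_case():
    """Constructed walk-through: a lookalike domain handled by email, then a cease-and-desist."""
    inc = PhishIncident("login-acme-example.test", opened_at=0)
    transition(inc, "SOC Manager", "Under Review", 600)
    transition(inc, "Analyst Manager", "Email - Waiting for Response", 1800, "Domain Name Violation")
    transition(inc, "Analyst Manager", "C&D - Waiting for Response", 90000, "Domain Name Violation")
    return transition(inc, "SOC Analyst", "Closed", 180000)
```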

Cyber Assessment: Use Case

Gather:
- Domains &
- User Accounts
- Applications

Assess:
- Network Footprint
- System Compromises & Infections
- Account Compromises
- External Facing Vulnerabilities
- Domain & Spear-Phishing Risk
- Intelligence Indications & Warnings

Report

Intelligence Program Part 5

Tips:
- Identify systems based on functional requirements
- Best-in-class focus to support the process

Include:
- Threat Intelligence Platform
- Response Management
- Cyber Intel Workflow
- Phishing Workflow
- Social Media Intel Workflow
- Help Desk INTEL
- Time Management

Intelligence Program Part 5: Use Case

Custom Web Application for Analysts:
- Enter profile data
- Monitor and review status of automated pipeline
- Connects set of collection systems

Used:
- Vulnerability Scanner
- Both Open Source and Commercial Network Footprinting
- Domain Analysis
- Dark and Surface Web Crawlers
- Database and Spreadsheets
- Threat Intelligence Platform (and aggregated MRTI)
- Internet Intelligence

Intelligence Program Part 5: System Use Case

[System diagram: masked example IP addresses (x.x.x.xx) and example organisation assets (Acme Group: acme, acmegrp, access.acme) feeding Infection Records, Compromises, Network Intelligence, Open Source and Vulnerability Scan]

Intelligence Program Part 6

Tips:
- Who are reports for
- Expected outcomes of reports

Including:
- Daily/Weekly Metrics
- Threshold Alerting
- Event Notifications
- Visual and Electronic Event Triggers
- Workflow/Time analysis

Intelligence Program Part 6: Reports

Reports should be:
- Specific
- Segmented
- Actionable
- Business Relevant

Sample report:

Good Afternoon,

Brand Abuse Detection Report

This is the Brand Abuse Detection Report for the week of [Date]. Cyveillance has identified seven incidents that infringe on the [Brand Name] Brand. A list of these infringements consists of:
- One Domain Violation
- Two Impersonation Pages
- One Claimed Relationship
- Three Logo Violations

The data we collected for the week is reflected in the charts below: [charts: Threat Types; Incidents By Source]

Imposter Social Media Accounts
- Company Name: A quick summary of how the page is impersonating your brand will go here.
- Company Name: A quick summary of how the page is impersonating your brand will go here.

Domain Name Registration Monitoring
Newly registered domains of interest: cyveillance.ooo (whois), cyveillance.io (whois), cyveillance.finance (whois)
The top TLD(s) registered using the [brand] name for this week are: .ooo, .finance, .io
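The Domain Name Registration Monitoring section of that sample report can be produced from a daily new-domain feed; the following Python is an added example (not Cyveillance's or LookingGlass's code) run over a constructed week of registrations. It goes a little beyond the exact-match domains the sample shows by also flagging one-character typosquats and labels that embed the brand name.

```python
from collections import Counter

def registrable_label(domain):
    """Split 'label.tld' (assumes single-label TLDs; .co.uk style suffixes are out of scope)."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand):
    """Why a registration is 'of interest': exact brand, brand embedded in the label, or a near-miss."""
    label, _ = registrable_label(domain)
    if label == brand:
        return "exact"
    if brand in label:
        return "contains"   # e.g. brand-login, mybrandsupport
    if levenshtein(label, brand) <= 1:
        return "typo"
    return None

def weekly_domain_summary(new_registrations, brand, owned):
    """Build the 'Domain Name Registration Monitoring' section: domains of interest (excluding the
    company's own registrations) and the TLDs most used with the brand name this week."""
    of_interest, tlds = [], Counter()
    for d in new_registrations:
        d = d.lower()
        if d in owned:
            continue
        kind = classify(d, brand)
        if kind:
            of_interest.append((d, kind))
            tlds["." + registrable_label(d)[1]] += 1
    return of_interest, tlds.most_common()

# Constructed sample week, as if taken from a new-domain feed (not Cyveillance's real data).
NEW_REGISTRATIONS = ["cyveillance.ooo", "cyveillance.io", "cyveillance.finance", "cyveillance.com",
                     "cyveilance.io", "cyveillance-login.ooo", "example.ooo", "surveillance.io"]
OWNED = {"cyveillance.com"}  # the company's own registration, not an infringement

def sample_report():
    return weekly_domain_summary(NEW_REGISTRATIONS, "cyveillance", OWNED)
```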

Intelligence Program Part 6: Report / System & Account Compromises (Use Case)

Analysis & Summary on:
- Total Records Analyzed
- Recent Breaches Listing
- Unique Users Covered
- Malware Infections Found
- High-Recurrence Users
- Reputation Risks
- Executive Credentials

Intelligence Program Part 6: Report / Vulnerabilities (Use Case)
- Listing of sites analyzed
- Assessment of active vulnerabilities found
- Number of instances

Intelligence Program Part 6: Report / Domain & Spear-Phishing Risk (Use Case)
- Company owned domains
- High risk domains

Intelligence Program Part 6: Report / Intelligence & Warnings (Use Case)
- Aggregated view of threat intelligence reports
- Context and background to support analysis
- Analysis and prioritization
- Recommendations on critical intelligence to act on

Intelligence Program Part 6: Report / Exec Summary (Use Case)

Provide to security professionals:
- Insight into application vulnerabilities
- Information on potential leaks and theft of sensitive data
- Identify holes in internal security posture to ensure compliance
- Identify latest data breaches and compromised user accounts
- Reduce risk of high impact exploits such as ransomware, website defacements or malicious injection

Intelligence Program Part 7

Tip: Empower rapid response to incidents and maintain goodwill

Internal and Groups:
- SecOps/NetOps
- IT, Compliance, Third Party Risk

Supply Chain:
- Infosec/SecOps

Industry:
- Data Feeds (Open, Commercial)
- Technology Learnings
- Trusted Sharing

Law Enforcement

Intelligence Program Part 7: Use Case

The final report influences and updates connected teams:
- Vulnerability Mgmt: Patched
- IT: Policy & Password Changes
- Supply Chain / Third Party Risk: Updates Policy and Enforcement
- NetOps & SecOps: Security Rules Update

Recommendations
- Justify: a Threat Intelligence Program to reduce business risk
- Define: the program across the intelligence focus areas (Self, Third Party, Indirect)
- Protect: the business, leveraging threat intelligence

Questions?
www.lookingglasscyber.com
@LG_Cyber
@LookingGlassCyber
/company/lookingglass
/+LookingGlassCyber