CYBER THREAT INTEL: A STATE OF MIND. Internal Audit, Risk, Business & Technology Consulting


WHO ARE WE?
Randy Armknecht, CISSP, EnCE, Protiviti Director, IT Consulting, randy.armknecht@protiviti.com
Albin Ahmetspahic, Protiviti Manager, IT Consulting, albin.ahmetspahic@protiviti.com

WHAT IS CYBER THREAT INTELLIGENCE

CYBER THREAT INTELLIGENCE: A DEFINITION
"Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to IT or information assets, and can be used to inform decisions regarding the response to that menace or hazard." -- Gartner

LET'S THINK ABOUT THAT
- Context: data without context is just data; intelligence requires context.
- Mechanism: what are the threat mechanics?
- Indicators: how will we know the threat has been realized?
- Implications: if the threat is realized, what does it mean for us?
- Actionable Advice: if the threat is realized, what actions are necessary to minimize the impact?

DOES YOUR CYBER THREAT INTELLIGENCE PROGRAM GENERATE OUTPUT THAT CONTAINS
- Context
- Mechanisms
- Repeatable Indicators
- Consistent Implications
- Actionable Advice

IF YOU SAID YES

CONGRATULATIONS!

CURRENT STATE
- 49% don't look at the threat intel or reports received
- 43% don't use the data for decision making
- 69% don't have the necessary staff skills
Source: http://www.infosecurity-magazine.com/news/firms-value-threat-intel-but-fail/

SO IF YOU'RE LIKE EVERYBODY ELSE...

WHERE CAN WE OBTAIN INTELLIGENCE?

BUT ARE WE BUYING INTELLIGENCE OR JUST DATA?
Check the purchased output for each element: Context, Mechanisms, Indicators, Implications, Actionable Advice.

SO WHAT SHOULD WE DO?

CYBER THREAT INTELLIGENCE IS A STATE OF MIND
- Take the data from the vendors
- Augment it with your own internal data
- Mix them thoroughly in the minds of your analysts
- Use the results to impart change in the environment
Effective intelligence is the result of a process.
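As an added example (not from the Protiviti deck), the Python below grades each record of a constructed vendor feed against the five elements of the Gartner definition quoted earlier (the "intelligence or just data?" test) and then fuses the records with a constructed internal inventory, so the implication and the advice refer to our own hosts rather than to the vendor's generic statement. The field names, the feed records and the inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
# The five elements of the Gartner definition quoted on the slides.
REQUIRED = ("context", "mechanism", "indicators", "implications", "advice")

@dataclass
class FeedRecord:
    """One vendor feed entry; field names are this example's own, not a vendor schema."""
    name: str
    affects: str = ""      # technology the mechanism targets (constructed field)
    context: str = ""
    mechanism: str = ""
    indicators: list = field(default_factory=list)
    implications: str = ""
    advice: str = ""

def missing_elements(rec: FeedRecord) -> list:
    """Elements of the definition the record lacks; an empty list means it qualifies."""
    return [e for e in REQUIRED if not getattr(rec, e)]

def fuse(rec: FeedRecord, inventory: dict) -> dict:
    """Augment a vendor record with internal data: the implication becomes specific to
    the hosts we actually run, and the advice is only actionable when we are exposed."""
    exposed = sorted(inventory.get(rec.affects, []))
    missing = missing_elements(rec)
    return {
        "threat": rec.name,
        "grade": "data" if missing else "intelligence",
        "missing": missing,
        "exposed_hosts": exposed,
        "implication": (f"{len(exposed)} internal host(s) run {rec.affects}: {rec.implications}"
                        if exposed else f"no internal host runs {rec.affects}; monitor only"),
        "action": rec.advice if exposed else "track indicators; no change required",
    }

# Constructed sample feed: one complete record and one bare indicator dump.
FEED = [
    FeedRecord(name="Campaign-A", affects="exposed RDP",
               context="financial-sector targeting, active this quarter",
               mechanism="password spraying against internet-facing RDP, then lateral movement",
               indicators=["203.0.113.7"],
               implications="initial access to jump hosts",
               advice="enforce MFA on RDP and alert on spray patterns"),
    FeedRecord(name="List-B", indicators=["198.51.100.5", "198.51.100.9"]),
]
# Constructed internal inventory: technology -> hosts running it.
INVENTORY = {"exposed RDP": {"jump-02", "jump-01"}, "vpn": {"vpn-gw"}}

def run(feed=FEED, inventory=INVENTORY) -> list:
    return [fuse(r, inventory) for r in feed]
```

The bare indicator list is graded "data" because it carries no context, mechanism, implication or advice; the complete record only becomes actionable once the inventory shows which hosts are exposed.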

THE CYBER THREAT INTELLIGENCE LIFECYCLE

THE CYBER THREAT INTELLIGENCE LIFECYCLE
1. Planning & Direction
2. Collection
3. Processing & Exploitation
4. Analysis & Production
5. Dissemination & Integration
6. Evaluation
Center of the cycle: CCIR. Feedback closes the loop.

CCIR: COMMANDER'S (CISO) CRITICAL INFORMATION REQUIREMENTS
"Information requirement identified by the commander as being critical to facilitating timely decision making." -- Joint Publication 1-02
Diagram: PIR (priority intelligence requirements) shown within CCIR.

THE CYBER THREAT INTELLIGENCE LIFECYCLE (1) PLANNING & DIRECTION
- Determine intelligence requirements
- Develop a CTI team
- Create a collection plan
- Generate requests for information

THE CYBER THREAT INTELLIGENCE LIFECYCLE (2) COLLECTION
Collect data to satisfy intelligence requirements using all-source collection:
- Critical Applications
- Network Infrastructure
- Security Infrastructure

THE CYBER THREAT INTELLIGENCE LIFECYCLE (3) PROCESSING & EXPLOITATION
- Interpret raw data
- Convert interpreted data into a usable format (information) for analysis

THE CYBER THREAT INTELLIGENCE LIFECYCLE (4) ANALYSIS & PRODUCTION
- Fuse information from Step 3
- Provide facts, findings, and forecasts
- Analysis should be: objective, timely, accurate, actionable
- Use a confidence method

THE CYBER THREAT INTELLIGENCE LIFECYCLE (5) DISSEMINATION & INTEGRATION
Deliver the finished product to intelligence consumers at various levels:
- Strategic (CISO)
- Operational (APT)
- Tactical (TTP)

WHAT DOES IT LOOK LIKE IN AN ORGANIZATION?

COMMON INFORMATION SECURITY ORGANIZATION STRUCTURE
CISO, with the following functions reporting in:
- Governance
- Security Engineering
- CTI
- Compliance
- Security Operations Center (SOC)
- Vulnerability Management

ANALYST ROLES & RESPONSIBILITIES
- Collection: threat feeds, alerts, IOCs, incident reporting
- Processing & Exploitation: indexing, sorting and organizing raw data
- Analysis & Production: integrating and evaluating information, analyzing information, assessing courses of action
- Dissemination & Integration: strategic, operational and tactical consumers

AN EXAMPLE

TOP DOWN, DEFINE THE MISSION
- Mission and Security Definition
- Risk Analysis and Assessment
- Business Processes and Data Mapping
- Existing Architecture and Infrastructure
- Threat Definition and Threat Intelligence
Collection sources: Critical Applications (collect intel), Network Infrastructure (collect intel, net flows), Security Infrastructure (collect intel)
Then: filtering, correlation, analytics, analysis, reporting, prevention, and response; monitoring, triage, analysis, escalation, prevention, counter, and response

APPLYING THE INTELLIGENCE CYCLE TO CTI
Layers, built up bottom to top across the slides:
- Organic Infrastructure (internal resources): endpoint devices, routers, OS / hypervisors, databases, network storage, servers, applications, middleware, FW / DMZ / FW; security devices, software, services, and processes
- Managed Device Layer: Syslog / Eventlog / WMI / Logfile / SNMP / SMTP / SQL / API / Custom
- Intel Collection Layer: security processes (log collectors, event collectors, net flows); threat intel (CTI vendors, OSINT, govt sources, common groups); media and web (social media, news, dark web)
- Correlation Layer: correlation engine, filtering and analysis; security process intel (AV, IDS/IPS, DLP, content security, data & DB security, app security, FIM, FW)
- Analytical Layer: operations, security, and user behavior analytics; workflow automation; config and problem management
- Presentation Layer: reports for security management, IT operations, compliance, and the business

WHAT DID WE LEARN?

WHAT WE'VE LEARNED
Data != Intelligence

CYBER THREAT INTELLIGENCE: A STATE OF MIND

2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.