Let s Talk About Threat Intelligence

Similar documents
QRadar Feature Discussion IBM SECURITY SUPPORT OPEN MIC

Optimizing IBM QRadar Advisor with Watson

IBM Security Support Open Mic

May the (IBM) X-Force Be With You

Integrated, Intelligence driven Cyber Threat Hunting

IBM Threat Protection System: XGS - QRadar Integration

Introduction to IBM Security Network Protection Manager

IBM Security Network Protection Open Mic - Thursday, 31 March 2016

Analyzing Hardware Inventory report and hardware scan files

Threat Intelligence to enhance Cyber Resiliency KEVIN ALBANO GLOBAL THREAT INTELLIGENCE LEAD IBM X-FORCE INCIDENT RESPONSE AND INTELLIGENCE SERVICES

Cybersecurity. You have been breached; What Happens Next THE CHALLENGE FOR THE FINANCIAL SERVICES INDUSTRY

QRadar Open Mic: Custom Properties

What's new in AppScan Standard version

The New Era of Cognitive Security

Deploying BigFix Patches for Red Hat

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

How AppScan explores applications with ABE and RBE

What's new in AppScan Standard/Enterprise/Source version

IBM Security Network Protection

Fabrizio Patriarca. Come creare valore dalla GDPR

Predators are lurking in the Dark Web - is your network vulnerable?

IBM Security Network Protection Solutions

IBM Security Identity Manager New Features in 6.0 and 7.0

Securing global enterprise with innovation

Be effective in protecting against the cybercrime

IBM MaaS360 Kiosk Mode Settings

BigFix Query Unleashed!

Using Buffer Usage Monitor Report & Sniffer must_gather for troubleshooting

Let s talk about QRadar 7.2.5

More on relevance checks in ILMT and BFI

XGS & QRadar Integration

IBM Security Access Manager v8.x Kerberos Part 1 Desktop Single Sign-on Solutions

Disk Space Management of ISAM Appliance

IBM Security Access Manager Single Sign-on with Federation

HTTP Transformation Rules with IBM Security Access Manager

Remote Syslog Shipping IBM Security Guardium

Security Support Open Mic Build Your Own POC Setup

IBM BigFix Relays Part 1

The McGill University Health Centre (MUHC)

How to Secure Your Cloud with...a Cloud?

XGS Administration - Post Deployment Tasks

MSS VSOC Portal Single Sign-On Using IBM id IBM Corporation

IBM Next Generation Intrusion Prevention System

XGS: Making use of Logs and Captures

Let's talk about QRadar Apps: Development & Troubleshooting IBM SECURITY SUPPORT OPEN MIC

Interpreting relevance conditions in commonly used ILMT/BFI fixlets

IBM Security Access Manager v8.x Kerberos Part 2

ISAM Advanced Access Control

Junction SSL Debugging With Wireshark

Configuring your policy to prevent appliance problems

Modern Realities of Securing Active Directory & the Need for AI

Le sfide di oggi, l evoluzione e le nuove opportunità: il punto di vista e la strategia IBM per la Sicurezza

IBM Security. Endpoint Manager- BigFix. Daniel Joksch Security Sales IBM Corporation

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Security Support Open Mic: ISNP High Availability and Bypass

Understanding scan coverage in AppScan Standard

ISAM Federation STANDARDS AND MAPPINGS. Gabriel Bell IBM Security L2 Support Jack Yarborough IBM Security L2 Support.

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

10 FOCUS AREAS FOR BREACH PREVENTION

IBM Security Guardium: : Sniffer restart & High CPU correlation alerts

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

RSA Security Analytics

IBM Application Security on Cloud

IBM BigFix Client Reporting: Process, Configuration, and Troubleshooting

CloudSOC and Security.cloud for Microsoft Office 365

Qualys Indication of Compromise

Symantec Ransomware Protection

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Configuring zsecure To Send Data to QRadar

Cyber security tips and self-assessment for business

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

IBM Security Network Protection v Enhancements

BigFix 101- Server Pricing

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

IBM Guardium Data Encryption

Security Support Open Mic Client Certificate Authentication

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Ponemon Institute s 2018 Cost of a Data Breach Study

Cisco & IBM Security SECURING THE THREATS OF TOMORROW, TODAY, TOGETHER


Accelerating growth and digital adoption with seamless identity trust

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

IBM Security Access Manager What s in the box : InfoMap Authentication Mechanism IBM SECURITY SUPPORT OPEN MIC. 13 Dec 2017

Incident Response Agility: Leverage the Past and Present into the Future

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

Juniper Sky Advanced Threat Prevention

CyberArk Privileged Threat Analytics

Cyber Security. Our part of the journey

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

IBM Security Identity Governance and Intelligence Clustering and High Availability

IBM Security Access Manager

SOLUTION MANAGEMENT GROUP

SWD & SSA Updates 2018

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Are we breached? Deloitte's Cyber Threat Hunting

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

Transcription:

Let s Talk About Threat Intelligence IBM SECURITY SUPPORT OPEN MIC #20 Slides and additional dial in numbers: http://ibm.biz/openmic20 January 26, 2017 NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

Panelists Jason Keirstead QRadar Architecture Team Rory Bray QRadar Security Architect Dwight Spencer Principal Solutions Architect Adam Frank Principal Solutions Architect Peter Szczepankiewicz - QRadar Offering Manager Jonathan Pechta Support Technical Writer / Support Content Lead Special Guests Eric Newman RiskIQ Hugh Docherty - PhishMe Steve Ginty - RiskIQ 2 IBM Security

Announcements

QRadar 7.3 Coming soon & what you need to know in advance Controlled rollout is now in progress for QRadar 7.3. This upgrade will be an ISO file that must be installed on each appliance (no patch all) Due to the size of the upgrade, it is expected to take slightly longer than previous patches. A new requirement of WinCollect 7.2.4 is in place. QRadar Open Mics Coming soon QRadar Open Mic #21: Vulnerability & Risk Management with QRadar (February 23 rd ) QRadar Open Mic #22: QRadar 7.3 Feature Discussion (Live March 21 st ) QRadar forums Reminder that we have a new forum at http://ibm.biz/qradarforums. This is a great place to get questions answered from support, developers, and other QRadar users and administrators. 4 IBM Security

Threat Intelligence

What is Threat Intelligence? (TI) Threat Intelligence is the brother and a component of Security Intelligence, these are the tools, data, and procedures that are relevant to protecting your organization. Threat Intelligence includes in-depth curated information about specific threats to help organizations protect themselves from attacks that are new, unknown, or damaging. Analogy Think of Threat Intelligence as a Neighborhood Watch program, but for security data. You already have measures and tools in place for protecting your home, but outside data provided by others who have seen risks and incidents you have not can provide critical information to protect you home. The people in your neighborhood watch are the people, vendors, and security community who share data, tools, and techniques. Vectors People (phishing), drive by downloads, file infectors, vulnerable applications (CVE), infrastructure issues, legacy software, and more. 6 IBM Security

How to Bring Threat Intelligence to QRadar Threat Intelligence provides users and administrators the power to act on indicators of attacks. With each feed, this data and indicators might be different; however, in QRadar this information all revolves around Reference Data, except for the IBM X-Force IP Reputation Feed enabled via the System Settings in QRadar 7.2.8+. QRadar has a Threat Intelligence app that leverages STIX/TAXII format feeds to import data in to Reference Sets. A number of IBM Partners have created apps that take the guess work out of this process for their feed data. 7 IBM Security And more, who have not yet released their app, like PhishMe.

Indicators of Compromise Used in Threat Intelligence An indicator of compromise is any recorded or captured piece of digital evidence from a security incident that can be used to provide information about an intrusion or issue. These indicators provide teams the first concrete targets for your investigation. These are your neighborhood watch fliers. Different threat intelligence feeds might use different indicators, depending on your region, business sector, security requirements. Other indicators can include data captured by the security intelligence side, such as: URLs Anomalies (unusual traffic / behavior / first contact) Account change events (privileged escalations) Former employees Regional irregularities Mismatched port-application traffic Large HTML responses (injections) Volume of requests for identical file Registry changes DNS anomalies http://detect-respond.blogspot.com Recommended reading: http://detect-respond.blogspot.com/2014/03/use-of-term-intelligence-at-rsa.html 8 IBM Security

How to Get Threat Intel Data in to QRadar A. Adding Threat Intelligence with an IBM Partner App: 1. You must be at QRadar 7.2.6+ or the specified version of QRadar the app has been validated against. In most cases, QRadar support will recommend a minimum of QRadar 7.2.6 Patch 4 for any QRadar systems that leverage apps/extensions. 2. Install the app via the Admin tab > Extension Management. B. If you are adding the IBM X-Force Threat Intelligence Feed: 1. You must be at QRadar 7.2.8 or later. 2. Enable the feed from the Admin tab > System Settings > Enable X-Force Threat Intelligence Feed> Yes. C. Adding a feed using the IBM Threat Intelligence app: Create an authorized service token, add a proxy server and CA certificates (if required), create reference sets for the data, add your threat feed (STIX/TAXII), create a TAXII Rule Actions. D. Leverage the QRadar API Using the QRadar API, customers can send threat intelligence data to directly update reference sets. 9 IBM Security

Leveraging a Basic Rule Set for Feed Data (RFISI) Partners who work with IBM to create apps are provided a baseline rule set as a content pack. This is available to all users and includes generic rules that can be used with any threat intelligence data. This is the IBM Security Ready for Security Intelligence Content Pack, which is available for download from the X-Force App Exchange (https://exchange.xforce.ibmcloud.com/hub/). Requires QRadar 7.2.6 Patch 4 or later. Includes generic rules that are intended to be modified and exported by vendors. Normal admins can install this to work with or expand on their threat data. 10 IBM Security

Ready for Security Intelligence (RFISI) Rules and Reference Data URL: https://ibm.biz/rfisi_threat_intel GitHub: https://github.com/ibm-security-intelligence/data-import/tree/master/rfisi-threat-import Pre-defined Reference Collections Each of these sets has a complimentary reference table to hold extended data related to each item in a set. For example, Phishing Senders set will be accompanied by a reference table called Phishing Senders Data. Phishing Senders - contains IPs of hosts that are known/suspected of sending phishing attempts. Phishing Subjects - contains subject lines from email campaigns that are known to be phishing attempts Spam Senders - contains IPs of known spam servers. If the provider doesn t distinguish between phishing and other spam then both go in this set. Malware Senders - contains IPs of mail hosts known to send malicious emails (virus/malware attachments, html exploits, etc). If the providers doesn t distinguish between these and other spam then all should go to the Spam Senders set. Malware URLs - contains URLs know to be malware downloads Malware Hostnames - contains the hosts (or IPs) of servers providing malware downloads. Hostnames are better due to virtual hosting. 11 IBM Security

Ready for Security Intelligence (Continued) Phishing URLs contains the URLs associated with phishing emails Malicious URLs contains URLs for other exploit types (browser exploits mainly) Botnet IPs - contains IPs associated with botnet activity. Intended for nodes rather than C&C IPs but if the provider doesn t distinguish between them then both go in this set. Botnet C&C IPs - contains IPs known to be C&C servers rather than nodes. If the provider does not distinguish between nodes and C&C, then all Ips should go to the Botnet IPs set. Malware IPs - contains IPs associated with malware post-exploit communications (exfiltration uploads, etc) Anonymizer IPs - contains IPs of known anonymized services, such as VPN providers, TOR exit nodes and other proxies. Malware Hashes MD5 - contains MD5 sums of malware files Malware Hashes SHA - contains SHA (SHA-1, SHA-256, etc) sums of malware files Rogue Process Names - contains process names or executable names for known malware, trojans, etc. 12 IBM Security

Ready for Security Intelligence (Continued) Each of these reference tables will have a primary key of the same type and value as the set they compliment. Each reference table also provides the following fields: Provider - The Threat Intel provider's name so that detection can be attributed to the correct threat integration. Confidence - A confidence rating between 0 and 100, if applicable. Use 50 if unknown or if translating from high-med-low use a reasonable distribution like 90-50-20. First Seen Date - The date that the threat provider first observed the indicator. Last Seen Date - The most recent observation. 13 IBM Security

Chat discussion Your chance to respond to the community 1. What are some STIX/TAXII feeds that you use in your environment? Type in to chat some of the feeds that you find useful or important. 2. How do I judge the quality of my threat intelligence feed? 3. What are quality of Indicators of compromise? Any tips or hints. 4. The best threat intelligence is from inside your own space and analysis. Given a botnet C&C that YOU find, you would naturally go hunt over history. You then can share this data using tools to help others, such as the Malware Information Sharing Platform or the X-Force Exchange. 14 IBM Security

Investigations, Intelligence, Tools, & Workflow Identifying the important facts: 1. How? (Document / generate reports for everything) 2. Who? (Accounts impacted) 3. What? (Data or systems involved) 4. Where? (Entry & exfiltration points) 5. Why? (Weaknesses / required remediation) 4. Remediate accounts, hosts, exfiltration points 5. Repeat and share your workflow 1. Document methods & IOCs 2. Search your systems for IOC activity Watson Advisor A new generation of tools is coming soon with Watson Advisor. Using Cognitive computing to understand massive amounts of data from written to speech. Machine knowledge helps further curate and helps you get the visibility you need to respond swiftly to security incidents when they occur and learning along the way. 3. Investigate incidents & assess 15 IBM Security

Special thanks to our guests RiskIQ: https://www.riskiq.com/ To our panelist from PhishMe: https://phishme.com/ 16 IBM Security

THANK YOU FOLLOW US ON: https://www.facebook.com/ibmsecuritysupport QRadar Forums: https://ibm.biz/qradarforums youtube/user/ibmsecuritysupport @askibmsecurity securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback