Building an Effective Threat Intelligence Capability
Haider Pasha, CISSP, CEH
Director, Security Strategy, Emerging Markets, Office of the CTO
The Race To Digitize

Automotive Telematics
- In-vehicle entertainment
- Navigation
- Safety services
- Concierge services
- Remote diagnostics
- Personalized insurance

Manufacturing
- Supply chain management
- Geo-fencing
- Machine diagnostics
- Inventory control
- Industrial automation control
- Equipment monitoring

Retail & Finance
- Smart payments, cards
- Point of sale terminals
- ATM
- Vending machine monitoring
- Digital signage and electronic billboards

Healthcare
- Home healthcare and hospital patient monitoring
- Remote telemedicine & physician consultation
- Body sensor monitoring

Utilities
- Meter reading
- Industrial controls
- Pro-active alerts
- Smart Grid applications
- Remote temperature control

Consumer Services
- Smart home appliances
- Connected home
- Video feed monitoring

Copyright 2016 Symantec Corporation
Your Data casts a Digital Shadow that grows with every online interaction!
Our Growing CYBER-DEPENDENCE

(Word cloud of the forces and risks driving cyber-dependence.)

Technology drivers: 3D printing, drones, robots, augmented humans, big data, Internet of Things, smart cities, social networks, critical infrastructure, regulations, mobility, clouds, information explosion, hyper-connectivity, deep web, pervasive IT.

Risks: cyber-chaos, loss of trust, digital wildfire, dark clouds, e-sabotage, cyber-conflicts, massive data loss, cyber-espionage, identity theft, digital extortion, targeted attacks, vulnerabilities, social engineering, cyber-crime.
Already Compromised
http://www.csoonline.com/article/2835080/data-breach/15-of-the-scariest-things-hacked.html
Changing Business Environment: Common Challenges

EXPANDED ATTACK SURFACE
- Cloud Infrastructures
- Mobile Protection
- Internet of Everything (IoT)
- BYOD

LARGE, COMPLEX ENVIRONMENTS
- Multiple Products
- Thousands of Servers
- Multiple Endpoints
- Lack of Talent

ADVANCED ADVERSARIES
- Well-funded
- Country Sponsored
- Nation States
- Underground Market

BROAD-BASED IMPACTS
- Targeted Attacks
- Internet of Everything
- More Data at Risk
- Disguised Attacks
A MAJOR SKILLS GAP IS EMERGING

"I have lots of data... but no information."

Data science is under-invested, not well defined and under-skilled.
Threat Intelligence Framework: A LIFE-CYCLE

Threat Intelligence Capability
- Data Classification
- Confirm and prioritize Risk
- Automated Response
- Incident Response
- Build Critical Capabilities
  - Indicators of Compromise (IoC)
Build Critical Capabilities USING INDICATORS OF COMPROMISE

Cycle of stages:
- Suspect Indicator
- Big Data Enabled Indicator Search
- Big Data Enabled Attack Attribute Analysis
- Indicator of Compromise (IOC) or Breach
- Big Data Enabled Intelligence Aggregation
- Big Data Enabled Victim & Adversary Analysis
- Big Data Enabled Campaign Analysis
- Build Protection Strategies
- Deploy, Collaborate & Share

Outcome: Actionable Security Intelligence & Cyber Protection
Threat Intelligence Framework: A LIFE-CYCLE (continued)

Added to the framework: Develop Analyst Skills
- Analyst Diversity
- Career Advancement
- Development Program
- Cyber Simulations
Cyber Security Exercise

Continuous skills development for Security Teams
- Fully managed SaaS and Platform-as-a-Service offering with global coverage
- Comprehensive scoring and reporting functionality
- Over 600 hours of live system challenge scenarios, covering different industry verticals
- 7,000+ participants in 30+ countries
- Scenarios designed for different levels of difficulty
- Exercises can be run 1 day monthly, quarterly or yearly
Threat Intelligence Framework: A LIFE-CYCLE (continued)

Added to the framework: Establish Sources
- Commercial & OSINT Sources
- Internal Sources
- Government Sources
- Industry Sources
Establish Sources: RICH TELEMETRY

Internal Sources
- Crowdsourcing
- Employee Security Awareness
- Internal Forums / Distribution Lists
- Log and network data (SIEM, FW, etc.)

Industry Sources
- Supply Chain Partners
- Informal Industry Relationships (1-on-1)
- Formal Industry Organizations (ENISA, etc.)

Open & Commercial Sources
- Vendor Threat feeds
- Security Intelligence Providers
- Public Threat Feeds (Zeus, SpyEye, etc.)
- Counter Intelligence & HUMINT capability
- Software-as-a-service (SaaS) threat alerting

Government Sources
- Law Enforcement
- National Security Organizations
- Computer Emergency Readiness Teams (CERT)
Threat Intelligence Framework: A LIFE-CYCLE (continued)

Added to the framework: Operationalize Intelligence
- Threat Analytics
- Proactive Defense
- Threat Dissemination
- Cyber Kill Chain

(Establish Sources now lists Commercial Sources and OSINT & HUMINT Sources separately, alongside Internal and Government Sources.)
Operationalize Intelligence: THREAT ANALYTICS

The ability to gather and query both external insight and internal visibility, essentially generating security intelligence, needs to be at the heart of any (big data) security analytics platform.

Analytics capabilities:
- Vulnerability Analysis
- IP Reputation Data Feeds & Lookups
- Phishing Analysis
- URL Reputation Data Feeds & Lookups
- Email/Web Analysis
- Campaign & Incident Analysis and Lookups
- Malware Analysis & Lookups
- Strategic Analysis
- Threat Actor Profiles
- File Reputation Lookups
- Brand Protection
- TT&P Analysis

Providing better protection by:
- Predictive Analysis & Adversary Intelligence
- Earlier Event Detection & Prioritization
- Faster Incident Response & Better Risk Management
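The slide's core idea, joining external reputation lookups (IP, URL, file hash) with internal telemetry and asset context to prioritize events, shown as an added example that is not part of the original deck or any Symantec product. The feed, events and criticality table are all constructed sample data; the scoring rule (best indicator score times asset criticality) is an assumption chosen for illustration.

```python
# Added example: correlate internal events with external reputation feeds
# and rank the results, the "earlier detection & prioritization" step.
from dataclasses import dataclass

# Constructed external indicators keyed by (type, value); scores are
# illustrative, 0 (benign) to 100 (confirmed malicious).
REPUTATION_FEED = {
    ("ip", "203.0.113.7"): 90,                      # TEST-NET-3 sample address
    ("url", "http://example.net/login-update"): 70,  # constructed URL
    ("sha256", "aaaa" * 16): 95,                     # constructed hash value
}

# Constructed internal telemetry: one proxy/endpoint record per event.
EVENTS = [
    {"id": 1, "host": "ws-01", "dst_ip": "203.0.113.7",
     "url": "http://example.net/login-update", "sha256": None},
    {"id": 2, "host": "ws-02", "dst_ip": "198.51.100.4",
     "url": "http://example.org/", "sha256": None},
    {"id": 3, "host": "srv-db", "dst_ip": "198.51.100.9",
     "url": None, "sha256": "aaaa" * 16},
]

# Internal context: asset criticality (assumed scale 1..3).
ASSET_CRITICALITY = {"srv-db": 3, "ws-01": 1, "ws-02": 1}

@dataclass
class Alert:
    event_id: int
    host: str
    matched: list   # (indicator type, value, score) tuples
    priority: int

def lookup(event):
    """Return every feed indicator this event matches (may be several)."""
    checks = [("ip", event.get("dst_ip")), ("url", event.get("url")),
              ("sha256", event.get("sha256"))]
    return [(t, v, REPUTATION_FEED[(t, v)])
            for t, v in checks if v and (t, v) in REPUTATION_FEED]

def prioritise(events):
    """Rank events: highest matched score weighted by asset criticality."""
    alerts = []
    for ev in events:
        hits = lookup(ev)
        if not hits:            # no external match: stays in the log archive
            continue
        score = max(s for _, _, s in hits) * ASSET_CRITICALITY.get(ev["host"], 1)
        alerts.append(Alert(ev["id"], ev["host"], hits, score))
    return sorted(alerts, key=lambda a: a.priority, reverse=True)

if __name__ == "__main__":
    for a in prioritise(EVENTS):
        print(a.priority, a.host, [(t, s) for t, _, s in a.matched])
```

In the sample data the database server's file-hash match outranks the workstation's two network matches only because of the criticality weight, which is the point of combining external insight with internal context.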
Symantec has been the leader in cyber security big data analytics for many years.
- 1 billion+ systems
- 200M+ Norton & SEP users (the biggest source of telemetry)
- 9 security ops centers globally; 1000+ expert analysts
- 4 trillion rows of security telemetry, 100 billion more per month
- Blocked 182 million threats last year
SOC Architecture: Integration of Intelligence

Teams:
- Cyber Intelligence Team
- Threat Detection Team
- Threat Prevention Team
- Threat Response Team

Functions:
- Security Intelligence Feeds
- Security Analytics
- Log Collection & Archiving
- Log Analysis & Passive Discovery
- Cyber Intelligence
- Asset Discovery
- Real-time Monitoring
- Threat & Vulnerability Management
- Intelligence Correlations
- Management of Security Devices / Operations
- Policy Testing & Risk Assessment
- Integrate 3rd Party Solutions
- Reporting and Quality Assurance
- Network & Host Forensics
- Incident Response & Remediation
- Applied Intelligence Analysis & Reporting
- Forensic Analysis & Visualization
- Controlled Readiness Testing
- 360° Contextual View
- Security Simulation
- Compliance & Audit Reports
Symantec Enterprise Security Strategy: Integrated Solutions, Now with Blue Coat

Common Cloud Console; Management SaaS/IaaS

Threat Protection
- ATP
- Endpoint
- Web Proxy
- DC Security
- Email Security

Information Protection
- DLP
- CASB
- VIP 2FA
- Managed PKI
- Encryption (SSL)

Analytics & SOC
- Unified Analytics Platform and Apps
- Cyber Security Services (CSS)

Management & Compliance
- EPM
- Control Compliance Suite (CCS)

Deployment: Public Cloud, Private Cloud, On-Premise Data Center, Self Service

Common Platform and Cloud Services (Integration, Analytics, Orchestration, Provisioning, Usage, Metering, Licensing, Identity Management)
Common Cloud Infrastructure (IaaS): Public or Private Cloud

Routes to market: 3S, Partner Re-sell, Direct Sell
Thank you!
haider_pasha@symantec.com

Copyright 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.