Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

The Game is On - the Future of Threat Intelligence

1.031 visualizaciones

Publicado el

Managed security is dead. It’s no longer capable of responding to today’s advanced cyber-threats. We can see the evidence all around us in the daily headlines. Nearly all of the companies that reported breaches in the past few years used some type of managed security provider (MSP). Clearly, there must be a better way.

Publicado en: Tecnología
  • Sé el primero en comentar

The Game is On - the Future of Threat Intelligence

  2. 2. Andrew Plato CISSP, CISM, QSA President / CEO MEET THE SPEAKER ANITIAN intelligent information security
  3. 3. Vision: Security makes the world a better place. Mission: Build great security leaders. We deliver security and threat intelligence via our practice areas: VisionPath: Compliance, PCI, HIPAA, NERC, ISO, NIST, etc. RiskNow: Rapid Risk Assessment Ring.Zero: Penetration Testing Sherlock: Managed threat intelligence, incident response ANITIAN ANITIAN intelligent information security
  4. 4. Intent • Define threat intelligence and why it is important • Present our view of the future of security analytics • Present Anitian’s approach to threat intelligence Overview • A Study in Breach • What is Threat Intelligence? • Sherlock Managed Threat Intelligence OVERVIEW intelligent information securityANITIAN
  5. 5. Do you want to be secure or compliant? • Secure – We do what is right – Anitian is here for you – Sit tight, this presentation is for you • Compliant – We only do what we have to do – Locate a checkbox auditor, lots of them out there – Have a nice day, this presentation is not for you DECLARE OUR INTENT ANITIAN intelligent information security
  7. 7. MISSED TARGET • Target breach was the beginning • There was ample evidence of the breach, but nobody responded to it • There was ample technology to detect breaches • People were not responding, analysis was not happing • Vital intelligence was not getting to leadership intelligent information securityANITIAN
  8. 8. • Vulnerabilities are widespread • Detection and attribution are difficult • The data are gigantic • Technologies are only as good as the users • Competing priorities within SecOps, Development, Sysadmin, etc. • Breaches are accelerating WE KNOW THE PROBLEM ANITIAN intelligent information security
  9. 9. • Current AV is profoundly bad at detecting emerging threats • Most AVs can only manage about 95% effective • That 5% remaining is huge • Symantec’s own VP admitted that “AV is dead!” THE FAILURE OF ANTI-VIRUS ANITIAN intelligent information security
  10. 10. • Big data is not an answer, it’s a problem • SIEM is a powerful tool, but… • …there are immense barriers to operationalization • SIEM’s generate alerts, not intelligence THE FAILURE OF SIEM ANITIAN intelligent information security
  11. 11. FAILURE OF INCIDENT RESPONSE VerizonDataBreachReport-2014 ANITIAN intelligent information security
  12. 12. FAILURE OF INCIDENT RESPONSE • Notification of a breach is increasingly coming from third parties • Organizations are not detecting attacks • Alerts get ignored, because there are too many of them • Leadership does not have viable intelligence, they just have data (and lots of it) • Dashboards filled with eye candy do absolutely nothing • We are not managing threat, we are desperately trying to contain weakness ANITIAN intelligent information security
  14. 14. ANITIAN intelligent information security
  15. 15. • Intelligence about the attacks, tactics, and targets • Tools that can quickly differentiate an attack from noise • Big data cruncher, that finds the needle in a stack of needles • Incident handlers that can piece together the crime • Processes that fuels faster, more accurate decision making and response WE NEED CYBER-SHERLOCK ANITIAN intelligent information security
  16. 16. • A threat is something bad that might happen. • Threat elements: Motive: A reason for that bad thing to exist Capability: Means to happen Opportunity: Weakness that enables the threat to happen • Motive is not always malicious • Capability is not always obvious • Opportunity is the thing you have most control over • Threat intelligence analyzes data in the context of these three elements ELEMENTARY THREAT ANITIAN intelligent information security
  17. 17. ACTION WHERE DOES IT COME FROM? intelligent information security Noise Big Data Refined Data Alerts / Signatures IoC Intelligence ANITIAN
  18. 18. • Data, to help tune, optimize, or direct your security analytics • Diverse sources: commercial, government, open source • Diverse types: IoC, reputation, tactics • Standards: – STIX: Structured Threat Information Expression – TAXII: Trusted Automated Exchange of Indicator Information SO WHAT IS IT, REALLY? ANITIAN intelligent information security
  19. 19. STIX EXAMPLE ANITIAN intelligent information security
  20. 20. NOT INTELLIGENCE ANITIAN intelligent information security
  21. 21. • Threat intelligence is highly specialized data • It is not a product, per se • It must be consumed and put into context • A person and/or technology must consume and use the intelligence to find the actual evidence of compromise • Integrating threat intelligence is both a technical challenge and operational challenge • Wargames dashboards are meaningless • The data are complex, difficult to use • Executives will not understand this THE PROBLEM ANITIAN intelligent information security
  22. 22. Technical Advances • Detect anywhere, defend everywhere • Integrated platforms • More sharing (STIX/TAXII and such) Detection Improvements • Advanced detections and AI • Automated intelligence reactions Human Intelligence • Move from enforcement, to analysis • Focus on operationalizing security • Improved work-flow management THE FUTURE OF THREAT INTELLIGENCE ANITIAN intelligent information security
  24. 24. People RiskNow [Process] Threat Intelligence [Technology] ANITIAN intelligent information security
  25. 25. WHAT IS ANITIAN SHERLOCK? A service to deliver threat intelligence. It unites people, processes, and technology: • PEOPLE: Anitian’s analysts backed with 20 years of experience • PROCESS: We use our innovative RiskNow approach to rapidly distill raw threat intelligence into meaningful hunts • TECHNOLOGY: We integrate multiple threat intelligence feeds and have a customized stack of commercial products to accelerate the detection process ANITIAN intelligent information security
  26. 26. Sherlock Vision Statement ANITIAN intelligent information security
  27. 27. Sherlock Mission Statement ANITIAN intelligent information security
  28. 28. HOW SHERLOCK WORKS • Our “Sherlocks” hunt through your environment looking for evidence of compromise • Our Tactics – Alerts: Automated alerts that tip off our team – IoC: Indicator of Compromise from our threat intelligence feeds – Hunt: Using IoCs and our RiskNow process define “hunts” for clues in an environment – Case: When we find something, we open a case to track it – Campaign: A collection of cases (or hunts) that share similar attributes ANITIAN intelligent information security
  29. 29. SHERLOCK THREAT INTELLIGENCE PORTAL ANITIAN intelligent information security
  30. 30. SHERLOCK THREAT INTELLIGENCE DETAIL ANITIAN intelligent information security
  31. 31. THE SHERLOCK STACK ANITIAN intelligent information security
  32. 32. STACK TECHNOLOGY • Fortinet NGFW, IDS/IPS, Sandboxing • Cylance Advanced endpoint breach detection • Splunk SIEM • Solara Advanced network forensics • Click Security Advanced reporting and analytics • Websense Data loss prevention, web security • Nessus Vulnerability management • NNT Change management ANITIAN intelligent information security
  33. 33. SERVICE OPTIONS • Intelligence analysis • Sherlock stack • Advanced forensics • Incident response & breach notification • Vulnerability management ANITIAN intelligent information security
  34. 34. ADD-ON SHERLOCK SERVICES Anitian can provide add-on services • Device management (NGFW, SIEM, etc.) • RiskNow Rapid Risk Assessment • Network & Application Layer Penetration Testing • PCI Compliance assessments • SOC2 audits • Code review ANITIAN intelligent information security
  35. 35. PACKAGES • Sherlock.A Analytics • Sherlock.AS Analytics + Stack • Sherlock.ASF Analytics + Stack + Deep Forensics • Sherlock.CRM Continuous Risk Management • Sherlock.H Healthcare industry package • Sherlock.E Energy industry package • Sherlock.SecOps Security operations package ANITIAN intelligent information security
  36. 36. THE TEAM • SANS Trained analysts • Focused on you • Dedicated person (with backups) • Hands on tech people • Senior analysts and forensic auditors available on demand ANITIAN intelligent information security
  37. 37. RESOURCE REQUIREMENTS • 5-10 days for setup of stack • 5-10 days of tuning • Reports begin flowing in 10-20 days • Less than 1 hour per week to review reports ANITIAN intelligent information security
  38. 38. BENEFITS OF ANITIAN SHERLOCK • Deep analysis and threat intelligence • Combination of human and machine intelligence • Multiple intelligence feeds • Actionable reports, no dizzying dashboards • Dedicated analysts • All data stays on-premise, no offsite storage, no co-mingling • You own the technology • Most experienced security intelligence team in the world ANITIAN intelligent information security
  39. 39. THANK YOU EMAIL: TWITTER: @AnitianSecurity WEB: BLOG: SLIDES: CALL: 888-ANITIAN ANITIAN intelligent information security