All material confidential and proprietary
Interop 2016
COLLECTING AND USING THREAT INTELLIGENCE DATA
INTRODUCTIONS
WE MAKE THREAT INTELLIGENCE ACCESSIBLE
ThreatConnect unites cybersecurity people, processes and technologies behind a cohesive intelligence-driven defense. Designed for security teams at all maturity levels, ThreatConnect enables organizations to maximize the value of their security technology investments, combat the fragmentation of their security organizations, and enhance their infrastructure with relevant threat intelligence.
ABOUT ME
Bhaskar Karambelkar, Data Science Lead
WHAT IS GOING ON?
VERIZON 2016 DBIR – DETECTION DEFICIT
• Attackers are getting faster and we are not catching up.
• Most compromises happen within days.
• Most compromises are discovered weeks and months out, if not years.
Source: Verizon 2016 Data Breach Investigations Report.
VERIZON 2016 DBIR – DISCOVERY METHODS
• Internal discovery is less and less common.
• Third Party (often Victims) and L&E are the ones who discover breaches.
Source: Verizon 2016 Data Breach Investigations Report.
THREAT INTELLIGENCE
GARTNER HYPE CYCLE
SOURCE: http://www.gartner.com/technology/research/methodologies/hype-cycle.jsp
THREAT INTELLIGENCE (TI)
• Gartner defines TI as ‘evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets, that can be used to inform decisions regarding the subject’s response to that menace or hazard’. [1]
• But TI is often mistaken for just the Indicators of Compromise (IOCs) and has therefore become a marketing buzzword. LET US CHANGE THAT PERCEPTION.
• TI works best in collaboration with other security practices: Vulnerability & Patch Management (VM), Security Operations (SOC), Incident Response (IR), etc.
• It is an important piece of the data-driven approach to Threat Management.
THE THREAT INTELLIGENCE PROCESS
Stages:
Collect → Enrich → Connect → Contextualize → Analyze & Prioritize → Operationalize
Inputs and integrations:
• External Sources
• Whois / passive DNS / GeoIP
• Firewalls, IDS/IPS, Vuln Scanners, Endpoint Security
• SIEM
THREAT INTELLIGENCE PROGRAM MATURITY MODEL
• Well-Defined TI Program
• TI Program In Place
• Expanding
• Warming Up
• Not sure where to start
CHARACTERISTICS OF GOOD TI
• RELEVANT
• TIMELY
• COMPREHENSIVE
• ACCURATE
• All these make it ACTIONABLE.
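As an added illustration of the Collect / Enrich / Connect / Analyze & Prioritize stages of the process slide, and of how RELEVANT, TIMELY and ACCURATE combine into an actionable score, here is a small Python pipeline written for this page; it is not ThreatConnect code or the author's. The feed records, enrichment tables, internal sightings and scoring weights are constructed assumptions (documentation IP ranges and a .test domain).

```python
from datetime import date

# Constructed feed records (indicator, type, source, first_seen) using documentation ranges.
FEED = [
    ("198.51.100.7", "ip", "vetted-isac", date(2016, 5, 1)),
    ("example-bad.test", "domain", "open-feed", date(2015, 1, 10)),
    ("203.0.113.9", "ip", "open-feed", date(2016, 4, 28)),
]
SOURCE_CONFIDENCE = {"vetted-isac": 0.9, "open-feed": 0.4}  # vetted feeds weigh more (assumed)
# Constructed stand-ins for Whois / passive-DNS / GeoIP enrichment lookups.
GEOIP = {"198.51.100.7": "ZZ", "203.0.113.9": "ZZ"}
PASSIVE_DNS = {"example-bad.test": ["203.0.113.9"]}
# Constructed internal sightings (firewall / IDS hit counts), the "Connect" input.
INTERNAL_SIGHTINGS = {"203.0.113.9": 3}
TODAY = date(2016, 5, 3)

def enrich(ind, typ):
    """Enrich: attach country or resolution context from the lookup tables."""
    if typ == "ip":
        return {"country": GEOIP.get(ind)}
    if typ == "domain":
        return {"resolutions": PASSIVE_DNS.get(ind, [])}
    return {}

def connect(ind, ctx):
    """Connect: count internal hits on the indicator and on anything it resolves to."""
    related = [ind] + ctx.get("resolutions", [])
    return sum(INTERNAL_SIGHTINGS.get(r, 0) for r in related)

def score(source, first_seen, sightings, today):
    """Analyze & Prioritize: accurate (vetted) + timely (fresh) + relevant (seen) -> actionable."""
    age_days = (today - first_seen).days
    timeliness = max(0.0, 1.0 - age_days / 90.0)  # assumed: stale after ~90 days
    relevance = 1.0 if sightings else 0.0
    return round(0.4 * SOURCE_CONFIDENCE.get(source, 0.2) + 0.3 * timeliness + 0.3 * relevance, 2)

def prioritize(feed, today=TODAY):
    """Run the pipeline over a collected feed and return records, highest score first."""
    records = []
    for ind, typ, src, seen in feed:
        ctx = enrich(ind, typ)
        hits = connect(ind, ctx)
        records.append({"indicator": ind, "context": ctx, "sightings": hits,
                        "score": score(src, seen, hits, today)})
    return sorted(records, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in prioritize(FEED):
        print(r)
```

Note that the open-feed IP with internal sightings outranks the fresh vetted IP nobody has seen, which is the point of connecting feeds to your own telemetry before prioritizing.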
FEEDS, FEEDS, FEEDS
TI FEEDS AND DONE, RIGHT?... WRONG!
• Subscribing to a bunch of open and/or premium external feeds and sticking them in your firewall, IDS/IPS, SIEMs will not work. WHY?
• Too many false positives, too much irrelevant data, exhausted and overworked security analysts, false sense of security.
• If anything, this will hurt your security posture.
• So feeds are useless then? Not quite.
• External feeds are only a piece of the TI management process. They add unique value to the process but are not the be-all and end-all of TI.
• Vetted sources can help drive down the false positives.
• Contextualized/Enriched/Connected indicator sources can help Ops and IR teams make proper decisions and prioritize correctly.
SO, WHICH FEEDS DO I NEED?
WRONG QUESTION, YOU FAIL AT JEOPARDY!
• Correct Question: What are the key areas in my defense that need strengthening, based on my security risk assessment and threat modeling?
• So what do I do?
  • Look for vetted feeds.
  • Compare and contrast premium vendor feeds.
  • Evaluate your subscribed feeds.
  • Be part of an industry-specific sharing community (FS-ISAC, ONG-ISAC, etc.).
BEST INTEL COMES FROM YOUR OWN ORGANIZATION.
THREAT INTELLIGENCE PLATFORM
WHAT IS A TI PLATFORM (TIP) AND WHY DO I NEED ONE?
A product to manage your threat intelligence processes in one central place.
Allows you to:
• subscribe to internal/external feeds.
• enrich/connect/contextualize/prioritize your data.
• integrate your TI data with security tools (Firewalls, IDS/IPS, WAFs, VM, SIEMs).
• keep track of historic data for reference and trend analysis.
• interact with common interest communities for sharing data.
And also allows:
• various security teams (IR, SOC, IT) to collaborate on threat data.
• your CIO/CISO and other senior execs to gain insights for strategic decision making.
HOW DO I GET ONE?
Find a TIP vendor!
• Things to consider when looking for a vendor:
  o Integration with existing tools.
  o Hosting options (multi-tenant, on-prem, private cloud).
  o Collaboration, community support.
  o Reporting and dashboards.
  o Service provider support.
Your TIP needs to be a team player in your security infrastructure and aid you in your tactical/operational/strategic threat management needs.
ACTING ON THREAT INTELLIGENCE
PUT THOSE IOCS RIGHT TO BED WORK!
• Make your TIP the central nervous system of your security infrastructure.
• There should be bi-directional communication between your TIP and your firewalls/SIEMs/IDS/IPS/Endpoint Security.
• Not all devices need all IOCs; segregate by device type as well as kill chain target.
• Vet good IOCs, and share them as much as possible/allowed with peers.
• Mark bad IOCs (known goods or false positives) but don’t completely get rid of them, as they may provide context.
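An added Python sketch of the last three bullets (not ThreatConnect's or the author's code): IOCs are routed to device types by indicator type and kill-chain phase, and known-good or false-positive IOCs are retired from the exports but kept in the store with their history, so the context survives. The IOC records, routing table and phase names are constructed assumptions.

```python
import copy

# Constructed IOC store (documentation addresses, a .test domain, a dummy hash); not real indicators.
IOCS = [
    {"value": "203.0.113.9", "type": "ip", "phase": "c2", "status": "active", "source": "vetted-isac"},
    {"value": "example-bad.test", "type": "domain", "phase": "delivery", "status": "active", "source": "open-feed"},
    {"value": "a" * 64, "type": "sha256", "phase": "installation", "status": "active", "source": "ir-team"},
    {"value": "cdn.example.com", "type": "domain", "phase": "c2", "status": "known_good", "source": "open-feed"},
]

# Assumed routing: not every device needs every IOC; segregate by indicator type and kill-chain phase.
ROUTING = {
    "firewall": {"types": {"ip"}, "phases": {"c2", "exfiltration"}},
    "proxy":    {"types": {"domain", "url"}, "phases": {"delivery", "c2"}},
    "endpoint": {"types": {"sha256", "md5"}, "phases": {"installation", "exploitation"}},
    "siem":     {"types": {"ip", "domain", "url", "sha256", "md5"}, "phases": None},  # all, for correlation
}

def export_for(device, iocs):
    """Active IOCs a device should block or alert on; retired ones never leave the TIP."""
    rule = ROUTING[device]
    return sorted(i["value"] for i in iocs
                  if i["status"] == "active"
                  and i["type"] in rule["types"]
                  and (rule["phases"] is None or i["phase"] in rule["phases"]))

def mark(iocs, value, status, note):
    """Return a new store with one IOC flagged known_good/false_positive; the record and its history stay."""
    updated = copy.deepcopy(iocs)
    for i in updated:
        if i["value"] == value:
            i["status"] = status
            i.setdefault("history", []).append(note)
            return updated
    raise KeyError(value)

def context(iocs, value):
    """What an analyst still learns from a retired IOC: where it came from and why it was retired."""
    i = next(r for r in iocs if r["value"] == value)
    return {"source": i["source"], "phase": i["phase"], "status": i["status"],
            "history": i.get("history", [])}

if __name__ == "__main__":
    store = mark(IOCS, "203.0.113.9", "false_positive", "shared hosting IP, hit on benign traffic")
    for dev in ROUTING:
        print(dev, export_for(dev, store))
    print(context(store, "203.0.113.9"))
```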
THANK YOU!
• Comments/Questions
• http://www.treatconnect.com/
• https://twitter.com/bhaskar_vk
• https://www.linkedin.com/in/bhaskarvk