Operationalizing Security Intelligence [ InfoSec World 2014 ]

Security intelligence is only worthwhile if a relevant piece of information is obtained and analyzed in a timely manner and is able to aid a rapid decision-making process to mitigate an imminent threat – this capability is part of the new-school security approach of Detect, Respond, Resolve with greater efficiency and speed, which all enterprises should be benefiting from.


  1. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Operationalizing Security Intelligence. Rafal M. Los, Principal, Strategic Security Services, HP Enterprise Security Services. #InfoSecWorld-2014
  2. To set your expectations: this is a super-ultra-condensed introduction to a very complex topic.
  3. What is "security intelligence"?
  4. "collective set of activities, and artifacts to make intelligence-driven decisions"
  5. Detect, respond, resolve more effectively in the attack lifecycle.
  6. Did someone say "kill chain"?
  7. The Lockheed Martin "Kill Chain": reconnaissance, weaponization, delivery, exploitation, installation, command & control (C2), actions on objectives.
  8. Your adversaries are organized.
  9. Your adversaries are adaptable.
  10. Your defenses are static.
  11. Your defenses are predictable.
  12. PREVENTION IS A MYTH
  13. Time for a better game plan.
  14. Old goal: don't get breached.
  15. New goal: disrupt the attack. Bonus points for disrupting the attacker.
  16. Reality: your defenses will be breached.
  17. (no slide text)
  18. So now what?
  19. This talk is a framework for you.
  20. ...change is long overdue.
  21. The puzzle pieces
  22. The toolbox
  23. The data
  24. The operational processes
  25. The actions
  26. Let's break that down...
  27. The toolbox
  28. Data store, aggregation and analytics engine
  29. (diagram labels) data, data, intelligence, data
  30. scalable, flexible, extensible, fast, affordable
  31. - various scanning tools - work-stream system - collaboration tools
  32. Things to look for: • normalized input/output data format(s) • inter-operability • extensibility • scriptable automation • scalability • maintainability • feature richness • ease-of-use
  33. Pick a tool-set that matches your company profile.
  34. The data
  35. Internal: know your enterprise attack surface.
  36. Start with the fundamentals.
  37. Map the network. Identify existing technologies. Identify business-critical assets.
  38. Create representative data models. Continuously update these models.
  39. "current state" [snapshot]
  40. What are we vulnerable to right now? What are we doing about it?
  41. THIS is your starting point.
  42. Now add context.
  43. Asset context record (example host 10.1.2.100):
      Attribute | Data
      asset_type | <asset_type>
      asset_criticality | <criticality_level>
      OS | <os_name>
      OS-patch-level | <major_minor>
      purpose | <text>
      owner | <owner_name>
      owner-BU | <business_unit>
      owner-contact-email | <email>
      owner-contact-phone | <phone>
      installed-software | (software table)
      change-info | (change_info table)
      vulnerability-info | (vuln_info table)
      ... | ...
      software | version: software_name <version> (one row per package) ...
      change_info | data: last-change <date>, last-change-made <text>, last-change-tech <name> ...
      vuln_info | data: vulnerability <severity> ...
  44. There is no such thing* as "too much information" (* almost...)
  45. "live data" [continuous feeds]
  46. Detect changes to environment, in assets.
  47. Determine new threats.
  48. (no slide text)
  49. What changed? What is the potential impact?
  50. Continuous detection of change: • new (previously unseen) node on network • unauthorized configuration change • unauthorized change to application, or system • new/modified user, or access rights • new vulnerability or missing patch
  51. Requirement: TVM program (threat & vulnerability management)
  52. Requirement: configuration management DB (manage, authorize config changes)
  53. Requirement: collective logging (log key items, on key assets)
  54. (no slide text)
  55. log, aggregate, analyze, identify, refine
  56. Key logging questions to answer: • what should you be logging? • what assets should you log from? • what should you look for? • how do you define 'timely'? • how much should I be storing for analysis?
  57. External: be situationally aware.
  58. For example – • sentiment against your brand/organization • threat climate of your business vertical • attacks against similar organizations, vertical • specific threats against your staff/resources • geopolitical issues pertaining to your enterprise • 3rd party reported vulnerabilities • 3rd party reported exploits • weaknesses in your external technologies • reported abused enterprise assets
  59. Refining 'data' purposefully: IP address, context, external info, analysis
  60. Defining and operationalizing processes
  61. Gathering information
  62. Fail your information quickly.
  63. (no slide text)
  64. It's interesting... but is it useful?
  65. Not all information is useful.
  66. Tools to pare down information: • simple scripts • data analysis applications • relational mapping tools • 'big data' platforms • structured & unstructured data analyses
  67. Finding information is easy.
  68. Throwing away junk is hard.
  69. Refining collected information
  70. Convert information to knowledge.
  71. (no slide text)
  72. Extremely difficult.
  73. Manual process, for analysts.
  74. Aided by automation.
  75. (diagram) 1 2 3 4 5 6
  76. Delivering intelligence
  77. Information necessary to make a decision.
  78. must.be.repeatable.
  79. must.be.actionable.
  80. Analysis is NOT enough.
  81. Need to answer: "So what?"
  82. Provide thorough analysis backed by actual facts, data.
  83. In a timely fashion.
  84. In a useful, consumable format.
  85. Taking action
  86. Rules of engagement (what are you allowed to do?)
  87. Take 'purposeful' action.
  88. Which process is activated? Incident response. Security operations.
  89. Taking action
  90. Detect
  91. Be proactive: out-maneuver the threat.
  92. Be reactive: counter active threat.
  93. Respond
  94. Mitigate the vulnerability.
  95. Minimize the impact of attack.
  96. Shut down an active attack.
  97. Actively shift defenses.
  98. Identify the attacker.
  99. Resolve
  100. Restore services.
  101. Closed Loop Incident Process
  102. Adjust security operations.
  103. Share IOCs.
  104. Quick recap
  105. "Security Intelligence" is... the capability to detect, respond, and resolve your security incidents through an information-driven approach.
  106. You can do this. You need to do this.
  107. Know more. Defend smarter.
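The asset context record of slide 43 and the continuous change detection of slide 50 fit together naturally: two "current state" snapshots (slide 39) of the asset model are diffed, and every difference that the configuration management DB (slide 52) has not authorized becomes an event, ranked by asset criticality to answer slide 49's "what is the potential impact?". The following is an added example, not code from the deck or from HP; the `config_hash` and `users` attributes, the 1..5 criticality scale and all host, software and vulnerability values are assumptions.

```python
"""Added example, not from the deck: the asset context record of slide 43 plus a
snapshot diff raising the change events of slide 50, ranked by criticality (slide
49). config_hash, users and the 1..5 criticality scale are assumed; data is made up."""
from dataclasses import dataclass

@dataclass
class Asset:
    ip: str
    asset_type: str
    asset_criticality: int   # assumed scale: 1 (low) .. 5 (business critical)
    os: str
    os_patch_level: str
    owner: str
    installed_software: dict  # software_name -> version
    users: dict               # username -> access right (assumed attribute)
    vulnerabilities: dict     # vulnerability id -> severity
    config_hash: str          # hash of the running configuration (assumed attribute)

def diff_snapshots(previous, current, authorized):
    """Diff two {ip: Asset} snapshots. `authorized` holds (ip, change_kind) pairs
    approved in the configuration management DB (slide 52)."""
    events = []

    def raise_event(kind, asset, detail):
        events.append({"kind": kind, "ip": asset.ip,
                       "criticality": asset.asset_criticality, "detail": detail})

    for ip, cur in current.items():
        prev = previous.get(ip)
        if prev is None:                          # new (previously unseen) node
            raise_event("new_node", cur, f"previously unseen {cur.asset_type}")
            continue
        if cur.config_hash != prev.config_hash and (ip, "config") not in authorized:
            raise_event("unauthorized_config_change", cur, "running config hash changed")
        for name, ver in cur.installed_software.items():
            if prev.installed_software.get(name) != ver and (ip, "software") not in authorized:
                raise_event("unauthorized_software_change", cur, f"{name} -> {ver}")
        for user, right in cur.users.items():     # new/modified user or access rights
            if prev.users.get(user) != right:
                raise_event("user_or_rights_change", cur, f"{user}: {right}")
        for vid, sev in cur.vulnerabilities.items():
            if vid not in prev.vulnerabilities:   # new vulnerability or missing patch
                raise_event("new_vulnerability", cur, f"{vid} ({sev})")
    # Most critical assets first: the "what is the potential impact?" ordering.
    events.sort(key=lambda e: e["criticality"], reverse=True)
    return events

# Constructed sample snapshots: placeholder hosts, software and vulnerability ids.
def sample_previous():
    return {"10.1.2.100": Asset("10.1.2.100", "web server", 5, "Linux", "3.2", "alice",
                                {"nginx": "1.4.6"}, {"alice": "admin"}, {}, "cfg-aaaa"),
            "10.1.2.101": Asset("10.1.2.101", "workstation", 2, "Windows", "7.1", "bob",
                                {"office": "2013"}, {"bob": "user"}, {}, "cfg-bbbb")}

def sample_current():
    return {"10.1.2.100": Asset("10.1.2.100", "web server", 5, "Linux", "3.2", "alice",
                                {"nginx": "1.4.6"}, {"alice": "admin", "svc": "admin"},
                                {"VULN-1": "high"}, "cfg-cccc"),
            "10.1.2.101": Asset("10.1.2.101", "workstation", 2, "Windows", "7.1", "bob",
                                {"office": "2016"}, {"bob": "user"}, {}, "cfg-bbbb"),
            "10.1.2.102": Asset("10.1.2.102", "unknown", 1, "unknown", "", "", {}, {}, {}, "")}

AUTHORIZED = {("10.1.2.101", "software")}  # CMDB-approved office upgrade

if __name__ == "__main__":
    for ev in diff_snapshots(sample_previous(), sample_current(), AUTHORIZED):
        print(ev)
```

The authorized office upgrade on 10.1.2.101 produces no event, while the unapproved config change, the new admin account and the new vulnerability on the business-critical web server sort ahead of the unknown new node.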