The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era

Presented at InnoTech Oklahoma 2016. All rights reserved.

Slide 1. The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era
Ted Gruenloh, Director of Operations, Sentinel IPS

Slide 2. Agenda
- Review of the current Network Security landscape
- Quick overview of Layered Security
- What, exactly, is Threat Intelligence?
- Threat Intelligence and Layered Security, together
- Publicly shared sources of Threat Intelligence
- Conclusion and Q & A

Slide 3. Current Network Security: Not Your Father's Threats
Yesterday's Threat Landscape...
- Perimeter was defined, and endpoints were easily managed
- Data and assets were static
- Malware/Trojans had limited points of entry

Slide 4. Current Network Security: Today's Threat Landscape
- Perimeter? What perimeter? And with BYOD, it's more like herding cats.
- Data and assets are mobile, dynamic, and accessed by almost anyone
- Tension between privacy (SSL) and visibility (decryption, anyone?)
- Malware can manifest itself anywhere

Slide 5. Layered Security: Fact and Fiction
- The Big Boys like to bash each other
- Are there any silver bullets?
- Let's have an honest conversation: everyone has their strengths
- We prefer a different approach. More like ...

Slide 6. Layered Security: A Quick Inventory
From perimeter to endpoint, paralleling the "Cyber Kill Chain":
- External IPS, Next-Gen Firewalls, Application Firewalls, Vulnerability Scanning, and Penetration Testing
- Dedicated IDS, Web Proxies, SPAM Filters, Sandbox/Sandnet techniques
- Anti-virus, Personal Firewalls, Host-based IPS, patching, software updates
- And one SIEM to log them all
So, where does Threat Intelligence fit in? All of the above!
"Prepare to be breached." Shift from preventative to detective? Sort of.
Layered Security, a.k.a. "Defense in Depth": recommended by the NSA ;-)

Slide 7. What is Threat Intelligence?
"The real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise."
"The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization."
- John Burnham, IBM
Ummmm ... What?
"Threat Intelligence is network data that, when put to good use, can protect you."
- Me

Slide 8. No, really. What is Threat Intelligence?
WARNING: This might get a little technical.

Slide 9. No, really. What is Threat Intelligence?
Diagram: a set of sources feeding a Data Engine (pcap analysis and data correlation), captioned "This is Threat Intelligence." The sources shown:
- Malware Exchanges & Sources: Malware Exchange (major NetSec vendors), VirusTotal.com, VirusShare.com
- IDS/IPS Event Feedback Loop: Universities, ISPs and Carriers, IDS/IPS customer base
- Sandnets and pcaps
- IDS/IPS Rulesets
- Other Proprietary Information
- DNS/Domain Lists and Analytics
- IP Reputation Lists and Analytics

Slide 10. OK. What does Threat Intelligence look like?
- Lists of IPs and/or URLs: could be as simple as a text file of IP addresses or domains associated with bad actors and command & control servers.
- STIX and TAXII: come from DHS, and are designed and maintained by MITRE. They provide a common markup language and method of exchange for threat intelligence data. Many companies provide their threat intelligence in STIX.
- Proprietary Data: takes many forms, from simple automated feeds to complex databases and APIs. Companies try to differentiate themselves by providing unique insights, like geolocation, business sector, threat classification, etc.

Slide 11. Threat Intelligence and Layered Security
Diagram: two copies of the path Internet -> Firewall -> IDS/IPS -> Corporate LAN. The first annotates each layer with its mechanism (explicit rules; DPI/pattern matching; AV software and host-based IPS) and with blocked-malware figures of 0%, 10% to 40%, and 10% to 40%. The second, with threat intelligence applied, shows blocked malware at ~85%.
"Actionable" Threat Intelligence (SIEM):
- SIEM consolidates data from multiple devices
- Might include intelligence from external sources
- Used for analysis and incident response
"Active" Threat Intelligence:
- IP and/or domain reputation lists
- Pushed out to security devices regularly
- Collaboration of the InfoSec community

Slide 12. Publicly Shared Threat Intelligence: The What.
Many Network Security vendors make their living selling threat intelligence. Luckily, many of these vendors also offer at least some of their intelligence up to the community at large, for free, no strings attached. You can benefit from this.
The Why. Why give it away? Online businesses often use the "Freemium" business model to introduce their product to consumers. But more importantly, many Network Security vendors feel a sense of duty born out of the Internet's implicit sense of community. In other words, it's the right thing to do.
And now, the Who and the How.

Slide 13. Publicly Shared Threat Intelligence: The Who.
A sampling of NetSec organizations that provide free Threat Intelligence:
- senderbase.org
- http://shadowserver.org
- http://rules.emergingthreats.net
- Open Threat Exchange
- CI Army list at http://cinsscore.com
- Center for Internet Security
- http://dshield.org (SANS Internet Storm Center)

Slide 14. Publicly Shared Threat Intelligence: The How.
Here's how we do it. Diagram: Active Sentinels, together with the Internet and the NetSec community, feed the CINS System, which publishes the CINS Lists ("Active" Threat Intelligence); consumers pull the lists with csf firewalls, curl, python urllib, etc.
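The "text file of IPs" of slide 10, the reputation list "pushed out to security devices regularly" of slide 11 and the curl / python urllib consumers of slide 14 all come down to the same loop: fetch a list, parse it defensively, and act on it. The Python below is an added example, not Sentinel IPS's or the CINS project's code. The feed text, the STIX bundle and the log lines are constructed inline so it runs offline; the plain-list format (one IP or CIDR per line, '#' comments), the STIX 2.x `[ipv4-addr:value = '...']` indicator pattern as the shape of the STIX input, and the iptables chain name `TI_BLOCK` are assumptions, since the slides name none of them.

```python
"""Added example (not Sentinel IPS / CINS code): load an 'active' threat
intelligence list, match firewall events against it, emit firewall rules.
All feed, STIX and log data below is constructed for the example."""
import ipaddress
import json
import re

# Constructed plain-text reputation list.  Format assumed: one IP or CIDR per
# line, '#' comments, blank lines allowed (the "text file of IPs" of slide 10).
SAMPLE_LIST = """\
# constructed sample feed, not a real CINS / CI Army list
198.51.100.23
203.0.113.0/24      # a whole scanner netblock
192.0.2.77
not-an-ip           # malformed entry: must be skipped, not crash the load
  192.0.2.77        # duplicate with stray whitespace
"""

# Constructed STIX 2.x bundle.  Only simple ipv4-addr patterns are consumed;
# other pattern types (domain-name, ...) are ignored by this loader.
SAMPLE_STIX = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.99']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example']"},
    ],
})
_STIX_IPV4 = re.compile(r"^\[ipv4-addr:value\s*=\s*'([^']+)'\]$")


def parse_plain_list(text):
    """IPv4 networks from a one-entry-per-line list; bad lines are dropped."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # bare host -> /32
        except ValueError:
            continue  # one malformed line must not poison the whole feed
        if net.version == 4:
            nets.append(net)
    return nets


def parse_stix_ipv4(text):
    """IPv4 indicators from a STIX 2.x bundle (simple ipv4-addr patterns only)."""
    nets = []
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _STIX_IPV4.match(obj.get("pattern", "").strip())
        if not m:
            continue
        try:
            net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            continue
        if net.version == 4:
            nets.append(net)
    return nets


def build_blocklist(*sources):
    """Merge feeds: drop duplicates and fold hosts into any covering CIDR."""
    return list(ipaddress.collapse_addresses([n for src in sources for n in src]))


def is_listed(ip, blocklist):
    """True if the address falls inside any listed network (False for junk input)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in blocklist)


# Constructed netfilter-style log lines, the kind a SIEM would consolidate.
SAMPLE_LOG = [
    "Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=10.0.0.5 PROTO=TCP DPT=443",
    "Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=8.8.8.8 DST=10.0.0.5 PROTO=UDP DPT=53",
    "Jan 10 12:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.99 PROTO=TCP DPT=8080",
]
_LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+)")


def match_log(lines, blocklist):
    """Flag events whose source OR destination is listed (inbound scan, outbound C2)."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        if is_listed(src, blocklist):
            hits.append(("inbound", src, line))
        elif is_listed(dst, blocklist):
            hits.append(("outbound", dst, line))
    return hits


def iptables_rules(blocklist, chain="TI_BLOCK"):
    """Render the list as iptables commands: one chain, dropping both directions."""
    cmds = [f"iptables -N {chain}"]
    for net in blocklist:
        cmds.append(f"iptables -A {chain} -s {net} -j DROP")
        cmds.append(f"iptables -A {chain} -d {net} -j DROP")
    return cmds


if __name__ == "__main__":
    bl = build_blocklist(parse_plain_list(SAMPLE_LIST), parse_stix_ipv4(SAMPLE_STIX))
    print("blocklist:", [str(n) for n in bl])
    for direction, ip, line in match_log(SAMPLE_LOG, bl):
        print(f"{direction} hit on {ip}: {line}")
    print("\n".join(iptables_rules(bl)))
```

In real use the body of `SAMPLE_LIST` would be whatever `urllib.request.urlopen` (or curl) pulled over HTTPS, and the pull plus re-apply would be scheduled, because a reputation list is only as good as its age. Two checks are worth keeping from the example: parsing must tolerate comments, duplicates and garbage lines rather than failing the whole refresh, and the collapse step keeps the rule table from bloating when a feed lists both a netblock and hosts inside it. Before dropping anything, allowlist your own and your upstream's ranges; a feed that accidentally includes a neighbour's address will otherwise cut you off.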
Slide 15. And in conclusion...
Layered security doesn't only make sense as a network security strategy; its diversity also produces better threat intelligence. And active threat intelligence can dramatically improve a network's protection from malware and other attacks.
Conclusion? Layered Security and Active Threat Intelligence: two great tastes that taste great together.

Slide 16. Questions?
Ted Gruenloh, Director of Operations
(972) 991-5005
tedg@econet.com
http://www.networkcloaking.com/free
@tedgruenloh & @sentinelips