Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Operationalizing Security Intelligence [ InfoSec World 2014 ]

1,078 views

Published on

Security intelligence is only worthwhile if a relevant piece of information is obtained and analyzed in a timely manner and able to aide a rapid decision-making process to mitigate an imminent threat – this capability is part of the new school security approach of Detect, Respond, Resolve with greater efficiency and speed which all enterprises should be benefiting from.

Published in: Technology, Business
  • Be the first to comment

Operationalizing Security Intelligence [ InfoSec World 2014 ]

  1. 1. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. OperationalizingSecurity Intelligence Rafal M. Los Principal, Strategic Security Services HP Enterprise Security Services #InfoSecWorld-2014
  2. 2. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Tosetyourexpectations: Thisisasuper-ultracondensed introductiontoaverycomplex topic.
  3. 3. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. whatis“securityintelligence”?
  4. 4. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. “collective set ofactivities, and artifacts to make intelligence- drivendecisions”
  5. 5. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. detect,respond,resolvemore effectivelyintheattacklifecycle
  6. 6. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. didsomeonesay“killchain”?
  7. 7. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. reconnaissance weaponization delivery exploitationinstallation command & control (c2) actions on objectives TheLockheedMartin“KillChain”
  8. 8. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. youradversariesareorganized
  9. 9. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. youradversariesareadaptable
  10. 10. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. yourdefensesarestatic
  11. 11. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. yourdefensesarepredictable
  12. 12. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. PREVENTIONISAMYTH
  13. 13. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. timeforabetter gameplan
  14. 14. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. oldgoal:don’tgetbreached
  15. 15. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. newgoal:disrupttheattack bonuspointsfordisruptingtheattacker
  16. 16. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. reality: yourdefenseswillbebreached
  17. 17. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  18. 18. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. sonowwhat?
  19. 19. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. thistalkisaframeworkforyou
  20. 20. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. ..changeislongoverdue.
  21. 21. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. thepuzzlepieces
  22. 22. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. thetoolbox
  23. 23. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. thedata
  24. 24. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. theoperationalprocesses
  25. 25. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. theactions
  26. 26. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. let’sbreakthatdown…
  27. 27. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. thetoolbox
  28. 28. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. datastore aggregation andanalyticsengine
  29. 29. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. data data intelligence data
  30. 30. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. scalable flexible extensible fast affordable
  31. 31. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. -variousscanningtools -work-streamsystem -collaborationtools
  32. 32. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Thingstolookfor: • normalized input/output data format(s) • inter-operability • extensibility • scriptable automation • scalability • maintainability • feature richness • ease-of-use
  33. 33. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. pickatool-setthatmatchesyour companyprofile
  34. 34. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. thedata
  35. 35. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. internal: knowyourenterpriseattacksurface
  36. 36. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. startwiththefundamentals
  37. 37. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. mapthenetwork identifyexistingtechnologies identifybusinesscriticalassets
  38. 38. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. createrepresentativedatamodels continuouslyupdatethesemodels
  39. 39. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. “currentstate”[snapshot]
  40. 40. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. whatarewevulnerabletorightnow? whatarewedoingaboutit?
  41. 41. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. THISisyourstartingpoint.
  42. 42. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. nowaddcontext
  43. 43. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Attribute Data asset_type <asset_type> asset_criticality <criticality_level> OS <os_name> OS-patch-level <major_minor> purpose <text> owner <owner_name> owner-BU <business_unit> owner-contact-email <email> owner-contact-phone <phone> installed-software . change-info . vulnerability-info . … … software version software_name <version> software_name <version> software_name <version> … … change_info data last-change <date> last-change-made <text> last-change-tech <name> … … vuln_info data vulnerability <severity> … … 10.1.2.100
  44. 44. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. thereisnosuchthing*as “toomuchinformation” * almost…
  45. 45. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. “livedata”[continuousfeeds]
  46. 46. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. detectchanges toenvironment inassets
  47. 47. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. determinenewthreats
  48. 48. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  49. 49. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. whatchanged? whatisthepotentialimpact?
  50. 50. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. continuousdetectionofchange • new (previously unseen) node on network • unauthorized configuration change • unauthorized change to application, or system • new/modified user, or access rights • new vulnerability or missing patch
  51. 51. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. requirement: TVMprogram (threat&vulnerabilitymanagement)
  52. 52. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. requirement: configurationmanagementDB (manage,authorizeconfigchanges)
  53. 53. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. requirement: collectivelogging (logkeyitems,onkeyassets)
  54. 54. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  55. 55. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. logaggregateanalyzeidentify refine
  56. 56. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Keyloggingquestionstoanswer: • what should you be logging? • what assets should you log from? • what should you look for? • how do you define ‘timely’? • how much should I be storing for analysis?
  57. 57. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. external: besituationallyaware
  58. 58. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. forexample– • sentiment against your brand/organization • threat climate of your business vertical • attacks against similar organizations, vertical • specific threats against your staff/resources • geopolitical issues pertaining to your enterprise • 3rd party reported vulnerabilities • 3rd party reported exploits • weaknesses in your external technologies • reported abused enterprise assets
  59. 59. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. refining‘data’purposefully IP address context external info analysis
  60. 60. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. definingandoperationalizing processes
  61. 61. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. gatheringinformation
  62. 62. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. failyourinformationquickly
  63. 63. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  64. 64. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. it’sinteresting… butisituseful?
  65. 65. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. notallinformationisuseful
  66. 66. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. toolstoparedowninformation • simple scripts • data analysis applications • relational mapping tools • ‘big data’ platforms • structured & unstructured data analyses
  67. 67. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. findinginformationiseasy
  68. 68. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. throwingawayjunkishard
  69. 69. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. refiningcollectedinformation
  70. 70. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. convertinformationtoknowledge
  71. 71. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  72. 72. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. extremelydifficult
  73. 73. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. manualprocess,foranalysts
  74. 74. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. aidedbyautomation
  75. 75. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 2 3 4 5 6
  76. 76. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. deliveringintelligence
  77. 77. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. informationnecessary tomakeadecision
  78. 78. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. must.be.repeatable.
  79. 79. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. must.be.actionable.
  80. 80. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. AnalysisisNOTenough.
  81. 81. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. needtoanswer:“Sowhat?”
  82. 82. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. providethoroughanalysis backedbyactualfacts,data
  83. 83. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. inatimelyfashion
  84. 84. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. inauseful,consumableformat
  85. 85. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. takingaction
  86. 86. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. rulesofengagement (whatareyouallowedtodo?)
  87. 87. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. take‘purposeful’action
  88. 88. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. whichprocessisactivated? incidentresponse securityoperations
  89. 89. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. takingaction
  90. 90. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. detect
  91. 91. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. beproactive out-maneuverthethreat
  92. 92. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. bereactive counteractivethreat
  93. 93. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. respond
  94. 94. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. mitigatethevulnerability
  95. 95. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. minimizetheimpactofattack
  96. 96. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. shutdownanactiveattack
  97. 97. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. activelyshiftdefenses
  98. 98. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. identifytheattacker
  99. 99. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. resolve
  100. 100. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. restoreservices
  101. 101. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Closed Loop Incident Process
  102. 102. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. adjustsecurityoperations
  103. 103. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. shareIOCs
  104. 104. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. quickrecap
  105. 105. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. “SecurityIntelligence”is.. the capability to detect, respond, and resolveyour security incidents though an information-driven approach.
  106. 106. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Youcandothis. Youneedtodothis.
  107. 107. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Knowmore. Defendsmarter.

×