1. Copyright © 2019 JASK
Collective Intelligence:
Crowdsourcing CTI Challenges and Opportunities
Rob Fry, CTO @JASK
September 17th 2019
LA Cyber Lab - Security Summit
2. Agenda
• CTI Background
• Value of Crowdsourcing CTI?
• Challenges/Opportunities to Make it Real
• Customer Interest Level
3. About Me
VP of Eng
Software Engineer
Co-Founder
Advisor
Mentor
Pain-in-the-Ass
Inventor
Internet Streaming
Security Engineer
Docker Containers
Orchestration
Public Cloud
Board Member
CASB
Microservices
Venture
Cloud SIEM
Public Speaker
Open Source
CTO
4. Disclaimer!
• The facts expressed here belong to everybody, the opinions to me. The distinction is yours to draw.
• Any similarity to actual companies or technology, living or dead, is purely coincidental.
• Every statement in this presentation is probably true when stated, but truth changes over time.
• Any disclaimer issued by me is subject to change without notice or reason or anything else.
• Disclaimer does not cover misuse, accident, lightning, flood, tornado, tsunami, volcanic eruption, earthquake, hurricanes, or other acts of God, neglect, damage from improper use, incorrect line voltage, unauthorized use, unauthorized repair, improper installation, typos, broken antenna or marred cabinet, missing or altered serial numbers, electromagnetic radiation from nuclear blasts, sonic boom vibrations, customer adjustments that are not covered in this list, and incidents owing to an airplane crash, ship sinking or taking on water, motor vehicle crashing, dropping the item, falling rocks, leaky roof, broken glass, disk failure, accidental file deletions, mud slides, forest fire, hitting of a deer, milk coming out of your nose due to laughing while drinking, or projectiles, which can include, but are not limited to, arrows, bullet shots, BBs, shrapnel, lasers, napalm, torpedoes, emissions of X-rays, Alpha, Beta and Gamma rays, knives, stones, etc.
7. Crowdsourced Cyber Threat Intelligence
Is it a New Idea?
9. Crowdsourced Cyber Threat Intelligence
What is this about?
10. Crowdsourced Cyber Threat Intelligence
• Contribution vs. Consumption
• Context vs. Indicators
• Quality vs. Quantity
• One to Many, Many to One
15. CTI Background - History
Evolution of Threat Intel
It was probably here.
16. CTI Background - History
Artifacts of Love & Disdain
17. CTI Background - History
Evolution of Threat Intel
Email, IM, Msg Boards
18. CTI Background - History
Evolution of Threat Intel
Email, IM, Msg Boards
Sidenote: For Many of Us, This is Still Standard Operating
20. CTI Background - History
Evolution of Threat Intel
Anubis
22. CTI Background - History
Evolution of Threat Intel
Is Bad? → Yes / No (Binary Return)
23. CTI Background - History
Evolution of Threat Intel
Product / Market / Cost
Product/Market Fit
24. CTI Background - History
Evolution of Threat Intel
Startups! & Open Source
27. CTI Background - History
Evolution of Threat Intel
DATA!
29. CTI Background - History
Evolution of Threat Intel
Threat Score, User Score, Machine Score, Total Score
Incident Response
30. CTI Background - History
Evolution of Threat Intel
Threat Score, User Score, Machine Score, Total Score
Incident Response
Asset Score
31. CTI Background - History
Evolution of Threat Intel
CTI | Detectors | Historical | Alerted | User Posture | Machine Posture | Asset Value
32. CTI Background - History
Evolution of Threat Intel
CTI | Detectors | Historical | Alerted | User Posture | Machine Posture | Asset Value
Context For CTI
33. CTI Background - History
Evolution of Threat Intel
Silos: CTI | Detectors | Historical | Alerted | User Posture | Machine Posture | Asset Value
34. CTI Background - History
Evolution of Threat Intel
Silos and their Triggers:
Silo 1: CTI - Severity, Correlation, Risk, Behavior
Silo 2: Detectors - Total Detectors Alerted
Silo 3: Historical - Previous Detected IP, Hash, URL, Domain?
Silo 4: Alerted - Machine or User Alerted Before?
Silo 5: User Posture - Title, Group, Function, Etc.
Silo 6: Machine Posture - Gather AV, Patch, Location, Function Information.
Silo 7: Asset Value - Storing or Access to Sensitive Data
35. CTI Background - History
Evolution of Threat Intel
Weights: each of the seven Silos carries a Silo Weight and a Scoring Weight.
38. CTI Background - History
Evolution of Threat Intel
Threat Score: a row of four Threat Score cells beneath the Silos (the four Silos used are given by the formula on slide 42).
39. CTI Background - History
Evolution of Threat Intel
Machine Score: a row of four Machine Score cells beneath the Silos.
40. CTI Background - History
Evolution of Threat Intel
User Score: a row of four User Score cells beneath the Silos.
41. CTI Background - History
Evolution of Threat Intel
Injection of Context
42. CTI Background - History
Evolution of Threat Intel
Threat Score = (Silo 1 * Silo Weight %) + (Silo 2 * Silo Weight %) + (Silo 3 * Silo Weight %) + (Silo 4 * Silo Weight %)
User Score = (Silo 3 * Silo Weight %) + (Silo 4 * Silo Weight %) + (Silo 5 * Silo Weight %) + (Silo 7 * Silo Weight %)
Machine Score = (Silo 3 * Silo Weight %) + (Silo 4 * Silo Weight %) + (Silo 6 * Silo Weight %) + (Silo 7 * Silo Weight %)
Total Score
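The weighted scoring model of slides 34 to 42 carried through in code, as an added example that is not part of the deck or of JASK's product: the seven Silos in slide order, the silo subsets each formula names, and a weight check that rejects a table whose Silo Weight percentages do not sum to 100. The weight table, the sample entity values and the Total Score rule (a plain average, since the slides give no formula for it) are assumptions.

```python
"""Weighted silo scoring as laid out on the 'Evolution of Threat Intel' slides.

Added example, not JASK's code. Silo numbering follows the slide columns:
1 CTI, 2 Detectors, 3 Historical, 4 Alerted, 5 User Posture,
6 Machine Posture, 7 Asset Value. The weight table, the sample silo values and
the Total Score rule (average of the three scores) are assumptions.
"""

SILOS = {
    1: "CTI",              # Severity, Correlation, Risk, Behavior
    2: "Detectors",        # Total Detectors Alerted
    3: "Historical",       # Previous Detected IP, Hash, URL, Domain?
    4: "Alerted",          # Machine or User Alerted Before?
    5: "User Posture",     # Title, Group, Function, Etc.
    6: "Machine Posture",  # AV, Patch, Location, Function Information
    7: "Asset Value",      # Storing or Access to Sensitive Data
}

# Which silos feed each score, exactly as the slide formulas list them.
SCORE_SILOS = {
    "threat":  (1, 2, 3, 4),
    "user":    (3, 4, 5, 7),
    "machine": (3, 4, 6, 7),
}

# Assumed Silo Weight % per score; each row must sum to 100.
WEIGHTS = {
    "threat":  {1: 40, 2: 20, 3: 20, 4: 20},
    "user":    {3: 20, 4: 20, 5: 30, 7: 30},
    "machine": {3: 20, 4: 20, 6: 30, 7: 30},
}


def validate_weights(selected, weights):
    """Return a list of problems with a weight row; an empty list means usable.

    A row that covers the wrong silos or does not sum to 100% would silently
    push a score off the 0..100 scale, so it is rejected up front.
    """
    problems = []
    if set(weights) != set(selected):
        problems.append(f"weights cover silos {sorted(weights)}, formula needs {list(selected)}")
    total = sum(weights.values())
    if abs(total - 100) > 1e-9:
        problems.append(f"silo weights sum to {total}%, not 100%")
    return problems


def weighted_score(silo_values, selected, weights):
    """(Silo i * Silo Weight %) summed over the selected silos.

    silo_values maps silo number -> trigger score on a 0..100 scale.
    """
    problems = validate_weights(selected, weights)
    if problems:
        raise ValueError("; ".join(problems))
    for i in selected:
        if not 0 <= silo_values[i] <= 100:
            raise ValueError(f"silo {i} ({SILOS[i]}) value {silo_values[i]} outside 0..100")
    return sum(silo_values[i] * weights[i] / 100 for i in selected)


def score_entity(silo_values, weights=WEIGHTS):
    """Compute Threat, User and Machine scores (plus an assumed Total) for one entity."""
    scores = {
        name: weighted_score(silo_values, SCORE_SILOS[name], weights[name])
        for name in SCORE_SILOS
    }
    # Assumption: the slide gives no Total Score formula; a plain average keeps
    # the total on the same 0..100 scale as its parts.
    scores["total"] = sum(scores.values()) / len(SCORE_SILOS)
    return scores


# Constructed sample: a high-severity CTI hit on a host that has alerted before,
# used by a senior finance user, partly unpatched, with access to sensitive data.
SAMPLE_ENTITY = {1: 90, 2: 60, 3: 80, 4: 100, 5: 70, 6: 50, 7: 100}

if __name__ == "__main__":
    for name, value in score_entity(SAMPLE_ENTITY).items():
        print(f"{name:8s} {value:6.1f}")
```

Because the weight rows are per score, the same silo (Historical, say) can count for 20% of the Threat Score and a different share of the Machine Score; `validate_weights` is what keeps a copy-and-paste error in one row from going unnoticed.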
43. CTI Background - History
Evolution of Threat Intel
Probably got to here.
44. CTI Background - History
Evolution of Threat Intel
Some days it felt here. Security is hard.
46. Value of Crowdsourced CTI
Crowdsourced Data → One-way → You
Vendor or Community Aggregated
Good Start But Little Context
47. Value of Crowdsourced CTI
You → One-way Upload → Crowdsourced Data
49. Value of Crowdsourced CTI
Company “A” ↔ Exchange Channel ↔ Company “B”
Community
53. Value : Challenge
• How Much Data?
• How Many Customers?
• What Business Verticals?
56. Challenges/Opportunities to Make it Real
What Would it Take?
58. Challenge & Opportunity - Customer
What is Your Team’s Posture?
59. Challenge & Opportunity - Customer
Efficacy, Measure, History, Curation
60. Challenge & Opportunity - Customer
Context
CTI Pipeline
61. Challenge - Product
What Specific Customer Problem Are You Solving?
62. Challenge - Product
What Specific Customer Problem Are You Solving?
People, Data, Expertise
63. Challenge - Product
Curation: Update, Look Back, History, Tombstone
65. Challenge - Product
The “Cloud” Challenge
• Automatic Aggregate
• New Methodologies
• Easier Potential for Sharing
• Private Channels
• Ownership Dilemma
66. Challenge - Product
The “Data” Challenge
• Data Protection
• Anonymization
• Secure Point-to-Point
• Business Risk
• Authorization/Legal (Opt-in)
• T&Cs With Product Vendor
67. Challenge & Opportunity - Product
The Waze Analogy
Courtesy of Google
69. Challenge & Opportunity - Product
Crowdsourced Herd Methodology
70. Challenge & Opportunity - Product
User Validated Indicators
71. Challenge & Opportunity - Product
Business Vertical Relevance
72. Challenge & Opportunity - Product
Crowdsourced Herd Methodology
?
73. Challenge & Opportunity - Product
Crowdsourced Herd Methodology
?
True Positive / True Negative / False Positive / False Negative
74. Challenge & Opportunity - Product
User Validated Indicators
76. Challenge & Opportunity - Product
Individual User → Validating → Individual User
Verdict?
Community
77. Challenge & Opportunity - Product
Layers: Individual, Company, Business Vertical, Community
• Measure for Efficacy
• Understand Layers
• Changes in Data
• Integrity of the Data
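How the herd methodology's True/False Positive/Negative outcomes (slide 73) can be rolled up per layer (slide 77: Individual, Company, Business Vertical, Community) to measure efficacy, together with a digest-based check that notices changes in the shared data; an added example, not code from the deck or from JASK. The verdict records, their field names and the sample indicators (RFC 5737 addresses and example.com names) are constructed for the example.

```python
"""Efficacy of user-validated indicators at each layer on the slide
(Individual, Company, Business Vertical, Community), plus an integrity check
that notices when a shared record changes after it was scored.

Added example, not JASK's code. The verdict records, the field names and the
sample IPs/domains are constructed (RFC 5737 ranges, example.com names).
"""
import hashlib
import json
from collections import defaultdict

# Constructed records: 'verdict' is what the validating user said about the
# indicator, 'truth' is what the incident later showed. Community = all records.
VERDICTS = [
    {"indicator": "203.0.113.10",    "user": "u1", "company": "acme",    "vertical": "finance", "verdict": True,  "truth": True},
    {"indicator": "203.0.113.11",    "user": "u1", "company": "acme",    "vertical": "finance", "verdict": True,  "truth": False},
    {"indicator": "bad.example.com", "user": "u2", "company": "acme",    "vertical": "finance", "verdict": False, "truth": False},
    {"indicator": "198.51.100.7",    "user": "u3", "company": "globex",  "vertical": "finance", "verdict": True,  "truth": True},
    {"indicator": "198.51.100.8",    "user": "u3", "company": "globex",  "vertical": "finance", "verdict": False, "truth": True},
    {"indicator": "c2.example.net",  "user": "u4", "company": "initech", "vertical": "health",  "verdict": True,  "truth": True},
    {"indicator": "192.0.2.44",      "user": "u4", "company": "initech", "vertical": "health",  "verdict": False, "truth": False},
    {"indicator": "192.0.2.45",      "user": "u5", "company": "initech", "vertical": "health",  "verdict": True,  "truth": False},
]

# Slide layers mapped to the record field that identifies the group.
LAYERS = {"individual": "user", "company": "company", "vertical": "vertical"}


def confusion(records):
    """Count TP/TN/FP/FN for a set of validated indicators."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for r in records:
        if r["verdict"] and r["truth"]:
            counts["TP"] += 1
        elif not r["verdict"] and not r["truth"]:
            counts["TN"] += 1
        elif r["verdict"]:
            counts["FP"] += 1   # user said bad, it was not
        else:
            counts["FN"] += 1   # user said benign, it was bad
    return counts


def efficacy(counts):
    """Precision, recall and accuracy; None where the denominator is zero
    (a user who has only ever confirmed negatives has no precision yet)."""
    def ratio(num, den):
        return num / den if den else None
    tp, tn, fp, fn = counts["TP"], counts["TN"], counts["FP"], counts["FN"]
    return {
        "precision": ratio(tp, tp + fp),
        "recall": ratio(tp, tp + fn),
        "accuracy": ratio(tp + tn, tp + tn + fp + fn),
        **counts,
    }


def efficacy_by_layer(records, layer):
    """Efficacy per group at one layer ('individual', 'company', 'vertical'),
    or a single entry for the whole 'community'."""
    if layer == "community":
        return {"community": efficacy(confusion(records))}
    key = LAYERS[layer]
    groups = defaultdict(list)
    for r in records:
        groups[r[key]].append(r)
    return {name: efficacy(confusion(rs)) for name, rs in sorted(groups.items())}


def record_digest(record):
    """Stable digest of one shared record; canonical JSON so key order or
    whitespace differences do not count as a change in the data."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def changed_records(records, digests):
    """Indicators whose record no longer matches the digest taken when it was
    scored: the 'Changes in Data' / 'Integrity of the Data' check."""
    return [r["indicator"] for r in records
            if digests.get(r["indicator"]) != record_digest(r)]


if __name__ == "__main__":
    for layer in ("individual", "company", "vertical", "community"):
        print(layer, efficacy_by_layer(VERDICTS, layer))
```

Reading the layers top-down is the point: a community precision of 0.6 hides a vertical where every confirmed indicator was real and one where half were not, and at the individual layer some validators have too few verdicts to rate at all. The digest is taken when a verdict is scored and re-checked before the record is reused, so a silently edited verdict surfaces instead of corrupting the next roll-up.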
78. Customer Interest Level
• 10:1 - Velocity
• Which Products Are Most Suited to Support?
• What Product(s) or Organizations Have Been Successful?
• What Have We Learned From Previous Shortcomings?
• “Brass Tacks” - What Would Customers Rather Have?
79. Wrap-up
• How Do We Make it Easier?
• Ownership on Both Sides
• New Technologies Provide Opportunity?
• Importance of Measuring Efficacy
• Data, et al.
80. Questions?
Thank You!
rob@jask.com
@_robfry on Twitter