Intelligence driven defense webinar
© 2017 ThreatConnect, Inc. All Rights Reserved.
Today’s Agenda
Get answers:
• Intelligence-Driven Defense (IDD): what does it mean in real terms?
• How can teams at all levels of maturity take advantage of IDD?
• What does IDD look like operationally in ThreatConnect?
How to Define Threat Intelligence
First, what is threat intelligence?
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
“The details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence’s primary purpose is to inform business decisions regarding the risks and implications associated with threats.”
Threat Intelligence: Simplified
Now on my reading level...
“Knowledge of threats that you can use to defend yourself.”
Distilled even more:
“Actionable Knowledge of Threats”
The Threat Defense Surface Area (TDSA)
Bigger Targets need Bigger Shields
The likelihood of having things go right in your security organization.
Strength/capabilities/focus of your threat intelligence
X
People and tools to whom that TI is effectively communicated (i.e. “operations”)
=
Your Threat Defense Surface Area

The Threat Defense Surface Area (TDSA): The Geometry of IDD
[Figure: Intelligence on one axis, Operations on the other; the rectangle they span is the TDSA, A = I * O]
Low end of each axis: TI is siloed, bare bones, unclear focus, false positives, ++MTTD
High end of each axis: TI is shared, fleshed out, intel requirements, fewer FPs, --MTTD
Intelligence-Driven Defense means...
Your entire security team (and beyond) is dedicated to increasing your Threat Defense Surface Area by actively communicating and contributing in order to:
● Increase actionable knowledge of threats
● Leverage that knowledge
Determining What’s Right For You
• Needs differ based on factors like threat landscape, maturity, risk tolerance, size, and budget
• What are your threat intelligence requirements?
• Are your needs more strategic or tactical?
• How big of a target does your TDSA need to cover?
Different Teams Have Different Needs
[Figure: maturity spectrum from Less Mature to More Mature]
Less mature: Using Threat Intelligence → More mature: Doing Threat Intelligence
Use cases along the spectrum: Prevention & Detection → Assisting IR → Inform Security Policy
TC Identify
The Intel Consumer
Who’s it for?
• The “Intel Consumer”
• Smaller teams just getting started
What do they want to do with it?
• Consume Intel
• Reduce False Positives in their SIEM
• Get started on increasing their Threat Defense Surface Area
What do they need?
• Machine-Readable Threat Intelligence
• ThreatConnect Intelligence
• Minimal Setup and Support
TC Manage
The Under-Resourced Intel Rebel
Who’s it for?
• The Under-Resourced “Intel Rebel”
• Small team, needs to do more with less
What do they want to do with it?
• Same as Intel Consumer
• Plus automation and orchestration
What do they need?
• Get all teams and tools talking
• Playbooks
TC Analyze
The Intel Analyst
Who’s it for?
• The “Intel Analyst”
• Mature teams that want to create new intel
What do they want to do with it?
• Consume, analyze, create and share intel
• Strategic view of intel for advising, policy
What do they need?
• Powerful data model to support threat modelling
• Sharing and reporting
TC Complete
The Ultimate Power in Threat Intelligence
Who’s it for?
• Mature teams
• Security leaders who want to build an intelligence-driven
security organization from the ground up
What do they want to do with it?
• Build and Customize the Platform and Apps
• Create Complex Automations & Orchestration
• Inform Team, Speed Response
• Inform Decisions Across the Organization
What do they need?
• A fully extensible, intelligence-driven platform
• Full threat modelling and communication support
Putting it all together
How does ThreatConnect Help?
[Figure: Intelligence and Operations axes]
A = I * O
Intelligence * Operations = Your Threat Defense Surface Area
Playbooks - Automation & Orchestration
Problem
• Fragmented technologies and processes in cybersecurity
Solution
• Create automated playbooks
• Configure apps to talk to each other automatically
• Share Playbooks across teams
• Human-in-the-loop

Intelligence-Driven Automation & Orchestration
Augment human intuition by freeing it from mundane tasks
Collective Analytics Layer
Provide global insights on threat data to all ThreatConnect instances
[Figure: questions CAL answers about an example indicator, EvilDomain.com]
• Public whitelists?
• How many sources?
• How many of TC’s 15K other analysts have viewed it?
• Was it observed recently by others?
• Are the sources you find relevant and accurate?
• What about false positives?
The Scenario
• Security team of a Fortune 500 company is on the lookout for whaling scams
• Standard loadout: SOC, IR, CTI
• CTI has gathered intel on several possible adversaries
• SOC has several monitoring inboxes for collecting email alert data
• TC Complete
An alert!
Teeny-tiny TDSA
[Figure: Intelligence and Operations axes]
Iteration One
● SOC inbox ingests an email
● Playbook extracts the indicators and stores them in ThreatConnect
No one is notified. Nothing happens. Maybe someone will check it out later.
Analysis and Awareness in Realtime
Adding Intel and Telling Someone
[Figure: Intelligence and Operations axes]
Iteration Two
● Indicators sent to third party for enrichment
● Enrichment data matched against ThreatConnect
● SOC team notified of potential matches
Communicating Across Teams and Time
Increasing the Area
[Figure: Intelligence and Operations axes]
Iteration Three
● The CTI team’s intel identified an adversary that used whaling scams
● The CTI team recorded whaling scams in ThreatConnect as a key requirement
● This flag causes the IR team to be notified in Slack
Avoiding False Positives
Almost there...
[Figure: Intelligence and Operations axes]
Iteration Four
● Instead of blindly notifying the IR team, the Playbook checks CAL for false positives
● If there are FPs, the IR team is not notified and the SOC team’s email is updated instead
● Adversary record updated for future TI regardless of outcome
Closing the Loop
Saturation
[Figure: Intelligence and Operations axes]
Iteration Five
● IR team deep dives on key data in CAL
● Hits a button to block a malicious indicator
● CTI team gets feedback on action taken
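The five iterations above, traced end to end as an added worked example (this is illustration written for this page, not ThreatConnect's code or the webinar's). The SOC inbox mail, the reverse-WHOIS enrichment table, the adversary records, the CAL statistics and the notification channels are all constructed in-memory stand-ins, and the names run_playbook, is_false_positive and ir_block are assumptions made for the sketch. The point it shows is the routing decision: an adversary match alone only tells the SOC; the intel requirement flag is what pages IR; a CAL allowlist hit suppresses the IR page but still records the sighting on the adversary; and IR's block is fed back to CTI.

```python
"""Toy playbook for the whaling-scam scenario: ingest, enrich, match,
check the intel requirement, check CAL for false positives, route, and
feed IR's action back to CTI. All data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

OWN_DOMAIN = "victim.example"  # constructed: the defended organisation's domain

# Constructed message forwarded by a SOC monitoring inbox (a whaling attempt).
SAMPLE_EMAIL = """From: "CEO Office" <ceo-office@corp-executive-pay.example>
To: cfo@victim.example
Subject: Urgent wire transfer before close of business

Approve the invoice at https://invoice-portal.corp-executive-pay.example/pay
"""

# Constructed message whose only indicator is a widely used mailer domain.
BENIGN_EMAIL = """From: "Newsletter" <news@widely-used-mailer.example>
To: cfo@victim.example
Subject: Weekly digest

Read more at https://widely-used-mailer.example/digest/42
"""

# Constructed reverse-WHOIS enrichment: hostname -> registrant contact.
ENRICHMENT = {
    "corp-executive-pay.example": "contact@whaling-crew.example",
    "invoice-portal.corp-executive-pay.example": "contact@whaling-crew.example",
}

# Constructed adversary record carrying the CTI team's intel requirement tag.
# The mailer domain is an over-broad indicator collected earlier, the kind of
# entry a CAL false-positive check exists to catch.
ADVERSARIES = {
    "Whaling Crew": {
        "requirements": {"whaling"},
        "indicators": {"corp-executive-pay.example", "widely-used-mailer.example"},
        "registrants": {"contact@whaling-crew.example"},
        "sightings": [],
    },
}

# Constructed CAL-style statistics per indicator.
CAL = {
    "corp-executive-pay.example": {"public_allowlist": False},
    "widely-used-mailer.example": {"public_allowlist": True},
}

CTI_FEEDBACK: list[dict] = []  # courses of action reported back to CTI

_URL_RE = re.compile(r"https?://[^\s<>\"']+")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class PlaybookResult:
    indicators: set[str]
    adversaries: set[str] = field(default_factory=set)
    false_positives: set[str] = field(default_factory=set)
    notified: list[tuple[str, str]] = field(default_factory=list)  # (channel, message)
    soc_email_note: str | None = None


def extract_indicators(email_text: str) -> set[str]:
    """Iteration One: hostnames from URLs plus sender/recipient domains."""
    hosts = {urlparse(u).hostname for u in _URL_RE.findall(email_text)}
    hosts |= {addr.split("@", 1)[1] for addr in _EMAIL_RE.findall(email_text)}
    return {h.lower() for h in hosts if h and not h.lower().endswith(OWN_DOMAIN)}


def match_adversaries(enriched: dict[str, str | None]) -> dict[str, set[str]]:
    """Iteration Two: adversary name -> indicators tying back to it, directly
    or through the enrichment registrant."""
    hits: dict[str, set[str]] = {}
    for indicator, registrant in enriched.items():
        for name, rec in ADVERSARIES.items():
            if indicator in rec["indicators"] or registrant in rec["registrants"]:
                hits.setdefault(name, set()).add(indicator)
    return hits


def is_false_positive(indicator: str) -> bool:
    """Iteration Four: CAL reports the indicator on a public allowlist."""
    return CAL.get(indicator, {}).get("public_allowlist", False)


def run_playbook(email_text: str, requirement: str = "whaling") -> PlaybookResult:
    result = PlaybookResult(indicators=extract_indicators(email_text))
    enriched = {i: ENRICHMENT.get(i) for i in result.indicators}
    hits = match_adversaries(enriched)
    result.adversaries = set(hits)
    if hits:  # Iteration Two: SOC hears about any potential match
        result.notified.append(("soc", f"potential match: {sorted(hits)}"))
    result.false_positives = {i for i in result.indicators if is_false_positive(i)}
    for name, matched in hits.items():
        rec = ADVERSARIES[name]
        rec["sightings"].append(sorted(matched))  # updated regardless of outcome
        if requirement not in rec["requirements"]:
            continue  # Iteration Three: only a flagged requirement pages IR
        credible = matched - result.false_positives
        if credible:
            result.notified.append(("slack-ir", f"{name}: {sorted(credible)}"))
        else:  # Iteration Four: suppress the page, annotate the SOC mail instead
            result.soc_email_note = f"{name} match suppressed; CAL flags {sorted(matched)}"
    return result


def ir_block(indicator: str, adversary: str) -> dict:
    """Iteration Five: IR blocks an indicator and CTI learns what was done."""
    feedback = {"adversary": adversary, "indicator": indicator, "course_of_action": "block"}
    CTI_FEEDBACK.append(feedback)
    return feedback


if __name__ == "__main__":
    for mail in (SAMPLE_EMAIL, BENIGN_EMAIL):
        print(run_playbook(mail))
    print(ir_block("corp-executive-pay.example", "Whaling Crew"))
```

Running it shows the two routes side by side: the whaling mail reaches IR over the Slack channel, while the newsletter mail, which matches the same adversary record through a stale indicator, stops at a SOC note once CAL reports the domain on a public allowlist. Both runs append a sighting to the adversary record, which is the "updated regardless of outcome" step of Iteration Four.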
Intelligence-Driven Defense
How does ThreatConnect Help?
[Figure: Intelligence and Operations axes]
Intelligence
● Enriched data using reverse WHOIS
● Referenced intel on existing adversary
● Use of intel requirements
● Used CAL to mitigate false positives
Operations
● Notified all teams of Whaling Scam requirement
● Slacked IR team on alert
● CoA reported back to CTI
● Used CAL to mitigate false positives