Mitigate Threats Faster with an Intelligence-Driven Defense
Dan Cole
Director of Product Management
© 2017 ThreatConnect, Inc. All Rights Reserved.
Today’s Agenda
Get answers:
• Intelligence-Driven Defense (IDD): what does it mean in real terms?
• How can teams at all levels of maturity take advantage of IDD?
• What does IDD look like operationally in ThreatConnect?
Intelligence-Driven Defense (IDD)
What does it mean?
How to Define Threat Intelligence
First, what is threat intelligence?
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
“The details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence’s primary purpose is to inform business decisions regarding the risks and implications associated with threats.”
Threat Intelligence: Simplified
Now at my reading level...
“Knowledge of threats that you can use to defend yourself.”
Distilled even more:
“Actionable Knowledge of Threats”
The Threat Defense Surface Area (TDSA)
Bigger Targets need Bigger Shields
The likelihood of having things go right in your security organization.
Strength/capabilities/focus of your threat intelligence
× People and tools to whom that TI is effectively communicated (i.e. “operations”)
= Your Threat Defense Surface Area
The Threat Defense Surface Area (TDSA)
The Geometry of IDD
Area = Intelligence × Operations, i.e. A = I * O
Small area (weak intelligence, weak operations):
• TI is siloed
• Bare bones
• Unclear focus
• False positives
• ++MTTD
Large area (strong intelligence, strong operations):
• TI is shared
• Fleshed out
• Intel Requirements
• Fewer FPs
• --MTTD
Intelligence-Driven Defense means...
Your entire security team (and beyond) is dedicated to increasing your Threat Defense Surface Area by actively communicating and contributing in order to:
● Increase actionable knowledge of threats
● Leverage that knowledge
Intelligence-Driven Defense for All
How can teams at all levels of maturity take advantage of IDD?
Determining What’s Right For You
• Needs differ based on factors like threat landscape, maturity, risk tolerance, size, and budget
• What are your threat intelligence requirements?
• Are your needs more strategic or tactical?
• How big of a target does your TDSA need to cover?
Different Teams Have Different Needs
[Figure: a maturity axis from Less Mature to More Mature. Less mature teams are Using Threat Intelligence; more mature teams are Doing Threat Intelligence. Use cases progress along the axis from Prevention & Detection, to Assisting IR, to Inform Security Policy.]
TC Identify: The Intel Consumer
Who’s it for?
• The “Intel Consumer”
• Smaller teams just getting started
What do they want to do with it?
• Consume Intel
• Reduce False Positives in their SIEM
• Get started on increasing their Threat Defense Surface Area
What do they need?
• Machine-Readable Threat Intelligence
• ThreatConnect Intelligence
• Minimal Setup and Support
TC Manage: The Under-Resourced Intel Rebel
Who’s it for?
• The Under-Resourced “Intel Rebel”
• Small team, needs to do more with less
What do they want to do with it?
• Same as Intel Consumer
• Plus automation and orchestration
What do they need?
• Get all teams and tools talking
• Playbooks
TC Analyze: The Intel Analyst
Who’s it for?
• The “Intel Analyst”
• Mature teams that want to create new intel
What do they want to do with it?
• Consume, analyze, create and share intel
• Strategic view of intel for advising, policy
What do they need?
• Powerful data model to support threat modelling
• Sharing and reporting
TC Complete: The Ultimate Power in Threat Intelligence
Who’s it for?
• Mature teams
• Security leaders who want to build an intelligence-driven
security organization from the ground up
What do they want to do with it?
• Build and Customize the Platform and Apps
• Create Complex Automations & Orchestration
• Inform Team, Speed Response
• Inform Decisions Across the Organization
What do they need?
• A fully extensible, intelligence-driven platform
• Full threat modelling and communication support
Putting it all together
How does ThreatConnect Help?
A = I * O
Intelligence * Operations = Your Threat Defense Surface Area
Intelligence-Driven Defense in ThreatConnect
What does IDD look like operationally in
ThreatConnect?
Playbooks: Automation & Orchestration
Problem
• Fragmented technologies and processes in cybersecurity
Solution
• Create automated playbooks
• Configure apps to talk to each other automatically
• Share Playbooks across teams
• Human-in-the-loop
Intelligence-Driven Automation & Orchestration: augment human intuition by freeing it from mundane tasks
Collective Analytics Layer (CAL)
Provide global insights on threat data to all ThreatConnect instances. For an indicator such as EvilDomain.com, CAL answers questions like:
• Is it on public whitelists?
• How many sources report it?
• How many of TC’s 15K other analysts have viewed it?
• Was it observed recently by others?
• Are the sources you find relevant and accurate?
• What about false positives?
The Scenario
• Security team of a Fortune 500 company is on the lookout for whaling scams
• Standard loadout: SOC, IR, CTI
• CTI has gathered intel on several possible adversaries
• SOC has several monitoring inboxes for collecting email alert data
• TC Complete
An alert! Teeny-tiny TDSA
Iteration One
● SOC inbox ingests an email
● Playbook extracts the indicators and stores them in ThreatConnect
No one is notified. Nothing happens. Maybe someone will check it out later.
Analysis and Awareness in Realtime: Adding Intel and Telling Someone
Iteration Two
● Indicators sent to third party for enrichment
● Enrichment data matched against ThreatConnect
● SOC team notified of potential matches
Communicating Across Teams and Time: Increasing the Area
Iteration Three
● The CTI team’s intel identified an adversary that used whaling scams
● The CTI team recorded whaling scams in ThreatConnect as a key requirement
● This flag causes the IR team to be notified in Slack
Avoiding False Positives: Almost there...
Iteration Four
● Instead of blindly notifying the IR team, the Playbook checks CAL for false positives
● If there are FPs, the IR team is not notified and the SOC team’s email is updated instead
● Adversary record updated for future TI regardless of outcome
Closing the Loop: Saturation
Iteration Five
● IR team deep dives on key data in CAL
● Hits a button to block a malicious indicator
● CTI team gets feedback on action taken
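As an added example (not ThreatConnect's Playbooks code or API), the five iterations above, together with the CAL questions from the Collective Analytics Layer slide, condensed into one runnable Python playbook over a constructed whaling email. The adversary records, reverse WHOIS results, CAL context, domain names and the 90-day staleness threshold are all constructed assumptions.

```python
import re
from datetime import date, timedelta

# --- Constructed sample data (not real indicators or ThreatConnect records) ---
# Whaling email as forwarded to a SOC monitoring inbox.
ALERT_EMAIL = """From: ceo-office@corp-payments-portal.test
To: cfo@example-corp.test
Subject: Urgent wire transfer
Please approve the invoice at http://evil-domain.test/invoice.html today.
"""
OWN_DOMAINS = {"example-corp.test"}          # our own mail domain, never an indicator
TODAY = date(2017, 10, 1)                    # fixed "now" so the run is reproducible

# Adversary records the CTI team already holds, with indicators and TTP tags.
ADVERSARIES = {
    "Constructed Actor A": {"indicators": {"evil-domain.test"}, "ttps": {"whaling"}},
    "Constructed Actor B": {"indicators": {"wire-approval.test"}, "ttps": {"whaling"}},
}
INTEL_REQUIREMENTS = {"whaling"}             # TTPs flagged as key requirements by CTI
# Third-party reverse WHOIS: registrant pivot from one domain to its siblings.
REVERSE_WHOIS = {"evil-domain.test": {"wire-approval.test"}}
# CAL-style global context: public whitelist status, source count, last observation.
CAL_CONTEXT = {
    "evil-domain.test": {"whitelisted": False, "sources": 4, "last_seen": date(2017, 9, 20)},
    "wire-approval.test": {"whitelisted": False, "sources": 1, "last_seen": date(2017, 6, 1)},
}
DOMAIN_RE = re.compile(r"(?:https?://|@)([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def extract_indicators(email_text):
    """Iteration one: pull domain indicators from URLs and addresses, minus our own."""
    found = {m.group(1).lower() for m in DOMAIN_RE.finditer(email_text)}
    return found - OWN_DOMAINS


def enrich(indicators):
    """Iteration two: widen the indicator set with reverse WHOIS siblings."""
    related = set()
    for ind in indicators:
        related |= REVERSE_WHOIS.get(ind, set())
    return indicators | related


def match_adversaries(indicators):
    """Return {adversary: matched indicators} for every record that overlaps."""
    return {name: rec["indicators"] & indicators
            for name, rec in ADVERSARIES.items() if rec["indicators"] & indicators}


def is_false_positive(indicator, today=TODAY):
    """Iteration four: CAL-style check. Whitelisted, single-source, stale or
    unknown indicators are treated as unconfirmed rather than paging IR."""
    ctx = CAL_CONTEXT.get(indicator)
    if ctx is None:
        return True
    stale = today - ctx["last_seen"] > timedelta(days=90)
    return ctx["whitelisted"] or ctx["sources"] < 2 or stale


def run_playbook(email_text, today=TODAY):
    """Run iterations one to five over one email and return an action log."""
    log = {"notifications": [], "adversary_updates": [], "blocked": [], "cti_feedback": []}
    indicators = enrich(extract_indicators(email_text))
    log["indicators"] = sorted(indicators)           # stored in the platform
    matches = match_adversaries(indicators)
    if matches:                                      # iteration two: tell the SOC
        log["notifications"].append(("soc", "potential matches: " + ", ".join(sorted(matches))))
    for name, hits in matches.items():
        log["adversary_updates"].append(name)        # updated regardless of outcome
        if not ADVERSARIES[name]["ttps"] & INTEL_REQUIREMENTS:
            continue                                 # iteration three: only key requirements page IR
        confirmed = sorted(i for i in hits if not is_false_positive(i, today))
        if confirmed:
            log["notifications"].append(("ir-slack", f"{name}: {', '.join(confirmed)}"))
            log["blocked"].extend(confirmed)         # iteration five: IR blocks the indicator
            log["cti_feedback"].append((name, "blocked", confirmed))
        else:
            log["notifications"].append(("soc-email-update", f"{name}: CAL flags false positive"))
    return log
```

Actor A's indicator is well corroborated and reaches IR in Slack, while Actor B's single-source sibling domain found by enrichment is held back as a likely false positive and only the SOC record is updated.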
Intelligence-Driven Defense
How does ThreatConnect Help?
Intelligence
● Enriched data using reverse WHOIS
● Referenced intel on existing adversary
● Use of intel requirements
● Used CAL to mitigate false positives
Operations
● Notified all teams of Whaling Scam requirement
● Slacked IR team on alert
● CoA reported back to CTI
● Used CAL to mitigate false positives
Questions?
Thank You
THREATCONNECT.COM