Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

Although the majority of organizations subscribe to threat intelligence feeds to enhance their security decision making, it's difficult to take full advantage of true insights due to the overwhelming amounts of information available. Even with an integrated security operations portfolio to identify and respond to threats, many companies don't take full advantage of the benefits of external context that threat intelligence brings to identify true indicators of compromise. By taking advantage of both machine- and human-generated indicators within a collaborative threat intelligence platform, security analysts can streamline investigations and speed the time to action.

Join this webinar to hear from the IBM Security Chief Technology Officer for Threat Intelligence to learn:

How the IBM Security Operations and Response architecture can help you identify and respond to threats faster
Why threat intelligence is a fundamental component of security investigations
How to seamlessly integrate threat intelligence into existing security solutions for immediate action

Published in: Technology

1. Orchestrating Your Security Defenses with Threat Intelligence
   August 15, 2017
   Sam Dillingham, Senior Offering Manager, IBM X-Force
   Pamela Cobb, Portfolio Manager, IBM X-Force

2. Today’s agenda (IBM Security)
   Intro to Threat Intelligence
   Threat Intelligence use cases
   Taking action with integrations
   Get started today!

3. It takes too long to make information actionable. Analysts can’t separate the signal from the noise. Data is gathered from untrusted sources.
   65% of enterprise firms use external threat intelligence to enhance their security decision making (Source: ESG Global). Security teams often lack critical support to make the most of these resources.

4. More companies are sharing and consuming threat intelligence
   1. Timely and early warning of relevant threats to stay a step ahead
   2. Increased visibility to emerging threats as more organizations benefit from other organizations’ detections
   3. Validation and prioritization of threats based on context of suspicious activity
   4. Faster and more orchestrated response through enrichment of incidents with IoCs
   5. More awareness of targets and tactics to help plan, build and evolve your security strategy
   Source: How to Collect, Refine, Utilize and Create Threat Intelligence, Gartner, Oct 2016
   IBM and Business Partner Use Only

5. IBM X-Force Exchange is a threat intelligence sharing platform designed to help security teams research, collaborate and integrate. xforce.ibmcloud.com

6. Collections streamline security investigations with research from curated content
   • Validate findings
   • Aid in forensic investigations
   • Provide tactical / strategic intelligence
   Groups allow public or private collaboration to validate threats and develop response plans
   • Address investigations
   • Enable research workflow
   • Interact with X-Force research community
   Integrations strengthen security solutions and provide additional threat intelligence
   • X-Force Exchange SDK / API / STIX / TAXII
   • Threat Feed Manager
   • Free / commercial usage

7. Today’s agenda
   Intro to Threat Intelligence
   Threat Intelligence use cases
   Taking action with integrations
   Get started today!

8. Use cases for threat intelligence
   Real-time blocking
   Security operations
   Threat research & hunting

9. Use Case 1: Real-time blocking
   Usage
   • Blocking access to known malicious actors
   • Can include IPs, domains, URLs, etc.
   • Implemented by firewalls, IPSes, proxies, and other security devices
   Critical Factors
   • Speed in making blocking decisions
   • Scoring flexibility to set a threshold of what to block
   • Frequent incremental updates to minimize performance impact
   Delivery Route
   • Software development kits (SDKs)
   • Block lists
10. In IBM X-Force Exchange, classification and scoring for URLs and IP addresses combines results of multiple analyses.

11. Web applications are scored on several risk factors

12. Use Case 2: Security Operations
   Usage
   • Maps threat intelligence to data observed in your environment
   • Includes intelligence that can be mapped to network and host-based indicators
   • Integration with operational tools, such as SIEM and incident response
   Critical Factors
   • Support for open standards for easy integration into existing solutions
   • Pivotability among indicators to aid in rapid investigation
   • Completeness of data
   Delivery Route
   • STIX/TAXII feeds
   • Cybox

13. The use of open standards maximizes interoperability with existing systems
   JSON RESTful API
   • API queries based on query/response model for threat intelligence
   • Leverages basic authentication
   • Load balanced to support traffic loads
   • Node SDK module available
   STIX / TAXII Standards Support
   • TAXII services provided to access threat intelligence
   • Supports STIX/Cybox objects

14. Use Threat Intelligence through open STIX/TAXII format. Use reference sets for correlation, searching, reporting
   • Load threat indicators in Collections into QRadar Reference sets
   • Create custom rule response to post IOCs to Collection
   • Bring Watchlists of IP addresses from X-Force Exchange and create a rule to raise the magnitude of any offense that includes the IP Watchlist

15. Use Case 3: Threat Research and Hunting
   Usage
   • Research of potential threats that may or may not yet be affecting your organization
   • Can be done via a web-based UI or API
   Critical Factors
   • Scriptable access of data in an easy-to-use manner
   • Aggregation of multiple intelligence sources (from different vendors) into a single stream
   • Flexible search
   Delivery Route
   • REST-based API
   • Research platforms with web interfaces
16. X-Force global threat intelligence delivers a wide range of benefits
   Higher Order Intelligence: Actors, Campaigns, Incidents, TTPs
   Observables and Indicators: Vulnerabilities, Malware, Anti-Spam, Web App Control, IP Reputation, URL / Web Filtering

17. Correlation of indicators and higher-order intelligence is critical
   Indicator Feeds:
   • 173.242.117.120 is a malware C&C server
   • djs14.com is a malware C&C server
   • CVE-2013-3029 is an Excel vulnerability
   • abc@xyz.com sends SPAM
   • Organization Y is a threat actor
   vs. Correlated Threat Intelligence:
   • 173.242.117.120 is a malware C&C server … which is associated with the PoSeidon malware family, targeted against retailers, used by attackers in country X, Y and Z to steal credit card information from PoS systems
   • Communicates with C&C servers: 173.242.117.120, 203.19.201.20; C&C domains: djs14.com, jdjnci.net; Twitter feed @malwarecommander
   • Infects via drive-by download exploiting CVE-2015-2093, malicious Excel file exploiting CVE-2013-3029, email attachment from abc@xyz.com
   • Host indicators: Registry keys A, B, C; Processes D, E, F; Event log entries G, H; Memory fingerprint J, K

18. Correlation provides pivotability to accelerate threat investigation
   Pivot steps: Network traffic to C&C IP observed; Malware associated with C&C server; Other C&C IPs for the malware; Host IoCs for the malware; Actor/campaign details; Infection method details
   Questions answered: What does this communication mean? What is the attacker after? How did they get in? Where else are they? How do I verify infections?
   Actions: Send indicators to EDR tool; Correlate CVEs to SIEM vuln scans; Correlate IPs to flow data in SIEM; Understand motivations, report to exec mgt; Initiate patching; Investigate exfiltration; Quarantine infected endpoints
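An added example (not code from the deck or from X-Force Exchange) of the correlation on slide 17 and the pivot on slide 18, plus the slide 14 watchlist rule: one observed C&C hit is expanded into the other infrastructure to search for in SIEM flow data, the CVEs to check against vulnerability scans, and the host IoCs to hand to an EDR tool. The intelligence record, log lines, scan results and the +5 magnitude step are constructed assumptions; the indicator values are the ones printed on slide 17.

```python
# Added example, not code from the IBM deck or X-Force Exchange: it models the
# correlation on slide 17 and the pivot on slide 18. The intelligence record,
# log lines and scan results are constructed sample data.
import re

# One correlated record in the shape slide 17 describes: a C&C IP linked to a
# malware family, its other C&C infrastructure, exploited CVEs and host IoCs.
THREAT_INTEL = [
    {
        "family": "PoSeidon",
        "cc_ips": {"173.242.117.120", "203.19.201.20"},
        "cc_domains": {"djs14.com", "jdjnci.net"},
        "cves": {"CVE-2015-2093", "CVE-2013-3029"},
        "host_iocs": {"registry": ["A", "B", "C"], "processes": ["D", "E", "F"]},
    },
]

# Constructed SIEM flow and proxy log lines. Without the pivot only the first
# line (the indicator that fired) would be noticed.
LOGS = """\
src=10.1.2.3 dst=173.242.117.120 dport=443 bytes=1200
src=10.1.2.9 dst=203.19.201.20 dport=443 bytes=8800
src=10.1.2.3 dst=93.184.216.34 dport=80 bytes=300
src=10.1.5.7 dst=jdjnci.net dport=443 bytes=650
"""
# Constructed vulnerability scan output: host -> unpatched CVEs
# (CVE-0000-0000 is a placeholder for an unrelated finding).
VULN_SCAN = {"10.1.2.3": {"CVE-2013-3029"}, "10.1.2.9": {"CVE-0000-0000"}}
LOG_RE = re.compile(r"src=(\S+) dst=(\S+)")

def pivot(observable):
    """Step 1: from one observable to every family it is associated with."""
    return [r for r in THREAT_INTEL
            if observable in r["cc_ips"] | r["cc_domains"]]

def offense_magnitude(base, dst, watchlist):
    """Slide 14 rule: raise the offense magnitude (capped at 10) when the
    destination is in the watchlist loaded as a reference set. The +5 step
    is an assumption; the real rule action is configured in QRadar."""
    return min(10, base + 5) if dst in watchlist else base

def investigate(observed_ip, logs=LOGS, scan=VULN_SCAN):
    """Steps 2-4: answer 'where else are they', 'how did they get in' and
    'how do I verify infections' and hand each answer to the right tool."""
    records = pivot(observed_ip)
    if not records:
        return None                      # no intelligence: plain flow event
    rec = records[0]
    infra = rec["cc_ips"] | rec["cc_domains"]
    talking = {src for src, dst in LOG_RE.findall(logs) if dst in infra}
    patch = {host for host, cves in scan.items() if cves & rec["cves"]}
    return {
        "family": rec["family"],
        "quarantine": sorted(talking),   # correlate IPs to flow data in SIEM
        "patch": sorted(patch),          # correlate CVEs to SIEM vuln scans
        "edr_iocs": rec["host_iocs"],    # send indicators to EDR tool
        "magnitude": offense_magnitude(3, observed_ip, rec["cc_ips"]),
    }
```

The single hit on 173.242.117.120 yields two more internal hosts talking to the family's other infrastructure and one host exposed to the CVE the family exploits.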
19. X-Force Exchange Collections streamline security investigations
   Higher Order Intelligence: the free text area of the Collection is used to organize Identifiers, Campaigns, TTPs, TLP status, and other pertinent details.
   Observables & Indicators: related reports on URL / IP reputation, malware, vulnerabilities, and related attachments
20. Agenda
   Intro to Threat Intelligence
   Threat Intelligence use cases
   Taking action with integrations
   Get started today!

21. The scale of IBM Security brings unique breadth and depth to X-Force threat intelligence (as of May 2017)
   • 20,000+ devices under contract
   • 20B events managed per day
   • 133 monitored countries
   • 3,700+ security-related patents
   • 270M endpoints monitored for malware
   • 38B analyzed web pages and images
   • 8M spam and phishing attacks daily
   • 850K malicious IP addresses
   • 113K documented vulnerabilities
   • Millions of unique malware samples

22. X-Force Threat Intelligence can be integrated into security solutions via multiple methods (SDK)
   IBM CONFIDENTIAL - LIMIT DISTRIBUTION UNTIL MAY 16
   Architecture diagram labels: Data & intelligence sources; Analytics Engine; Platform Layer with Threat Intelligence Content (pDNS, Whois information, Collections, Higher Order Intelligence, Vulnerabilities, Malware Sandbox, Malware Families, IP Reputation, URL Reputation, Web Applications); Delivery Layer (Open API, Commercial API, API Portal, OEM SDK); Threat integration and Threat consumers (IBM Security Products such as XFMA and XGS, Platform Users)

23. There is a comprehensive range of Threat Intelligence available via API (Indicators/Content: Details)
   • Vulnerabilities: Risk score (CVSS), Exploit characteristics, Exploit consequences, Remedy information, Affected Products, Protection information (e.g. references for IPS, Vulnerability Assessment content), and External references
   • Malware: Disposition, Hash value, First observed, Malware family, Vendors covering (%), Download sources, Command and Control Servers, Email sources, and Email subjects
   • Malware Families: First/Last Observance, and Associated hash values (MD5)
   • IP Reputation: Risk score (1-10), Geolocation, Applications associated, Malware associated, Categorization – current and historical with confidence value (1-100%), Passive DNS information, Subnet reputation
   • URL Reputation: Risk score (1-10), Applications associated, Categorization – current and historical, DNS information
   • Web Applications: Risk score, Categorization, Base URL, Vulnerabilities, Hosting URLs, and Hosting IPs
   • pDNS: Passive DNS information
   • Whois information: Registrant information – name, organization, country, and e-mail
   • IBM Network Protection: Monthly XPU Content, as well as each signature, date of its release, and the vulnerability for which it provides coverage
   • Collections: Curated content on specific security investigations, including both structured and unstructured content
   • Higher Order Intelligence: Cybox objects such as campaign, threat actor, tools, tactics, procedures, course of action, and indicator information, as part of the collections
24. IBM Security App Exchange: Driving the evolution of collaborative defense
   • Access user and business partner innovations
   • Extend IBM Security solution functionality to new use cases
   • Download validated security apps from a single platform
   A platform for security collaboration: https://apps.xforce.ibmcloud.com

25. React faster, coordinate better, respond smarter to incidents
   Single Hub Provides Easy Workflow Customization and Process Automation
   • Helps cyber security teams orchestrate IR process and manage and respond to incidents faster, better and more intelligently
   • Drives down response times by streamlining the process of escalating and managing incidents
   • Ensures consistency and adherence to regulatory requirements and legal obligations
   • Automates time-consuming tasks
   • Leverages staff more effectively

26. IBM X-Force Malware Analysis
   • Submit suspicious files directly into IBM X-Force Exchange
   • Automate suspicious file investigation
   • Act on in-depth intelligence reports
   • Access anywhere, anytime with a scalable cloud architecture

27. A diversified financial services company greatly improved their threat research capabilities and collaboration workflows
   “I didn’t realize I was on X-Force Exchange that much. The collaboration capabilities and threat intelligence are highly valuable to me and a great help to my challenges and activities throughout each day.” -Network Security Analyst II
   Business challenge
   • Need for curated threat research to complement their SIEM
   • Lack of internal collaboration in the threat investigation process
   IBM X-Force Exchange with IBM QRadar: Helped better defend the organization’s network from attacks, scans and phishing attempts on a daily basis, using IP / URL reputation data, geo-location status of IPs, vulnerability data, md5 detail and shared collections from X-Force Exchange in conjunction with IBM QRadar.
   Research, collaborate and integrate

28. Agenda
   Intro to Threat Intelligence
   Threat Intelligence use cases
   Taking action with integrations
   Get started today!

29. Helpful Resources
   X-Force Exchange
   • Try it: xforce.ibmcloud.com
   • API: https://api.xforce.ibmcloud.com/doc/
   General X-Force information:
   • X-Force blogs on SecurityIntelligence.com
   • IBM X-Force Threat Intelligence Report for 2017
   • IBM Interactive Security Incidents website to stay up to date on latest verified breaches
   Contact Us!
   • Sam Dillingham, sam.dillingham@us.ibm.com, Sr Offering Manager
   • Pamela Cobb, pcobb@us.ibm.com, Portfolio Manager

30. ibm.com/security | securityintelligence.com | xforce.ibmcloud.com | @ibmsecurity | youtube/user/ibmsecuritysolutions
   © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
   Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
   FOLLOW US ON: THANK YOU