EMBRACING THREAT INTELLIGENCE: … AND FINDING ROI IN YOUR DECISION
STEVE MANCINI | SENIOR DIRECTOR OF SECURITY
CYLANCE PUBLIC
Introduction
New Jersey to Oregon
Scarlet Night / Boilermaker
Support Desk to Security Architect
RAPIER
Police Reserve Specialist
Capture the Flag to ICASI
Founder: Bay Area APT SIG
Cylance – but not a sales guy
Favorites:
• Tempranillo
• Barolo
• Malbec
• Lot No. 1
Agenda
Embracing Threat Intelligence
• Clarity
• Expectation
• Adoption
• Recognition
Finding ROI in your Decision
• Beginning
• Scope
• Effort
• Context
• Questions
• Skee Ball
• Value
• Sharing
ENJOY YOUR BREAKFAST; I AM NOT HERE TO SELL YOU ANYTHING
EMBRACING THREAT INTELLIGENCE
What are we talking about?
§ Threat Intelligence vs. Threat Data
§ IOAs → IOCs → TTPs
§ Colliding Nomenclatures: Numbers/ Zoos/ Elements!
§ Build vs. Buy: analysis, platforms, integration, sharing
§ People: Who can benefit from it? What skillsets?
§ Process: How do you use it? What Orgs/ Depts/ Programs?
§ Technology: What can you consume, use, create, share?
THREAT INTELLIGENCE
WHEN YOU GET PAST THE HYPE, TRADECRAFT AND TECHNOLOGY ARE MATURING RAPIDLY
GROWING COMMUNITY SUPPORT
[Chart: SANS cyber threat intelligence survey results. Values shown: 63%, 51%, 48%, 56%, 64%, 75%, 76%. Measures: CTI improves visibility into attacks; faster, more accurate detection/ response; reduction in incidents; use vendor feeds to augment CTI program; feel CTI is important to security; have dedicated resources to a CTI program; actively gather threat intelligence.]
COMPELLING RESULTS DRIVE INDUSTRY EXPECTATIONS
Source: https://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767
§ NIST CSF
§ NIST 800-53
§ NIST 800-39
§ PCI-DSS 3.0
§ Shared Assessment (SIG)
§ Shared Assessment (AUP)
§ SOC 2
§ BSIMM
§ C2M2
§ NIST 800-150
INDUSTRY STANDARDS
CTI WILL BECOME AN EXPECTED CONTROL IN MORE STANDARDS OVER TIME
“… if the company had acted faster. ...”
THREAT INTELLIGENCE HAS ALWAYS BEEN PRESENT, JUST NOT RECOGNIZED AS A STAND-ALONE DISCIPLINE
Example: NIST SP 800-39 risk management cycle (Frame, Assess, Respond, Monitor)
Frame: Establishes Context & Strategy. CTI role: Sources & Methods for Acquiring CTI.
Assess: Analysis & Determination of Risk. CTI role: CTI Delivers Relevance for Threats/ Vulns.
Respond: Evaluation/ Implement Course(s) of Action. CTI role: CTI TTPs can Focus Evaluation/ Efficacy.
Monitor: Verifying Implementation, Measuring Effectiveness. CTI role: CTI Monitors External Factors Affecting Effectiveness.
FINDING ROI IN YOUR DECISION
• Establish information-sharing goals and objectives that support business processes and security policies.
• Identify existing internal sources of cyber threat information.
• Specify the scope of information-sharing activities.
• Establish information-sharing rules.
• Join and participate in information-sharing efforts.
• Actively seek to enrich indicators by providing additional context, corrections, or suggested improvements.
• Use secure, automated workflows to publish, consume, analyze, and act upon cyber threat information.
• Proactively establish cyber threat-sharing agreements.
• Protect the security and privacy of sensitive information.
• Provide ongoing support for information-sharing activities.
STARTING YOUR OWN PROGRAM
NIST 800-150
§ Identify your TI Champion/ Owner/ Support
§ Inventory your Environment: What can you benefit from? What can you potentially share? Your SNC?
§ Conceptual Architecture: Integrate & Automate
§ Gain Management (and Legal!) Support
§ Baseline the Efficacy (Metrics) of Existing Controls.
§ Select your Sources: OSINT, Vendors, Peers
§ Onboard Sources
§ Respond/ Refine/ Resource
STARTING YOUR OWN PROGRAM (2)
MOST PROGRAMS ARE A PROCESS OF EVOLUTION; MOST OUT-OF-THE-BOX SOLUTIONS ARE TOOL-CENTRIC
§ RSA (2011)
§ Bit 9 (2013)
§ Sony (2014)
§ Dark Hotel (2014)
§ Lightspeed
§ Kaspersky
§ Target : Fazio
§ Oracle
§ O2 : Xsplit
YOU CAN BE A TARGET BECAUSE:
• YOU HAVE ACCESS
• YOU HAVE INFORMATION
• PEOPLE REUSE PASSWORDS
SCOPE: YOUR ATTACK SURFACE
ABSENT INDUSTRY STANDARDS, CHOOSING HOW TO INVEST IS DRIVEN BY BUSINESS RISK
Assess Your Efforts Over Time (chart axes: Effort vs. Return)
Heroic: Ad hoc. Most often this is only Open Source Int. Results: Context is often lost.
Managed: Information is collected & managed. Result: Initial skills in tradecraft established.
Defined: Consistent ways of working defined/ maintained. Results: Emergence of Defensive TTPs.
Measured: Process becomes a management tool. Results: Mature understanding of CTI forming.
Improved: Process is at heart of organization. Results: CTI delivers value across orgs.
[Chart: CTI Contribution to Risk / Friction Reduction. Axes: Risk vs. Cost. Control types: Prevent, Detect, Respond; operated Automated, Semi-Automated, or Manual. Goals: Minimize Vulnerability, Minimize Impact.]
Source: Managing Risk and Information Security, 2nd edition, Malcolm Harkins
[Diagram: How you Use CTI. Axes: Strategic vs. Operational; Consume / Use vs. Create Strategy.]
MATURING CTI CAN REDUCE FRICTION AND CONSEQUENCE COSTS
Context Drives Value
Strategic:
§ Training
§ WarGames
§ Strategic Decision Making
Tactical:
§ Risk Assessments
§ Threat Models
§ 3rd Party/ Supply Network Chain
Operational:
§ Detection
§ Incident Response
§ Forensics
Priority Intelligence Requirements (Strategic / Tactical / Operational)
Situational Awareness:
§ Am I affected?
§ Are my vendors affected?
Predictive Threat Assessment:
§ Am I Next?
§ Skeeball Heat Map
Controls Assessment:
§ Would I have been affected?
APPLYING CONTEXT TO OPEN SOURCE THREAT INTELLIGENCE INCREASES ITS VALUE
THREAT REPORTS & SKEEBALL
Analyzing Published Threat Reports:
50: Realized Risk
40: Supply Network Chain
30: Strategic Partners
20: Same Industry
10: Regional/ Socio-Political
0: “Minority Report”
VALIDATING YOUR INVESTMENT
[Chart: the SANS survey measures re-cast as questions for your own program, with values still to be measured (shown as ???): Faster Understanding of Attack/ Risk; Faster, More Accurate Detection/ Response?; Reduction in Incidents; More Value from Threat Feeds & Vendors?; Management Sentiment Toward CTI; CTI Program Contributes to Business Goals?; Thought Leadership in your Vertical?]
MEASURED SUCCESS VALIDATES INVESTMENT DECISION
Source: https://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767
• You are not Alone; Unless You Choose to Be
• A Policy of Isolation & Silence Works Against You
• Breaking Silence: Google & Aurora
• Disrupt, Deny, Degrade, Destroy, or Deceive
• Built on Trust, not Documentation or NDAs
• Quid Pro Quo
• Valued Partner vs. Lurking Leech
“First they came…”
Martin Niemöller
Ultimate Stage of Maturity
THE STRONGEST, MOST EFFECTIVE PROGRAMS UNDERSTAND THE ROI OF SHARING EXTERNAL TO THEIR COMPANY/ ORGANIZATION.
Summary
THREAT INTELLIGENCE HAS ALWAYS BEEN PRESENT; JUST NOT RECOGNIZED AS A STAND-ALONE DISCIPLINE
TRADECRAFT AND TECHNOLOGY ARE MATURING RAPIDLY; SO IS HYPE
CHOOSING HOW TO INVEST SHOULD BE DRIVEN BY BUSINESS RISK; BUT …
YOU CAN BE A TARGET BECAUSE YOU HAVE ACCESS & INFORMATION
COMPELLING RESULTS DRIVE INDUSTRY EXPECTATIONS FOR ADOPTION
CTI WILL BECOME AN EXPECTED CONTROL IN MORE STANDARDS OVER TIME
CONTEXT INCREASES THREAT INTELLIGENCE VALUE
THE STRONGEST, MOST EFFECTIVE PROGRAMS UNDERSTAND THE ROI OF SHARING EXTERNAL TO THEIR COMPANY/ ORGANIZATION.
QUESTIONS
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 

Embracing Threat Intelligence and Finding ROI in Your Decision

8. THREAT INTELLIGENCE HAS ALWAYS BEEN PRESENT
JUST NOT RECOGNIZED AS A STAND ALONE DISCIPLINE
Example: NIST SP 800-39 (Frame, Assess, Respond, Monitor)
Frame: Establishes Context & Strategy. CTI role: Sources & Methods for Acquiring CTI
Assess: Analysis & Determination of Risk. CTI role: Delivers Relevance for Threats/ Vulns.
Respond: Evaluation/ Implement Course(s) of Action. CTI role: TTPs can Focus Evaluation/ Efficacy
Monitor: Verifying Implementation, Measuring Effectiveness. CTI role: Monitors External Factors Affecting Effectiveness
9. FINDING ROI IN YOUR DECISION
10. STARTING YOUR OWN PROGRAM: NIST 800-150
• Establish information-sharing goals and objectives that support business processes and security policies.
• Identify existing internal sources of cyber threat information.
• Specify the scope of information-sharing activities.
• Establish information-sharing rules.
• Join and participate in information-sharing efforts.
• Actively seek to enrich indicators by providing additional context, corrections, or suggested improvements.
• Use secure, automated workflows to publish, consume, analyze, and act upon cyber threat information.
• Proactively establish cyber threat-sharing agreements.
• Protect the security and privacy of sensitive information.
• Provide ongoing support for information-sharing activities.
11. STARTING YOUR OWN PROGRAM (2)
§ Identify your TI Champion/ Owner/ Support
§ Inventory your Environment: What can you benefit from? What can you potentially share? Your SNC?
§ Conceptual Architecture: Integrate & Automate
§ Gain Management (and Legal!) Support
§ Baseline the Efficacy (Metrics) of Existing Controls.
§ Select your Sources: OSINT, Vendors, Peers
§ Onboard Sources
§ Respond/ Refine/ Resource
MOST PROGRAMS ARE A PROCESS OF EVOLUTION; MOST OUT OF THE BOX SOLUTIONS ARE TOOL CENTRIC
12. SCOPE: YOUR ATTACK SURFACE
§ RSA (2011)
§ Bit 9 (2013)
§ Sony (2014)
§ Dark Hotel (2014)
§ Lightspeed
§ Kaspersky
§ Target : Fazio
§ Oracle
§ O2 : Xsplit
YOU CAN BE A TARGET BECAUSE:
• YOU HAVE ACCESS
• YOU HAVE INFORMATION
• PEOPLE REUSE PASSWORDS
13. ABSENT INDUSTRY STANDARDS, CHOOSING HOW TO INVEST IS DRIVEN BY BUSINESS RISK
Assess Your Efforts Over Time (chart: Return vs. Effort)
§ Heroic: Ad hoc. Most often this is only Open Source Int. Results: Context is often lost
§ Managed: Information is collected & managed. Result: Initial skills in tradecraft established
§ Defined: Consistent ways of working defined/ maintained. Results: Emergence of Defensive TTPs
§ Measured: Process becomes a management tool. Results: Mature understanding of CTI forming
§ Improved: Process is at heart of organization. Results: CTI delivers value across orgs.
14. MATURING CTI CAN REDUCE FRICTION AND CONSEQUENCE COSTS
CTI Contribution to Risk / Friction Reduction (chart: Risk vs. Cost; Prevent / Detect / Respond; Manual / Semi-Automated / Automated; Minimize Vulnerability / Minimize Impact)
Source: Managing Risk and Information Security, 2nd edition, Malcolm Harkins
How you Use CTI: Strategic / Operational; Consume / Use; Create Strategy
15. Context Drives Value
Strategic: § Training § WarGames § Strategic Decision Making
Tactical: § Risk Assessments § Threat Models § 3rd Party/ Supply Network Chain
Operational: § Detection § Incident Response § Forensics
16. Priority Intelligence Requirements (Strategic / Tactical / Operational)
Situational Awareness: § Am I affected? § Are my vendors affected?
Predictive Threat Assessment: § Am I Next? § Skeeball Heat Map
Controls Assessment: § Would I have been affected?
17. THREAT REPORTS & SKEEBALL
APPLYING CONTEXT TO OPEN SOURCE THREAT INTELLIGENCE INCREASES ITS VALUE
Analyzing Published Threat Reports (score by the innermost ring the report reaches):
50: Realized Risk
40: Supply Network Chain
30: Strategic Partners
20: Same Industry
10: Regional/ Socio-Political
0: “Minority Report”
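The skee-ball rings on this slide, and the "Am I next?" heat map from the previous one, reduce to a scoring function over an organization's own context. The following is an added example (not the speaker's code or tooling) that scores constructed sample reports against a constructed organization profile using the slide's ring values; the report fields, organization profile, actor names and indicators are all assumptions made up for the example.

```python
from dataclasses import dataclass
# Ring values from the slide; a report scores the highest (innermost) ring it reaches.
RINGS = {"realized_risk": 50, "supply_chain": 40, "strategic_partner": 30,
         "same_industry": 20, "regional": 10, "minority_report": 0}
@dataclass
class OrgContext:           # constructed profile of the consuming organization
    industry: str
    regions: set
    vendors: set            # supply network chain
    partners: set           # strategic partners
    observed_iocs: set      # indicators our own controls have already seen

@dataclass
class ThreatReport:         # the fields a published report is reduced to
    title: str
    actor: str
    victim_industries: set
    victim_regions: set
    victim_orgs: set
    iocs: set

def score_report(report, org):
    """Return (score, ring) for the highest-value ring the report reaches."""
    checks = [  # ordered from the centre of the board outward
        ("realized_risk", report.iocs & org.observed_iocs),         # already in our environment
        ("supply_chain", report.victim_orgs & org.vendors),         # our supply network was hit
        ("strategic_partner", report.victim_orgs & org.partners),
        ("same_industry", org.industry in report.victim_industries),
        ("regional", report.victim_regions & org.regions),
    ]
    ring = next((name for name, hit in checks if hit), "minority_report")
    return RINGS[ring], ring

def heat_map(reports, org):
    """Per actor: (hottest score, report count), sorted hottest first ("Am I next?")."""
    heat = {}
    for r in reports:
        score, _ = score_report(r, org)
        best, n = heat.get(r.actor, (0, 0))
        heat[r.actor] = (max(best, score), n + 1)
    return sorted(heat.items(), key=lambda kv: (-kv[1][0], -kv[1][1], kv[0]))

# Constructed sample data: no real reports, actors, organizations or indicators.
ORG = OrgContext("finance", {"EU"}, {"AcmeHosting"}, {"PartnerBank"}, {"evil.example"})
REPORTS = [  # title, actor, victim industries, victim regions, named victims, IOCs
    ThreatReport("Campaign A", "ActorX", {"retail"}, {"US"}, {"BigStore"}, {"evil.example"}),
    ThreatReport("Campaign B", "ActorY", {"tech"}, {"US"}, {"AcmeHosting"}, {"c2.example"}),
    ThreatReport("Campaign C", "ActorY", {"finance"}, {"APAC"}, set(), set()),
    ThreatReport("Campaign D", "ActorZ", {"energy"}, {"US"}, set(), set()),
]
```

Campaign A lands in the 50 ring because an indicator is already in the environment, Campaign B in the 40 ring through a named vendor, and `heat_map(REPORTS, ORG)` ranks ActorX, then ActorY (two reports, hottest 40), then ActorZ at 0.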
18. VALIDATING YOUR INVESTMENT
MEASURED SUCCESS VALIDATES INVESTMENT DECISION (fill in your own numbers)
???: Faster Understanding of Attack/ Risk
???: Faster More Accurate Detection/ Response?
???: Reduction in Incidents
???: More Value from Threat Feeds & Vendors?
???: Management Sentiment Toward CTI
???: CTI Program Contributes to Business Goals?
???: Thought Leadership in your Vertical?
Source: https://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767
19. Ultimate Stage of Maturity
• You are not Alone; Unless You Chose to Be
• A Policy of Isolation & Silence Works Against You
• Breaking Silence: Google & Aurora
• Disrupt, Deny, Degrade, Destroy, or Deceive
• Built on Trust, not Documentation or NDA’s
• Quid Pro Quo
• Valued Partner vs. Lurking Leech
”First they came…” Martin Niemöller
THE STRONGEST MOST EFFECTIVE PROGRAMS UNDERSTAND THE ROI OF SHARING EXTERNAL TO THEIR COMPANY/ ORGANIZATION.
20. Summary
THREAT INTELLIGENCE HAS ALWAYS BEEN PRESENT; JUST NOT RECOGNIZED AS A STAND ALONE DISCIPLINE
TRADECRAFT AND TECHNOLOGY ARE MATURING RAPIDLY; SO IS HYPE
CHOOSING HOW TO INVEST SHOULD BE DRIVEN BY BUSINESS RISK; BUT … YOU CAN BE A TARGET BECAUSE YOU HAVE ACCESS & INFORMATION
COMPELLING RESULTS DRIVE INDUSTRY EXPECTATIONS FOR ADOPTION
CTI WILL BECOME AN EXPECTED CONTROL IN MORE STANDARDS OVER TIME
CONTEXT INCREASES THREAT INTELLIGENCE VALUE
THE STRONGEST MOST EFFECTIVE PROGRAMS UNDERSTAND THE ROI OF SHARING EXTERNAL TO THEIR COMPANY/ ORGANIZATION.