Mitigate Threats Faster with an Intelligence-Driven Defense
Dan Cole
Director of Product Management
© 2017 ThreatConnect, Inc. All Rights Reserved.
Today’s Agenda
Get answers:
• Intelligence-Driven Defense (IDD): what does it mean in real terms?
• How can teams at all levels of maturity take advantage of IDD?
• What does IDD look like operationally in ThreatConnect?
Intelligence-Driven Defense (IDD)
What does it mean?
How to Define Threat Intelligence
First, what is threat intelligence?
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
“The details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence’s primary purpose is to inform business decisions regarding the risks and implications associated with threats.”
Threat Intelligence: Simplified
Now on my reading level...
“Knowledge of threats that you can use to defend yourself.”
Distilled even more:
“Actionable Knowledge of Threats”
The Threat Defense Surface Area (TDSA)
Bigger Targets need Bigger Shields
The TDSA is the likelihood of having things go right in your security organization.
Strength/capabilities/focus of your threat intelligence
X
People and tools to whom that TI is effectively communicated (i.e. “operations”)
=
Your Threat Defense Surface Area
The Threat Defense Surface Area (TDSA)
The Geometry of IDD
(Diagram: Intelligence on one axis, Operations on the other; A = I * O)
Small TDSA: TI is siloed · Bare bones · Unclear focus · False positives · ++MTTD
Large TDSA: TI is shared · Fleshed out · Intel Requirements · Fewer FPs · --MTTD
Intelligence-Driven Defense means...
Your entire security team (and beyond) is dedicated to increasing your Threat Defense Surface Area by actively communicating and contributing in order to:
● Increase actionable knowledge of threats
● Leverage that knowledge
Intelligence-Driven Defense for All
How can teams at all levels of maturity take advantage of IDD?
Determining What’s Right For You
• Needs differ based on factors like threat landscape, maturity, risk tolerance, size, and budget
• What are your threat intelligence requirements?
• Are your needs more strategic or tactical?
• How big of a target does your TDSA need to cover?
Different Teams Have Different Needs
(Diagram: a maturity spectrum from Less Mature to More Mature, moving from Using Threat Intelligence to Doing Threat Intelligence, and from Prevention & Detection, to Assisting IR, to Inform Security Policy)
TC Identify: The Intel Consumer
Who’s it for?
• The “Intel Consumer”
• Smaller teams just getting started
What do they want to do with it?
• Consume Intel
• Reduce False Positives in their SIEM
• Get started on increasing their Threat Defense Surface Area
What do they need?
• Machine-Readable Threat Intelligence
• ThreatConnect Intelligence
• Minimal Setup and Support
TC Manage: The Under-Resourced Intel Rebel
Who’s it for?
• The Under-Resourced “Intel Rebel”
• Small team, needs to do more with less
What do they want to do with it?
• Same as Intel Consumer
• Plus automation and orchestration
What do they need?
• Get all teams and tools talking
• Playbooks
TC Analyze: The Intel Analyst
Who’s it for?
• The “Intel Analyst”
• Mature teams that want to create new intel
What do they want to do with it?
• Consume, analyze, create and share intel
• Strategic view of intel for advising, policy
What do they need?
• Powerful data model to support threat modelling
• Sharing and reporting
TC Complete: The Ultimate Power in Threat Intelligence
Who’s it for?
• Mature teams
• Security leaders who want to build an intelligence-driven security organization from the ground up
What do they want to do with it?
• Build and Customize the Platform and Apps
• Create Complex Automations & Orchestration
• Inform Team, Speed Response
• Inform Decisions Across the Organization
What do they need?
• A fully extensible, intelligence-driven platform
• Full threat modelling and communication support
Putting it all together
How does ThreatConnect Help?
(Diagram: Intelligence on one axis, Operations on the other; A = I * O)
Intelligence * Operations = Your Threat Defense Surface Area
Intelligence-Driven Defense in ThreatConnect
What does IDD look like operationally in ThreatConnect?
Playbooks - Automation & Orchestration
Problem
• Fragmented technologies and processes in cybersecurity
Solution
• Create automated playbooks
• Configure apps to talk to each other automatically
• Share Playbooks across teams
• Human-in-the-loop
Intelligence-Driven Automation & Orchestration
Augment human intuition by freeing it from mundane tasks
Collective Analytics Layer
Provide global insights on threat data to all ThreatConnect instances
(Diagram: the questions CAL answers about an indicator such as EvilDomain.com)
• Public whitelists?
• How many sources?
• How many of TC’s 15K other analysts have viewed it?
• Was it observed recently by others?
• Are the sources you find relevant and accurate?
• What about false positives?
The Scenario
• Security team of a Fortune 500 company is on the lookout for whaling scams
• Standard loadout: SOC, IR, CTI
• CTI has gathered intel on several possible adversaries
• SOC has several monitoring inboxes for collecting email alert data
• TC Complete
An alert!
Teeny-tiny TDSA
Iteration One
● SOC inbox ingests an email
● Playbook extracts the indicators and stores them in ThreatConnect
No one is notified. Nothing happens. Maybe someone will check it out later.
Analysis and Awareness in Realtime
Adding Intel and Telling Someone
Iteration Two
● Indicators sent to third party for enrichment
● Enrichment data matched against ThreatConnect
● SOC team notified of potential matches
Communicating Across Teams and Time
Increasing the Area
Iteration Three
● The CTI team’s intel identified an adversary that used whaling scams
● The CTI team recorded whaling scams in ThreatConnect as a key requirement
● This flag causes the IR team to be notified in Slack
Avoiding False Positives
Almost there...
Iteration Four
● Instead of blindly notifying the IR team, the Playbook checks CAL for false positives
● If there are FPs, the IR team is not notified and the SOC team’s email is updated instead
● Adversary record updated for future TI regardless of outcome
Closing the Loop
Saturation
Iteration Five
● IR team deep dives on key data in CAL
● Hits a button to block a malicious indicator
● CTI team gets feedback on action taken
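The five iterations above condensed into one playbook decision flow, as an added illustration rather than ThreatConnect's own code: the sample email, the adversary record, the reverse-WHOIS lookup and the CAL answers are all constructed stand-ins, and every field name and the "whitelisted or zero sources means false positive" rule are assumptions of this example.

```python
import re

# Constructed sample alert from a SOC monitoring inbox (not real data).
ALERT_EMAIL = """From: ceo-office@evildomain.com
Subject: Urgent wire transfer
Please approve the invoice at http://evildomain.com/invoice before 5pm.
Sent via mail.example.org"""

# Constructed stand-ins for the ThreatConnect adversary store, a reverse-WHOIS
# enrichment source and CAL. Field names and shapes are assumptions, not the API.
ADVERSARIES = {
    "Whale Hunters": {"indicators": {"evildomain.com", "mail.example.org"},
                      "registrants": {"reg@whale-hunters.example"},
                      "requirements": {"whaling"}, "notes": []},
}
REVERSE_WHOIS = {"evildomain.com": "reg@whale-hunters.example"}
CAL = {  # per indicator: listed on a public whitelist? how many sources report it?
    "evildomain.com": {"whitelisted": False, "sources": 7},
    "mail.example.org": {"whitelisted": True, "sources": 0},
}

def extract_indicators(email: str) -> set:
    """Iteration one: pull host indicators out of the raw email text."""
    return set(re.findall(r"(?:https?://|@)?([a-z0-9.-]+\.[a-z]{2,})", email.lower()))

def enrich(indicator: str):
    """Iteration two: third-party enrichment (constructed reverse-WHOIS registrant)."""
    return REVERSE_WHOIS.get(indicator)

def is_false_positive(indicator: str) -> bool:
    """Iteration four: CAL says whitelisted or zero sources -> treat as FP (assumed rule)."""
    rec = CAL.get(indicator, {"whitelisted": False, "sources": 0})
    return rec["whitelisted"] or rec["sources"] == 0

def run_playbook(email: str) -> dict:
    """Iterations two to five as one flow; returns the actions the playbook took."""
    actions = {"slack_ir": [], "soc_email_update": [], "cti_feedback": []}
    for ioc in sorted(extract_indicators(email)):
        registrant = enrich(ioc)
        for name, adv in ADVERSARIES.items():
            if ioc not in adv["indicators"] and registrant not in adv["registrants"]:
                continue
            adv["notes"].append(f"seen {ioc}")        # record updated regardless of outcome
            if is_false_positive(ioc):
                actions["soc_email_update"].append(f"{ioc}: likely FP per CAL")  # IR not paged
            elif "whaling" in adv["requirements"]:   # CTI's intel requirement flag
                actions["slack_ir"].append(f"{name} hit on {ioc}")
                actions["cti_feedback"].append(f"IR notified about {name} via {ioc}")
    return actions
```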
Intelligence-Driven Defense
How does ThreatConnect Help?
Intelligence
● Enriched data using reverse WHOIS
● Referenced intel on existing adversary
● Use of intel requirements
● Used CAL to mitigate false positives
Operations
● Notified all teams of Whaling Scam requirement
● Slacked IR team on alert
● CoA reported back to CTI
● Used CAL to mitigate false positives
Questions?
Thank You
THREATCONNECT.COM