A new class of intelligence-led security is powering the future of cyber-defense, driven by deeper and broader visibility into the attacker ecosystem. This session will look at how intelligence is influencing the development of security products/services and how defenses will benefit from the integration of data from across IT/security operations with insights on the evolving threat landscape.
(Source: RSA Conference USA 2017)
Intelligence-Led Security: Powering the Future of Cyber Defense
1. #RSAC
Intelligence-Led Security: Powering the Future of Cyber Defense
Session ID: SPO3-R03
Marshall Heilman
VP, Executive Director for IR and Red Team Operations
Mandiant
2. Whoami
Exec Dir Incident Response and Red Team Operations
Mandiant investigator
Grief counselor ;)
10+ years at Mandiant/FireEye
Former military red team operator
U.S. Marine
4. [Lack of] compromise detection
47% internal discovery of breach
53% external notification of breach
5. Why attackers are winning
146 days: median days from compromise to discovery
320 days: external notification
56 days: internal discovery
3 days: average number of days for a competent red team to gain domain administrator credentials
Let's dispel a popular myth: networks are complicated, thus an attacker couldn't possibly understand your environment quickly.
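The dwell-time figures above (median days from compromise to discovery, split by whether the breach was found internally or reported from outside) are metrics a SOC can track for its own cases. The following is an added example, not code from the talk or from Mandiant; the incident records are constructed, and the `Incident` dataclass and `dwell_summary` helper are this example's own names.

```python
"""Dwell-time metrics over a constructed set of incident records.

Reproduces the kind of numbers the slides quote: median days from first
compromise to discovery, overall and per discovery source (internal vs
external notification), plus the share of breaches found each way.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Incident:
    case_id: str
    first_compromise: date  # earliest evidence of attacker activity
    discovered: date        # when the organisation learned of the breach
    source: str             # "internal" (own detection) or "external" (notified)

    @property
    def dwell_days(self) -> int:
        """Days the attacker went undetected."""
        return (self.discovered - self.first_compromise).days


def is_consistent(incident: Incident) -> bool:
    """A record whose discovery precedes its first compromise is a data-entry
    error and would silently drag the median down; flag it instead."""
    return incident.dwell_days >= 0 and incident.source in ("internal", "external")


# Constructed sample data, chosen only to illustrate the calculation.
SAMPLE_INCIDENTS = [
    Incident("IR-01", date(2016, 1, 4), date(2016, 3, 1), "internal"),    # 57 days
    Incident("IR-02", date(2015, 6, 1), date(2016, 4, 16), "external"),   # 320 days
    Incident("IR-03", date(2016, 2, 10), date(2016, 3, 23), "internal"),  # 42 days
    Incident("IR-04", date(2015, 3, 2), date(2016, 1, 17), "external"),   # 321 days
    Incident("IR-05", date(2016, 5, 1), date(2016, 7, 1), "internal"),    # 61 days
    Incident("IR-06", date(2015, 9, 15), date(2016, 6, 1), "external"),   # 260 days
]


def dwell_summary(incidents):
    """Return overall median dwell, median dwell per discovery source, and the
    fraction of incidents discovered by each source."""
    if not incidents:
        raise ValueError("no incidents supplied")
    bad = [i.case_id for i in incidents if not is_consistent(i)]
    if bad:
        raise ValueError(f"inconsistent records: {bad}")

    by_source: dict[str, list[int]] = {}
    for inc in incidents:
        by_source.setdefault(inc.source, []).append(inc.dwell_days)

    total = len(incidents)
    return {
        "median_days": median(i.dwell_days for i in incidents),
        "median_by_source": {s: median(d) for s, d in by_source.items()},
        "share_by_source": {s: round(len(d) / total, 2) for s, d in by_source.items()},
    }


if __name__ == "__main__":
    summary = dwell_summary(SAMPLE_INCIDENTS)
    print(f"median dwell: {summary['median_days']} days")
    for src, days in summary["median_by_source"].items():
        share = summary["share_by_source"][src]
        print(f"  {src:<9} median {days:>5} days  ({share:.0%} of breaches)")
```

The per-source split is the useful part: a large gap between the internal and external medians, as in the slide's 56 versus 320 days, says the organisation's own detection works when it fires, and that the cases it misses entirely are the ones with the long tails.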
6. State of the art security
100% of breach victims had anti-virus
100% of breach victims had a firewall
12. Operationalizing security is complex
• Security vendor management
• Detection efficacy
• Increasing complexity of threats
• Increasing consequences
• Rapid evolution of IT
• Inconsistent international policy
• Cost ($)
• Too many alerts
• Talent shortage
13. The SOC Reality
Security Operations Center: people, process, technology
• Multiple roles
• Lack of Business understanding
• Threat and risk focus
• Sourcing and retention
• Operational chaos
• Lack of automation
• Crisis management
• Communications
• Expanding attack surface
• Reliance on SIEM
• Lack of actionable intelligence
• Too many tools
20. Applying intelligence to your security program
Define the value of your critical assets
Evaluate the actionable intelligence in your security program
Evaluate your ability to prevent, detect, and respond to a threat actor