The document discusses the concept of security intelligence and frameworks for improving decision-making in cybersecurity. It highlights the importance of proactive defense strategies against organized and adaptable adversaries, and emphasizes the need for continuous monitoring and effective management of vulnerabilities and threats. It provides a structured approach to operationalizing security intelligence, focusing on data aggregation, threat detection, and timely response actions.

1. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
OperationalizingSecurity
Intelligence
Rafal M. Los
Principal, Strategic Security Services
HP Enterprise Security Services
#InfoSecWorld-2014

2. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Tosetyourexpectations:
Thisisasuper-ultracondensed
introductiontoaverycomplex
topic.

3. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
whatis“securityintelligence”?

4. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
“collective set ofactivities, and
artifacts to make intelligence-
drivendecisions”

5. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
detect,respond,resolvemore
effectivelyintheattacklifecycle

6. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
didsomeonesay“killchain”?

7. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
reconnaissance
weaponization
delivery
exploitationinstallation
command &
control (c2)
actions on
objectives
TheLockheedMartin“KillChain”

8. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
youradversariesareorganized

9. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
youradversariesareadaptable

10. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
yourdefensesarestatic

11. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
yourdefensesarepredictable

12. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
PREVENTIONISAMYTH

13. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
timeforabetter gameplan

14. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
oldgoal:don’tgetbreached

15. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
newgoal:disrupttheattack
bonuspointsfordisruptingtheattacker

16. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
reality:
yourdefenseswillbebreached

17. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

18. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
sonowwhat?

19. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
thistalkisaframeworkforyou

20. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
..changeislongoverdue.

21. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
thepuzzlepieces

22. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
thetoolbox

23. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
thedata

24. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
theoperationalprocesses

25. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
theactions

26. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
let’sbreakthatdown…

27. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
thetoolbox

28. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
datastore
aggregation
andanalyticsengine

29. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
data
data intelligence
data

30. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
scalable
flexible
extensible
fast
affordable

31. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
-variousscanningtools
-work-streamsystem
-collaborationtools

32. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Thingstolookfor:
• normalized input/output data format(s)
• inter-operability
• extensibility
• scriptable automation
• scalability
• maintainability
• feature richness
• ease-of-use

33. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
pickatool-setthatmatchesyour
companyprofile

34. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
thedata

35. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
internal:
knowyourenterpriseattacksurface

36. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
startwiththefundamentals

37. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
mapthenetwork
identifyexistingtechnologies
identifybusinesscriticalassets

38. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
createrepresentativedatamodels
continuouslyupdatethesemodels

39. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
“currentstate”[snapshot]

40. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
whatarewevulnerabletorightnow?
whatarewedoingaboutit?

41. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
THISisyourstartingpoint.

42. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
nowaddcontext

43. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Attribute Data
asset_type <asset_type>
asset_criticality <criticality_level>
OS <os_name>
OS-patch-level <major_minor>
purpose <text>
owner <owner_name>
owner-BU <business_unit>
owner-contact-email <email>
owner-contact-phone <phone>
installed-software .
change-info .
vulnerability-info .
… …
software version
software_name <version>
software_name <version>
software_name <version>
… …
change_info data
last-change <date>
last-change-made <text>
last-change-tech <name>
… …
vuln_info data
vulnerability <severity>
… …
10.1.2.100

44. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
thereisnosuchthing*as
“toomuchinformation”
* almost…

45. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
“livedata”[continuousfeeds]

46. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
detectchanges
toenvironment
inassets

47. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
determinenewthreats

48. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

49. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
whatchanged?
whatisthepotentialimpact?

50. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
continuousdetectionofchange
• new (previously unseen) node on network
• unauthorized configuration change
• unauthorized change to application, or system
• new/modified user, or access rights
• new vulnerability or missing patch

51. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
requirement:
TVMprogram
(threat&vulnerabilitymanagement)

52. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
requirement:
configurationmanagementDB
(manage,authorizeconfigchanges)

53. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
requirement:
collectivelogging
(logkeyitems,onkeyassets)

54. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

55. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
logaggregateanalyzeidentify
refine

56. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Keyloggingquestionstoanswer:
• what should you be logging?
• what assets should you log from?
• what should you look for?
• how do you define ‘timely’?
• how much should I be storing for analysis?

57. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
external:
besituationallyaware

58. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
forexample–
• sentiment against your brand/organization
• threat climate of your business vertical
• attacks against similar organizations, vertical
• specific threats against your staff/resources
• geopolitical issues pertaining to your enterprise
• 3rd party reported vulnerabilities
• 3rd party reported exploits
• weaknesses in your external technologies
• reported abused enterprise assets

59. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
refining‘data’purposefully
IP address context external info analysis

60. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
definingandoperationalizing
processes

61. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
gatheringinformation

62. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
failyourinformationquickly

63. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

64. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
it’sinteresting…
butisituseful?

65. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
notallinformationisuseful

66. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
toolstoparedowninformation
• simple scripts
• data analysis applications
• relational mapping tools
• ‘big data’ platforms
• structured & unstructured data analyses

67. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
findinginformationiseasy

68. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
throwingawayjunkishard

69. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
refiningcollectedinformation

70. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
convertinformationtoknowledge

71. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

72. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
extremelydifficult

73. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
manualprocess,foranalysts

74. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
aidedbyautomation

75. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
1
2
3
4
5
6

76. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
deliveringintelligence

77. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
informationnecessary
tomakeadecision

78. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
must.be.repeatable.

79. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
must.be.actionable.

80. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
AnalysisisNOTenough.

81. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
needtoanswer:“Sowhat?”

82. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
providethoroughanalysis
backedbyactualfacts,data

83. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
inatimelyfashion

84. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
inauseful,consumableformat

85. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
takingaction

86. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
rulesofengagement
(whatareyouallowedtodo?)

87. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
take‘purposeful’action

88. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
whichprocessisactivated?
incidentresponse
securityoperations

89. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
takingaction

90. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
detect

91. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
beproactive
out-maneuverthethreat

92. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
bereactive
counteractivethreat

93. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
respond

94. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
mitigatethevulnerability

95. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
minimizetheimpactofattack

96. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
shutdownanactiveattack

97. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
activelyshiftdefenses

98. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
identifytheattacker

99. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
resolve

100. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
restoreservices

101. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Closed
Loop
Incident
Process

102. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
adjustsecurityoperations

103. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
shareIOCs

104. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
quickrecap

105. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
“SecurityIntelligence”is..
the capability to
detect, respond, and resolveyour
security incidents though an
information-driven approach.

106. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Youcandothis.
Youneedtodothis.

107. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Knowmore.
Defendsmarter.