The document discusses the importance of security intelligence in identifying and addressing cyber attacks, highlighting that traditional tools are often inadequate. It emphasizes the need for a behavior-based analysis approach and increased understanding of network security, alongside the integration of non-traditional data sources. The author advocates for legitimizing and training for security intelligence roles within organizations to improve security analysis capabilities.

1. Big Data, Security
Intelligence,
(And Why I Hate This Title)

2. Introduction / Who Am I
• Matt Yonchak
• Director of Security
Services
• Hurricane Labs
• Avid Cleveland
sports cynic

3. What are we going to
talk about?
Security Intelligence

5. Fact #1
Attacks are happening on our networks and we don't know:
•How it happened
•Who got in
•How pervasive this attack is

6. Fact #2
Traditional tools are insufficient to the task of real
security analysis

7. Intrusion Prevention
Systems (IPS)

8. Firewalls

9. Incredible tool or amazing distraction?
SIEM

10. Fact #3
All Data Is Security Relevant

11. • WAF
• IPS
• Proxy
• Firewall
Typical Security Data

12. Non-Typical Data
(but still relevant to security)
• Web Application Data
• Voice and Communication
• Email
• Performance Monitoring
• ID Management
• External Data Sources

13. Problem
We’ve Been Attacked

14. How Did It Happen?
Social Engineering
Attacking the User

15. What Does It Look Like?
• Evades normal security controls
• Moves slow and stays quiet
• Knows what data it's after
• Propagates itself internally

16. We've Been Compromised

17. Looking At The Problem
Differently

18. Security Intelligence Is:
Analysis Outside the Box

19. Security Intelligence Is:
Behavior-Based Analysis

20. Security Intelligence Is:
Working a Little Harder

21. Security Intelligence Is:
Understanding the
Big Picture

22. Security Intelligence: How
Do We Get It?
Understand the Attack / Attackers

23. Logs
Security Intelligence: How
Do We Get It?

24. Understand Your Network
Security Intelligence: How
Do We Get It?

25. Understand Your Network
Security Intelligence: How
Do We Get It?

26. Back to Our Problem
How would we have detected/stopped the
attack?

27. Finding The Attack

28. Finding The Attack
Bring In Some
External Data
• GeoIP
• Blacklists / Watchlists
• Our own intelligence

29. Finding The Attack
Think Outside the Box

30. Going Forward
How do we build out this practice within
our organizations?

31. Going Forward
Accept that what we're doing now:
• Traditional Incident
Response
• Our typical security
controls
• Our SIEMs

32. Going Forward
Legitimize the Security
Intelligence Concept

33. Security Intelligence
Legitimacy
Train For It

34. Security Intelligence
Legitimacy
• Security
Intelligence
Analyst?
• Security
Intelligence
Engineer?
• Security
Intelligence...
Ninja?

35. Security Intelligence
Legitimacy

36. Results

37. Results

38. Closing
The only way to really get where we need to
be in security analysis is if we:
•Put in the work to get there
•Think outside the box
•Change what is normal for security analysis

39. Questions?
• Twitter: @mattyonchak
• Email: matt@hurricanelabs.com