SlideShare a Scribd company logo

str-w04_next-wave-of-security-operationalization

peter lam
peter lam

This document summarizes a presentation about operationalizing threat intelligence. It discusses challenges like multiple intelligence sources with different formats, and lack of indicator sharing across security controls. It introduces STIX and TAXII standards to address these challenges by enabling automated intelligence collection, extraction of indicators, detection of threats, and distribution of indicators across controls. It describes a proof-of-concept platform using these standards to demonstrate automated threat intelligence handling.

1 of 36
Download to read offline
SESSION ID: #RSAC Peter Lam Next Wave of Security Operationalization STR-W04 A National Bank Security Analyst
#RSAC Disclaimer 2  The views and opinions expressed in this presentation are those of the authors and do not necessarily represent of position of RSA or the author’s employer
#RSAC Speaker Bio 3  Who am I?  Peter Lam  1st Time Presenter at RSA  Information Security Staff in a national bank  20+ Year of Professional IT Experience  Experience in:  System / Platform Engineering, Application Development, Security, Incident Response
#RSAC Purpose & Audience
#RSAC Purpose & Audience 5  Purpose  Help Drive Better Adoption of Technologies (Vendor & Us)  Demand Drives Supply  Definitely NOT to Repeat Presentations around STIX/TAXII by MITRE team  Introduce A Proof-of-Concept Threat Operationalization Platform  Explain Problems These Technologies Help Solve NOW  Audience  Everyone who Wants to Learn about STIX & TAXII but Want Something that They Can Try Without Too Much Cost
#RSAC What’s the problem?
#RSAC Intelligence Sources 7 Paid Free Control System Private Vendor Open Source Govern ment Private Vendor Proprietary / System Specific Portal / Secured Email CSV / CIF / RSS PDF / RSS PDF pricetypeformat touch needed No Maybe Maybe Yes Yes e.g. Firewall ISAC / Boutique Security Firm OSINT CISCP Any (Teaser News) CIF – Collective Intelligence Framework ISAC – Information Sharing and Analysis Center OSINT – Open Source Intelligence CISCP – Cyber Information Sharing and Collaboration Program
#RSAC Challenge One 8  Ineffective and Labor Intensive, because  Multiple delivery channels  Mostly manual effort  Missed email; Staff on vacation, etc.  Format varies greatly among vendor  Comma Separated Value (CSV), Extendible Markup Language (XML), Unformatted text  Needs multiple parsers for different sources  Human error; copy & paste, field extraction  Huge amount of Intelligence
#RSAC Simplistic Control Network 9 Application End-Point Protection Firewall Vendor “Secret Sauce” proxy Desktop Users Laptop Users End-Point Protection Firewall Web Application Firewall Web Application Firewall Vendor “Secret Sauce” Proxy Vendor “Secret Sauce”End-Point Protection Vendor “Secret Sauce”
#RSAC Simplistic Control Network 10 End-Point Protection proxy Desktop Users Laptop Users End-Point Protection Proxy Vendor “Secret Sauce” End-Point Protection Vendor “Secret Sauce” End-Point Protection Laptop Users (at home) Evil
#RSAC Challenge Two 11  Vendors Most Likely Won’t Share Their “Secret Sauce”, or indicators  Unless Part of the Sharing Ring  Not Hard to Understand “Why”  Same Indicator Not Replicated Across Multiple Controls  Multi-Layer Security Control But Single-Layer Security Intelligence?
#RSAC What? 12 • Operationalization of Threat Intelligence Handling around Indicators • Automatically: • Collect • Receive Threat Intelligence • Dissect • Extract Crucial Indicators • Detect • Search for Realized Threat • Distribute • Intelligence across All Layers of Controls • Prevent • Deploy Prevention Control
#RSAC Why? 13 • Bad Guys have Malware Supply Chain • Commercialization of Crime Ware • Operationalize of Malware Development • Highly Time Sensitive Response Needed • Exponentially Expensive to Recover • Machines Should do the Heavy Lifting, NOT HUMAN, ESPECIALLY NOT the ANALYSTS
#RSAC How?
#RSAC High Level Understanding of the Enabling Technologies
#RSAC Protocol Technologies
#RSAC TAXII 17  Stands for  Trusted Automated eXchange of Indicator Information  Threat Intelligence Exchange Agreements  How messages are expressed and transported  Exchange Models  Source-Subscriber / Hub & Spoke / Peer-to-Peer Models  Role Models  Data Producers / Consumers  Service Models
#RSAC Exchange Model 18  Source-Subscriber Model  Typical for Current Threat Intelligence (TI) Vendor / Customer Relationship Model  Hub & Spoke Model  Suitable for used in Large Organizations  Various Contract Owners with TI vendors and become a Spoke (Consumer & Producer)  Play Attention to Sharing Agreement Source Subscriber Subscriber Subscriber Subscriber Hub Spoke (Consumer only) Spoke (Consumer & Producer) Spoke (Producer only) Spoke (Consumer & Producer)
#RSAC Role & Service Models 19  Role Models  Producer Only  Consumer Only  Producer & Consumer  Service Models  Discovery Service  Collection Management Service  Inbox Service  Poll Service
#RSAC STIX 20  Stands for  Structured Threat Information eXpression  Structured Way of Describing Cyber Threat  Eight Main Constructs
#RSAC STIX Eight Constructs 21  Observable  What activity was observed  Indicator  What should be looked for  Incident  Where was it seen  Tactics, Techniques & Procedures (TTP)  What does it do  ExploitTarget  What weakness does it exploit  Campaign  Why  ThreatActor  Who  Course of Action  Suggested Action
#RSAC Profiles 22  Contracts between Sharing Parties (Producers to Consumers)  Define In-Scope / Out-of-Scope  Which Constructs / Elements Required  More on This
#RSAC Related Standards 23  STIX’s Observable Indicators leverage CybOX to precisely describe the details  CybOX  Cyber Observable eXpression  About 80 Objects
#RSAC Which Fundamental Problems Were Solved 24  TAXII  Solves Transport / Channel Problem  No more secured emails, RSS, portal access to obtain intelligence  STIX / CyBox  Solves Intelligence Format Problem  No more free form text, or CSV  No more copy and paste  No more extracting searchable terms from emails, or portal  Precisely Describe  Allow Machine Extraction without Human Interaction
#RSAC Now What? 25  Read the XML encoded intelligence manually?  Have a way to precisely describe and share intelligence between parties  Of course NOT  At the minimum  Search for indicators like IPs / URLs  Add IPs / URLs to “Block” list  Propagate intelligence across control layers
#RSAC Platform Technologies
#RSAC Feeds 27  Compliant with Standards  Confirm Which Constructs are Supported with Vendors  Standards Very Board By Design  Data Fields Mostly Not Required  At least, Observable / Indicators
#RSAC STIX Profile 28  Without Profile  Feed Still Compliant, but Not As Rich  Time Reference  Confidence Level
#RSAC POC Platform 29 Host FireWallProxyFireWall Control Defenses Threat Intelligence Feeds (FS-ISAC / Hailataxii) Security Information & Event Management (Splunk) Indicator Extractor (SPLICE) Intel. SIEM Threat Gateway (Soltra Edge) Threat Gateway
#RSAC Platform 30  Threat Intelligence Gateway  Receive Threat Intelligence  Talk TAXII  Decompose STIX  Indicator Extractor  Extract Indicator of Compromise from STIX  Search for Realized Threat against SIEM  Security Information and Event Management (SIEM)  Initiate Incident Response Upon Match  Initiate First Response  Block IP/URL at perimeter  Scripts  Add Indicators to “Block” list
#RSAC POC Platform 31 Host FireWallProxyFireWall Control Defenses Threat Intelligence Feeds Security Information & Event Management (Splunk) Indicator Extractor (SPLICE) Intel. SIEM Threat Gateway (Soltra Edge) Threat Gateway Feed 1 Feed 2 Feed X Intelligence Pool Atomic Intelligence Compound Intelligence
#RSAC Demo Screen 32
#RSAC Apply
#RSAC Summary  Threat Intelligence Sharing Technologies are Maturing  Feed Readily Available (Hailataxii & FS-ISAC if member)  POC Platform can be Created with Minimum Cost  Automatic  Detect Indicator for Realized Threat  Deploy Indicator to “Block” list 34
#RSAC Apply  Obtain Quality Vendor Feed  Deploy POC Platform  Create Automatic Mechanism 35
#RSAC Reference & Tool  Feed  Hailataxii.com (Open Source)  FS-ISAC  Soltra EDGE (www.soltra.com)  Splunk SA-Splice (splunkbase.splunk.com/app/2637)  Script to Extract All Atomic Indicators 36

Recommended

conf2014_PeterLam_Splunk_Security
conf2014_PeterLam_Splunk_Securityconf2014_PeterLam_Splunk_Security
conf2014_PeterLam_Splunk_Security
peter lam
 
Understanding the “Why” in Enterprise Application Security Strategy
Understanding the “Why” in Enterprise Application Security StrategyUnderstanding the “Why” in Enterprise Application Security Strategy
Understanding the “Why” in Enterprise Application Security Strategy
Priyanka Aash
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable Final
Priyanka Aash
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It Right
Priyanka Aash
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security Flaws
Priyanka Aash
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
Priyanka Aash
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
Priyanka Aash
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty Training
Priyanka Aash
 

Recommended

conf2014_PeterLam_Splunk_Security
conf2014_PeterLam_Splunk_Securityconf2014_PeterLam_Splunk_Security
conf2014_PeterLam_Splunk_Security
peter lam
 
Understanding the “Why” in Enterprise Application Security Strategy
Understanding the “Why” in Enterprise Application Security StrategyUnderstanding the “Why” in Enterprise Application Security Strategy
Understanding the “Why” in Enterprise Application Security Strategy
Priyanka Aash
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable Final
Priyanka Aash
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It Right
Priyanka Aash
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security Flaws
Priyanka Aash
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
Priyanka Aash
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
Priyanka Aash
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty Training
Priyanka Aash
 
Pulling our-socs-up
Pulling our-socs-upPulling our-socs-up
Pulling our-socs-up
Priyanka Aash
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Priyanka Aash
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loop
David Sweigert
 
Soc 2030-socs-are-broken-lets-fix- them
Soc 2030-socs-are-broken-lets-fix- themSoc 2030-socs-are-broken-lets-fix- them
Soc 2030-socs-are-broken-lets-fix- them
Priyanka Aash
 
Cloud Breach – Preparation and Response
Cloud Breach – Preparation and ResponseCloud Breach – Preparation and Response
Cloud Breach – Preparation and Response
Priyanka Aash
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Splunk
 
Splunk for Security
Splunk for SecuritySplunk for Security
Splunk for Security
Gabrielle Knowles
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Priyanka Aash
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade Final
Priyanka Aash
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an Hour
Priyanka Aash
 
Advanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usAdvanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to us
Priyanka Aash
 
The Internal Signs of Compromise
The Internal Signs of CompromiseThe Internal Signs of Compromise
The Internal Signs of Compromise
FireEye, Inc.
 
Cyber Kill Chain vs. Cyber Criminals
Cyber Kill Chain vs. Cyber CriminalsCyber Kill Chain vs. Cyber Criminals
Cyber Kill Chain vs. Cyber Criminals
David Sweigert
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
Narudom Roongsiriwong, CISSP
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
AllanGray11
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
Priyanka Aash
 
Insights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-centerInsights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-center
Priyanka Aash
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-program
Priyanka Aash
 
Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defense
Priyanka Aash
 
A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SRE
James Wickett
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
Mike Schwartz
 

More Related Content

What's hot

Pulling our-socs-up
Pulling our-socs-upPulling our-socs-up
Pulling our-socs-up
Priyanka Aash
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Priyanka Aash
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loop
David Sweigert
 
Soc 2030-socs-are-broken-lets-fix- them
Soc 2030-socs-are-broken-lets-fix- themSoc 2030-socs-are-broken-lets-fix- them
Soc 2030-socs-are-broken-lets-fix- them
Priyanka Aash
 
Cloud Breach – Preparation and Response
Cloud Breach – Preparation and ResponseCloud Breach – Preparation and Response
Cloud Breach – Preparation and Response
Priyanka Aash
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Splunk
 
Splunk for Security
Splunk for SecuritySplunk for Security
Splunk for Security
Gabrielle Knowles
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Priyanka Aash
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade Final
Priyanka Aash
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an Hour
Priyanka Aash
 
Advanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usAdvanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to us
Priyanka Aash
 
The Internal Signs of Compromise
The Internal Signs of CompromiseThe Internal Signs of Compromise
The Internal Signs of Compromise
FireEye, Inc.
 
Cyber Kill Chain vs. Cyber Criminals
Cyber Kill Chain vs. Cyber CriminalsCyber Kill Chain vs. Cyber Criminals
Cyber Kill Chain vs. Cyber Criminals
David Sweigert
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
Narudom Roongsiriwong, CISSP
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
AllanGray11
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
Priyanka Aash
 
Insights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-centerInsights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-center
Priyanka Aash
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-program
Priyanka Aash
 
Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defense
Priyanka Aash
 

What's hot (20)

Pulling our-socs-up
Pulling our-socs-upPulling our-socs-up
Pulling our-socs-up
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loop
 
Soc 2030-socs-are-broken-lets-fix- them
Soc 2030-socs-are-broken-lets-fix- themSoc 2030-socs-are-broken-lets-fix- them
Soc 2030-socs-are-broken-lets-fix- them
 
Cloud Breach – Preparation and Response
Cloud Breach – Preparation and ResponseCloud Breach – Preparation and Response
Cloud Breach – Preparation and Response
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
 
Splunk for Security
Splunk for SecuritySplunk for Security
Splunk for Security
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade Final
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an Hour
 
Advanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usAdvanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to us
 
The Internal Signs of Compromise
The Internal Signs of CompromiseThe Internal Signs of Compromise
The Internal Signs of Compromise
 
Cyber Kill Chain vs. Cyber Criminals
Cyber Kill Chain vs. Cyber CriminalsCyber Kill Chain vs. Cyber Criminals
Cyber Kill Chain vs. Cyber Criminals
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
 
Insights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-centerInsights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-center
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-program
 
Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defense
 

Similar to str-w04_next-wave-of-security-operationalization

A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SRE
James Wickett
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
Mike Schwartz
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!
Priyanka Aash
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
Aaron Rinehart
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure Device
Priyanka Aash
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure Device
Priyanka Aash
 
Vendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and OftenVendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and Often
Priyanka Aash
 
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_oftenstr-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
Michael Hammer
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
Priyanka Aash
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
Priyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
Priyanka Aash
 
For Critical Infrastructure Protection
For Critical Infrastructure ProtectionFor Critical Infrastructure Protection
For Critical Infrastructure Protection
Priyanka Aash
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
Priyanka Aash
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
Priyanka Aash
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloud
Priyanka Aash
 
Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51
martinvoelk
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
Ulf Mattsson
 
inSOC Sales Deck Dec 2020.pdf
inSOC Sales Deck Dec 2020.pdfinSOC Sales Deck Dec 2020.pdf
inSOC Sales Deck Dec 2020.pdf
ChristopherSumner7
 
The Pivot
The PivotThe Pivot
The Pivot
Priyanka Aash
 

Similar to str-w04_next-wave-of-security-operationalization (20)

A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SRE
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure Device
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure Device
 
Vendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and OftenVendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and Often
 
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_oftenstr-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
 
For Critical Infrastructure Protection
For Critical Infrastructure ProtectionFor Critical Infrastructure Protection
For Critical Infrastructure Protection
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloud
 
Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
 
inSOC Sales Deck Dec 2020.pdf
inSOC Sales Deck Dec 2020.pdfinSOC Sales Deck Dec 2020.pdf
inSOC Sales Deck Dec 2020.pdf
 
The Pivot
The PivotThe Pivot
The Pivot
 

str-w04_next-wave-of-security-operationalization

  • 1. SESSION ID: #RSAC Peter Lam Next Wave of Security Operationalization STR-W04 A National Bank Security Analyst
  • 2. #RSAC Disclaimer 2  The views and opinions expressed in this presentation are those of the authors and do not necessarily represent of position of RSA or the author’s employer
  • 3. #RSAC Speaker Bio 3  Who am I?  Peter Lam  1st Time Presenter at RSA  Information Security Staff in a national bank  20+ Year of Professional IT Experience  Experience in:  System / Platform Engineering, Application Development, Security, Incident Response
  • 5. #RSAC Purpose & Audience 5  Purpose  Help Drive Better Adoption of Technologies (Vendor & Us)  Demand Drives Supply  Definitely NOT to Repeat Presentations around STIX/TAXII by MITRE team  Introduce A Proof-of-Concept Threat Operationalization Platform  Explain Problems These Technologies Help Solve NOW  Audience  Everyone who Wants to Learn about STIX & TAXII but Want Something that They Can Try Without Too Much Cost
  • 7. #RSAC Intelligence Sources 7 Paid Free Control System Private Vendor Open Source Govern ment Private Vendor Proprietary / System Specific Portal / Secured Email CSV / CIF / RSS PDF / RSS PDF pricetypeformat touch needed No Maybe Maybe Yes Yes e.g. Firewall ISAC / Boutique Security Firm OSINT CISCP Any (Teaser News) CIF – Collective Intelligence Framework ISAC – Information Sharing and Analysis Center OSINT – Open Source Intelligence CISCP – Cyber Information Sharing and Collaboration Program
  • 8. #RSAC Challenge One 8  Ineffective and Labor Intensive, because  Multiple delivery channels  Mostly manual effort  Missed email; Staff on vacation, etc.  Format varies greatly among vendor  Comma Separated Value (CSV), Extendible Markup Language (XML), Unformatted text  Needs multiple parsers for different sources  Human error; copy & paste, field extraction  Huge amount of Intelligence
  • 9. #RSAC Simplistic Control Network 9 Application End-Point Protection Firewall Vendor “Secret Sauce” proxy Desktop Users Laptop Users End-Point Protection Firewall Web Application Firewall Web Application Firewall Vendor “Secret Sauce” Proxy Vendor “Secret Sauce”End-Point Protection Vendor “Secret Sauce”
  • 10. #RSAC Simplistic Control Network 10 End-Point Protection proxy Desktop Users Laptop Users End-Point Protection Proxy Vendor “Secret Sauce” End-Point Protection Vendor “Secret Sauce” End-Point Protection Laptop Users (at home) Evil
  • 11. #RSAC Challenge Two 11  Vendors Most Likely Won’t Share Their “Secret Sauce”, or indicators  Unless Part of the Sharing Ring  Not Hard to Understand “Why”  Same Indicator Not Replicated Across Multiple Controls  Multi-Layer Security Control But Single-Layer Security Intelligence?
  • 12. #RSAC What? 12 • Operationalization of Threat Intelligence Handling around Indicators • Automatically: • Collect • Receive Threat Intelligence • Dissect • Extract Crucial Indicators • Detect • Search for Realized Threat • Distribute • Intelligence across All Layers of Controls • Prevent • Deploy Prevention Control
  • 13. #RSAC Why? 13 • Bad Guys have Malware Supply Chain • Commercialization of Crime Ware • Operationalize of Malware Development • Highly Time Sensitive Response Needed • Exponentially Expensive to Recover • Machines Should do the Heavy Lifting, NOT HUMAN, ESPECIALLY NOT the ANALYSTS
  • 15. #RSAC High Level Understanding of the Enabling Technologies
  • 17. #RSAC TAXII 17  Stands for  Trusted Automated eXchange of Indicator Information  Threat Intelligence Exchange Agreements  How messages are expressed and transported  Exchange Models  Source-Subscriber / Hub & Spoke / Peer-to-Peer Models  Role Models  Data Producers / Consumers  Service Models
  • 18. #RSAC Exchange Model 18  Source-Subscriber Model  Typical for Current Threat Intelligence (TI) Vendor / Customer Relationship Model  Hub & Spoke Model  Suitable for used in Large Organizations  Various Contract Owners with TI vendors and become a Spoke (Consumer & Producer)  Play Attention to Sharing Agreement Source Subscriber Subscriber Subscriber Subscriber Hub Spoke (Consumer only) Spoke (Consumer & Producer) Spoke (Producer only) Spoke (Consumer & Producer)
  • 19. #RSAC Role & Service Models 19  Role Models  Producer Only  Consumer Only  Producer & Consumer  Service Models  Discovery Service  Collection Management Service  Inbox Service  Poll Service
  • 20. #RSAC STIX 20  Stands for  Structured Threat Information eXpression  Structured Way of Describing Cyber Threat  Eight Main Constructs
  • 21. #RSAC STIX Eight Constructs 21  Observable  What activity was observed  Indicator  What should be looked for  Incident  Where was it seen  Tactics, Techniques & Procedures (TTP)  What does it do  ExploitTarget  What weakness does it exploit  Campaign  Why  ThreatActor  Who  Course of Action  Suggested Action
  • 22. #RSAC Profiles 22  Contracts between Sharing Parties (Producers to Consumers)  Define In-Scope / Out-of-Scope  Which Constructs / Elements Required  More on This
  • 23. #RSAC Related Standards 23  STIX’s Observable Indicators leverage CybOX to precisely describe the details  CybOX  Cyber Observable eXpression  About 80 Objects
  • 24. #RSAC Which Fundamental Problems Were Solved 24  TAXII  Solves Transport / Channel Problem  No more secured emails, RSS, portal access to obtain intelligence  STIX / CyBox  Solves Intelligence Format Problem  No more free form text, or CSV  No more copy and paste  No more extracting searchable terms from emails, or portal  Precisely Describe  Allow Machine Extraction without Human Interaction
  • 25. #RSAC Now What? 25  Read the XML encoded intelligence manually?  Have a way to precisely describe and share intelligence between parties  Of course NOT  At the minimum  Search for indicators like IPs / URLs  Add IPs / URLs to “Block” list  Propagate intelligence across control layers
  • 27. #RSAC Feeds 27  Compliant with Standards  Confirm Which Constructs are Supported with Vendors  Standards Very Board By Design  Data Fields Mostly Not Required  At least, Observable / Indicators
  • 28. #RSAC STIX Profile 28  Without Profile  Feed Still Compliant, but Not As Rich  Time Reference  Confidence Level
  • 29. #RSAC POC Platform 29 Host FireWallProxyFireWall Control Defenses Threat Intelligence Feeds (FS-ISAC / Hailataxii) Security Information & Event Management (Splunk) Indicator Extractor (SPLICE) Intel. SIEM Threat Gateway (Soltra Edge) Threat Gateway
  • 30. #RSAC Platform 30  Threat Intelligence Gateway  Receive Threat Intelligence  Talk TAXII  Decompose STIX  Indicator Extractor  Extract Indicator of Compromise from STIX  Search for Realized Threat against SIEM  Security Information and Event Management (SIEM)  Initiate Incident Response Upon Match  Initiate First Response  Block IP/URL at perimeter  Scripts  Add Indicators to “Block” list
  • 31. #RSAC POC Platform 31 Host FireWallProxyFireWall Control Defenses Threat Intelligence Feeds Security Information & Event Management (Splunk) Indicator Extractor (SPLICE) Intel. SIEM Threat Gateway (Soltra Edge) Threat Gateway Feed 1 Feed 2 Feed X Intelligence Pool Atomic Intelligence Compound Intelligence
  • 34. #RSAC Summary  Threat Intelligence Sharing Technologies are Maturing  Feed Readily Available (Hailataxii & FS-ISAC if member)  POC Platform can be Created with Minimum Cost  Automatic  Detect Indicator for Realized Threat  Deploy Indicator to “Block” list 34
  • 35. #RSAC Apply  Obtain Quality Vendor Feed  Deploy POC Platform  Create Automatic Mechanism 35
  • 36. #RSAC Reference & Tool  Feed  Hailataxii.com (Open Source)  FS-ISAC  Soltra EDGE (www.soltra.com)  Splunk SA-Splice (splunkbase.splunk.com/app/2637)  Script to Extract All Atomic Indicators 36