33 - idnog03 - guy rosefelt (nsfocus) - threat intelligence
TRANSCRIPT
SESSION ID: GPS2-R02
#RSAC
Threat Intelligence: Is it any good?
Guy Rosefelt
Dir, Threat Intelligence, NSFOCUS, INC
Agenda
Why the bad rap?
What is Threat Intelligence really?
Why do we care?
Some case studies that show value
Some promising research
How can you better apply Threat Intelligence?

Why the bad rap?
Implosion of Norse Corp
• Liar, Liar, KPMG Capital's Investment Into Norse Corp. On Fire – Forbes, Feb 01, 2016
• Fired Norse Corp CEO Blames the Media – The Register UK, Feb 04, 2016
• Sources: Security Firm Norse Corp. Imploding – Krebs on Security, Jan 30, 2016
• Norse Corp disappears shortly after CEO is asked to step down – CSOOnline.com, Feb 01, 2016
Cascade Effect
• No, Norse is Not a Bellwether of the Threat Intel Industry but Does Hold Lessons Learned – Robert M. Lee, Jan 30, 2016
• Norse Is In Trouble - Just a company-specific blow, or raising bigger questions about threat intel. – peerlyst, Jan 30, 2016
• After Norse: VCs, pros eye cyber investments – SC Magazine, Feb 3, 2016
• Only 42% of infosec pros use threat intelligence, survey shows – Computer Weekly, Mar 22, 2016
• Threat Intelligence - The Answer to Threats or Another Fad? – Infosecurity, May 24, 2016
What is Threat Intelligence really?

Different Things to Different People
(Diagram; surviving label: Auto NGFW/IPS/WAF Policy Creation)
Gartner says…
"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." - Definition: Threat Intelligence, Gartner 16 May 2013 (https://www.gartner.com/doc/2487216/definition-threat-intelligence)
What is a Threat Intelligence Data Feed?
You might be surprised……
Logs are your friend: WAF, IDS, web server, firewalls….
You have your own curator: SIEM, log aggregator, Splunk…
Open Source: Tons!... Hail a TAXII, I-Blocklist, OpenPhish Feeds, CVE database…
Commercial: NSFOCUS, FireEye/iSight, Symantec, Cyveillance, …
Why do we care?

Buy a Subscription/Service: Everything is Warm and Fuzzy
Threat Intelligence is what you do with it!
(Diagram labels: Data, Data, Data, Data)
What do you want to do with it?
Proactively block potential attacks
Proactively block information leakage
Detect threats faster
Provide more context to security alerts
Provide more context to vulnerabilities, exploits, etc.
Provide better risk assessment about my internet presence, my organization, my industry, etc.
Reduce Time to Respond
(Timeline diagram: Measure (M) versus Counter-measure (CM) over Time, shown for Early Days of Security, Currently, and Future)
How do we close this gap?
Detection Time vs. Impact
65% of organizations say attacks evade existing preventive tools
54% of breaches remain undiscovered for months
Sources: Cisco AMP Research, Trend Micro, Fortinet
Move to Share Data
(Diagram: From Security Silos to a Security Platform)
Current Security Model – Preventive, static, reactive: Firewall, IDS/IPS, A/V, Anti-DDoS (Hardware, Software)
Advanced Network Security – Adaptive, dynamic, proactive: Internet, Threat Intelligence, Security Platform; Firewall, IDS/IPS, A/V, Anti-DDoS (Hardware, Software, Cloud)
TI-driven Security Solution
(Diagram labels: Alert to timely fix; Analytics; IPS/Sandbox; WAF; Cloud Service; Device -> Ability; Close -> Open; APIs, 3rd-Party SOC; Adjacent Techniques including DAST, Anti-DDoS, etc.; Collaboration; Threat Intelligence Data Sharing; SOC; Web Reputation; IP Reputation; File Reputation; Threat Intelligence Feeds; Services & Expertise)
Some types of indicators
• IP (GeoIP, Tor, CDN)
• File reputation (hash)
• Tools (scanners)
• Stolen credentials & weak passwords
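The indicator types listed above and the earlier goal of providing more context to security alerts come together in a small enrichment pass over your own logs. This is an added example, not code from the talk or from NSFOCUS: constructed access-log lines are matched against a constructed indicator feed (IP reputation, file hash, scanner user-agent) and each matching event is returned with its context; the feed entries, log lines and the trailing upload-hash field are all assumptions made for the example.

```python
import re

# Constructed indicator "feed" covering three of the indicator types on the slide:
# IP reputation, file reputation (hash) and tool (scanner) signatures. All values are made up.
FEED = {
    "ip": {"203.0.113.7": "Tor exit node", "198.51.100.9": "known scanner source"},
    "hash": {"9f86d081884c7d659a2feaa0c55ad015": "known malware dropper"},
    "tool": {"sqlmap": "SQL injection scanner", "nikto": "web vulnerability scanner"},
}

# Constructed access-log lines: combined log format plus an assumed trailing upload-hash field ("-" if none).
LOGS = [
    '203.0.113.7 - - [22/Mar/2016:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" -',
    '198.51.100.9 - - [22/Mar/2016:10:01:05 +0000] "GET /admin HTTP/1.1" 404 0 "-" "sqlmap/1.0" -',
    '192.0.2.44 - - [22/Mar/2016:10:02:10 +0000] "POST /upload HTTP/1.1" 200 0 "-" "curl/7.4" 9f86d081884c7d659a2feaa0c55ad015',
    '192.0.2.45 - - [22/Mar/2016:10:03:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" -',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+ "[^"]*" "([^"]*)" (\S+)$')

def parse_log_line(line):
    """Return the fields this example needs, or None when the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, agent, digest = m.groups()
    return {"ip": ip, "time": ts, "request": request, "status": int(status),
            "agent": agent, "hash": None if digest == "-" else digest}

def enrich(event, feed=FEED):
    """Attach threat-intel context to one parsed event; an empty list means nothing matched."""
    context = []
    if event["ip"] in feed["ip"]:
        context.append(f"source IP: {feed['ip'][event['ip']]}")
    if event["hash"] in feed["hash"]:
        context.append(f"uploaded file: {feed['hash'][event['hash']]}")
    agent = event["agent"].lower()
    for tool, label in feed["tool"].items():
        if tool in agent:
            context.append(f"tool: {label} ({tool})")
    return context

def triage(lines, feed=FEED):
    """Return (event, context) pairs only for events that carry at least one indicator match."""
    pairs = [(e, enrich(e, feed)) for e in map(parse_log_line, lines) if e is not None]
    return [(e, ctx) for e, ctx in pairs if ctx]
```

Run `triage(LOGS)` to see which events pick up context; the unmatched fourth line is dropped, which is the noise reduction the slide's "what you do with it" point is about.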
Reduced Time to Prepare & Respond
(Timeline diagram: Measure (M) versus Counter-measure (CM) over Time, shown for Early Days of Security, Currently, and Future)
Leveraging TI with NextGen products
Crowdsourcing: customers will have countermeasures in place faster than anyone else!
Some case studies that show value

Some promising research

How can you better apply Threat Intelligence?
Thank you!