Evolving to an Intel-led Security Organization

Best Practices and Real-life Examples

OCTOBER 1 – 4, 2018 | WASHINGTON, D.C.

Joseph O’Laughlin, Sr. PMM, FireEye Threat Intelligence

Jason Tuininga, FireEye Cyber Threat Intelligence Services

Nigel Gardner, Cyber Threat Intel Analyst, MGM Resorts Intl

Post on 22-May-2020


Page 1 (title slide: the deck title, subtitle and speakers listed above)

Page 2

©2018 FireEye

What is Cyber Threat Intelligence?

Evaluated information that enables customers to make the right security decisions to manage risks.

The slide uses a hurricane analogy, pairing each threat question with the intelligence that answers it (the slide's column labels are Threat, Considerations and Intelligence):

Where will the hurricane go?  ->  Along the East Coast

When will the hurricane hit me?  ->  Nov 1

How strong will the hurricane be?  ->  Category 3

How much rain will I get?  ->  30-35 inches

What should I do to prepare?  ->  Evacuate/Protect Assets

What should I do to respond?  ->  Call first responders

Page 3

What Does it Mean to be Intel-Led?

The use of finished intelligence to effectively manage security dollars and resources to counter threats.

Common Challenges

Lack of strategic insight to decide on plans and implement the right controls

Hunting analysts are not effectively uncovering “dwelling” threats

SOC analysts are overwhelmed with alert noise

IT operators don’t know which patches to prioritize

Desired State

Informed strategic security decisions based on understanding your risks

Effectively hunt to uncover attacks “dwelling” undetected

SOC analysts efficiently focus on alerts that matter

IT operators prioritize patches with the greatest impact on security stance

Page 4

Jason Tuininga

Page 5

Intel-Led Security Program Maturation

Common point of complacency

Page 6

Establishing a Cyber Threat Profile

What is relevant to your organization?

§ Adversaries becoming more sophisticated

§ Increasingly sophisticated tools and TTPs

§ Cross-pollination of espionage and crime groups

Cyber Threat Profile Examples

Page 7

Assess Your Cyber Threat Landscape

§ Threat Activity Assessment

– Mapping threats to attack lifecycle

– Determine opportunistic vs. targeted

– Identify where Threat Intelligence needs to integrate

§ Mitigation Levels

– Assess people, process, and technology effectiveness

§ Improvements & Vulnerabilities

– Address key non-technical gaps

How can Threat Intelligence be applied at each phase?

What sources can fill any gaps?

Page 8

Building the Foundation

Page 9

Starts with Operational Integration

Opportunity to apply threat intelligence for more impactful reporting

Page 10

Cyber Threat Intelligence Services

The slide presents three stages along a maturity axis:

ESTABLISHING FOUNDATIONS

Organizational Threat Profile

• Environmental, Business and Operational Knowledge

• Threats, Vulnerabilities and Exposure

Stakeholder Analysis

• Consumer Roles

• CTI Appetite (desired format / frequency / content)

• Consumption Use Cases

Intelligence Requirements

• IR Criteria, Categorization and Prioritization

• Source and Methods

• Intent and Expected Actions

IMPLEMENTING PRACTICES

Manage CTI Lifecycle

• Collection and Processing

• Analyst Tradecraft/Expertise

• Analytic Framework

• Production Standards

Technology Requirements

• TIP

• CMS

• SIEM Integration

• Big Data

• Supporting Analytic Toolsets

REALIZING CAPABILITIES

CTI Operations

• Analytic/Tactical Support to SecOps

• COI Info Sharing

• Threat Trending and Predictive Analytics

• Proactive Threat Detection

• Repeatable and Effective Threat Comms

• Strategic Decision Support

MATURITY

Page 11

Nigel Gardner

Page 12

What Threat Intelligence means to Us

Understanding your threats

§ Different types of threats and how they affect our environment: Hacktivism, Cyber Crime, Cyber Espionage

§ What are threat actors’ resources and capabilities?

– Helps executives know the value Security provides against groups like FIN7

– Informs the security team of the latest TTPs so defenses can be adjusted as needed

Page 13

§ Helps build and track our threat profile

– Based on our specific environment

§ Drives reporting to Executive management

– Why 2FA is important

§ Threat hunting

§ Identify various campaigns

§ Adjust security tools

– How threat actors are circumventing common defenses

– Provides recommendations to remediate

Diagram labels on the slide: Operationalize, Threat Diagnostic, Strategic

Page 14

Operationalize Threat Intelligence

Threat feeds

– Sent to our Threat Intelligence Platform

– Enrich cases with IOCs for additional context

FireEye reports

– Keep the Threat Profile up to date with the latest TTPs

– Summarize reports and update the security team

Dedicated FireEye Analyst

– Optimization-level support (L3)

– Helps with information paralysis

– Narrows reporting down to what is relevant to your environment

– Biweekly meetings

– Assists in researching threats, such as around our property openings

Analyst Access request

– Required additional support for an ongoing investigation

– Were able to act on the information provided
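The slide describes feeding indicators into a Threat Intelligence Platform and using them to enrich cases with IOCs. The following is an added example of that enrichment step, not MGM's or FireEye's code and not a description of any particular TIP. It assumes a feed of typed indicators (IPv4 address, CIDR range, domain, SHA-256) and a case that holds a list of raw observables; the feed entries, the observables and the hash are constructed (RFC 5737 documentation IP ranges and the reserved .test TLD). The point it shows that the slide does not is that matching must be type-aware and normalized: an IP should hit a CIDR indicator, a subdomain should hit a domain indicator only on a label boundary, and hashes should match regardless of case.

```python
"""Enrich a case's observables with matching indicators from a threat feed.

Added example, not MGM's or FireEye's code. Feed entries, observables and
the hash are all constructed; IP ranges come from the RFC 5737 documentation
blocks and domains use the reserved .test TLD.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Indicator:
    kind: str      # "ipv4", "ipv4-cidr", "domain" or "sha256"
    value: str
    source: str    # which feed the indicator came from
    context: str   # the analyst-facing context the TIP attaches


@dataclass(frozen=True)
class Enrichment:
    observable: str
    indicator: Indicator
    how: str       # why the observable matched


# Constructed feed content (hypothetical values, not real indicators).
SAMPLE_HASH = hashlib.sha256(b"constructed sample file").hexdigest()
FEED: List[Indicator] = [
    Indicator("ipv4-cidr", "198.51.100.0/24", "feed-a", "C2 range (constructed)"),
    Indicator("ipv4", "203.0.113.200", "feed-a", "scanner (constructed)"),
    Indicator("domain", "bad-example.test", "feed-b", "phishing domain (constructed)"),
    Indicator("sha256", SAMPLE_HASH, "feed-b", "dropper hash (constructed)"),
]

# Constructed observables pulled from a case: one IP inside the C2 range, one
# subdomain of the phishing domain, the hash in upper case, and one clean IP.
SAMPLE_CASE = ["198.51.100.17", "mail.bad-example.test", SAMPLE_HASH.upper(), "203.0.113.5"]


def classify(observable: str) -> str:
    """Guess an observable's kind so it is only compared with compatible indicators."""
    s = observable.strip()
    try:
        ipaddress.IPv4Address(s)
        return "ipv4"
    except ValueError:
        pass
    if len(s) == 64 and all(c in "0123456789abcdefABCDEF" for c in s):
        return "sha256"
    return "domain"


def normalize(kind: str, value: str) -> str:
    """Lower-case, trim, and drop a trailing dot on FQDNs so comparisons are exact."""
    v = value.strip().lower()
    return v.rstrip(".") if kind == "domain" else v


def match(observable: str, ind: Indicator) -> Optional[str]:
    """Return how the observable matches the indicator, or None if it does not."""
    kind = classify(observable)
    obs = normalize(kind, observable)
    val = normalize(ind.kind, ind.value)
    if kind == "ipv4" and ind.kind == "ipv4":
        return "exact ip" if obs == val else None
    if kind == "ipv4" and ind.kind == "ipv4-cidr":
        net = ipaddress.IPv4Network(val, strict=False)
        return "ip in cidr" if ipaddress.IPv4Address(obs) in net else None
    if kind == "domain" and ind.kind == "domain":
        if obs == val:
            return "exact domain"
        # Subdomains match only on a label boundary, so "notbad-example.test" does not hit.
        return "subdomain of indicator" if obs.endswith("." + val) else None
    if kind == "sha256" and ind.kind == "sha256":
        return "exact hash" if obs == val else None
    return None  # incompatible kinds never match


def enrich_case(observables: Iterable[str], feed: Iterable[Indicator] = FEED) -> List[Enrichment]:
    """Attach every matching indicator, with its context, to the case's observables."""
    feed = list(feed)
    hits: List[Enrichment] = []
    for obs in observables:
        for ind in feed:
            how = match(obs, ind)
            if how:
                hits.append(Enrichment(obs, ind, how))
    return hits


if __name__ == "__main__":
    for hit in enrich_case(SAMPLE_CASE):
        print(f"{hit.observable}: {hit.how} -> {hit.indicator.value} "
              f"[{hit.indicator.source}] {hit.indicator.context}")
```

Running the block on the constructed case yields three enrichments (the in-range IP, the subdomain and the hash) and none for the clean IP. In a real TIP integration the feed would be the platform's export and the observables would come from the case management system, but the normalization and boundary rules are the part worth keeping.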

Page 15

Thank You