TRANSCRIPT
OCTOBER 1 – 4, 2018 | WASHINGTON, D.C.
Evolving to an Intel-led Security Organization
Best Practices and Real-life Examples
Joseph O'Laughlin, Sr. PMM, FireEye Threat Intelligence
Jason Tuininga, FireEye Cyber Threat Intelligence Services
Nigel Gardner, Cyber Threat Intel Analyst, MGM Resorts Intl
©2018 FireEye
What is Cyber Threat Intelligence?

Evaluated information that enables customers to make the right security decisions to manage risks.

The hurricane analogy: each threat consideration (the question) has a corresponding piece of intelligence (the evaluated answer).

  Threat (considerations)              Intelligence
  Where will the hurricane go?         Along the East Coast
  When will the hurricane hit me?      Nov 1
  How strong will the hurricane be?    Category 3
  How much rain will I get?            30-35 inches
  What should I do to prepare?         Evacuate/Protect Assets
  What should I do to respond?         Call first responders
What Does it Mean to be Intel-Led?

The use of finished intelligence to effectively manage security dollars and resources to counter threats.

Common Challenges
§ Lack of strategic insight to decide on plans and implement the right controls
§ Hunting analysts are not effectively uncovering "dwelling" threats
§ SOC analysts are overwhelmed with alert noise
§ IT operators don't know which patches to prioritize

Desired State
§ Informed strategic security decisions based on understanding your risks
§ Effectively hunt to uncover attacks "dwelling" undetected
§ SOC analysts efficiently focus on the alerts that matter
§ IT operators prioritize the patches with the greatest impact on security stance
Jason Tuininga
Intel-Led Security Program Maturation (figure: a maturity curve annotated with a "Common point of complacency")
Establishing a Cyber Threat Profile

What is relevant to your organization?
§ Adversaries becoming more sophisticated
§ Increasingly sophisticated tools and TTPs
§ Cross-pollination of espionage and crime groups
(figure: Cyber Threat Profile Examples)
Assess Your Cyber Threat Landscape
§ Threat Activity Assessment
– Mapping threats to attack lifecycle
– Determine opportunistic vs. targeted
– Identify where Threat Intelligence needs to integrate
§ Mitigation Levels
– Assess people, process, and technology effectiveness
§ Improvements & Vulnerabilities
– Address key non-technical gaps
How can Threat Intelligence be applied at each phase?
What sources can fill any gaps?
Building the Foundation

Starts with Operational Integration: an opportunity to apply threat intelligence for more impactful reporting.
Cyber Threat Intelligence Services (figure: maturity model, read left to right)

ESTABLISHING FOUNDATIONS
  Organizational Threat Profile
  • Environmental, business and operational knowledge
  • Threats, vulnerabilities and exposure
  Stakeholder Analysis
  • Consumer roles
  • CTI appetite (desired format / frequency / content)
  • Consumption use cases
  Intelligence Requirements
  • IR criteria, categorization and prioritization
  • Sources and methods
  • Intent and expected actions

IMPLEMENTING PRACTICES
  Manage CTI Lifecycle
  • Collection and processing
  • Analyst tradecraft/expertise
  • Analytic framework
  • Production standards
  Technology Requirements
  • TIP
  • CMS
  • SIEM integration
  • Big data
  • Supporting analytic toolsets

REALIZING CAPABILITIES
  CTI Operations
  • Analytic/tactical support to SecOps
  • COI info sharing
  • Threat trending and predictive analytics
  • Proactive threat detection
  • Repeatable and effective threat comms
  • Strategic decision support

MATURITY increases across the three stages.
Nigel Gardner
What Threat Intelligence means to Us

Understanding your threats
§ Different types of threats and how they affect our environment
– Hacktivism
– Cyber Crime
– Cyber Espionage
§ What are threat actors' resources and capabilities?
– Helps executives know the value Security provides against groups like FIN7
– Informs the security team of the latest TTPs
– Adjust defenses as needed
Three ways we use threat intelligence: Operationalize, Threat Diagnostic, Strategic
§ Helps build and track our threat profile
– Based on our specific environment
§ Drives reporting to Executive management
– Why 2FA is important
§ Threat hunting
§ Identify various campaigns
§ Adjust security tools
– How threat actors are circumventing common defenses
– Provides recommendations to remediate
Operationalize Threat Intelligence

Threat feeds
– Sent to our Threat Intelligence Platform
– Enrich cases with IOCs for additional context
FireEye reports
– Keep Threat Profile up to date with latest TTPs
– Summarized reports and update security team
Dedicated FireEye Analyst
– Optimization-level support (L3)
– Helps with information paralysis
– Narrows down reporting to what is relevant to your environment
– Biweekly meetings
– Assist in researching threats such as our property openings
Analyst Access request
– Required additional support for an ongoing investigation
– Was able to act on the information provided
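The "Threat feeds sent to our Threat Intelligence Platform, enrich cases with IOCs" step above is where most intel-led programs first touch real data, and it is also where feed noise shows up. The following is an added example, not code from the talk, from FireEye or from MGM Resorts: a small Python enrichment routine that takes a SIEM case's observables (defanged URLs, IPs, hashes as analysts actually paste them), normalizes them, matches them against a locally cached feed with CIDR-aware and expiry-aware logic, and flags whether the matched actor is in the organization's threat profile. The feed, the case, the actor names (ACTOR-A/B/C) and the threat profile are all constructed for illustration; the IP ranges are RFC 5737 documentation addresses.

```python
"""Enrich a SIEM case's observables against a cached threat feed (added example)."""
import ipaddress
import re
from datetime import date

# Constructed sample feed (not a real feed): roughly the shape a TIP export takes.
SAMPLE_FEED = [
    {"type": "ipv4", "value": "203.0.113.0/24", "actor": "ACTOR-A",
     "ttp": "C2 over HTTPS", "confidence": 80, "expires": "2019-06-30"},
    {"type": "ipv4", "value": "198.51.100.7", "actor": "ACTOR-B",
     "ttp": "credential phishing", "confidence": 70, "expires": "2018-01-15"},
    {"type": "domain", "value": "update-portal.example", "actor": "ACTOR-A",
     "ttp": "spear-phishing link", "confidence": 90, "expires": "2019-06-30"},
    {"type": "sha256", "value": "a" * 64, "actor": "ACTOR-C",
     "ttp": "commodity downloader", "confidence": 60, "expires": "2019-06-30"},
]

# Constructed organizational threat profile: actors the CTI team judged relevant.
THREAT_PROFILE = {"ACTOR-A", "ACTOR-B"}

# Constructed case as a SOC analyst might file it, with defanged and mixed-case values.
SAMPLE_CASE = {
    "id": "CASE-0001",
    "observables": [
        "hxxps://update-portal[.]example/login",  # defanged URL from an analyst note
        "203.0.113.45",                           # inside ACTOR-A's CIDR block
        "198.51.100.7",                           # matches only an expired indicator
        "A" * 64,                                 # upper-case hash copied from EDR
    ],
}

AS_OF = date(2018, 10, 1)  # "today" for expiry checks, pinned so the run is reproducible

_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def refang(value):
    """Undo common defanging so case observables compare equal to feed values."""
    v = value.strip().lower()
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(old, new)
    return v


def classify(value):
    """Return (indicator type, comparable value); URLs reduce to their host."""
    v = refang(value)
    if v.startswith("http://") or v.startswith("https://"):
        v = v.split("/", 3)[2].split(":")[0]  # host part, without port
    try:
        ip = ipaddress.ip_address(v)
        return ("ipv4" if ip.version == 4 else "ipv6"), v
    except ValueError:
        pass
    if _HASH_RE.match(v):
        return ("sha256" if len(v) == 64 else "hash"), v
    return "domain", v


def indicator_matches(ioc, obs_type, obs_value):
    """Exact match for domains and hashes; containment for single IPs or CIDR blocks."""
    if ioc["type"] != obs_type:
        return False
    if obs_type in ("ipv4", "ipv6"):
        return ipaddress.ip_address(obs_value) in ipaddress.ip_network(ioc["value"], strict=False)
    return ioc["value"].lower() == obs_value


def enrich_case(case, feed, profile, today):
    """Attach unexpired feed matches to each observable and summarize actor relevance."""
    hits = {}
    for raw in case["observables"]:
        obs_type, obs_value = classify(raw)
        for ioc in feed:
            if date.fromisoformat(ioc["expires"]) < today:
                continue  # stale indicators add noise, not context
            if indicator_matches(ioc, obs_type, obs_value):
                hits.setdefault(raw, []).append({
                    "indicator": ioc["value"], "actor": ioc["actor"], "ttp": ioc["ttp"],
                    "confidence": ioc["confidence"], "in_profile": ioc["actor"] in profile,
                })
    all_hits = [h for hs in hits.values() for h in hs]
    best = max(all_hits, key=lambda h: h["confidence"], default=None)
    summary = {
        "matched": len(all_hits),
        "top_actor": best["actor"] if best else None,
        "profile_relevant": any(h["in_profile"] for h in all_hits),
    }
    return {"case_id": case["id"], "hits": hits, "summary": summary}


if __name__ == "__main__":
    result = enrich_case(SAMPLE_CASE, SAMPLE_FEED, THREAT_PROFILE, AS_OF)
    for observable, matches in result["hits"].items():
        for m in matches:
            print(f"{observable}: {m['actor']} ({m['ttp']}, conf {m['confidence']}, in profile: {m['in_profile']})")
    print(result["summary"])
```

Two design points matter for the "information paralysis" the speakers describe: the expiry check drops the stale 198.51.100.7 indicator so the case is not decorated with a dead lead, and the `in_profile` flag ties each hit back to the organizational threat profile, which is what lets an L1 analyst tell a profile-relevant ACTOR-A hit from a commodity ACTOR-C one at a glance.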
Thank You