OVERVIEW June 21, 2016
Healthcare Solution for Automated Threat Exchange and Collaboration
• Most healthcare organizations actively participating
hitrustalliance.net/cyber-threat-xchange/
“Limit infiltration of my organization and exfiltration of data in an efficient and effective manner.”
−CISO, Health Plan
“My organization needs the ability to streamline processes and based on the quality of the intel determine where best to place capital and operating expenses in defense of the organization.”
−CISO, Hospital
Industry Challenge
• Low-quality intelligence combined with historical, low-fidelity data creates non-actionable alerts
– Sourced intelligence contained many false positives, including hosting IP addresses and legitimate domain names
• Time to value
– Timeliness of the data was a major concern: organizations discovered they were several days behind the industry
– Not consumable because of an inherent lack of automation
• Internal development cycles
– Rather than focusing on analysis, analysts spent their time fixing scripts and building content in the SIEM
• Lack of collaboration
– Unable to automate the desired collaboration with other organizations in the industry
– Collaboration is limited to conference calls and back-of-napkin discussions, lacking detection and response capability
• Threat data packaged for human consumption
– PDF reports are manually collected and triaged by analysts, who spend their time copying and pasting observable data
Intelligence Driven Security
• Proactive Detection
• Situational Awareness
• Community Collaboration
• Proactive
• Robust Set of IOCs
• Active and Timely
• Relevant to Healthcare
Intelligence cycle stages shown in the diagram: Analysis, Enterprise Distribution, Security Operations Collaboration, Observable Acquisition
Legacy Process (1-2 weeks)
• Threat intel collected (Threat Team)
• Manual analysis (Threat Team)
• Data pre-processing and formatting (Threat Team)
• Upload to internal site (Threat Team)
• Retrieval of threat intel (OPS Team)
• Manual load to SIEM (OPS Team)
• Analysis and feedback to Threat Team (OPS Team)
Operational Intelligence (1 hour or less)
Enterprise Integration
• Integrate to existing security infrastructure
• Delivered from the cloud
• Correlation instructions
– Rules, Reports, Dashboards
• One Click Browser
• REST API
• STIX
Diagram label: Enterprise Distribution
New HITRUST CTX Features
• HITRUST CTX brings many new features, including:
– Threat Modeling
– Enhanced Community
– Indicator Details
– Threat Explorer
– New Integrations
Threat Modeling
• Enhanced Actor, Campaign, TTP
Enhanced Community
• Full social features to enable inter- and intra-organization workflow
Enhanced Details
• Details and insights about indicators, including relationship browsing
Security Maturity Scale
Initial
• No SIEM
• Limited logging
• No dedicated security staff
• MSSP driven
• No intelligence function
• CTX offering: CTX Reports -> CTX Threat Bulletins
Operational
• Log management solution
• Shared security/IT staff
• No intelligence function
• CTX offering: CTX Reports -> CTX Threat Bulletins; Threat Research
Intermediate
• Limited SIEM use cases
• Limited staff – no 24/7 support
• Limited IR
• Compliance driven
• Limited intelligence function
• CTX offering: CTX Reports -> CTX Threat Bulletins; SIEM Integration; Operational Components
Advanced
• Fully deployed SIEM
• Custom monitoring and alerting
• Dedicated intelligence and operations staff
• Collaboration
• CTX offering: CTX Threat Bulletins; SIEM Integration; Operational Components; Enhanced IOC Sharing
HITRUST Report
• Designed to automate intelligence analysis
• No SIEM, no threat intelligence, no problem
• Benefits of analysis without the analyst
• Integrates directly to CTX
• Secure / HIPAA-Ready
– End-to-end encryption
– Password protected
• Live links to adversary information
• “How to read the report” video
Anomali Reports Architecture
• Download and install Universal Link
• Encrypts data and sends to Harmony (TLS/SSL, AES 256)
• Anomali matches IOCs
• Report generation and send to user (password-protected PDF or HTML)
Cyber ISAO 2.0 – High-tech / Low-touch
• Partnership: HITRUST, TrendMicro
• Breach Discovery Devices / Advanced Network Sensors
• IOC Contextualization
• Automated and Anonymized IOC Sharing
• Trust Circles of ‘Like’ organizations
• Community Alerting
• Integrations
Advanced IOC Collection
Immediate Community Benefits
• Global attack trending
• Cross-organization correlation and analysis
• Automated Threat Bulletin Creation
• Prioritization and Analytics
Data in HITRUST CTX
Preliminary Findings – Actionable IOCs
Intel types shared:
• url: 184
• domain: 158
• md5: 138
• user-agents: 37
• ip: 17
VirusTotal evaluation of pilot MD5s:
• No detections: 89
• More than 4 detections: 28
• Less than 4 detections: 21
VirusTotal evaluation of pilot URLs:
• More than 4 detections: 85
• No detections: 67
• Less than 4 detections: 32
Preliminary Findings – Timely Delivery
Historical analysis of pilot IOCs:
• 527 observations
• 122 (23.15%) overlapped with some IOCs in Anomali (open source, commercial, customer)
• Of all overlapping IOCs, 91 (74.59%) were seen by HITRUST first
Hours difference between HITRUST seeing an IOC and others (negative values mean HITRUST saw it after the others):
• Mean observation range: 1.5 Days
• Min observation range: -1.7 Days
• Max observation range: 25 Days
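As an added example (not HITRUST or Anomali code), the following Python recomputes the kind of statistics the two Preliminary Findings slides report from a small set of constructed pilot records: counts by indicator type, VirusTotal detection buckets, and how often and by how many days CTX saw an overlapping IOC before other sources. The record layout, the Ioc class and the sample values are assumptions; the real pilot data is not on the page.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean
from typing import Optional

@dataclass
class Ioc:
    kind: str                    # url, domain, md5, user-agent, ip (the slide's types)
    value: str
    detections: int              # VirusTotal engines flagging the indicator
    hitrust_seen: float          # day offset at which CTX first published it
    other_seen: Optional[float]  # day offset another source first saw it; None if never

def vt_bucket(detections: int) -> str:
    """The slide quotes 'no', 'less than 4' and 'more than 4' detections;
    exactly 4 is counted as high here (an assumption, not the slide's rule)."""
    if detections == 0:
        return "none"
    return "low" if detections < 4 else "high"

def type_and_vt_counts(iocs: list) -> dict:
    """Counts by indicator type and by VirusTotal bucket (first slide)."""
    return {"by_type": dict(Counter(i.kind for i in iocs)),
            "vt": dict(Counter(vt_bucket(i.detections) for i in iocs))}

def timeliness(iocs: list) -> dict:
    """Overlap and lead time (second slide). lead = other_seen - hitrust_seen:
    positive means CTX saw the IOC first, negative means it saw it after others."""
    overlap = [i for i in iocs if i.other_seen is not None]
    leads = [i.other_seen - i.hitrust_seen for i in overlap]
    first = sum(1 for d in leads if d > 0)
    return {
        "observations": len(iocs),
        "overlap": len(overlap),
        "overlap_pct": round(100 * len(overlap) / len(iocs), 2),
        "hitrust_first": first,
        "hitrust_first_pct": round(100 * first / len(overlap), 2) if overlap else 0.0,
        "mean_lead_days": round(mean(leads), 2) if leads else 0.0,
        "min_lead_days": min(leads, default=0.0),
        "max_lead_days": max(leads, default=0.0),
    }

PILOT = [  # constructed records; the real pilot data is not on the page
    Ioc("url", "hxxp://c2.example.invalid/x", 9, 0.0, 2.0),
    Ioc("domain", "bad.example.invalid", 0, 1.0, None),
    Ioc("md5", "0" * 32, 2, 3.0, 1.3),      # placeholder hash, not a real sample
    Ioc("ip", "192.0.2.10", 5, 0.5, 25.5),  # TEST-NET-1 documentation address
    Ioc("user-agent", "Mozilla/4.0 (constructed)", 0, 4.0, None),
    Ioc("url", "hxxp://drop.example.invalid/y", 4, 2.0, 2.5),
]
```

Running `timeliness(PILOT)` on these six records reports four overlapping IOCs, three of them seen by CTX first, with a lead ranging from -1.7 to 25 days.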
Return on Investment
What does it cost your organization?
• Worst case: a breach
• Malware detection and response?
• Delayed access to threat observables from industry breaches?
• Inaccurate intelligence?
CTX provides:
• Analyst force multiplication
• Speed of identification and accuracy of information
• Decreased time to detection of malware and targeted attacks
• Reduced SIEM content and use-case building costs
• Indicator consolidation, reducing the man-hours spent acquiring and operationalizing indicators
• External context and enrichment in a single pane of glass
“To more rapidly identify and subsequently eradicate active threats in my environment is extremely valuable and offers a much quicker ROI to the acquiring entity…”
−CISO, Major Healthcare
Summary / Q&A
Proactive Detection and Situational Awareness
• Observables directly integrated into existing security infrastructure
Community Collaboration
• CTX customers benefit from receiving threat details that have already been tested and vetted
• Relevant to healthcare
• Ability to share threat information in an efficient, managed and secure process
• CTX enables real-time controlled collaboration between trusted partners
• Allows for organizational oversight and facilitation of sharing by CTX
Actionable and Timely
• Automated analytics removes invalid IOCs
• Bi-directional SIEM integration allows for threat validation by CTX
Get Involved – Register Today
• https://hitrustalliance.net/ctx-registration/