Tech Talk: Operationalize Threat Intelligence


Uploaded by: mcafee

Posted on: 12-Apr-2017


TRANSCRIPT

Page 1: Tech Talk: Operationalize Threat Intelligence


McAfee Confidential

Scott Taschler, Technical Director, Advanced Threat Detection

Intelligent Security Operations

Operationalizing Threat Intelligence

Page 2: Tech Talk: Operationalize Threat Intelligence

Introduction

Through Intelligent Security Operations you can

• Identify and disrupt complex attacks

• Find, monitor and investigate emerging threats

• Effectively detect, analyze, repair affected systems, and adapt to future attacks

Today we’ll explore how Threat Intelligence operates as a critical piece of mature security operations.

Page 3: Tech Talk: Operationalize Threat Intelligence

Agenda

• Threat Intelligence as a critical component of Security Operations

• Intel Security solution for Intelligent Security Operations

• Cyber Resilience Maturity Model

• Threat Intelligence in action

• Foundation

• Operational

• Trusted

• Outcomes delivered through mature Threat Intelligence

Page 4: Tech Talk: Operationalize Threat Intelligence

A challenging and stressful environment

Security’s Perfect Storm

Many Tools and Limited Expertise

Masses of Security Data

Time to Detect and Respond

[Figure: Security’s Perfect Storm, the three pressures above set against a stream of binary digits]

Many organizations are turning to Threat Intelligence to get a leg up

Page 5: Tech Talk: Operationalize Threat Intelligence

What is Threat Intelligence?

There are many different types of Threat Intelligence.

For our discussion we’ll focus on Observables and Indicators.

Page 6: Tech Talk: Operationalize Threat Intelligence

Trends with Threat Intelligence

Source: SANS IR Survey, August 2015

Who’s using it?

• 75% of organizations find TI important to security operations

Where are they getting it?

• 56% use vendor feeds

• 54% use community feeds

• 53% use open source feeds

What’s it doing for them?

• 48% report fewer incidents due to improved prevention

• 51% see faster, more accurate detection and response

Page 7: Tech Talk: Operationalize Threat Intelligence

Optimize operations by integrating threat, security, and risk management

The Intel Security Solution

Collect, correlate and prioritize critical events for effective threat visibility

Move from an “alert and investigations” model to an “active response” model

Integrate third party threat intelligence, reputation feeds, and vulnerability status

McAfee Enterprise Security Manager

Page 8: Tech Talk: Operationalize Threat Intelligence

Evolution into a Cyber Resilience Maturity Model


Basic Level

• Security by products

• Protection

• Poor visibility

• Many processes are manual

• There are no SLAs

• There are no standard processes

• High confidence in people and their knowledge

Foundation Level

• Focused on cyber defense

• Compliance

• Security by silos

• Processes are not sophisticated and people are trained in products

• SLAs are defined but without complete coverage, and their metrics are not consistent

• Intelligence is not shared

Operational Level

• Balanced cyber defense capability to protect, detect and correct on key attack vectors

• Security by coordinated integration

• Intelligence shared

• Hunt and respond using Threat Intelligence (IOCs)

• Better quality in the indicators

• Processes and procedures more efficient (many of them automated)

• Less person-dependency (lower TCO and better ROI)

Trusted Level

• Measurable and balanced cyber defense capability to protect, detect and correct against external and insider threats

• High capabilities for forensic analysis and analytic research

• Security model that directly supports the corporate objectives for the vertical market

• Well-defined indicators and processes to obtain them

• Indicators to support the SLAs

Page 9: Tech Talk: Operationalize Threat Intelligence

Threat Intelligence Maturity

Basic Level: Blissful Ignorance

Foundation Level: Drowning in Intelligence

Operational Level: Harnessing Intelligence

Trusted Level: Creating and Acting on Intelligence

EVOLUTION TO A MATURITY MODEL

DEFINING A ROADMAP (SOLUTIONS AND SERVICE PATHS)

Page 10: Tech Talk: Operationalize Threat Intelligence

Foundation Level: Drowning in Intelligence

Collect, Collate and Hunt, Act and Validate … Repeat

Page 11: Tech Talk: Operationalize Threat Intelligence

Explanation and Live Demo

Operational Level: Harnessing Intelligence

To take better advantage of Threat Intelligence, we require:

• A unified repository to keep it in

• Streamlined workflows

• Searching for hits in past, present, and future data

• Immediate, decisive action when hits are discovered

• Validation that the problem is resolved

Page 12: Tech Talk: Operationalize Threat Intelligence

Operational Level: Harnessing Intelligence

Collect, Collate and Hunt, Act and Validate

• McAfee Threat Intelligence Exchange (TIE)

• McAfee Enterprise Security Manager (ESM)

• McAfee Active Response (MAR)

Page 13: Tech Talk: Operationalize Threat Intelligence

Trusted Level: Creating and Acting on Intelligence

Explanation and Live Demo

To take the next step, we need to automate:

• Creation and collection of Threat Intelligence

• Analysis of Threat Intelligence

• Acting on Threat Intelligence
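The Collect, Collate and Hunt, Act and Validate loop from slides 10 and 11, with the automated collection, analysis and action that the Trusted level asks for on slide 13, as an added Python example. It is not code from the McAfee deck and does not use the TIE, ESM or MAR APIs; the feed format, the log line format, the host names, the indicator values (documentation-range addresses, a made-up domain, and the hash of a fixed string) and the 70 confidence threshold are all assumptions made for the example.

```python
# Collect -> collate -> hunt -> act -> validate over constructed data.
# Added example: not McAfee's code and not the TIE/ESM/MAR API. Every feed entry,
# log line, host name and indicator value below is made up for the demonstration.
import hashlib
import ipaddress
import json
import re

# Constructed file indicator: the hash of a fixed string, not a real malware hash.
SAMPLE_HASH = hashlib.sha256(b"constructed sample").hexdigest()

# Collect: two constructed feeds in a simple JSON shape (not a real feed format).
VENDOR_FEED = json.dumps([
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 80, "source": "vendor"},
    {"type": "domain", "value": "bad.example", "confidence": 60, "source": "vendor"},
    {"type": "sha256", "value": SAMPLE_HASH, "confidence": 95, "source": "vendor"},
])
OSINT_FEED = json.dumps([
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 50, "source": "osint"},   # duplicate
    {"type": "ipv4", "value": "10.0.0.5", "confidence": 90, "source": "osint"},       # internal: noise
    {"type": "domain", "value": "BAD.EXAMPLE.", "confidence": 40, "source": "osint"},  # unnormalised
])

# Ranges that never make sense as an external IOC (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def normalise(kind, value):
    """Return (kind, canonical value), or None if the indicator is malformed or noise."""
    value = value.strip()
    if kind == "ipv4":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return None
        if ip.version != 4 or any(ip in net for net in INTERNAL_NETS):
            return None
        return kind, str(ip)
    if kind == "domain":
        value = value.lower().rstrip(".")
        return (kind, value) if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value) else None
    if kind == "sha256":
        value = value.lower()
        return (kind, value) if re.fullmatch(r"[0-9a-f]{64}", value) else None
    return None


def collate(*feeds):
    """One repository keyed by (kind, value); duplicates merge, keeping the highest
    confidence and the union of sources, so one indicator gets one entry."""
    repo = {}
    for feed in feeds:
        for ind in json.loads(feed):
            key = normalise(ind["type"], ind["value"])
            if key is None:
                continue
            entry = repo.setdefault(key, {"confidence": 0, "sources": set()})
            entry["confidence"] = max(entry["confidence"], ind["confidence"])
            entry["sources"].add(ind["source"])
    return repo


# Constructed log format: "<timestamp> <host> <message>". Tokens that look like an
# IPv4 address, a SHA-256 hash or a dotted name are extracted and looked up.
TOKEN_RE = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-f]{64}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def hunt(repo, log_lines):
    """Return (host, kind, value, confidence) for every line carrying a known indicator."""
    hits = []
    for line in log_lines:
        host = line.split()[1]
        for token in TOKEN_RE.findall(line):
            for kind in ("ipv4", "sha256", "domain"):
                key = normalise(kind, token)
                if key is not None and key in repo:
                    hits.append((host, kind, key[1], repo[key]["confidence"]))
                    break
    return hits


HISTORICAL_LOGS = [  # past: constructed SIEM archive
    "2017-04-10T08:12:03Z ws-17 proxy CONNECT 203.0.113.45:443 user=alice",
    "2017-04-10T09:40:11Z ws-22 dns query bad.example rcode=NOERROR",
    "2017-04-11T14:02:55Z ws-03 proxy CONNECT 198.51.100.7:443 user=bob",
]
LIVE_EVENTS = [  # present: constructed endpoint telemetry
    "2017-04-12T10:00:00Z ws-17 process create sha256=" + SAMPLE_HASH + " path=C:\\Temp\\a.exe",
    "2017-04-12T10:00:05Z ws-09 process create sha256=" + "0" * 64 + " path=C:\\Windows\\notepad.exe",
]
POST_ACTION_LOGS = [  # after acting: constructed follow-up telemetry
    "2017-04-12T10:30:00Z ws-17 heartbeat isolation=on",
    "2017-04-12T10:31:00Z ws-22 dns query bad.example rcode=NOERROR",
]


def act(hits, threshold=70):
    """Per host: contain when any hit meets the threshold, otherwise open an investigation."""
    actions = {}
    for host, _kind, _value, confidence in hits:
        if confidence >= threshold:
            actions[host] = "contain"
        else:
            actions.setdefault(host, "investigate")
    return actions


def validate(repo, actions, follow_up_logs):
    """Re-run the hunt after acting; return contained hosts that still produce hits."""
    still_hitting = {host for host, *_ in hunt(repo, follow_up_logs)}
    contained = {host for host, action in actions.items() if action == "contain"}
    return sorted(contained & still_hitting)  # empty means containment held


def run():
    """One pass of the loop; the loaded repository also serves as the watch for future events."""
    repo = collate(VENDOR_FEED, OSINT_FEED)
    hits = hunt(repo, HISTORICAL_LOGS) + hunt(repo, LIVE_EVENTS)
    actions = act(hits)
    return {"indicators": len(repo), "hits": hits, "actions": actions,
            "unresolved": validate(repo, actions, POST_ACTION_LOGS)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Two design points carry over to real tooling. Collation is where feed quality is decided: the unnormalised OSINT domain and the duplicate address collapse into single entries with merged sources, and the internal address is dropped before it can generate false hits. Validation is a second hunt over post-action telemetry rather than trust in the action itself: here the contained host goes quiet while the investigate-level host keeps querying the domain, which is exactly the kind of open item the Operational level’s “validate that the problem is resolved” step is meant to surface.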

Page 14: Tech Talk: Operationalize Threat Intelligence

Trusted Level: Creating and Acting on Intelligence

Collect, Collate and Hunt, Act and Validate

• McAfee Threat Intelligence Exchange (TIE)

• McAfee Enterprise Security Manager (ESM)

• McAfee Active Response (MAR)

• McAfee Advanced Threat Defense (ATD)

Page 15: Tech Talk: Operationalize Threat Intelligence

Real Outcomes

Results of Operationalizing Threat Intelligence

Metric                      Foundation Level   Operational Level   Trusted Level
Time to detect              Hours+             60 min              2 min
Time to protect             1 day+             65 min              3 min
Time to complete response   Days               90 min              10 min
Consoles                    Many               2                   2
Manual steps                Many               7                   1

Page 16: Tech Talk: Operationalize Threat Intelligence

Technical and Business Benefits Summarized

• Greatly reduced time to protection

• Automated detection and remediation

• Significant reduction in labor

• Instant validation that the threat has been properly dealt with

• Much broader visibility: 100% situational awareness

Page 17: Tech Talk: Operationalize Threat Intelligence

Intel Security, the right security partner

• Breadth of solution set needed for a mature solution

• Broad, mature services organization to help deliver success

• Open framework to support a wide range of intelligence sources

Page 18: Tech Talk: Operationalize Threat Intelligence

Next steps

• Let’s discuss how we can help you better leverage Threat Intelligence

• Pilot project
