ISSA QUARTER MEETING 2015 David Eilken Co-Chair FS-ISAC Security Automation Working Group Intelligence Driven Community Defense.

Presentation transcript:


OVERVIEW
 Cyber Intelligence – What, Why, Where
 A Vision for Community Defense
 Cyber Threat Intelligence Standards
 Maturing the Ecosystem
 How Do We Get There

EXTERNAL THREATS GROWING
117,339 incoming attacks every day. The total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over the prior year. Findings from The Global State of Information Security Survey 2015 (graphic source: PwC).

EVOLUTION OF CYBER ATTACKS – Cyber Threats on the Private Sector
Attacker motivation, in the order it has evolved:
 Fun – technically curious individuals
 Fame – technically adept groups leaving their mark on public websites
 Fortune – cyber criminals and organized gangs stealing money, running data-ransom schemes and taking competitive information
 Force – nation states and non-nation-state groups launching targeted attacks for strategic purposes
Nature of threat, in the same order:
 Academic "script kiddies"
 Commodity threats
 Advanced Persistent Threats (APT) targeting government entities
 APT targeting the private sector

WHO ARE THE ADVERSARIES? Attacker Motivation, Capability & Intent (August 2014)
Criminals
 Motivation: money, and more money
 Capability: large number of groups; skills from basic to advanced; present in virtually every country
 Cost: up to $$$
Hacktivists
 Motivation: protest, revenge
 Capability: large number of groups; groups tend to have basic skills, with a few "standout" individuals with advanced technical and motivational skills
 Cost: up to $ - $$
Espionage
 Motivation: acquiring secrets for national security or economic benefit
 Capability: small but growing number of countries with capability; larger array of "supported" or "tolerated" groups
 Cost: up to $$$$+
War
 Motivation: destroy, degrade, or deny capabilities of an adversary; "politics by other means"
 Capability: small but growing number of countries with capability; non-state actors may utilize war-like approaches
 Cost: up to $$$$$ ? …but a lot less expensive than a nuclear weapon
Scale: $ = under thousands; $$ = tens to hundreds of thousands; $$$ = millions; $$$$ = tens to hundreds of millions; $$$$$ = billions

THE NEED FOR SPEED – Attackers Act 150x Faster Than Victims Respond
 Minutes vs. weeks/months
Chart (percentage of breaches per time span, from seconds through minutes, hours, days and weeks to months) for three phases:
 Initial attack to initial compromise (shorter time is worse): attackers are FAST; most compromises complete within minutes
 Initial compromise to data exfiltration (shorter time is worse)
 Initial compromise to discovery (longer time is worse): response is SLOW; most discoveries take weeks to months

EVOLUTION OF CYBER SECURITY DEFENSE
Increasing Cyber Risks
 Malicious actors have become much more sophisticated and money driven.
 Losses to US companies are now in the tens of millions; worldwide, hundreds of millions.
 Cyber risks are now ranked the #3 overall corporate risk on Lloyd's 2013 Risk Index.
Manual Sharing Is Ineffective (Present Day Problem)
 Time consuming, and ineffective at raising the costs to the attackers.
 Not all cyber intelligence is processed; probably less than 2% overall = high risk.
 No way to enforce a cyber intelligence sharing policy = non-compliance.
We Are Solving the Problem (Future Solution)
 Security standards are maturing.
 FS-ISAC has become the trusted model for sharing industry threat intelligence.
 The Soltra Edge Cyber Intelligence Sharing Platform is revolutionizing the sharing and utilization of threat intelligence.
Yesterday – Network Awareness: protect the perimeter and patch the holes to keep out threats; share knowledge internally.
Present Day – Security Intelligence Sharing: identify and track threats, incorporate knowledge, and share what you know manually with trusted others.
Future – Situational Awareness: automate sharing; develop a clearer picture from all observers' input and proactively mitigate.

WHAT IS CYBER INTELLIGENCE
Information about cyber threats:
 Bad people, things, or events
 Plans to attack victims
 Tactics used by bad people
 Actions to deal with bad events
 Weaknesses targeted by bad people

WHY CYBER INTELLIGENCE IS IMPORTANT
Tactical Uses
 Proactively detect or defend against attacks before they happen
 Diagnose infected corporate systems
Strategic Uses
 Compile and track bad people or things that don't like you, your industry, or your company; report out, and potentially send to the authorities
 Improve your security posture: the more you understand the things, people, and organizations that are attacking you, the better you can defend yourself
Intelligence can help protect you!

WHERE DOES CYBER INTELLIGENCE COME FROM?
Buy It
 Purchase from professional intelligence providers
Collect for Free
 From inside your own organizational environment
 The Internet has many Open Source Intelligence (OSINT) feeds available
From Friends
 Information Sharing Communities or ISACs
 Business partners, associates, peers, etc.
Get It from Authorities
 Government – DHS, FBI, etc.

INTELLIGENCE LIFE-CYCLE (graphic source: FBI)
 #1 Collect
 #2 Process
 #3 Analyze
 #4 Disseminate
Intelligence starts in Security Operations. The open question after dissemination: what do we do with it? (What are we supposed to do with it?)

STEP #1 – IN THE REAL-LIFE CYCLE
Slide graphic: Firm X SOC analysts and Company Y CIRC analysts, each working the same intelligence separately. Captions: "Time waning", "Cyber analysts", "Eyes of distrust", "My wheel better" (each side reinventing its own wheel).

MACHINES CAN HELP, BUT FIRST… machines need a language to talk about threats
STIX – Structured Threat Information eXpression
 Structured language used by machines to describe cyber threats (like HTML for threat information)
 stix.mitre.org
TAXII – Trusted Automated eXchange of Indicator Information
 Transport mechanism for cyber threat information represented in STIX (like TCP/IP carrying that HTML)
 taxii.mitre.org
At the time of this talk both were XML-based specifications maintained by MITRE (STIX 1.x, TAXII 1.x); stewardship of both has since moved to the OASIS CTI technical committee.

INTELLIGENCE DRIVEN COMMUNITY DEFENSE
Slide graphic: an attacked organization reports to its ISAC (FS-ISAC); trusted organizations are protected, and with automated defense the extended set of trusted organizations, and their machines, are protected as well.

STIX CONSTRUCTS – an open standard to categorize cyber threat intelligence information
Levels: Strategic, Operational, Tactical, Atomic. The questions the constructs answer (with the STIX 1.x construct that answers each):
 What threat activity are we seeing? (Observable)
 What threats should I look for on my networks and systems, and why? (Indicator)
 Where has this threat been seen? (Incident)
 What do they do? (TTP)
 Why do they do this? (Campaign)
 Who is responsible for this threat? (Threat Actor)
 What weaknesses does this threat exploit? (Exploit Target)
 What can I do about it? (Course of Action)

STIX ARCHITECTURE – The Power of Structured Intelligence
 Key to effective strategic cyber intelligence analysis and threat tracking
 Ability to pivot, view, analyze, and enrich complex relationships

STIX SAMPLE – an email Message object, shown as XML on the slide (tags not recovered):
 Subject: Fw:Draft US-China Joint Statement
 Date: T12:48:50+08:00 (date portion not recovered)
 Content-Type: multipart/mixed; boundary=90e6ba10b0e7fbf25104cdd9ad
 X-Mailer: Microsoft CDO for Windows 2000

HOW HUMANS VIEW INTELLIGENCE ("Hey Mom! Watch me pivot!")
Slide graphic: a relationship graph around a threat actor, one node per kill-chain phase:
 Threat actor: Pamina Republic Army Unit; associated actor "Leet" (electronic address)
 Initial Compromise – indicator/observable: spear-phishing email (sender: John Smith; subject: Press Release)
 Establish Foothold – observed TTP: WEBC2 malware behavior
 Escalate Privilege – observed TTP, uses tools cachedump and lslsass; indicator MD5: d8bb32a7465f55c368230bb52d52d885
 Internal Reconnaissance – observed TTP, attack pattern: ipconfig, net view, net group "domain admins"
 Exfiltration – observed TTP, uses tool GETMAIL
 Targets: Khaffeine, Bronxistan, Perturbia, Blahniks…
 Leverages infrastructure: C2 servers (observable IP range)
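The graph above is how an analyst reads the intelligence; the point of the STIX constructs slide and of the "Actionable" maturity level later in the deck is that a machine can read the same data. The following is an added example, not code from the presentation, from Soltra, or from MITRE: it builds a small STIX 1.x-style package with the standard library only (the namespace URIs are those of the STIX 1.x / CybOX 2.x XML bindings; the package is abbreviated and omits the xsi:type attributes a conforming producer would emit), carries the hash and the phishing subject from the slides as indicators, de-duplicates a second indicator that repeats the same hash, and then runs the indicators over constructed key=value log lines, counting a sighting for each match. The log format, hostnames, and the non-matching hash are all made up for the example.

```python
"""Added example, not code from the presentation, Soltra or MITRE: a minimal
STIX 1.x-style XML package built with the standard library only, a parser that
pulls machine-readable indicators out of it (merging duplicates), and a matcher
that runs those indicators over constructed log lines and counts sightings."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace URIs of the STIX 1.x / CybOX 2.x XML bindings used in the package.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "EmailMessageObj": "http://cybox.mitre.org/objects#EmailMessageObject-2",
}

# Constructed, abbreviated package (no xsi:type or schemaLocation attributes).
# Values are the ones on the slides: the credential-dumping tool hash and the
# spear-phishing subject. Indicator 3 repeats the hash to show de-duplication.
STIX_PACKAGE = """<stix:STIX_Package xmlns:stix="{stix}" xmlns:indicator="{indicator}"
    xmlns:cybox="{cybox}" xmlns:cyboxCommon="{cyboxCommon}" xmlns:FileObj="{FileObj}"
    xmlns:EmailMessageObj="{EmailMessageObj}" id="example:Package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1">
      <indicator:Title>Credential dumping tool (cachedump/lslsass)</indicator:Title>
      <indicator:Observable><cybox:Object><cybox:Properties><FileObj:Hashes>
        <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
        <cyboxCommon:Simple_Hash_Value>d8bb32a7465f55c368230bb52d52d885</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2">
      <indicator:Title>Spear-phishing lure subject</indicator:Title>
      <indicator:Observable><cybox:Object><cybox:Properties><EmailMessageObj:Header>
        <EmailMessageObj:Subject>Fw:Draft US-China Joint Statement</EmailMessageObj:Subject>
      </EmailMessageObj:Header></cybox:Properties></cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-3">
      <indicator:Title>Same hash reported by a second source</indicator:Title>
      <indicator:Observable><cybox:Object><cybox:Properties><FileObj:Hashes>
        <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
        <cyboxCommon:Simple_Hash_Value>D8BB32A7465F55C368230BB52D52D885</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>""".format(**NS)


def parse_indicators(xml_text):
    """Map (kind, normalized value) -> {"title", "ids"} for every Indicator in
    the package. Two indicators carrying the same observable value collapse
    into one entry, which is what a sharing hub's de-duplication does."""
    root = ET.fromstring(xml_text)
    found = {}
    for ind in root.iterfind(".//stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        values = [("md5", h.text.strip().lower())
                  for h in ind.iterfind(".//cyboxCommon:Simple_Hash_Value", NS)]
        values += [("subject", s.text.strip())
                   for s in ind.iterfind(".//EmailMessageObj:Subject", NS)]
        for key in values:
            found.setdefault(key, {"title": title, "ids": []})["ids"].append(ind.get("id"))
    return found


# Constructed key=value log lines, as an endpoint agent or mail gateway might emit.
LOGS = [
    'ts=2015-03-12T09:14:02Z host=wks-117 event=process_create image=C:\\Temp\\lslsass.exe md5=D8BB32A7465F55C368230BB52D52D885',
    'ts=2015-03-12T09:20:45Z host=mx-01 event=mail_in from=john.smith@example.net subject="Fw:Draft US-China Joint Statement"',
    'ts=2015-03-12T09:22:10Z host=wks-117 event=process_create image=C:\\Windows\\System32\\net.exe cmdline="net view /domain" md5=1d3d6b4e8a2c9f0b7e5a6c8d9e0f1a2b',
    'ts=2015-03-12T09:40:03Z host=mx-01 event=mail_in from=payroll@example.net subject="Quarterly numbers"',
    'ts=2015-03-12T11:02:51Z host=wks-204 event=file_write path=C:\\Temp\\cachedump.exe md5=d8bb32a7465f55c368230bb52d52d885',
]
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"


def match_logs(indicators, lines):
    """Run every indicator over every log line. Returns a sighting count per
    indicator (the "+1" a sharing platform records) and the list of hits."""
    sightings = defaultdict(int)
    hits = []
    for line in lines:
        fields = {k: q or u for k, q, u in KV.findall(line)}
        probes = []
        if "md5" in fields:
            probes.append(("md5", fields["md5"].lower()))  # hashes compare case-insensitively
        if "subject" in fields:
            probes.append(("subject", fields["subject"]))
        for key in probes:
            if key in indicators:
                sightings[key] += 1
                hits.append((fields["ts"], fields["host"], key[1], indicators[key]["ids"]))
    return dict(sightings), hits


if __name__ == "__main__":
    found = parse_indicators(STIX_PACKAGE)
    counts, matches = match_logs(found, LOGS)
    for key, n in counts.items():
        print(f"{key[0]}={key[1]!r}: {n} sighting(s), reported by {found[key]['ids']}")
```

Two things the example makes concrete that the graph does not: the same hash arriving twice from two sources becomes one indicator with two provenance ids rather than two alerts, and matching is done on normalized values, so a hash an endpoint agent logs in upper case still hits an indicator published in lower case.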

LET’S NOT FORGET THE TRANSPORT STANDARD
STIX with TAXII vs. STIX without TAXII: …like a wheel without an axle
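What the axle actually looks like on the wire, as an added example that is not code from the presentation, from Soltra, or from the TAXII project: a TAXII 1.1-style Poll_Request / Poll_Response exchange with both the client and the server side in one file. The server filters its content blocks by collection name, by the requested time window, and by the requester's trust group (the TLP colours it may receive), and answers an unknown collection with a TAXII Status_Message instead of an empty reply; the client reads the STIX packages out of the Content_Blocks. The message namespace, element names and binding id are those of the TAXII 1.1 XML binding; the collection store, the trust groups and the package ids are constructed for the example, and the assumption that the requester identity comes from the TLS client certificate rather than from the XML is marked in the code.

```python
"""Added example, not code from the presentation, Soltra or the TAXII project:
a TAXII 1.1-style Poll_Request / Poll_Response exchange with both sides in one
file. The server filters content blocks by collection, time window and the
requester's trust group; the client reads the STIX packages out of the reply."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
STIX_BINDING = "urn:stix.mitre.org:xml:1.1.1"
ET.register_namespace("taxii_11", TAXII_NS)
ET.register_namespace("stix", "http://stix.mitre.org/stix-1")
# HTTP headers that accompany a TAXII 1.1 XML message on a real HTTPS request.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}
UTC = timezone.utc


def T(name):
    """Qualified tag name in the TAXII 1.1 message namespace."""
    return f"{{{TAXII_NS}}}{name}"


# Constructed server-side store: collection -> [(timestamp label, STIX content, TLP)].
PKG = '<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" id="example:pkg-%d"/>'
COLLECTIONS = {
    "fsisac-indicators": [
        (datetime(2015, 3, 10, 8, 0, tzinfo=UTC), PKG % 1, "GREEN"),
        (datetime(2015, 3, 12, 9, 30, tzinfo=UTC), PKG % 2, "AMBER"),
        (datetime(2015, 3, 14, 12, 0, tzinfo=UTC), PKG % 3, "GREEN"),
    ]
}
# Trust groups: the TLP colours each requester may receive. Assumption: the
# requester identity comes from the TLS client certificate, not from the XML.
TRUST = {"firm-x": {"WHITE", "GREEN", "AMBER"}, "partner-y": {"WHITE", "GREEN"}}


def build_poll_request(collection, begin=None, end=None):
    """Client side: Poll_Request for blocks labelled after `begin` (exclusive)
    and up to `end` (inclusive); both are optional ISO-8601 strings."""
    req = ET.Element(T("Poll_Request"), {"message_id": uuid.uuid4().hex,
                                         "collection_name": collection})
    if begin:
        ET.SubElement(req, T("Exclusive_Begin_Timestamp")).text = begin
    if end:
        ET.SubElement(req, T("Inclusive_End_Timestamp")).text = end
    params = ET.SubElement(req, T("Poll_Parameters"), {"allow_asynch": "false"})
    ET.SubElement(params, T("Response_Type")).text = "FULL"
    return ET.tostring(req, encoding="unicode")


def handle_poll(request_xml, requester):
    """Server side: Poll_Response, or a Status_Message when the collection does
    not exist. Blocks outside the requester's trust group are omitted silently
    so the reply does not reveal what the requester is not cleared to see."""
    req = ET.fromstring(request_xml)
    name = req.get("collection_name")
    if name not in COLLECTIONS:
        err = ET.Element(T("Status_Message"), {"message_id": uuid.uuid4().hex,
                         "in_response_to": req.get("message_id"), "status_type": "NOT_FOUND"})
        ET.SubElement(err, T("Message")).text = f"unknown collection {name}"
        return ET.tostring(err, encoding="unicode")
    begin, end = req.findtext(T("Exclusive_Begin_Timestamp")), req.findtext(T("Inclusive_End_Timestamp"))
    begin = datetime.fromisoformat(begin) if begin else None
    end = datetime.fromisoformat(end) if end else None
    resp = ET.Element(T("Poll_Response"), {"message_id": uuid.uuid4().hex,
                      "in_response_to": req.get("message_id"), "collection_name": name, "more": "false"})
    for label, stix_xml, tlp in COLLECTIONS[name]:
        if (begin and label <= begin) or (end and label > end) or tlp not in TRUST.get(requester, set()):
            continue
        block = ET.SubElement(resp, T("Content_Block"))
        ET.SubElement(block, T("Content_Binding"), {"binding_id": STIX_BINDING})
        ET.SubElement(block, T("Content")).append(ET.fromstring(stix_xml))
        ET.SubElement(block, T("Timestamp_Label")).text = label.isoformat()
    return ET.tostring(resp, encoding="unicode")


def read_poll_response(response_xml):
    """Client side: [(timestamp label, package id)] per STIX block; a TAXII
    Status_Message is raised rather than mistaken for an empty collection."""
    resp = ET.fromstring(response_xml)
    if resp.tag == T("Status_Message"):
        raise RuntimeError(f"TAXII {resp.get('status_type')}: {resp.findtext(T('Message'))}")
    out = []
    for block in resp.iterfind(T("Content_Block")):
        if block.find(T("Content_Binding")).get("binding_id") != STIX_BINDING:
            continue  # skip bindings this client cannot parse
        pkg = block.find(T("Content"))[0]
        out.append((block.findtext(T("Timestamp_Label")), pkg.get("id")))
    return out


def poll(collection, requester, begin=None, end=None):
    """The whole exchange in-process; over HTTPS the request would carry TAXII_HEADERS."""
    return read_poll_response(handle_poll(build_poll_request(collection, begin, end), requester))


if __name__ == "__main__":
    print(poll("fsisac-indicators", "firm-x", begin="2015-03-11T00:00:00+00:00"))
    print(poll("fsisac-indicators", "partner-y"))
```

The client keeps the Timestamp_Label of the last block it received and sends it back as the next Exclusive_Begin_Timestamp, which is how a poll loop avoids re-fetching (and re-ingesting) the same packages; the server-side trust check is the piece a hub such as Soltra Edge layers on top of plain TAXII so that an AMBER package never leaves the group it was shared with.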

STIX & TAXII… JUST THE BEGINNING
Cyber Security Measurement and Management Architecture: standards across the security lifecycle (source: MITRE)

YOU ARE HERE – STIX & TAXII Adoption Curve (maturity % vs. time)
 Stages: Awareness → Trial → Adoption → Ubiquity
 Tooling along the curve: Excel and Notepad → Intelligence Server → Intelligence Network

MATURING AN ECOSYSTEM
Sharing Communities
 ISACs
 Government
 Individuals
Security Vendors
 Service Providers
 Vendor Products
Consumers of Security Products and Intelligence
 Large
 Medium
 Small

CHANGING THE ECONOMICS – Cyber Warfare Symmetry
Chart: cost to defend vs. cost to attack (min to max) against policy effectiveness, running from "Advantage: Attackers" to "Advantage: Defenders". Current state of cyber-symmetry: unsophisticated adversaries can play. Future state: only the most advanced can play.
Cost to Firms
 The current cost to process a single piece of intelligence is 7 hours. Equal to 2014 = $100m; 2015 = $1b; 2016 = $4b
Cost to Adversaries
 Adversaries must "re-tool" much more often, and their exploits cause less damage
Risks from Cyber Threats
 Frequency and impact of threats decrease, while higher adoption leads to exponential benefits

CYBER INTELLIGENCE MATURITY – Levels of Cyber Intelligence
Increasing situational awareness => increasing cost to adversaries
 DATA – discrete elements
 INFORMATION – linked elements
 KNOWLEDGE – organized information
 SITUATIONAL AWARENESS / WISDOM – actionable intelligence
Activities along the ladder (processing → analysis → judgment): aggregation and normalization; localized data correlation; pattern recognition; some contextual knowledge; deductive reasoning; pro-active auto-response.
Accessible: far beyond just a select few that have access to organized data; an entire community can now be empowered.
Enriched: communities of industry verticals fight the same threats, and have the most to share about their adversaries.
Actionable: structured data can be understood by machines. Machines can detect, share, and make defensive adjustments at wire speed.

COMMUNITY – IT TAKES A VILLAGE… Operational Intelligence Strategic Intelligence

CONSUMER FREEDOM

HISTORY OF AVALANCHE – Security Automation Working Group
 Started in early 2012, prior to STIX 1.0
 Small group of security professionals
 Steadily grew STIX & TAXII awareness and involvement
 Started with an idea to automate the sharing of intelligence
 Listened to security analysts – broke down the problem
 Prioritized and built in chunks – didn't boil the ocean
 Relied on open standards as the base and became STIX & TAXII experts
 Built an initial Central Intelligence Repository for the SAWG members
 Utilized scripts to pull data, then push data (the SAWG community helped a lot)
 Realized we needed not just a server and some client-side scripts…

WHAT IS SOLTRA (SOLTRA | AN FS-ISAC DTCC COMPANY)
A Company for the Community
 Increasing adoption of STIX & TAXII to reduce friction in security operations
 Formed with the support of the FS-ISAC community and the backing of DTCC (for scalability)
 Market changing – created for the good of the information security consumer
 At-cost business model – generates revenue just to keep the lights on
Continue Driving the Technology
 Innovate on open standards to automate the sharing of cyber threat intelligence
 A platform for everyone – can be extended to all sizes of financial services firms, other sharing communities and industry verticals
 Enabling seamless integration across security lifecycle solutions (threat intelligence, firewalls, intrusion detection, anti-virus, etc.)
 10x reduction in the cost to collect/process intelligence and the cost to respond

SOLTRA EDGE OVERVIEW (SOLTRA | AN FS-ISAC DTCC COMPANY)
Basis for a Cyber Intelligence Sharing Network
 Like an intelligence server and router
 Big-data STIX store; sends and receives via TAXII with access control
Key Features
 Instant aggregation of intelligence from the sources you choose
 On-premise – you own and control your data and your sharing
 Collect, process, and disseminate (internally and externally) to standards-based devices
 De-duplication and automatic sightings (+1)
 Trust groups and the Traffic Light Protocol control data access
 Hides the complexity of STIX & TAXII behind a simple user interface

THANK YOU FOR PARTICIPATING David Eilken VP Product Strategy Soltra

SOLTRA EDGE – The Center of an Open Framework
 Primary data store for structured intelligence
 Connects your STIX- and TAXII-enabled tools

SOLTRA EDGE – Foundation of a Security Network
 Structured intelligence server and router
 Can act as a TAXII gateway to other STIX sources

SOLTRA EDGE – Hides the Complexity of STIX & TAXII
 Simple and intuitive interface
 Visualize, create, and move intelligence