1
INTELLIGENCE DRIVEN COMMUNITY DEFENSE
ISSA Quarterly Meeting 2015
David Eilken, Co-Chair, FS-ISAC Security Automation Working Group
2
OVERVIEW
- Cyber Intelligence: What, Why, Where
- A Vision for Community Defense
- Cyber Threat Intelligence Standards
- Maturing the Ecosystem
- How Do We Get There
3
EXTERNAL THREATS GROWING
- 117,339 incoming attacks every day
- The total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over 2013.
Findings from The Global State of Information Security Survey 2015. Graphic source: PwC
4
EVOLUTION OF CYBER ATTACKS
Cyber threats on the private sector, 1988 to 2010 (timeline marks: 1988, 2001, 2004, 2010). Nature of threat: Academic -> "Script Kiddies" -> Commodity Threats -> Advanced Persistent Threats (APT) targeting government entities -> APT targeting the private sector.
- Fun: technically curious individuals
- Fame: technically adept groups leaving their mark on public websites
- Fortune: cyber criminals and organized gangs stealing money, running data ransom schemes and taking competitive information
- Force: nation states and non-nation-state groups launching targeted attacks for strategic purposes
5
WHO ARE THE ADVERSARIES?
Attacker motivation, capability and intent (August 2014)
- Criminals. Motivation: money, and more money. Capability: large number of groups; skills from basic to advanced; present in virtually every country. Cost: up to $$$
- Hacktivists. Motivation: protest, revenge. Capability: large number of groups; groups tend to have basic skills, with a few 'standout' individuals with advanced technical and motivational skills. Cost: up to $ - $$
- Espionage. Motivation: acquiring secrets for national security or economic benefit. Capability: small but growing number of countries with capability; larger array of 'supported' or 'tolerated' groups. Cost: up to $$$$+
- War. Motivation: destroy, degrade, or deny capabilities of an adversary; politics by other means. Capability: small but growing number of countries with capability; non-state actors may utilize 'war'-like approaches. Cost: up to $$$$$ ? ...but a lot less expensive than a nuclear weapon
Cost scale: $ = under thousands; $$ = tens to hundreds of thousands; $$$ = millions; $$$$ = tens to hundreds of millions; $$$$$ = billions
6
THE NEED FOR SPEED
Attackers act 150x faster than victims respond: minutes vs. weeks/months.
[Chart: time from initial attack to initial compromise (shorter is worse), from initial compromise to data exfiltration (shorter is worse) and from initial compromise to discovery (longer is worse), bucketed into seconds, minutes, hours, days, weeks and months. Attack to compromise: 10% in seconds, 75% in minutes. Compromise to exfiltration: 8% in seconds, 38% in minutes. Compromise to discovery: 13% in days, 29% in weeks, 54% in months.]
Attackers are FAST; response is SLOW.
7
EVOLUTION OF CYBER SECURITY DEFENSE
Yesterday: Network Awareness. Protect the perimeter and patch the holes to keep out threats; share knowledge internally.
Present-day problem: Security Intelligence Sharing. Identify and track threats, incorporate knowledge and share what you know manually with trusted others.
- Increasing cyber risks: malicious actors have become much more sophisticated and money driven. Losses to US companies are now in the tens of millions; worldwide, hundreds of millions. Cyber risk is ranked the #3 overall corporate risk on Lloyd's 2013 Risk Index.
- Manual sharing is ineffective: time consuming and ineffective at raising the cost to attackers. Not all cyber intelligence is processed, probably less than 2% overall, which means high risk. There is no way to enforce a cyber intelligence sharing policy, which means non-compliance.
Future solution: Situational Awareness. Automate sharing, develop a clearer picture from all observers' input and proactively mitigate.
- We are solving the problem: security standards are maturing. FS-ISAC has become the trusted model for sharing industry threat intelligence. The Soltra Edge cyber intelligence sharing platform is revolutionizing the sharing and utilization of threat intelligence.
8
WHAT IS CYBER INTELLIGENCE
Information about cyber threats:
- Bad people, things, or events
- Plans to attack victims
- Tactics used by bad people
- Actions to deal with bad events
- Weaknesses targeted by bad people
9
WHY CYBER INTELLIGENCE IS IMPORTANT
Tactical uses
- Proactively detect or defend against attacks before they happen
- Diagnose infected corporate systems
Strategic uses
- Compile and track the people or things that don't like you, your industry, or your company; report out and potentially send to the authorities
- Improve your security posture: the more you understand the things, people, and organizations attacking you, the better you can defend yourself
Intelligence can help protect you!
10
WHERE DOES CYBER INTELLIGENCE COME FROM?
- Buy it: purchase from professional intelligence providers
- Collect for free: from inside your own environment; the Internet has many Open Source Intelligence (OSINT) feeds available
- From friends: information sharing communities or ISACs; business partners, associates, peers, etc.
- From authorities: government (DHS, FBI, etc.)
11
INTELLIGENCE LIFE-CYCLE (graphic source: FBI)
#1 Collect -> #2 Process -> #3 Analyze -> #4 Disseminate
Intelligence starts in security operations. What do we do with it? (What are we supposed to do with it?)
12
STEP #1 – IN THE REAL-LIFE CYCLE
[Diagram: Firm X SOC analysts and Company Y CIRC analysts exchanging intelligence by hand. Labels: "Time Waning", "Cyber Analysts", "Eyes of Distrust", "My Wheel Better".]
13
MACHINES CAN HELP, BUT FIRST...
...machines need a language to talk about threats.
- STIX (Structured Threat Information eXpression): a structured language used by machines to describe cyber threats. Like HTML. stix.mitre.org
- TAXII (Trusted Automated eXchange of Indicator Information): the transport mechanism for cyber threat information represented in STIX. Like TCP/IP. taxii.mitre.org
14
INTELLIGENCE DRIVEN COMMUNITY DEFENSE
[Diagram: an organization is attacked and shares with its ISAC (FS-ISAC); trusted organizations are protected; automated defense extends that protection to the machines of extended trusted organizations.]
15
STIX CONSTRUCTS
An open standard to categorize cyber threat intelligence information, at four levels: atomic, tactical, operational and strategic. Each construct answers a question:
- What threat activity are we seeing? (Observable)
- What threats should I look for on my networks and systems, and why? (Indicator)
- Where has this threat been seen? (Incident)
- What do they do? (TTP)
- What weaknesses does this threat exploit? (Exploit Target)
- What can I do about it? (Course of Action)
- Why do they do this? (Campaign)
- Who is responsible for this threat? (Threat Actor)
16
STIX ARCHITECTURE
The power of structured intelligence:
- Key to effective strategic cyber intelligence analysis and threat tracking
- Ability to pivot, view, analyze, and enrich complex relationships
17
STIX SAMPLE: Email Message Object (a CybOX EmailMessage observable)
- From: jsmith@gmail.com
- To: jdoe@state.gov
- Subject: Fw:Draft US-China Joint Statement
- Date: 2011-01-05T12:48:50+08:00
- Message-ID: CAF=+=fCSNqaNnR=wom=Y6xP09r_wfKjsm0hvY3wJYTGEzGyPkw@mail.gmail.com
- Content-Type: multipart/mixed; boundary=90e6ba10b0e7fbf25104cdd9ad08
- MIME-Version: 1.0
- X-Mailer: Microsoft CDO for Windows 2000
18
HOW HUMANS VIEW INTELLIGENCE
[Relationship graph, using fictional names]
- Threat actor: Pamina Republic Army Unit 31459; associated actor: Leet; electronic address (observable)
- Initial Compromise: indicator -> observable: spear phishing email (Sender: John Smith, Subject: Press Release)
- Establish Foothold: observed TTP: WEBC2 malware behavior
- Escalate Privilege: observed TTP uses tools cachedump and lslsass; indicator MD5: d8bb32a7465f55c368230bb52d52d885
- Internal Reconnaissance: observed TTP, attack pattern: ipconfig, net view, net group "domain admins"
- Exfiltration: observed TTP uses tool GETMAIL
- Targets: Khaffeine, Bronxistan, Perturbia, Blahniks...
- Leverages infrastructure: C2 servers (observable), IP range 172.24.0.0-112.25.255.255
Hey Mom! Watch Me Pivot!
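The two slides above show an e-mail observable and a relationship graph; what a machine does with them is flatten each observable into atomic indicators and match those against logs, recording a sighting per hit. The block below is an added example, not code from the presentation and not python-stix or Soltra Edge code. It parses a STIX 1.2 package constructed here (standard-library XML only) to mirror the slide's e-mail headers and the cachedump/lslsass MD5, then runs the resulting indicators over a few constructed log lines. The indicator ids, the log formats and the log lines are made up.

```python
# Added example: flatten a STIX 1.x package into atomic indicators and match
# them against log lines. Standard library only; not python-stix or Soltra code.
import re
import xml.etree.ElementTree as ET

# Namespaces of the STIX 1.x and CybOX 2.x XML bindings used below.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "EmailMessageObj": "http://cybox.mitre.org/objects#EmailMessageObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}

# Constructed package: the spear-phish headers from the STIX sample slide plus
# the cachedump/lslsass MD5 from the relationship graph. Ids are made up.
STIX_PACKAGE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-phish-1">
      <indicator:Title>Spear phishing e-mail</indicator:Title>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
          <EmailMessageObj:Header>
            <EmailMessageObj:From category="e-mail"><AddressObj:Address_Value>jsmith@gmail.com</AddressObj:Address_Value></EmailMessageObj:From>
            <EmailMessageObj:Subject>Fw:Draft US-China Joint Statement</EmailMessageObj:Subject>
            <EmailMessageObj:Message_ID>CAF=+=fCSNqaNnR=wom=Y6xP09r_wfKjsm0hvY3wJYTGEzGyPkw@mail.gmail.com</EmailMessageObj:Message_ID>
          </EmailMessageObj:Header>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-tool-1">
      <indicator:Title>Credential dumping tool (cachedump/lslsass)</indicator:Title>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="FileObj:FileObjectType">
          <FileObj:Hashes><cyboxCommon:Hash>
            <cyboxCommon:Type>MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>d8bb32a7465f55c368230bb52d52d885</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash></FileObj:Hashes>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

PROPS = "indicator:Observable/cybox:Object/cybox:Properties/"
HDR = PROPS + "EmailMessageObj:Header/"

def extract_indicators(stix_xml):
    """Return (indicator_id, kind, value) triples, one per atomic observable."""
    atoms = []
    for ind in ET.fromstring(stix_xml).iterfind("stix:Indicators/stix:Indicator", NS):
        iid = ind.get("id")
        for el in ind.iterfind(HDR + "EmailMessageObj:From/AddressObj:Address_Value", NS):
            atoms.append((iid, "email-from", el.text.strip().lower()))
        for el in ind.iterfind(HDR + "EmailMessageObj:Subject", NS):
            atoms.append((iid, "email-subject", el.text.strip()))
        for el in ind.iterfind(HDR + "EmailMessageObj:Message_ID", NS):
            atoms.append((iid, "email-message-id", el.text.strip()))
        for h in ind.iterfind(PROPS + "FileObj:Hashes/cyboxCommon:Hash", NS):
            htype = h.findtext("cyboxCommon:Type", namespaces=NS).strip().lower()
            hval = h.findtext("cyboxCommon:Simple_Hash_Value", namespaces=NS).strip().lower()
            atoms.append((iid, "file-" + htype, hval))
    return atoms

# Constructed log lines (the key=value formats are made up): a mail gateway and an endpoint agent.
MAIL_LOG = [
    'from=JSmith@gmail.com to=jdoe@state.gov subject="Fw:Draft US-China Joint Statement" '
    'msgid=<CAF=+=fCSNqaNnR=wom=Y6xP09r_wfKjsm0hvY3wJYTGEzGyPkw@mail.gmail.com>',
    'from=news@example.org to=jdoe@state.gov subject="Weekly digest" msgid=<a1@example.org>',
]
FILE_LOG = [
    "host=ws-17 path=C:\\Temp\\ls.exe md5=D8BB32A7465F55C368230BB52D52D885",
    "host=ws-03 path=C:\\Windows\\notepad.exe md5=0123456789abcdef0123456789abcdef",
]
MAIL_RE = re.compile(r'from=(?P<from>\S+) .*?subject="(?P<subject>[^"]*)" msgid=<(?P<msgid>[^>]+)>')
FILE_RE = re.compile(r"md5=(?P<md5>[0-9a-fA-F]{32})")
MAIL_FIELD = {"email-from": "from", "email-subject": "subject", "email-message-id": "msgid"}

def match_logs(atoms, mail_log, file_log):
    """Return {indicator_id: [(kind, log_line), ...]} for every atom seen in the logs.
    Comparison is case-insensitive so header casing or upper-case hex cannot hide a hit."""
    hits = {}
    for iid, kind, value in atoms:
        if kind in MAIL_FIELD:
            lines, rx, field = mail_log, MAIL_RE, MAIL_FIELD[kind]
        elif kind == "file-md5":
            lines, rx, field = file_log, FILE_RE, "md5"
        else:
            continue  # hash types or observables this matcher does not handle
        for line in lines:
            m = rx.search(line)
            if m and m.group(field).lower() == value.lower():
                hits.setdefault(iid, []).append((kind, line))
    return hits

def sightings(hits):
    """Automatic sightings: one +1 per indicator per distinct log line, however many atoms hit it."""
    return {iid: len({line for _, line in matches}) for iid, matches in hits.items()}
```

Running `sightings(match_logs(extract_indicators(STIX_PACKAGE), MAIL_LOG, FILE_LOG))` gives one sighting for each indicator: the phishing indicator is hit three times on the same mail line (sender, subject and message id) but counts once, which is the de-duplication a sharing platform has to do before it reports a "+1" back to the community.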
19
LET'S NOT FORGET THE TRANSPORT STANDARD
STIX with TAXII vs. STIX without TAXII: ...like a wheel without an axle.
20
STIX & TAXII... JUST THE BEGINNING
Cyber Security Measurement and Management Architecture: standards across the security lifecycle (source: MITRE)
21
YOU ARE HERE
[STIX & TAXII adoption curve: maturity (%) over time, from Awareness (Excel, Notepad) through Trial and Adoption (Intelligence Server) to Ubiquity (Intelligence Network).]
22
MATURING AN ECOSYSTEM
- Sharing communities: ISACs, government, individuals
- Security vendors: service providers, vendor products
- Consumers of security products and intelligence: large, medium, small
23
CHANGING THE ECONOMICS
[Chart: cyber warfare symmetry. Cost to defend vs. cost to attack, plotted against policy effectiveness; the advantage shifts from attackers to defenders. Current state (unsophisticated adversaries can play) vs. future state (only the most advanced can play).]
- Cost to firms: the current cost to process a single piece of intelligence is 7 hours, which the slide equates to $100m in 2014, $1b in 2015 and $4b in 2016.
- Cost to adversaries: adversaries must "re-tool" much more often and their exploits cause less damage.
- Risks from cyber threats: frequency and impact of threats decrease, while higher adoption leads to exponential benefits.
24
CYBER INTELLIGENCE MATURITY
Levels of cyber intelligence: increasing situational awareness means increasing cost to adversaries.
- Data (discrete elements) -> processing: aggregation and normalization
- Information (linked elements) -> analysis: localized data correlation, pattern recognition
- Knowledge (organized information) -> judgment: some contextual knowledge, deductive reasoning
- Wisdom (actionable intelligence) -> situational awareness: proactive auto-response
Accessible: far beyond just a select few that have access to organized data; an entire community can now be empowered.
Enriched: communities of industry verticals fight the same threats and have the most to share about their adversaries.
Actionable: structured data can be understood by machines. Machines can detect, share, and make defensive adjustments at wire-speed.
25
COMMUNITY – IT TAKES A VILLAGE… Operational Intelligence Strategic Intelligence
26
CONSUMER FREEDOM
27
HISTORY OF AVALANCHE
Security Automation Working Group (SAWG)
- Started in early 2012, prior to STIX 1.0, as a small group of security professionals
- Steadily grew STIX & TAXII awareness and involvement
- Started with an idea to automate the sharing of intelligence
- Listened to security analysts and broke down the problem
- Prioritized and built in chunks; didn't boil the ocean
- Relied on open standards as the base and became STIX & TAXII experts
- Built an initial Central Intelligence Repository for the SAWG members
- Utilized scripts to pull data, then push data (the SAWG community helped a lot)
- Realized we needed not just a server and some client-side scripts...
28
WHAT IS SOLTRA
A company for the community
- Increasing adoption of STIX & TAXII to reduce friction in security operations
- Formed with the support of the FS-ISAC community and the backing of DTCC for scalability
- Market changing: created for the good of the information security consumer
- At-cost business model: generates revenue just to keep the lights on
Continue driving the technology
- Innovate on open standards to automate the sharing of cyber threat intelligence
- A platform for everyone: can be extended to all sizes of financial services firms, other sharing communities and industry verticals
- Enabling seamless integration across security lifecycle solutions (threat intelligence, firewalls, intrusion detection, anti-virus, etc.)
- 10x reduction in the cost to collect/process intelligence and to respond
SOLTRA | AN FS-ISAC DTCC COMPANY
29
SOLTRA EDGE OVERVIEW
The basis for a cyber intelligence sharing network: like an intelligence server and router. A big-data STIX store that sends and receives via TAXII with access control.
Key features
- Instant aggregation of intelligence from the sources you choose
- On-premise: you own and control your data and sharing
- Collect, process, and disseminate (internally and externally) to standards-based devices
- De-duplication and automatic sightings (+1)
- Trust groups and the Traffic Light Protocol (TLP) control data access
- Hides complex STIX & TAXII behind a simple user interface
SOLTRA | AN FS-ISAC DTCC COMPANY
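Two of the features above, TAXII transport with access control and trust-group/TLP gating of what each member may pull, fit in one short exchange. The block below is an added example, not Soltra Edge or libtaxii code: a client builds a TAXII 1.1 Poll_Request, a server answers with a Poll_Response (or a Status_Message when the caller is not a member of the collection), and the client parses the content blocks. The server runs in-process so the example works offline. The message shapes follow the TAXII 1.1 XML binding; the collection name, trust groups, TLP policy, timestamps and stored packages are made up, and the HTTPS transport, X-TAXII-* headers and client-certificate authentication of a real deployment are left out (the authenticated trust group is passed in directly as caller_group).

```python
# Added example: a minimal TAXII 1.1 Poll exchange with trust-group / TLP gating.
# Server and client run in one process; not Soltra Edge or libtaxii code.
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
STIX_NS = "http://stix.mitre.org/stix-1"
STIX_BINDING = "urn:stix.mitre.org:xml:1.1.1"  # content binding id for STIX 1.1.1 XML
ET.register_namespace("taxii_11", TAXII_NS)
ET.register_namespace("stix", STIX_NS)

def q(tag):
    """Clark-notation name in the TAXII 1.1 namespace."""
    return "{%s}%s" % (TAXII_NS, tag)

# --- constructed server-side state (collection, policy and records are made up) ---
def _pkg(pid):  # a stand-in STIX package; a real store holds full packages
    return '<stix:STIX_Package xmlns:stix="%s" id="%s" version="1.1.1"/>' % (STIX_NS, pid)

STORE = [
    {"collection": "fs-isac-members", "tlp": "GREEN", "ts": "2015-03-01T10:00:00Z", "content": _pkg("example:pkg-1")},
    {"collection": "fs-isac-members", "tlp": "AMBER", "ts": "2015-03-01T11:00:00Z", "content": _pkg("example:pkg-2")},
    {"collection": "fs-isac-members", "tlp": "RED",   "ts": "2015-03-01T12:00:00Z", "content": _pkg("example:pkg-3")},
]
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}
# Trust-group policy: which groups may poll a collection, and the highest TLP
# colour each group is cleared to receive. Unknown groups get WHITE only.
COLLECTION_GROUPS = {"fs-isac-members": {"fs-isac-members", "fs-isac-core"}}
GROUP_MAX_TLP = {"fs-isac-members": "AMBER", "fs-isac-core": "RED", "public-feed": "WHITE"}

# --- client side ----------------------------------------------------------------
def build_poll_request(collection, message_id, begin_ts=None):
    req = ET.Element(q("Poll_Request"), {"message_id": message_id, "collection_name": collection})
    if begin_ts:  # ask only for records labelled after this timestamp
        ET.SubElement(req, q("Exclusive_Begin_Timestamp")).text = begin_ts
    params = ET.SubElement(req, q("Poll_Parameters"), {"allow_asynch": "false"})
    ET.SubElement(params, q("Response_Type")).text = "FULL"
    ET.SubElement(params, q("Content_Binding"), {"binding_id": STIX_BINDING})
    return ET.tostring(req, encoding="unicode")

def parse_poll_response(resp_xml):
    """Return (status_type, [(timestamp_label, stix_package_id), ...])."""
    resp = ET.fromstring(resp_xml)
    if resp.tag == q("Status_Message"):
        return resp.get("status_type"), []
    blocks = []
    for cb in resp.iterfind(q("Content_Block")):
        if cb.find(q("Content_Binding")).get("binding_id") != STIX_BINDING:
            continue  # a binding we do not speak: skip it rather than fail
        pkg = cb.find(q("Content"))[0]  # the STIX package is the Content element's child
        blocks.append((cb.findtext(q("Timestamp_Label")), pkg.get("id")))
    return "SUCCESS", blocks

# --- server side ----------------------------------------------------------------
def _status(in_reply_to, status_type, text):
    msg = ET.Element(q("Status_Message"), {"message_id": "srv-" + in_reply_to,
                                           "in_response_to": in_reply_to, "status_type": status_type})
    ET.SubElement(msg, q("Message")).text = text
    return ET.tostring(msg, encoding="unicode")

def handle_poll(request_xml, caller_group):
    """Answer one Poll_Request. caller_group is the caller's authenticated trust group
    (in a real deployment it would come from the TLS client certificate, not the message)."""
    req = ET.fromstring(request_xml)
    mid = req.get("message_id", "0")
    if req.tag != q("Poll_Request"):
        return _status(mid, "BAD_MESSAGE", "expected Poll_Request")
    collection = req.get("collection_name")
    if caller_group not in COLLECTION_GROUPS.get(collection, set()):
        return _status(mid, "UNAUTHORIZED", "not a member of this collection")
    begin = req.findtext(q("Exclusive_Begin_Timestamp"))
    max_rank = TLP_RANK[GROUP_MAX_TLP.get(caller_group, "WHITE")]
    records = [r for r in STORE
               if r["collection"] == collection
               and TLP_RANK[r["tlp"]] <= max_rank          # TLP gate
               and (begin is None or r["ts"] > begin)]     # same-format ISO labels sort lexically
    resp = ET.Element(q("Poll_Response"), {"message_id": "srv-" + mid, "in_response_to": mid,
                                           "collection_name": collection, "more": "false"})
    ET.SubElement(resp, q("Record_Count"), {"partial_count": "false"}).text = str(len(records))
    for r in records:
        cb = ET.SubElement(resp, q("Content_Block"))
        ET.SubElement(cb, q("Content_Binding"), {"binding_id": STIX_BINDING})
        ET.SubElement(cb, q("Content")).append(ET.fromstring(r["content"]))
        ET.SubElement(cb, q("Timestamp_Label")).text = r["ts"]
    return ET.tostring(resp, encoding="unicode")

def poll(collection, caller_group, begin_ts=None):
    """Full round trip: client builds the request, server answers, client parses."""
    response = handle_poll(build_poll_request(collection, "1", begin_ts), caller_group)
    return parse_poll_response(response)
```

`poll("fs-isac-members", "fs-isac-members")` returns the GREEN and AMBER packages but not the RED one, `poll("fs-isac-members", "fs-isac-core")` returns all three, and `poll("fs-isac-members", "public-feed")` gets an UNAUTHORIZED status with no content. Passing the last Timestamp_Label a client has seen as the Exclusive_Begin_Timestamp is how an incremental poll avoids re-fetching (and re-deduplicating) everything.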
30
THANK YOU FOR PARTICIPATING
WWW.SOLTRA.COM
David Eilken, VP Product Strategy, Soltra
31
SOLTRA EDGE: The Center of an Open Framework
- Primary data store for structured intelligence
- Connects your STIX and TAXII enabled tools
32
SOLTRA EDGE: Foundation of a Security Network
- Structured intelligence server and router
- Can act as a TAXII gateway to other STIX sources
33
SOLTRA EDGE: Hides the Complexity of STIX & TAXII
- Simple and intuitive interface
- Visualize, create, and move intelligence