Post on 21-Jan-2017
transcript
1© Cyber Squared Inc. 2014
THE BUSINESS BENEFITS OF THREAT INTELLIGENCE
3-12-2014
WHO AM I?
• CEO of Cyber Squared Inc., the company behind ThreatConnect™.
• Founding member of the company, started in 2011.
• Experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security.
AGENDA
• Background
• Defining ROI for Threat Intelligence
• Making Assumptions Up Front
• Modeling Your Expectations
• Measuring the Reality
• Taking Action
WHAT MAKES GOOD THREAT INTELLIGENCE?
Lifecycle: Aggregate, Analyze, Act
Attributes to Measure Threat Intelligence:
• Accurate
• Aligned with your requirements
• Integrated
• Predictive
• Relevant
• Tailored
• Timely
Source: Rick Holland (Principal Forrester Analyst), blog post titled “Actionable Intelligence, Meet Terry Tate, Office Linebacker”
BUSINESS NEED
Every other part of the business has evolved to necessitate a platform to increase productivity and measure effectiveness. It’s your turn!
[Figure: timeline from the 1980’s to 2015 with the labels ERP/Manufacturing, Enterprise Security, Support/Helpdesk, CRM/Sales, Finance/HR, Marketing]
CONNECTED COLLABORATION
• SOC, Incident Response, Threat Analysts, IT/Compliance, Malware Analysts, CISO/CIO
• Intelligence Sources: Commercial; Open Source; Communities; Sharing; Internal
• Actionable Integrations: SIEM; IPS/IDS, Firewalls; Gateways; Endpoint, Response; DLP, NAV
TM FORUM CATALYST PHASE 2
• Going beyond: “This Threat Intelligence stuff is a great idea!”:
  • AT&T, Bell Canada, Birmingham City University, cVidya, ThreatConnect, Edge Technologies, EMC/RSA, MITRE, Orange, Security Fabric Alliance, Symantec, Telecom New Zealand, Telstra, and the UK MOD’s Defence Science and Technology Laboratory (DSTL).
• TM Forum Sharing Threat Intelligence Catalyst Phase 2
  • Phase 1: Sharing Threat Intelligence Architecture & Whitepaper
  • Phase 2: Defined Security Personnel Personas
  • Phase 2: Produced Threat Intelligence ROI Calculator
  • Phase 2: Demonstration showing successful implementation of Threat Intelligence sharing in support of a sophisticated Distributed Denial of Service (DDoS) use case.
ROI OF THREAT INTELLIGENCE
[Diagram labels: Cost; Security Investment; Threat Intelligence; Knowledge Assumptions (Existing, Automate, Collaborate); the operators “+” and “=”]
FIND MORE THREATS, FASTER
[Chart: Time Comparison, with and without TI. Threat Discovery and Focused Pursuit Activities. Frequency labels: 4x/Day, 1x/Day, 4x/Day, 5x/Day, 100x/Day]
Analyst IR and Threat Correlation Tasks:
• Spearphish Email Analysis and Conviction
• Malware Correlation with past targeting
• Analyze, Correlate, Database New Domains, IP Addresses, Registrant Info
• Track Malicious Domains, IP addresses, Registrant Info
SECURITY PROCESSES
• Calculator Example: 8 Step Incident Response Process:
  • Identify the Intrusion
    • Step 1: Create and task defensive signatures
    • Step 2: Maintain awareness of adversary changes to Threat Activity/Infrastructure
  • Scope the Intrusion
    • Step 3: Perform exploit/malware analysis
    • Step 4: Update signature base
    • Step 5: Link activity to any known groups of related activity
  • Mitigate/Stop the Intrusion
    • Step 6: Take action to cut off intruder access to the network
    • Step 7: Monitor for changes in Threat Activity
  • Strategically React to Threats
    • Step 8: Generate reports on Threat trends for executives
USER TYPES
SOC
Incident Response
Threat Analysts
IT/Compliance
Malware Analysts
CISO/CIO
THREAT INTELLIGENCE PERSONAS
Identified Four Main Categories of Users: Threat Intelligence, Security Operations, Business Executives, and IT Leadership/Staff
Name: Joe, Role: Security Executive
Motivation/Problem
• My company is at risk and we need to be keeping up with threat trends
• Other executives I know in my industry are being / have been targeted
Name: Peter, Role: IT Operations
• I need to protect my assets
• My company is at risk and we need to be keeping up with threats to my business operations
Name: Jane, Role: Threat Analyst
• I need to make my threat analysis faster, easier, and more thorough without spending more money and time
Name: Jack, Role: Security Operations
• My company and/or industry is likely being targeted
• I need to protect corporate data but don’t have the resources internally or don’t know where to start
ASSUMPTIONS
• Process Assumptions:
  • Persona Costs – What is the hourly cost per Persona?
  • Steps – What are steps of the security process?
  • Personas Involved – Who are the actors of the process?
• Knowledge Assumptions (Defined Per Process Step):
  • Existing – How likely is it that you will find knowledge in a finished state when you need it?
  • Automation – How much efficiency is gained via automation?
  • Collaboration – What is the efficiency gained by working with others?
• Cost Assumptions:
  • Incidents per Year – How many events will you have that require process?
  • Average Cost of an Intrusion – What is the average cost of an intrusion?
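The assumptions above can be expressed as a per-step cost model. This is an added example, not the TM Forum or ThreatConnect calculator: the hourly rates, hours and percentages are constructed, and adding the three knowledge gains per step (capped at 100%) is an assumption suggested by the deck's sample results, where 37% + 45% + 2% = 84%. It models process labor cost only and leaves out the average cost of an intrusion.

```python
from dataclasses import dataclass

# Hourly cost per persona. Constructed sample rates, not figures from the deck.
RATES = {"Security Operations": 75.0, "Threat Analyst": 90.0,
         "IT Operations": 70.0, "Security Executive": 150.0}

@dataclass
class Step:
    name: str
    persona: str
    hours: float          # effort per incident without threat intelligence
    existing: float       # likelihood finished knowledge already exists (0..1)
    automation: float     # efficiency gained via automation (0..1)
    collaboration: float  # efficiency gained by working with others (0..1)

    def cost(self) -> float:
        return self.hours * RATES[self.persona]

    def efficiency(self) -> float:
        # Assumption: the three gains add per step and are capped at 100%.
        return min(1.0, self.existing + self.automation + self.collaboration)

# The deck's 8-step incident response process with constructed inputs.
STEPS = [
    Step("Create and task defensive signatures", "Security Operations", 20, 0.30, 0.50, 0.00),
    Step("Maintain awareness of adversary changes", "Threat Analyst", 40, 0.40, 0.40, 0.05),
    Step("Perform exploit/malware analysis", "Threat Analyst", 40, 0.50, 0.25, 0.05),
    Step("Update signature base", "Security Operations", 10, 0.30, 0.60, 0.00),
    Step("Link activity to known groups", "Threat Analyst", 30, 0.40, 0.30, 0.10),
    Step("Cut off intruder access", "IT Operations", 20, 0.20, 0.30, 0.00),
    Step("Monitor for changes in threat activity", "Security Operations", 30, 0.30, 0.50, 0.00),
    Step("Generate reports on threat trends", "Security Executive", 10, 0.30, 0.40, 0.00),
]

def annual_roi(steps, incidents_per_year):
    """Project annual process cost with and without threat intelligence."""
    for s in steps:
        for v in (s.existing, s.automation, s.collaboration):
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{s.name}: assumptions must be within 0..1")
    without = incidents_per_year * sum(s.cost() for s in steps)
    with_ti = incidents_per_year * sum(s.cost() * (1 - s.efficiency()) for s in steps)
    savings = without - with_ti
    return {"without_ti": round(without, 2), "with_ti": round(with_ti, 2),
            "savings": round(savings, 2),
            "savings_pct": round(savings / without, 4) if without else 0.0}

if __name__ == "__main__":
    print(annual_roi(STEPS, incidents_per_year=5))
```

Because the gains are set per step, a step with little reusable knowledge (here, cutting off intruder access at 50%) pulls the overall savings below what the best steps achieve, which is where a team would look first when tuning its own inputs.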
MODELING
[Diagram labels: Hourly Cost per Persona; Existing; Automation; Collaboration; Make Assumptions; Potential Cost of Compromise; Model & Measure]
V1.0 contributed to TM Forum for incorporation to Fx13.5 release
RESULTS (FROM SAMPLE)
Measurement Topics | Type | Value
Time Commitment to understand Threat to business operations | Hours | 200
Lower Costs to obtain a larger understanding of the threat | $$ Savings | $33,450
Obtain insights that would not be otherwise obvious (from existing knowledge) | Insights | 37%
Increase Automation to increase efficiencies | Efficiency | 45%
Increase insights due to collaboration | Additional Insights | 2%
Total Efficiencies from applying CTI | Total Efficiency/Insights | 84%
Number of Incidents per Year | 5
Projected Annual Cost without CTI | $199,000
Projected Annual Cost with CTI | $31,750
Projected Annual Savings | $167,250
Savings Percentage | 84%
TAKING ACTION
[Diagram labels: Prioritize; Plan; Defend; Learn; Understand Threats to your Organization]
TAKE AWAY
• You don’t have a choice
• Cyber Threat Intelligence starts with understanding “Your Needs”
• Sharing is a new paradigm in cyber security
• This calculator helps you measure something that historically has not been measured
• We would love to help you customize the calculator to quantify your own cyber threat sharing needs and efforts
THANK YOU & QUESTIONS
Download the Threat Intelligence Sharing ROI Calculator from:
http://bit.ly/threatcalc
Adam Vincent, CEO, avincent@cybersquared.com Visit www.ThreatConnect.com for more information.