Page 1

Cyberspace Research Institute

Clearing the Hurdles to Realize the Value of Threat Intelligence

OASIS Borderless Cyber

September 8, 2016

Page 2

When Are We?

[Timeline figure spanning 1990, 2000 and 2010, with a "You Are Here" marker. Milestones as labelled on the slide: CERT/CC, Firewalls, NCCIC, Snort, PDD-63, Virus, SIEM, Stuxnet, STIX/TAXII, EO 1391, FIRST, C-CIP, Lofty, Webster CRI.]

Page 3

The Internet of Intelligence

[Diagram. Labels: Public Sector, Private Sector, Integrators, Knowledge, Data & Information.]

Page 4

What Do We Need?

Page 5

What Is Intelligence?

• Who You Are
• What You Have
• What It Is Doing
• What Is Happening Outside

Page 6

Consequence Based Decisions

Page 7

Moving Intelligence into Infrastructure

[Reference ICS architecture diagram. Labels as recovered from the slide:
Network zones and buses: Enterprise Network, Plant Bus, Control Bus, Terminal Bus, Field Bus to Instrumentation, Hardwired Instrumentation.
Firewalls: Corporate Firewall, Plant Firewall, Control Firewall.
Systems: MSS, ERP, EPA Database, Domain Controller, CCTV Server, Historian, OPC Server, Alarm Aggregation, Monitoring, HMI, EWS, RTU, four PLCs.]

• Identify inventory of architecture
• Baseline network behavior
• Monitor for behavior modification
• Combine with filtered intelligence
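The four steps above, worked through end to end as an added Python example (this is not code from the deck or from any product named on it). The addresses, flows and indicator feed are constructed; the sensor model (IP flows on the plant bus with a protocol label, no DNS or file visibility) and the severity ranking are assumptions of the example. Filtering the feed down to what the sensor can actually observe is the step that keeps the intelligence from becoming noise at the control-network edge.

```python
"""Inventory -> baseline -> deviation monitoring -> filtered-intel correlation.

Added illustration of the four steps on the slide; not code from the deck or from
any product. Hosts, flows and indicators are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port
    proto: str  # application protocol as labelled by the sensor


@dataclass
class Baseline:
    hosts: set     # inventory: every address seen on the segment
    pairs: set     # (src, dst) conversations that are normal
    services: set  # (dst, dport, proto) endpoints that are normally offered
    flows: set     # complete flow tuples seen in the learning window


def build_baseline(flows: Iterable[Flow]) -> Baseline:
    """Steps 1 and 2: derive the inventory and the behaviour baseline from a learning window."""
    b = Baseline(set(), set(), set(), set())
    for f in flows:
        b.hosts.update((f.src, f.dst))
        b.pairs.add((f.src, f.dst))
        b.services.add((f.dst, f.dport, f.proto))
        b.flows.add(f)
    return b


def filter_intel(indicators: list, baseline: Baseline) -> list:
    """Step 4, filtering: keep only indicators this monitoring point could ever observe.

    Assumption: the plant-bus sensor reports IP flows with a protocol label, so address
    indicators and protocol indicators for protocols present in the baseline are actionable;
    domain and file-hash indicators are dropped because nothing here could match them.
    """
    known = {proto for _, _, proto in baseline.services}
    return [i for i in indicators
            if i["type"] == "ipv4-addr"
            or (i["type"] == "protocol" and i["proto"] in known)]


def assess(flow: Flow, baseline: Baseline, intel: list) -> dict:
    """Steps 3 and 4: record how a flow departs from the baseline, then correlate with intel."""
    deviations = []
    if flow.src not in baseline.hosts:
        deviations.append(f"new-host:{flow.src}")
    if flow.dst not in baseline.hosts:
        deviations.append(f"new-host:{flow.dst}")
    if (flow.src, flow.dst) not in baseline.pairs:
        deviations.append(f"new-pair:{flow.src}->{flow.dst}")
    if (flow.dst, flow.dport, flow.proto) not in baseline.services:
        deviations.append(f"new-service:{flow.dst}:{flow.dport}/{flow.proto}")

    matches = []
    for ind in intel:
        if ind["type"] == "ipv4-addr" and ind["value"] in (flow.src, flow.dst):
            matches.append(ind["id"])  # known-bad address, even on a baselined flow
        elif ind["type"] == "protocol" and deviations and ind["proto"] == flow.proto:
            matches.append(ind["id"])  # behaviour change on a protocol intel says is being abused

    if deviations and matches:
        severity = "high"
    elif deviations or matches:
        severity = "medium"
    else:
        severity = "ok"
    return {"flow": flow, "deviations": deviations, "intel": matches, "severity": severity}


# Constructed learning-window flows: HMI/EWS and OPC server to PLCs over Modbus, historian to OPC.
BASELINE_FLOWS = [
    Flow("10.10.1.10", "10.10.1.20", 502, "modbus"),   # HMI -> PLC 1
    Flow("10.10.1.10", "10.10.1.21", 502, "modbus"),   # HMI -> PLC 2
    Flow("10.10.1.11", "10.10.1.20", 502, "modbus"),   # EWS -> PLC 1
    Flow("10.10.1.30", "10.10.1.20", 502, "modbus"),   # OPC server -> PLC 1
    Flow("10.10.1.40", "10.10.1.30", 4840, "opcua"),   # historian -> OPC server
]

# Constructed indicator feed, shaped like what an ISAO or AIS subscription might deliver.
INDICATORS = [
    {"id": "ind-1", "type": "ipv4-addr", "value": "203.0.113.7", "note": "reported beacon destination"},
    {"id": "ind-2", "type": "protocol", "proto": "modbus", "note": "unsolicited Modbus writes reported in sector"},
    {"id": "ind-3", "type": "domain-name", "value": "c2.updates.example", "note": "not observable on the plant bus"},
    {"id": "ind-4", "type": "protocol", "proto": "dnp3", "note": "protocol not used on this segment"},
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    intel = filter_intel(INDICATORS, baseline)
    for f in [Flow("10.10.1.10", "10.10.1.20", 502, "modbus"),   # normal
              Flow("10.10.1.50", "10.10.1.20", 502, "modbus"),   # unknown host talks Modbus to a PLC
              Flow("10.10.1.11", "203.0.113.7", 443, "tls")]:    # EWS reaches an indicator address
        r = assess(f, baseline, intel)
        print(r["severity"], f, r["deviations"], r["intel"])
```

Note that an address indicator still matches on a fully baselined flow: a learning window captured during an existing compromise would otherwise launder the attacker's traffic into "normal", which is why the intel check does not short-circuit on baseline membership.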

Page 8

End-to-End Intelligence

[Diagram. Labels: Public Sector, Private Sector, OSINT, Aggregation, Analysis, Filter, Service Provider, ISAO, Enterprise, Enterprise Network, Edge Protection, Industrial Operations, Active Remediation.]

Page 9

Federal Government-Led Threat Intel: Automated Indicator Sharing (AIS)

[Diagram of AIS indicator flows. Labels as recovered from the slide:
Participants: US Department of Homeland Security; State/Local, Tribal/Territorial; Federal Sector-Specific Agencies; Information Sharing and Analysis Organizations (ISAOs); Private-Sector Partners.
Flows: Partner Submitted Indicators (from ISAOs and from private-sector partners) into DHS; DHS Indicator Feeds; DHS Machine Sanitized AIS Indicators; DHS Analyst Enriched AIS Indicators.]

Data Enrichment Process:

• Automated Processes: Validate + Filter; Anonymize; Protect Privacy, Civil Rights and Civil Liberties
• Analyst Enrichment: Validate; Automated Info Protections; Leverage AIS Enrichment Resources

Sharing Among Sharers: IACI

[Diagram. Labels: Open-Source and Commercial Threat Intelligence; Sector / Cross-Sector Threat Intelligence; National Cyber First Responders (Sector-to-Sector).]

• Critical Manufacturing ISAO
• Aeronautics ISAO
• Intelligence Analytics ISAC
• Defense Industrial Base ISAC
• Industrial Control System ISAC
• Maritime & Port Security ISAO
• National Credit Union ISAO
• Other ISAO Organizations
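The automated "Validate + Filter, Anonymize" stages of the enrichment process above, as an added Python example of what a sharing hub does to a partner submission before redistributing it. This is not DHS's AIS code and does not use STIX; the record format, the rejection policy (no TLP:RED, no non-routable addresses), the field names and every submission are constructed for the example.

```python
"""Validate -> filter -> anonymize pipeline for indicators before redistribution.

Added example modelled on the automated stages on the slide; not DHS's AIS code.
Record format, policy list, field names and submissions are constructed.
"""
import ipaddress
import re

ALLOWED_TYPES = {"ipv4-addr", "domain-name", "sha256"}
SHA256 = re.compile(r"^[0-9a-f]{64}$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_IN_TEXT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges that identify nobody outside the submitter's own network (assumed policy list).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Fields that name the submitter; the hub strips them before any other participant sees the record.
SUBMITTER_FIELDS = {"submitter_org", "submitter_contact", "internal_ticket"}


def is_non_routable(addr: str) -> bool:
    try:
        a = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return any(a in n for n in NON_ROUTABLE)


def validate(ind: dict):
    """Return None when the record is well-formed and shareable, else the rejection reason."""
    for field in ("id", "type", "value", "tlp"):
        if field not in ind:
            return f"missing {field}"
    t, v = ind["type"], str(ind["value"])
    if t not in ALLOWED_TYPES:
        return f"unsupported type {t}"
    if ind["tlp"] == "red":
        return "TLP:RED not redistributable"
    if t == "ipv4-addr":
        try:
            ipaddress.IPv4Address(v)
        except ValueError:
            return "malformed ipv4"
    elif t == "domain-name" and not DOMAIN.match(v.lower()):
        return "malformed domain"
    elif t == "sha256" and not SHA256.match(v.lower()):
        return "malformed sha256"
    return None


def filter_reason(ind: dict):
    """Drop values that are useless or harmful to share: an internal address would fire on
    every recipient's LAN and reveal the submitter's topology."""
    if ind["type"] == "ipv4-addr" and is_non_routable(ind["value"]):
        return "non-routable address"
    return None


def anonymize(ind: dict) -> dict:
    """Strip submitter identity and redact e-mail addresses and internal IPs from free text."""
    out = {k: v for k, v in ind.items() if k not in SUBMITTER_FIELDS}
    if "description" in out:
        text = EMAIL.sub("[redacted-email]", out["description"])
        text = IPV4_IN_TEXT.sub(
            lambda m: "[redacted-ip]" if is_non_routable(m.group()) else m.group(), text)
        out["description"] = text
    return out


def process(submissions: list):
    """Run each submission through validate, filter and anonymize; return (accepted, rejected)."""
    accepted, rejected = [], []
    for s in submissions:
        reason = validate(s) or filter_reason(s)
        if reason:
            rejected.append((s.get("id", "?"), reason))
        else:
            accepted.append(anonymize(s))
    return accepted, rejected


# Constructed partner submissions. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, used so that the sample names no real host.
SUBMISSIONS = [
    {"id": "sub-1", "type": "ipv4-addr", "value": "203.0.113.7", "tlp": "green",
     "description": "Beacon destination seen from 10.2.3.4; analyst jane.doe@plant.example",
     "submitter_org": "Plant A", "submitter_contact": "soc@plant.example", "internal_ticket": "INC-4411"},
    {"id": "sub-2", "type": "ipv4-addr", "value": "192.168.1.20", "tlp": "green", "description": "Scanner"},
    {"id": "sub-3", "type": "domain-name", "value": "c2.updates.example", "tlp": "amber"},
    {"id": "sub-4", "type": "sha256", "value": "deadbeef", "tlp": "green"},
    {"id": "sub-5", "type": "ipv4-addr", "value": "198.51.100.9", "tlp": "red"},
    {"id": "sub-6", "type": "url", "value": "http://c2.updates.example/a", "tlp": "green"},
]

if __name__ == "__main__":
    ok, bad = process(SUBMISSIONS)
    for rec in ok:
        print("share:", rec)
    for ident, why in bad:
        print("reject:", ident, why)
```

The privacy step here is deliberately mechanical (strip named fields, redact patterns in free text); the slide's "Protect Privacy, Civil Rights and Civil Liberties" also covers the human review that a regex cannot do, which is why the analyst-enrichment stage sits beside the automated one.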

Page 10

Evolving Human Sharing

Human Sharing Portals

• C-CIP

• Global Population

• Interpol, JPCERT, US-CERT…

• Siemens, Cisco, GE…

• Utilities, Manufacturers, Enterprises…

Beer ISAC

• Human Contact is Forever

Page 11

Looking Forward

• Sharing Nodes Proliferate
  • Regionally, globally, nationally, demographically
• Insurance Industry plays its role
  • Actuarial processes
• Industry Aligns with Visibility
  • Vendors, Service Providers, Enterprises, Governments
• Merging Business and Technology
• Situational Awareness is not about Cyber

Page 12

Chris Blask Global Director ICS, Unisys

Chair, ICS-ISAC Chair, IACI

+1 408-656-8732

[email protected]
