Cyberspace Research Institute
Clearing the Hurdles to Realize the Value of Threat Intelligence
OASIS Borderless Cyber
September 8, 2016
When Are We?
(Timeline slide, 1990 to 2010. Labels as extracted from the figure, not in a recoverable order: CERT/CC, FIRST, Firewalls, Virus, PDD-63, Snort, SIEM, NCCIC, Stuxnet, STIX/TAXII, EO 1391, C-CIP, Lofty, Webster CRI; marker: "You Are Here".)
The Internet of Intelligence
(Diagram. Participants: Public Sector, Private Sector, Integrators. Layers: Knowledge; Data & Information.)
What Do We Need?
• Who You Are
• What You Have
• What It Is Doing
• What is Happening Outside
What Is Intelligence?
Consequence-Based Decisions
MOVING INTELLIGENCE INTO INFRASTRUCTURE
(Reference plant architecture diagram; components as labelled in the original.)
Network zones and buses: Enterprise Network; Plant Bus; Control Bus; Terminal Bus; Field Bus to Instrumentation; Hardwired Instrumentation.
Boundaries: Corporate Firewall; Plant Firewall; Control Firewall.
Systems: ERP; EPA Database; Domain Controller; Historian; OPC Server; CCTV Server; Alarm Aggregation; Monitoring; MSS; EWS; HMI (two); RTU; PLC (four).
• Identify inventory of architecture
• Baseline network behavior
• Monitor for behavior modification
• Combine with filtered intelligence
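The four steps above, worked through in code. This is an added example and not code from the talk, from Unisys or from the ICS-ISAC; the asset inventory, the flow records, the site prefix (10.10.0.0/16), the zone names and the indicator values are all constructed assumptions chosen to exercise each check once.

```python
"""Baseline-then-monitor for an ICS network segment.

Added example, not code from the talk. Inventory, flow records and the
"filtered intelligence" indicator set are constructed sample data; the
10.10.0.0/16 site prefix and the zone names are assumptions.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

SITE_PREFIX = ipaddress.ip_network("10.10.0.0/16")  # assumed plant address space

# Step 1: identify the inventory (constructed; address -> (role, zone)).
INVENTORY = {
    "10.10.1.10": ("HMI", "control"),
    "10.10.1.11": ("EWS", "control"),
    "10.10.1.50": ("OPC Server", "control"),
    "10.10.2.20": ("Historian", "plant"),
    "10.10.3.1": ("PLC-1", "control"),
    "10.10.3.2": ("PLC-2", "control"),
}

# Step 2: flows captured during a learning window of normal operation (constructed).
LEARNING_FLOWS = [
    Flow("10.10.1.10", "10.10.3.1", 502, "tcp"),   # HMI polls PLC-1 (Modbus/TCP)
    Flow("10.10.1.10", "10.10.3.2", 502, "tcp"),   # HMI polls PLC-2
    Flow("10.10.1.50", "10.10.3.1", 502, "tcp"),   # OPC server reads PLC-1
    Flow("10.10.2.20", "10.10.1.50", 135, "tcp"),  # historian -> OPC server (DCOM)
]

# Step 4: intelligence already filtered down to what this segment can act on
# (constructed values in documentation ranges, not real indicators).
FILTERED_INTEL = {
    "ipv4": {"203.0.113.45"},
    "dport": {4444},
}


def build_baseline(flows):
    """The baseline is the set of distinct (src, dst, dport, proto) tuples seen
    during the learning window; anything else is a behaviour modification."""
    return set(flows)


def assess(flow, baseline, inventory=INVENTORY, intel=FILTERED_INTEL):
    """Return the list of findings for one flow (empty list == expected traffic)."""
    findings = []
    src = inventory.get(flow.src)
    dst = inventory.get(flow.dst)

    # Step 3: behaviour modification relative to the baseline and the inventory.
    if flow not in baseline:
        findings.append("not in baseline")
    if src is None:
        findings.append("unknown source asset")
    if dst is None and ipaddress.ip_address(flow.dst) not in SITE_PREFIX:
        findings.append("egress outside site prefix")
    if dst is not None and dst[0].startswith("PLC") and (src is None or src[1] != "control"):
        findings.append("PLC reached from outside the control zone")

    # Step 4: correlate with the filtered indicator set.
    if flow.src in intel["ipv4"] or flow.dst in intel["ipv4"]:
        findings.append("matches intelligence: ipv4")
    if flow.dport in intel["dport"]:
        findings.append("matches intelligence: port")
    return findings


def monitor(flows, baseline, inventory=INVENTORY, intel=FILTERED_INTEL):
    """Map each flagged flow to its findings; expected flows are omitted."""
    report = {}
    for f in flows:
        findings = assess(f, baseline, inventory, intel)
        if findings:
            report[f] = findings
    return report


# Constructed "live" traffic that triggers each finding type once.
LIVE_FLOWS = [
    Flow("10.10.1.10", "10.10.3.1", 502, "tcp"),       # normal HMI poll
    Flow("10.10.2.20", "10.10.3.2", 502, "tcp"),       # historian talking Modbus to a PLC
    Flow("10.10.1.11", "203.0.113.45", 4444, "tcp"),   # EWS reaching a listed address and port
    Flow("192.168.99.9", "10.10.3.1", 502, "tcp"),     # non-inventoried host writing to PLC-1
]

if __name__ == "__main__":
    baseline = build_baseline(LEARNING_FLOWS)
    for flow, findings in monitor(LIVE_FLOWS, baseline).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {', '.join(findings)}")
```

The point of keeping the inventory and the baseline as separate checks is that a flow can be new without being wrong (a freshly commissioned PLC) or in the baseline and still wrong (a PLC writer that was already compromised during the learning window). Intelligence is applied last and only after filtering, so a feed of thousands of enterprise IOCs does not drown the handful of findings that matter on the control bus.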
End-to-End Intelligence
(Flow diagram; labels as extracted.)
Sources: Public Sector; Private Sector; OSINT (filtered); Service Provider; Partner Submitted Indicators; DHS Indicator Feeds (DHS Machine Sanitized AIS Indicators; DHS Analyst Enriched AIS Indicators).
Stages: Aggregation; Analysis; ISAO; Enterprise; Edge Protection; Active Remediation.
Consumers: Enterprise Network; Industrial Operations.
Federal Government-Led Threat Intel Automated Indicator Sharing (AIS)
(Flow diagram; labels as extracted, duplicated panel removed.)
Participants: US Department of Homeland Security; State/Local/Tribal/Territorial; Federal Sector-Specific Agencies; Information Sharing and Analysis Organizations (ISAOs); Private-Sector Partners.
Data Enrichment Process:
• Automated Processes: Validate + Filter; Anonymize; Protect Privacy, Civil Rights and Civil Liberties; Validate Automated Info Protections; Leverage AIS Enrichment Resources
• Analyst Enrichment
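The automated Validate + Filter / Anonymize stage of the enrichment process, sketched as code. This is an added example, not DHS or AIS code: the indicator dict format, the field names (submitter_org, submitter_email, internal_ticket, description, source), the explicit non-routable range list and the sample submissions are constructed assumptions and do not follow the real AIS/STIX profile.

```python
"""Automated validate / filter / anonymize stage for partner-submitted indicators.

Added example, not DHS or AIS code. The submission format is a simplified dict,
not the real AIS/STIX profile, and every sample submission is constructed.
"""
import ipaddress
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
SHA256_RE = re.compile(r"[0-9a-f]{64}")

# Submitter-identifying fields (assumed names): stripped before anything leaves this stage.
IDENTIFYING_FIELDS = ("submitter_org", "submitter_email", "internal_ticket")

# Address ranges that tell other participants nothing and may reveal the
# submitter's internal layout. Listed explicitly rather than via is_private so
# that the documentation ranges used in this example still count as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def validate(ind):
    """Return None if the indicator is well-formed, else the rejection reason."""
    ind_type, value = ind.get("type"), ind.get("value")
    if not isinstance(value, str) or not value:
        return "missing value"
    if ind_type == "ipv4-addr":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return "malformed ipv4"
    elif ind_type == "domain-name":
        if not DOMAIN_RE.fullmatch(value.lower()):
            return "malformed domain"
    elif ind_type == "file-sha256":
        if not SHA256_RE.fullmatch(value.lower()):
            return "malformed sha256"
    else:
        return f"unsupported type {ind_type!r}"
    return None


def filter_reason(ind):
    """Return why a well-formed indicator still should not be shared, else None."""
    if ind["type"] == "ipv4-addr":
        addr = ipaddress.IPv4Address(ind["value"])
        if any(addr in net for net in NON_ROUTABLE):
            return "non-routable address"
    return None


def anonymize(ind):
    """Drop submitter identity and redact e-mail addresses from free text."""
    out = {k: v for k, v in ind.items() if k not in IDENTIFYING_FIELDS}
    if "description" in out:
        out["description"] = EMAIL_RE.sub("[redacted e-mail]", out["description"])
    out["source"] = "AIS"  # shared indicators are attributed to the hub, not the partner
    return out


def sanitize_batch(submissions):
    """Run validate -> filter -> anonymize; return (accepted, rejected_with_reasons)."""
    accepted, rejected = [], []
    for ind in submissions:
        reason = validate(ind) or filter_reason(ind)
        if reason:
            rejected.append((ind.get("value"), reason))
        else:
            accepted.append(anonymize(ind))
    return accepted, rejected


# Constructed partner submissions (values in documentation ranges, not real indicators).
SUBMISSIONS = [
    {"type": "ipv4-addr", "value": "203.0.113.45",
     "description": "Beaconing seen by soc@utility.example; ticket 4411",
     "submitter_org": "Example Utility", "submitter_email": "soc@utility.example",
     "internal_ticket": "4411"},
    {"type": "ipv4-addr", "value": "10.10.3.1",
     "description": "PLC that received the write", "submitter_org": "Example Utility"},
    {"type": "domain-name", "value": "not a domain", "submitter_org": "Example Utility"},
    {"type": "file-sha256", "value": "a" * 64, "submitter_org": "Example Utility"},
    {"type": "email-addr", "value": "phisher@attacker.example", "submitter_org": "Example Utility"},
]

if __name__ == "__main__":
    ok, bad = sanitize_batch(SUBMISSIONS)
    for ind in ok:
        print("share  :", ind)
    for value, reason in bad:
        print("reject :", value, "->", reason)
```

Validation runs before filtering so that a malformed value is never parsed by the filter, and anonymization runs last so that a rejected submission is never partially rewritten and then leaked by a later bug. The e-mail redaction in the description is the minimum a "protect privacy" step needs; a real deployment would also scrub names, hostnames and ticket references from free text.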
Open-Source and Commercial Threat Intelligence
Critical Manufacturing ISAO
Aeronautics ISAO
Intelligence Analytics ISAC
Defense Industrial Base ISAC
Industrial Control System ISAC
Maritime & Port Security ISAO
National Credit Union ISAO
National Cyber First Responders
(Sector-to-Sector)
Sector / Cross-Sector Threat Intelligence
Other ISAOs
Sharing Among Sharers: IACI
Evolving Human Sharing
Human Sharing Portals
• C-CIP
• Global Population
• Interpol, JPCERT, US-CERT…
• Siemens, Cisco, GE…
• Utilities, Manufacturers, Enterprises…
Beer ISAC
Looking Forward
• Human Contact is Forever
• Sharing Nodes Proliferate
  • Regionally, globally, nationally, demographically
• Insurance Industry plays its role
  • Actuarial processes
• Industry Aligns with Visibility
  • Vendors, Service Providers, Enterprises, Governments
• Merging Business and Technology
• Situational Awareness is not about Cyber
Chris Blask, Global Director ICS, Unisys
Chair, ICS-ISAC; Chair, IACI
+1 408-656-8732