Operationalizing security intelligence for the mid market - Rafal Los - RSA Conference 2014
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Operationalizing Security Intelligence for the Mid-Market
Rafal M. Los
Principal, Strategic Security Services
HP Enterprise Security Services
RSA Conference 2014
what is “security intelligence”?
“collective set of activities and artifacts to make intelligence-driven decisions”
detect, respond, resolve more effectively in the attack lifecycle
When you think of “Security Intelligence”…
“something big enterprises do”
why not you?
this talk is a framework for you
…to get you thinking, motivated
requirements
high quality internal & external data + telemetry
internal processes + workstreams
qualified personnel
intelligent, optimized technology
let’s break that down…
internal information/data – know your enterprise attack surface
for example –
• internal business plans
• internal IT technology stack
• known vulnerabilities
• known, accepted risks
• strict change management
• configuration awareness
• unauthorized change detection
• employee activities, habits
external information/data – be situationally aware
for example –
• sentiment against your brand/organization
• threat climate of your business vertical
• attacks against similar organizations, vertical
• specific threats against your staff/resources
• geopolitical issues pertaining to your enterprise
• 3rd party reported vulnerabilities
• 3rd party reported exploits
• weaknesses in your external technologies
• reported abused enterprise assets
internal processes + workstreams
convert information into action
for example –
• handling of inbound, external data sources
• formats: csv, pdf, dashboards and text
• distilling data for relevance
• collating and categorizing with internal data
• prioritizing alerts based on prescribed formulas
• alerting appropriate internal & external entities
• creating actionable items from trusted data
• triage of event(s)
• incident management and handling
• incident response, dfir
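The workstream on this slide (ingest an external source, distill it for relevance, collate it with internal data, prioritize by a prescribed formula, hand off the actionable items), as an added Python example that is not part of the original deck. The CSV feed rows, the internal technology stack, the accepted-risk list and the scoring formula are all constructed for illustration and are not from the talk.

```python
import csv
import io

# Constructed sample data, not a real feed or inventory: an inbound external
# advisory feed in CSV form, plus the internal picture earlier slides list
# (IT technology stack, known vulnerabilities, known and accepted risks).
EXTERNAL_FEED_CSV = """id,product,severity,exploit_reported
VULN-A,webmail-gateway,high,yes
VULN-B,legacy-erp,critical,no
VULN-C,some-cms,high,yes
VULN-D,vpn-appliance,medium,no
"""
INTERNAL_STACK = {"webmail-gateway", "legacy-erp", "vpn-appliance"}
ACCEPTED_RISKS = {"VULN-B"}  # risk formally accepted by the business
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def ingest_feed(csv_text):
    """Handle an inbound external data source: parse the CSV into row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def distill(items):
    """Distill for relevance: keep only items touching our technology stack."""
    return [i for i in items if i["product"] in INTERNAL_STACK]


def score(item):
    """Assumed prescribed formula: severity weight, doubled when a 3rd party
    reports an exploit, zero when the risk is already accepted (informational)."""
    if item["id"] in ACCEPTED_RISKS:
        return 0
    base = SEVERITY_WEIGHT[item["severity"]]
    return base * 2 if item["exploit_reported"] == "yes" else base


def prioritize(csv_text):
    """Ingest -> distill -> collate with internal data -> rank.
    Returns (id, score) pairs, highest priority first; score 0 = accepted."""
    relevant = distill(ingest_feed(csv_text))
    return sorted(((i["id"], score(i)) for i in relevant),
                  key=lambda r: (-r[1], r[0]))


def actionable(csv_text):
    """Actionable items for triage: non-zero score, in priority order."""
    return [vid for vid, s in prioritize(csv_text) if s > 0]


if __name__ == "__main__":
    for vid, s in prioritize(EXTERNAL_FEED_CSV):
        print(f"{vid}: priority {s}")
```

Items outside the internal stack never reach an analyst, and accepted risks stay visible at priority 0 rather than silently disappearing.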
qualified personnel
difficult to “add on” responsibility
SOC analyst → Security Intelligence analyst ..no
highly specialized skill set
for example –
• ability to quickly parse different log types
• ability to quickly make sense of disparate data
• ability to collate and correlate unstructured data
• ability to write code on-the-fly (script)
• proficient in many different security technologies
• able to perform collaborative tasks effectively
• ability to triage incidents quickly, effectively
• proficiency with forensics tools
• strong decision-making capabilities
intelligent, optimized technology
tech that works together
prefer integrated over disparate
tech that makes analysis more efficient, adds certainty
we may know a little something about this…
quick recap
“Security Intelligence” is..
the capability to detect, respond, and resolve your security incidents through an information-driven approach.
You can do this. You need to do this.
Know more. Defend smarter.