Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Transcript of Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence

Page 1: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence

© 2015 IBM Corporation

IBM Security

(Security) Ignorance Isn’t Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence

Jim Brennan, Director of Strategy and Product Management, Infrastructure Security & X-Force

Page 2: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Agenda

Threat Intelligence Overview

Current Challenges

Solutions

X-Force Exchange

The 5 Things You Can Do

Questions

Page 3: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


What is threat intelligence?

“Evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”*

*Gartner, Definition: Threat Intelligence, Rob McMillan, May 2013, refreshed September 3, 2014, G00249251

Page 4: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


The Threat Intelligence market is growing …

[Chart: Threat Intelligence Services market size¹]

[Chart: SANS Cyber Threat Intelligence Summit, 2014 vs. 2015: number of courses, instructors and disciplines]

1 Gartner, Competitive Landscape: Threat Intelligence Services, Worldwide, 2015, October 2014 G00261001

Page 5: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


… and maturing from an industry perspective

Importance as part of any organization’s suite of tools

The criteria for evaluation

– Where is it sourced from?

– How often is it updated?

– Is it vetted by humans?

– And many others …

Page 6: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Threat intelligence does help

Security Intelligence: correlation and analytics tools reduce raw events to attacks; human security analysts reduce attacks to incidents.

                      Weekly       Monthly      Annual
Security events       1,764,121    7,647,121    91,765,453
Security attacks      324          1,405        16,857
Security incidents    2.10         9.11         109.37

Events – observable occurrences in a system or network; up 12% year on year to 91m

Attacks – increased efficiencies achieved: more efficiency in security processing to help clients focus on identified malicious events

Incidents – attacks deemed worthy of deeper investigation; up 22% year on year

Utilization of threat intelligence can yield a significant reduction in security incidents, as well as speed to respond

Page 7: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Security teams are using multiple sources of intelligence to identify cyber threats, but they come with new challenges

65% of enterprise firms use external threat intelligence to enhance their security decision making¹

However, security teams lack critical support to make the most of these resources:

– It takes too long to make information actionable

– Data is gathered from untrusted sources

– Analysts can’t separate the signal from the noise

1 Source: ESG Global

Page 8: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Ever-increasing proliferation of cyber threat intelligence feeds

External sources:

– Malware hashes / MD5

– Brand abuse phishing indicators

– Malware campaigns / indicators

– Fraud payment logs

– Top tier phishing indicators

– Customer asset / credentials

– Threat landscape intel (TTPs)

– Intel as a service (IaaS)

– Staff asset / credentials

– Industry threat intel sharing

– Public sector threat intel

– ISAC threat intel

– Law enforcement threat intel

– Passive DNS intel

– OSINT sentiment analysis

– Underground dark Web intel

– IP reputation intel

– Human intel (HUMINT)

– Technical intel (TECHINT)

– Actor intel / indicators

Internal sources:

– Firewall logs

– Proxy logs

– IDS/IPS logs

– Web logs

– Application logs

– Authentication logs

– Malware detection logs

– Email logs

– Network security logs

– Building access logs

– Fraud payment logs

– CSIRT incidents

– Vulnerability / patch mgmt

– DNS/DHCP logs

– Call/IVR logs

– Endpoint security logs

– Employee directory

– SSO/LDAP context

– Application inventory

– Website marketing analytics

Advanced analytics and human intelligence must be applied and integrated into the organization to leverage the value of all the data

When shopping for intelligence sources, organizations can be overwhelmed by choices as well as the cost and complexity to operationalize and gain a return on investment

Operationalizing it can be costly and complex

Page 9: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


The bad actors are already collaborating

Page 10: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Ideal requirements for key capabilities in a solution

– Know everything about the particular observable that starts your investigation, i.e. historical information

– Know everything your colleagues in the same industry know about that particular observable

– Apply everything you and your colleagues know to the controls that exist in your infrastructure in order to better protect your organization

Page 11: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


The real value of threat intelligence lies in its application to your business – to turn insight into action

Without insight, organizations struggle to understand and stay ahead of the threat. Potential attacks can be overlooked if the attacker’s methods and motives are unknown

Armed with this intelligence, organizations can take action ahead of threat to proactively adapt security strategy, remediate vulnerabilities and monitor for impact

By applying intelligence upfront, an organization can optimize security resources, increase efficiencies, reduce costs and improve risk management

Page 12: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Threat Intelligence sharing

– It helps provide insight, context, and confidence with respect to the information that is being observed, i.e. an isolated attack or part of a broader industry-wide attack

– It benefits both the organization and the broader community

– Ranges from technical information on a particular piece of malware to more strategic, unstructured content

Page 13: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


The current state of threat intelligence sharing

E-mail and informal gatherings

ISACs – Information Sharing and Analysis Center

– Financial Services, National Health, Information Technology

Threat Intelligence Platforms

– Dynamic market populated by both established players and startups

Machine Readable Threat Intelligence

– STIX - Structured Threat Information Expression

– TAXII – Trusted Automated Exchange of Indicator Information

Page 14: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Introducing IBM X-Force Exchange

A new platform to consume, share, and act on threat intelligence, backed by the reputation and scale of IBM X-Force

Research and collaboration platform and API for:

– Security Analysts and Researchers

– Security Operations Centers (SOCs)

– Security Products and Technologies

IBM X-Force Exchange is:

– OPEN – a robust platform with access to a wealth of threat intelligence data

– SOCIAL – a collaborative platform for sharing threat intelligence

– ACTIONABLE – an integrated solution to help quickly stop threats

Page 15: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


OPEN – A robust platform with access to a wealth of threat intelligence data

Quickly gain access to threat data from curated sources:

• Over 700 terabytes of machine-generated intelligence from crawler robots, honeypots, darknets, and spamtraps

• Multiple third party and partner sources of intelligence

• Up to thousands of malicious indicators classified every hour

Human intelligence adds context to machine-generated data:

• Insights from security experts, including industry peers, IBM X-Force, and IBM Security professionals

• Collaborative interface to organize and annotate findings, bringing priority information to the forefront

Leverage the scale of IBM Security and partner ecosystem

Page 16: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


ACTIONABLE – An integrated solution to help quickly stop threats

[Diagram: X-Force Exchange feeds intelligence through its API (and, as a future feature, STIX / TAXII) to IBM Security Network Protection XGS, IBM Security QRadar Security Intelligence, IBM Security Trusteer Apex Malware Protection, and 3rd party products]

• Integration between IBM Security products and X-Force Exchange-sourced actionable intelligence

• Designed for third-party integration with planned future support for STIX and TAXII, the established standard for automated threat intelligence sharing

• Leverage the API to connect threat intelligence to security products

Push intelligence to enforcement points for timely protection

Page 17: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


SOCIAL – A collaborative platform for sharing threat intelligence

Add context to threats via peer collaboration

• Connect with industry peers to validate findings

• Share a collection of Indicators of Compromise (IOCs) to aid in forensic investigations

Example workflow:

1. Incident responder – Discovers a new malware domain and marks it as malicious in the X-Force Exchange

2. Security analyst – Finds the domain and applies blocking rules to quickly stop malicious traffic. Shares with his CISO using the Exchange

3. CISO – Adds the domain to a public collection named “Malicious Traffic Sources Targeting Financial Industry” to share with industry peers

4. IBM X-Force – For the first time, clients can interact with IBM X-Force security researchers and experts directly

Page 18: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Steps you can take today … on tools

1. Understand your threat intelligence

– Relevance

– Integration

– Efficiency in sharing among products and teams

2. Understand machine readable threat intelligence

– STIX – stix.mitre.org

– TAXII – taxii.mitre.org

– APIs

Page 19: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Steps you can take today … on processes

3. At a security team level

– Identify information you have

– Collaborate effectively within the organization

4. At a company level

– Team with CIO/CISO

– Understand and address silos and legal issues

5. At an industry level

– Participate in industry security consortiums

– Contribute to online threat intelligence sharing communities

*Source: Rick Holland, Forrester Research

Page 20: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


Questions?

Page 21: Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence


www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.