Threat Central Update - Hewlett Packard

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Page 1

All about Threat Central
Ted Ross & Nadav Cohen
#HPProtect

Page 2

This is a rolling (up to three year) Roadmap and is subject to change without notice.

Forward-looking statements

This document contains forward-looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett-Packard's predictions and/or expectations as of the date of this document, and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.

Page 3

HP confidential information

This Roadmap contains HP Confidential Information. If you have a valid Confidential Disclosure Agreement with HP, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of 3 years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from HP and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publicly known, is rightfully received by you from a third party without duty of confidentiality, or is disclosed with HP’s prior written approval.

Page 4

Agenda

• Threat Central journey
• Why HP Threat Central?
• Offering vision
• What is Threat Central?
• Use cases
• Technical walkthrough
• Questions

Page 5

Threat Central journey

• Building a high-fidelity threat intelligence sharing community for our customers!
• Automate and correlate crowd-sourced threat intelligence feeds

Please join the Protect724 ArcSight product announcement forum for Threat Central product launch updates. Join the Threat Central community to advance the cause of cyber threat defense for your company!

Target GA: Soon!

Building a community with ArcSight customers, ESP customers, partners, security researchers and the open source threat intelligence community

Beta: Today

• Beta testing with HP internal customers

• ArcSight customers beta testing

• Threat intelligence partners beta testing

Alpha: 2013

• Multiple iterations of alpha testing with customers

• Announced & demo’d at Protect2013

Innovation Project: 2013

• Project out of HP Innovation Initiative

• Interview and validate use cases with many ArcSight Security Operations Center customers

Page 6

Crowd-source actionable threat intelligence

Why HP Threat Central?

Industry is still learning how to collaborate effectively
• Companies spend time combatting the same threat
• The adversary collaborates in an effective eco-system

Government alone can’t fix the problem
• Can’t hire resources fast enough
• Limited visibility: need intelligence/data from industry

Feedback regarding existing sharing models:
• Limited participation – not comfortable sharing
• Data is not actionable – lacks context
• Overly manual – not timely

Threat Central enables
• Automated bi-directional sharing
• Ability to analyze the data
• Actionable derived results
• Existing community of advanced security customers
• Product-agnostic sharing

Page 7

Vision

An open and automated cloud-based platform for high-fidelity threat intelligence that enables ArcSight and enterprise customers to consume and share community-driven threat intelligence. Threat Central differentiates itself by providing near real-time analyzed, correlated, and actionable threat intelligence to ArcSight customers and members of the Threat Central community.

Page 8

HP ESP leads to create an open threat intelligence sharing community!

[Diagram: the Threat Central community, made up of threat intelligence partners, HP Security Research, ESP customers, the threat intelligence community and ArcSight customers]

Page 9

Customer benefits

• Actionable intelligence
• Confidence
• Feedback
• Anonymous sharing
• Community

Page 10

What is Threat Central?

Page 11

SIEM, STIX & Portal

[Diagram: Threat Central (Threat DB and a privacy-enhanced TC forum) at the centre, fed by HP Security Research, partners’ feeds and open source; sector, private and global communities exchange data with it through SIEM connectors, STIX and the Portal]

Page 12

Automated action influenced by context

[Diagram: TC Portal pipeline – Collect → Normalize → Analyze/correlate → Distribute/ACT. Inputs: the TC community (ESM Connector, STIX, TAXII, CSV, etc.), open source feeds (STIX, TAXII, CSV, etc.) and HP Security Research. The "Compare & Correlate" step checks for IP address, domain, file hash, signature and URL matches and changes the indicator’s score. Outputs: actionable intel (IP address, domain, file hash, signature, URL) and contextual intel (actor, campaign, tools, techniques, procedures), distributed to HP TippingPoint and ArcSight ESM]

Page 13

Threat Central use cases

Page 14

Use case: Automated actions

[Diagram: source 1.1.1.1 generates repeated invalid logins (a brute-force login) against key assets, with an attacker-facing IPS in the path]

Page 15

Use case: Automated actions – current approach

[Diagram: Companies A, B and C each independently see source 1.1.1.1 generating repeated invalid logins at their own attacker-facing IPS]

Page 16

Use case: Automated actions – new approach

[Diagram: Companies A, B and C each see source 1.1.1.1 generating repeated invalid logins at their IPS and report it to Threat Central; the shared score for 1.1.1.1 rises from 1 to 3 to 9 as the reports accumulate, and Company D’s HP TippingPoint applies the rule "If score > 5, push IP to IPS"]
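The "Automated action influenced by context" pipeline and the automated-actions use case are only shown as diagrams in the deck. The following Python is an added example, not HP's code and not how Threat Central itself scores: it replays the scenario in which three community members report brute-force logins from 1.1.1.1, each independent reporter raises the shared score, and crossing the slide's "score > 5" rule puts the indicator on the IPS push list that a non-reporting member (Company D) also receives. The sightings, the normalization rules and the 3**(n-1) scoring rule (chosen because it reproduces the 1/3/9 labels on the slide) are assumptions made for the example.

```python
"""Toy version of the Threat Central 'compare & correlate' and 'automated
actions' flow: normalize indicators, count independent sightings from
community members, score the indicator, and push it to a blocking device
once the score passes a threshold. All sightings and the scoring rule are
constructed for this example (assumption: score = 3**(reporters - 1),
which reproduces the 1/3/9 labels on the slide)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# Indicator types the slide says are compared (IP, domain, hash, signature, URL).
INDICATOR_TYPES = {"ip", "domain", "file_hash", "signature", "url"}

Key = Tuple[str, str]  # (indicator type, normalized value)


@dataclass(frozen=True)
class Sighting:
    org: str     # reporting community member (would be anonymised by TC)
    itype: str
    value: str
    event: str   # what the member observed, e.g. "Invalid login"


def normalize(itype: str, value: str) -> str:
    """Normalize step: members report the same indicator in different
    spellings (case, trailing dot, URL host case); canonicalise so they
    compare equal. Hypothetical rules, not Threat Central's own."""
    if itype not in INDICATOR_TYPES:
        raise ValueError(f"unknown indicator type: {itype}")
    v = value.strip()
    if itype in ("domain", "file_hash"):
        return v.lower().rstrip(".")
    if itype == "url":
        parts = urlsplit(v)
        return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                           parts.path, parts.query, parts.fragment))
    return v


class ThreatStore:
    """Shared indicator store with per-indicator scoring and an IPS push list."""

    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold                 # "If score > 5, push IP to IPS"
        self.reporters: Dict[Key, Set[str]] = defaultdict(set)
        self.pushed: List[Key] = []                # indicators handed to the IPS

    def score(self, itype: str, value: str) -> int:
        """Score grows with the number of *distinct* reporting organisations;
        one member seeing 1.1.1.1 many times still counts once."""
        n = len(self.reporters.get((itype, normalize(itype, value)), ()))
        return 0 if n == 0 else 3 ** (n - 1)

    def ingest(self, s: Sighting) -> int:
        """Collect + analyze/correlate: record the sighting, rescore, act if needed."""
        key = (s.itype, normalize(s.itype, s.value))
        self.reporters[key].add(s.org)
        score = self.score(*key)
        if score > self.threshold and key not in self.pushed:
            self.pushed.append(key)   # distribute/ACT: hand the indicator to the IPS
        return score

    def match(self, itype: str, value: str) -> bool:
        """Compare & correlate: does a local event match a community indicator?"""
        return (itype, normalize(itype, value)) in self.reporters


def run_demo() -> dict:
    """Replay the slide's scenario: A, B and C each see brute-force logins
    from 1.1.1.1; D has reported nothing yet but still gets the match."""
    store = ThreatStore(threshold=5)
    sightings = [  # constructed sample data
        Sighting("Company A", "ip", "1.1.1.1", "Invalid login"),
        Sighting("Company A", "ip", "1.1.1.1", "Invalid login"),
        Sighting("Company A", "ip", "1.1.1.1", "Invalid login"),
        Sighting("Company B", "ip", "1.1.1.1", "Invalid login"),
        Sighting("Company C", "ip", "1.1.1.1", "Invalid login"),
        Sighting("Company C", "domain", "Bad.Example.", "DNS lookup"),
    ]
    scores = [store.ingest(s) for s in sightings]
    return {
        "scores": scores,                                      # [1, 1, 1, 3, 9, 1]
        "pushed": store.pushed,                                # [("ip", "1.1.1.1")]
        "company_d_match": store.match("ip", "1.1.1.1"),       # True without D reporting
        "domain_match": store.match("domain", "bad.example"),  # True after normalization
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the slide makes, and the code preserves, is that repeated sightings from one member do not inflate the score; only corroboration by independent members does, which is what keeps a single noisy sensor from pushing an address to every member's IPS.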

Page 17

Use case: Proactive block lists – recon (current approach)

[Diagram: a recon source (1.1.1.1) and separate attack sources (1.1.1.X) targeting key assets behind an IPS]

Page 18

Use case: Proactive block lists – recon (with Threat Central)

[Diagram: the recon IP (1.1.1.1) and the attack IPs (2.2.2.X) are shared with Threat Central, which returns an attack IP list to the IPS protecting the key assets]

Page 19

Use case: Leveraging the community

[Diagram: Companies A, B and C each raise a new event (a zero day, a malicious IP address, a malware variant); Threat Central redistributes the resulting BAD IP, MALWARE and ZERO DAY indicators across the community]

Page 20

Threat Central walkthrough

Page 21

Screenshot tour

In the following example we will see how TC can be used to
• Query about an incident
• Distribute indicator information to communities
• Collaborate with security experts
• Get derived intelligence directly into SIEM
• Mitigate risks

Create case → Distribute → Collaborate → Get results → Mitigate

Page 22

Create a case

CaptnProton runs into suspicious behavior with LGCScanner.exe.

This is a rolling (up to 3 year) roadmap and is subject to change without notice

All product views are illustrations and might not represent actual product screens

Page 23

Distribute indicators

CaptnProton submits the case. Indicators are now extracted and sent to community members.


Page 24

Distribute indicators (2)

ESM customers benefit from direct integration and targeted intelligence.


Page 25

Collaborate with experts

An HP Security Researcher enhances the indicators with contextual information.


Page 26

Get results

By the end of the process, CaptnProton’s case is filled out with relevant and contextual information.


Page 27

Mitigate

Easily quarantine bad IPs/domains using ESM and TippingPoint SMS.


Page 28

For more information

Attend these sessions

• TB3169, Correlating advanced threat information feeds

Visit these demos

• Threat Central Demo – Booth 307

After the event

• Web: www.hp.com/go/threatcentral
• Blog: hp.com/go/hpsrblog
• Whitepaper: http://hpsw.co/z4L7ZbX

Your feedback is important to us. Please take a few minutes to complete the session survey.

Page 29

Questions?

Page 30

Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session TB3013 – Speakers: Ted Ross & Nadav Cohen

Please give me your feedback

Page 31

Thank you
