Intelligence Driven Community Defense
ISSA QUARTERLY MEETING 2015
David Eilken, Co-Chair, FS-ISAC Security Automation Working Group

OVERVIEW
- Cyber Intelligence: What, Why, Where
- A Vision for Community Defense
- Cyber Threat Intelligence Standards
- Maturing the Ecosystem
- How Do We Get There

EXTERNAL THREATS GROWING
- 117,339 incoming attacks every day
- The total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over 2013.
- Findings from The Global State of Information Security Survey 2015 (Graphic Source: PwC)

EVOLUTION OF CYBER ATTACKS
Cyber Threats on the Private Sector (timeline axis: 1988, 2001, 2004, 2010)
Nature of threat, in order of appearance:
- Academic
- Script Kiddies
- Commodity Threats
- Advanced Persistent Threats (APT) targeting government entities
- APT targeting the private sector

WHO ARE THE ADVERSARIES?
Attacker Motivation, Capability & Intent (August 2014). Cost scale used on the slide:
- $: under thousands
- $$: tens to hundreds of thousands
- $$$: millions
- $$$$: tens to hundreds of millions
- $$$$$: billions
THE NEED FOR SPEED
Attackers are FAST, response is SLOW: attackers act 150x faster than victims respond (minutes vs. weeks/months).

                                                             Seconds  Minutes  Hours  Days  Weeks  Months
Initial Attack to Initial Compromise (shorter time worse)        10%      75%    12%    2%     0%      1%
Initial Compromise to Data Exfiltration (shorter time worse)      8%      38%    14%   25%     8%      8%
Initial Compromise to Discovery (longer time worse)               0%       0%     2%   13%    29%     54%

EVOLUTION OF CYBER SECURITY DEFENSE
Yesterday's Security: Network Awareness
- Protect the perimeter and patch the holes to keep out threats; share knowledge internally.
Present Day Problem: Intelligence Sharing
- Identify and track threats, incorporate knowledge, and share what you know manually with trusted others.
- Increasing Cyber Risks: malicious actors have become much more sophisticated and money driven. Losses to US companies are now in the tens of millions; worldwide, hundreds of millions. Cyber risks are now ranked the #3 overall corporate risk on the Lloyd's 2013 Risk Index.
- Manual Sharing Ineffective: time consuming and ineffective in raising the costs to the attackers. Not all cyber intelligence is processed, probably less than 2% overall = high risk. No way to enforce a cyber intelligence sharing policy = non-compliance.
Future Solution: Situational Awareness
- Automate sharing, develop a clearer picture from all observers' input, and pro-actively mitigate.
- We are Solving the Problem: security standards are maturing. FS-ISAC has become the trusted model for sharing industry threat intelligence. The Soltra Edge Cyber Intelligence Sharing Platform is revolutionizing the sharing and utilization of threat intelligence.

WHAT IS CYBER INTELLIGENCE
Information about cyber threats:
- Bad people, things, or events
- Plans to attack victims
- Tactics used by bad people
- Actions to deal with bad events
- Weaknesses targeted by bad people

WHY CYBER INTELLIGENCE IS IMPORTANT
Tactical Uses
- Proactively detect or defend against attacks before they happen
- Diagnose infected corporate systems
Strategic Uses
- Compile and track bad people or things that don't like you, your industry, or your company; report out and potentially send to authorities
- Improve your security posture: the more you understand the things, people, and organizations that are attacking you, the better you can defend yourself
Intelligence Can Help Protect You!

WHERE DOES CYBER INTELLIGENCE COME FROM?
- Buy It: purchase from professional intelligence providers
- Collect for Free: from inside your organizational environment; the Internet has many Open Source Intelligence (OSINT) feeds available
- From Friends: Information Sharing Communities or ISACs; business partners, associates, peers, etc.
- Get from Authorities: government (DHS, FBI, etc.)

INTELLIGENCE LIFE-CYCLE
What Do We Do With It? (What are we supposed to do with it?) Intelligence starts here, in Security Operations:
- #1 Collect
- #2 Process
- #3 Analyze
- #4 Disseminate
Graphic Source: FBI

STEP #1 IN THE REAL-LIFE CYCLE
(Cartoon of analysts at different firms, each with their own wheel.) Labels on the slide:
- Cyber Analysts
- Company Y CIRC Analyst
- Firm X SOC Analysts
- "My Wheel Better"
- Time Waning
- Eyes of Distrust

MACHINES CAN HELP, BUT FIRST
Machines need a language to talk about threats.
- STIX: Structured Threat Intelligence eXpression. A structured language used by machines to describe cyber threats. Like HTML. stix.mitre.org
- TAXII: Trusted Automated eXchange of Indicator Information. The transport mechanism for cyber threat information represented in STIX. Like TCP/IP. taxii.mitre.org

INTELLIGENCE DRIVEN COMMUNITY DEFENSE
Machines: Organization Attacked -> Automated Defense -> FS-ISAC -> Trusted Organizations Protected -> Extended ISAC -> Extended Trusted Organizations Protected

STIX CONSTRUCTS
An open standard to categorize cyber threat intelligence information. Levels, from the bottom up: Atomic, Tactical, Operational, Strategic. Questions the constructs answer:
- What threat activity are we seeing?
- What threats should I look for on my networks and systems, and why?
- Where has this threat been seen?
- What can I do about it?
- Who is responsible for this threat?
- Why do they do this?
- What weaknesses does this threat exploit?
- What do they do?

STIX ARCHITECTURE
The Power of Structured Intelligence
- Key to effective strategic cyber intelligence analysis and threat tracking
- Ability to pivot, view, analyze, and enrich complex relationships

STIX SAMPLE
Objects and relationships in the sample, by intrusion phase:
- Initial Compromise: Spear Phishing Email (Observed TTP). Indicator -> Electronic Address Observable: Email Message Object, Sender: John Smith, Subject: Press Release
- Establish Foothold: WEBC2 (Observed TTP). Indicator -> Malware Behavior, MD5: d8bb32a7465f55c368230bb52d52d885. Associated Actor: Leet
- Internal Reconnaissance (Observed TTP): Attack Pattern: ipconfig, net view, net group "domain admins"
- Exfiltration (Observed TTP): Uses Tool: GETMAIL. C2 Servers IP Range: 172.24.0.0-184.108.40.206
- ...

LET'S NOT FORGET THE TRANSPORT STANDARD
- STIX without TAXII: like a wheel without an axle
- STIX with TAXII: a wheel with an axle

STIX & TAXII: JUST THE BEGINNING
Cyber Security Measurement and Management Architecture: standards across the security lifecycle. Source: MITRE

YOU ARE HERE
STIX & TAXII Adoption Curve (maturity as % adoption, plotted over time):
- Awareness
- Excel, Notepad
- Intelligence Server Trial
- Intelligence Network Adoption
- Ubiquity

MATURING AN ECOSYSTEM
- Sharing Communities: ISACs, Government, Individuals
- Security Vendors: Service Providers, Vendor Products
- Consumers of Security Products and Intelligence: Large, Medium, Small
CHANGING THE ECONOMICS
Cost to Firms
- The current cost to process a single piece of intelligence is 7 hours.
- Equal to: 2014 = $100m; 2015 = $1b; 2016 = $4b
- Advantage: Attackers
Cost to Adversaries
- Adversaries must re-tool much more often and their exploits cause less damage
- Risks from Cyber Threats: frequency and impact of threats decrease, while higher adoption leads to exponential benefits
- Advantage: Defenders
Cyber Warfare Symmetry (Cost to Defend vs. Cost to Attack, min to max; Policy Effectiveness)
- Current State of Cyber-Symmetry: unsophisticated adversaries can play
- Future State of Cyber-Symmetry: only the most advanced can play

CYBER INTELLIGENCE MATURITY
Accessible, Enriched, Actionable:
- Communities of industry verticals fight the same threats, and have the most to share about their adversaries.
- Structured data can be understood by machines.
- Machines can detect, share, and make defensive adjustments at wire-speed.
- Far beyond just a select few that have access to organized data; an entire community can now be empowered.
Increasing Situational Awareness => Increasing Cost to Adversaries

SITUATIONAL AWARENESS
Pro-Active Auto-Response. Levels of Cyber Intelligence, from bottom to top, with the step between each level in parentheses:
- DATA: discrete elements
  (PROCESSING: normalization and aggregation)
- INFORMATION: linked elements, localized data
  (ANALYSIS: correlation, pattern recognition)
- KNOWLEDGE: organized information, deductive reasoning
  (JUDGMENT: some contextual knowledge)
- WISDOM: actionable intelligence

COMMUNITY: IT TAKES A VILLAGE
- Strategic Intelligence
- Operational Intelligence
- Consumer Freedom

HISTORY OF AVALANCHE
Security Automation Working Group
- Started in early 2012, prior to STIX 1.0
- Small group of security professionals
- Steadily grew STIX & TAXII awareness and involvement
- Started with an idea to automate sharing of intelligence
- Listened to security analysts
- Broke down the problem
- Prioritized and built in chunks; didn't boil the ocean
- Relied on open standards as the base and became STIX & TAXII experts
- Built an initial Central Intelligence Repository for the SAWG members
- Utilized scripts to pull data, then push data (the SAWG community helped a lot)
- Realized we needed not just a server and some client side scripts

WHAT IS SOLTRA
A Company for the Community
- Increasing adoption of STIX & TAXII to reduce friction in security operations
- Formed with the support of the FS-ISAC community and the backing of DTCC (scalability)
- Market Changing: created for the good of the information security consumer
- At-Cost Business Model: generates revenue just to keep the lights on
Continue Driving the Technology
- Innovate on open standards to automate the sharing of cyber threat intelligence
- A Platform for Everyone: can be extended to all sizes of financial services firms, other sharing communities, and industry verticals
- Enabling seamless integration across security lifecycle solutions (threat intelligence, firewalls, intrusion detection, anti-virus, etc.)
- 10x reduction in the cost to collect/process intelligence and in the cost to respond
SOLTRA | AN FS-ISAC DTCC COMPANY

SOLTRA EDGE OVERVIEW
Basis for a Cyber Intelligence Sharing Network: like an intelligence server and router. Big Data STIX store; sends and receives via TAXII with access control.
Key Features
- Instant aggregation of intelligence from sources you choose
- On-premise: you own and control your data and sharing
- Collect, process, and disseminate (internal and external) to standards-based devices
- De-duplication and automatic sightings (+1)
- Trust Groups and Traffic Light Protocol control data access
- Hides complex STIX & TAXII behind a simple user interface
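The de-duplication, automatic sightings (+1) and Traffic Light Protocol access control listed under the Soltra Edge overview, applied to the indicators from the STIX sample slide, worked as a small Python model. This is an added example, not Soltra's or FS-ISAC's code; the MD5 and email subject come from the sample slide, while the feed names, the C2 address and the observed events are constructed placeholders.

```python
# Toy intelligence store modelled on the Soltra Edge features in the deck: de-duplication, automatic
# sightings (+1) and TLP-gated release to trust groups. Added example, not Soltra/FS-ISAC code;
# values marked "deck" come from the STIX sample slide, everything else is constructed.
from dataclasses import dataclass, field

TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}  # higher rank = more restricted

@dataclass
class Indicator:
    kind: str    # "md5", "email_subject", "ipv4"
    value: str   # normalised (lower-case) observable value
    tlp: str
    sources: set = field(default_factory=set)
    sightings: int = 0

class IntelStore:
    def __init__(self):
        self._by_key = {}  # (kind, value) -> Indicator

    def ingest(self, source, kind, value, tlp):
        """De-duplicate: one record per observable, merging sources and keeping the strictest TLP."""
        key = (kind, value.strip().lower())
        ind = self._by_key.setdefault(key, Indicator(kind, key[1], tlp))
        ind.tlp = max(ind.tlp, tlp, key=TLP_RANK.__getitem__)
        ind.sources.add(source)
        return ind

    def match(self, event):
        """Match one observed event (kind -> value) against the store; each hit is a sighting (+1)."""
        keys = [(k, str(v).strip().lower()) for k, v in event.items()]
        hits = [self._by_key[k] for k in keys if k in self._by_key]
        for ind in hits:
            ind.sightings += 1
        return hits

    def share(self, group_tlp):
        """Indicators releasable to a trust group cleared up to group_tlp (TLP access control)."""
        return [i for i in self._by_key.values() if TLP_RANK[i.tlp] <= TLP_RANK[group_tlp]]

def demo():
    """Ingest two feeds and replay three constructed events; returns (store, hits per event)."""
    store = IntelStore()
    for src, kind, value, tlp in [
            ("fs-isac", "md5", "d8bb32a7465f55c368230bb52d52d885", "green"),   # WEBC2 hash (deck)
            ("vendor-x", "md5", "D8BB32A7465F55C368230BB52D52D885", "amber"),  # same hash, second source
            ("fs-isac", "email_subject", "Press Release", "green"),           # phishing subject (deck)
            ("internal", "ipv4", "192.0.2.10", "red")]:                        # constructed C2 placeholder
        store.ingest(src, kind, value, tlp)
    events = [{"email_subject": "Press release", "sender": "John Smith"},      # mail gateway (constructed)
              {"md5": "d8bb32a7465f55c368230bb52d52d885"}, {"ipv4": "198.51.100.7"}]  # endpoint; benign
    return store, [store.match(e) for e in events]
```

Because the second feed re-reports the WEBC2 hash under TLP amber, the merged record is withheld from a green-cleared trust group while its two sources and one sighting are retained on the single de-duplicated record.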
SOLTRA EDGE
The Center of an Open Framework
- Primary data store for structured intelligence
- Connects your STIX and TAXII enabled tools

SOLTRA EDGE
Foundation of a Security Network
- Structured intelligence server and router
- Can act as a TAXII gateway to other STIX sources

SOLTRA EDGE
Hides Complexity of STIX & TAXII
- Simple and intuitive interface
- Visualize, create, and move intelligence

THANK YOU FOR PARTICIPATING. www.soltra.com
David Eilken, VP Product Strategy, Soltra