
State of Cyber Threat Intelligence Address

Rick Holland
February 02, 2015


SANS 2015 CTI Summit


Transcript

  1. State of Cyber Threat Intelligence Address. Rick Holland, Principal Analyst, Forrester Research, Inc. 02 February 2015. @rickhholland #CTISummit
  2. © 2014 Forrester Research, Inc. Reproduction Prohibited. 2013 – If It Bleeds We Can Kill It
  3. 2014 – Cyber Threat Intel Buyers Guide
  4. (image slide)
  5. CTI SOTU Drinking Game* (the table is built up one row per slide over slides 5–9)
     Phrase | Action
     Real time attack tracker | Take a drink and say derp 20 times
     *All drinks are non-alcoholic of course, it's only 10:30
  6. CTI SOTU Drinking Game* adds: Fusion | Mix two drinks of your choice (*footnote now reads "it's only 1pm")
  7. CTI SOTU Drinking Game* adds: Actionable Intelligence | Get speared by Terry Tate and then take a drink
  8. CTI SOTU Drinking Game* adds: Attribution | Take a drink while getting a tattoo of Kim Jong-un on your forehead (the Actionable Intelligence row now ends "…take a drink, you'll need it")
  9. CTI SOTU Drinking Game* adds: STIX | Share a drink with a colleague
  10. Agenda › CTI investment is hot › Threat intelligence providers › Sony Pictures › Threat intelligence platforms › Sharing #CTISummit
  11. (image slide)
  12. (image slide)
  13. (image slide)
  14. Companies are investing in CTI as well
      › Used to be 1%er focused.
      › 1%er = Defense, Financial Services, High Tech, and Manufacturing.
      › Now it is closer to 10%.
        • Energy, Healthcare, Retail joining the ranks.
  15. Agenda (section marker) › CTI investment is hot › Threat intelligence providers › Sony Pictures › Threat intelligence platforms › Sharing #CTISummit @rickhholland
  16. My threat intel can beat up your threat intel
  17. This has evolved to include:
  18. My threat report can beat up your threat report!
  19. My attribution can beat up your attribution!
  20. My real time attack tracker can beat up your real time attack tracker!
  21. My threat indicator counter can beat up your threat indicator counter!
  22. Terry Tate, Office Linebacker: "We have actionable intelligence."
  23. Actionable intelligence isn't actionable if it isn't relevant to you
  24. Pyramid of Pain is painful for vendors
      › PoP is challenging for CTI providers too!
      Source: David Bianco, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  25. 2014 – You have to have an actual strategy. Jerry "the owner" isn't happy with Jerry "the general manager"
  26. (repeat of slide 25)
  27. 2015 Jerry – Executive of the Year
  28. Heavy focus on tactical intel
      › Focus is on the bottom end of the Pyramid of Pain.
      › Need to complement tactical with strategic intelligence.
  29. Lack of professional tradecraft
      › As the discipline matures we need more traditional tradecraft.
      › CIA Center for the Study of Intelligence
      › Cognitive biases section is well worth your time.
  30. Agenda (section marker) › CTI investment is hot › Threat intelligence providers › Sony Pictures › Threat intelligence platforms › Sharing #CTISummit @rickhholland
  31. Sony Pictures / North Korea
  32. Targeted-Attack Hierarchy of Needs. Where does attribution rank on your needs?
  33. (image slide)
  34. Agenda (section marker) › CTI investment is hot › Threat intelligence providers › Sony Pictures › Threat intelligence platforms › Sharing #CTISummit @rickhholland
  35. Operationalizing threat intel
      › 1) Ingest
      › 2) Analyze
      › 3) Integrate
  36. Threat intel platforms (TIPs) have emerged
  37. (image slide)
  38. Looking ahead
      › Depending on maturity, threat intel functions could be in different tools.
      › For many, SIEM + feeds will be the pinnacle of maturity.
      › Not everyone is the GE-CIRT or LM-CIRT.
  39. Looking ahead
      › To try and regain relevancy, SIEMs will continue to add threat intel capabilities.
      › SIEM/analytics players will acquire TIP vendors over the next 24 months.
  40. Analysis – Enrichment
      › Enrichment provides context that makes the analyst's job easier:
        • GeoIP
        • Identity
        • Passive DNS
        • WHOIS
        • Reputation data
  41. Analysis – Enrichment
      › Vendors are exposing their threat data for enrichment.
      › OpenDNS Investigate tool:
  42. Taking action – avoid DoS'ing yourself
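As an added example (not from the talk or from Forrester), here is the ingest, analyze, integrate loop of slide 35 run over a constructed indicator feed, with constructed passive DNS and reputation data standing in for slide 40's enrichment sources, and a guard for the failure mode of slide 42: it refuses to block addresses in your own ranges and downgrades blocks on shared hosting to alerts. The feed format, the Pyramid of Pain ranking, the thresholds and all values are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Pyramid of Pain levels (Bianco), cheapest to costliest for the adversary to change.
PYRAMID = {"hash": 0, "ip": 1, "domain": 2, "artifact": 3, "tool": 4, "ttp": 5}

# Constructed stand-ins for passive DNS and reputation enrichment lookups.
PASSIVE_DNS = {
    "203.0.113.10": ["update-check.example"],                              # dedicated host
    "198.51.100.7": ["a.example", "b.example", "c.example", "d.example"],  # shared hosting
}
REPUTATION = {"203.0.113.10": "malicious", "198.51.100.7": "suspicious"}

# Constructed feed lines, 'kind,value,confidence' (not any real vendor's format).
FEED = ["ip,203.0.113.10,90", "ip,198.51.100.7,90",
        "ip,192.0.2.5,95", "domain,update-check.example,60"]

@dataclass
class Indicator:
    kind: str
    value: str
    confidence: int
    pain: int = 0
    context: dict = field(default_factory=dict)

def ingest(feed_lines):
    """Step 1, ingest: parse feed lines into Indicator records."""
    rows = [line.split(",") for line in feed_lines]
    return [Indicator(k.strip(), v.strip(), int(c)) for k, v, c in rows]

def analyze(ind):
    """Step 2, analyze: rank on the Pyramid of Pain and attach enrichment context."""
    ind.pain = PYRAMID.get(ind.kind, 0)
    ind.context = {"hosted": PASSIVE_DNS.get(ind.value, []),
                   "reputation": REPUTATION.get(ind.value, "unknown")}
    return ind

def integrate(ind, own_networks, min_confidence=70, max_hosted=3):
    """Step 3, integrate: choose an action, with the 'don't DoS yourself' guard."""
    if ind.kind == "ip":
        addr = ipaddress.ip_address(ind.value)
        if any(addr in ipaddress.ip_network(n) for n in own_networks):
            return "ignore"  # our own address in the feed: blocking it would self-DoS
        if len(ind.context["hosted"]) > max_hosted:
            return "alert"   # shared hosting: a block would also hit legitimate traffic
    return "block" if ind.confidence >= min_confidence else "alert"

def run_pipeline(feed_lines, own_networks):
    """Ingest -> analyze -> integrate; returns {indicator value: action}."""
    return {i.value: integrate(analyze(i), own_networks) for i in ingest(feed_lines)}
```

With the constructed data, `run_pipeline(FEED, ["192.0.2.0/24"])` blocks only the dedicated malicious host; the shared-hosting address and the low-confidence domain become alerts and the address inside your own range is ignored.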
  43. Agenda (section marker) › CTI investment is hot › Threat intelligence providers › Sony Pictures › Threat intelligence platforms › Sharing #CTISummit @rickhholland
  44. Threat intel sharing
  45. (image slide)
  46. Last year: "We aren't sure what standard is going to emerge as the leader."
  47. Now
      › STIX gained significant momentum over 2014.
      › Vendors are no longer waiting to see which dot will cross home plate 1st.
      › Now many are waiting to see *when* STIX will be mature enough to implement.
      › Still a long road ahead.
  48. STIX momentum
  49. Soltra
  50. Sharing & TIPs
      › Sharing/collaboration alone does not a threat intel platform make.
      › Sharing/collaboration is a function of a threat intel platform.
      › Sharing isn't a silver bullet.
  51. Free research plug
      › Not a Forrester client, interested in free research?
      › If you participate in a confidential research interview, I will provide a complimentary copy of the research. @rickhholland
  52. RSA Conference teaser: "Threat Intel Is Like 3 Day Potty Training"
  53. Thank you. Rick Holland, +1 469.221.5359, rholland@forrester.com, @rickhholland #CTISummit #ThreatIntel