
State of Cyber Threat Intelligence Address

Rick Holland
February 02, 2015

SANS 2015 CTI Summit

Transcript

  1. State of Cyber Threat Intelligence Address. Rick Holland, Principal Analyst, Forrester Research, Inc., 02 February 2015. @rickhholland #CTISummit
  2. © 2014 Forrester Research, Inc. Reproduction Prohibited. CTI SOTU Drinking Game* (phrase: action) › Real time attack tracker: take a drink and say derp 20 times. *All drinks are non-alcoholic of course, it's only 10:30.
  3. CTI SOTU Drinking Game* (phrase: action) › Real time attack tracker: take a drink and say derp 20 times. › Fusion: mix two drinks of your choice. *All drinks are non-alcoholic of course, it's only 1pm.
  4. CTI SOTU Drinking Game* (phrase: action) › Real time attack tracker: take a drink and say derp 20 times. › Fusion: mix two drinks of your choice. › Actionable intelligence: get speared by Terry Tate and then take a drink. *All drinks are non-alcoholic of course, it's only 1pm.
  5. CTI SOTU Drinking Game* (phrase: action) › Real time attack tracker: take a drink and say derp 20 times. › Fusion: mix two drinks of your choice. › Actionable intelligence: get speared by Terry Tate and then take a drink, you’ll need it. › Attribution: take a drink while getting a tattoo of Kim Jong-un on your forehead. *All drinks are non-alcoholic of course, it's only 1pm.
  6. CTI SOTU Drinking Game* (phrase: action) › Real time attack tracker: take a drink and say derp 20 times. › Fusion: mix two drinks of your choice. › Actionable intelligence: get speared by Terry Tate and then take a drink, you’ll need it. › Attribution: take a drink while getting a tattoo of Kim Jong-un on your forehead. › STIX: share a drink with a colleague. *All drinks are non-alcoholic of course, it's only 1pm.
  7. Agenda › CTI investment is hot › Threat intelligence providers › Sony Pictures › Threat intelligence platforms › Sharing #CTISummit
  8. Companies are investing in CTI as well › Used to be 1%er focused. › 1%er = Defense, Financial Services, High Tech, and Manufacturing. › Now it is closer to 10%. • Energy, Healthcare, Retail joining the ranks.
  9. Agenda › CTI investment is hot › Threat intelligence providers › Sony Pictures › Threat intelligence platforms › Sharing #CTISummit @rickhholland
  10. My real time attack tracker can beat up your real time attack tracker!
  11. My threat indicator counter can beat up your threat indicator counter!
  12. Terry Tate, Office Linebacker: “We have actionable intelligence.”
  13. Pyramid of Pain is painful for vendors › PoP is challenging for CTI providers too! Source: David Bianco, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  14. 2014 - You have to have an actual strategy › Jerry “the owner” isn’t happy with Jerry “the general manager”.
  16. Heavy focus on tactical intel › Focus is on the bottom end of the Pyramid of Pain. › Need to complement tactical with strategic intelligence.
  17. Lack of professional tradecraft › As the discipline matures we need more traditional tradecraft. › CIA Center for the Study of Intelligence › Cognitive biases section is well worth your time.
  20. Operationalizing threat intel › 1) Ingest › 2) Analyze › 3) Integrate
  21. Looking ahead › Depending on maturity, threat intel functions could be in different tools. › For many, SIEM + feeds will be the pinnacle of maturity. › Not everyone is the GE-CIRT or LM-CIRT.
  22. Looking ahead › To try and regain relevancy, SIEMs will continue to add threat intel capabilities. › SIEM/analytics players will acquire TIP vendors over the next 24 months.
  23. Analysis - Enrichment › Enrichment provides context that makes the analyst’s job easier: • GeoIP • Identity • Passive DNS • WHOIS • Reputation data
  24. Analysis - Enrichment › Vendors are exposing their threat data for enrichment. › OpenDNS Investigate tool:
  26. Last year: “We aren’t sure what standard is going to emerge as the leader.”
  27. Now › STIX gained significant momentum over 2014. › Vendors are no longer waiting to see which dot will cross home plate 1st. › Now many are waiting to see *when* STIX will be mature enough to implement. › Still a long road ahead.
  28. Sharing & TIPs › Sharing/collaboration alone does not a threat intel platform make. › Sharing/collaboration is a function of a threat intel platform. › Sharing isn’t a silver bullet.
  29. Free research plug › Not a Forrester client, interested in free research? › If you participate in a confidential research interview, I will provide a complimentary copy of the research. @rickhholland
  30. RSA Conference teaser: “Threat Intel Is Like 3 Day Potty Training”