Threat Intelligence is Like Three Day Potty Training

2015 RSA Conference

Rick Holland

April 21, 2015
Transcript

  1. SESSION ID: CXO-T08R (#RSAC). Threat Intelligence is Like Three Day Potty Training. Rick Holland, Principal Analyst, Forrester Research, @rickhholland
  2. “Potty training method that guarantees success so you can say goodbye to diapers permanently in 3 days or less!”
  3. We are 320 days into 3 day potty training.
  4. Incentive program
  5. Unexpected outcomes
  6. Unexpected outcomes
  7. 3 day threat intelligence?
  8. 3 day threat intelligence?
  9. Threat intelligence to the rescue
  10. Agenda (#3daythreatintel)
     - Threat intelligence to the rescue
     - Threat intelligence maturity model
     - People
     - Process
     - Technology
     - Apply
  11. Threat intelligence maturity model
  12. We have a guide – Intelligence lifecycle. For more:
     - US Army Field Manual 2-0 - Intelligence
     - Joint Publication 2-0 - Joint Intelligence
  13. Threat intelligence maturity: <12 months, 12 - 18 months, 18 - 24 months, 24 - 48 months
  14. Perceived maturity
  15. Actual maturity
  16. People, Process and Technology
  17. People
  18. People
  19. Example organizational structure
  20. Finding a particular set of skills is difficult
     - Technical skills + soft skills required.
     - You must have a farm system to develop talent with the skills you need.
       - Work with local universities.
       - Provide internships.
       - Join advisory boards.
  21. Mature organizations focus on critical thinking
  22. Mature organizations focus on critical thinking
     - Written by Daniel Kahneman.
     - Kahneman reveals “where we can and cannot trust our intuitions and how we can tap into the benefits of slow thinking.”
  23. Training
  24. Real world training
     - You fight like you train and you train like you fight.
     - Team based training, not just individual.
     - iSight Partners & Symantec provide cyber ranges.
  25. Sponsor events at intelligence/cyber epicenters
  26. Retention is critical, your program can regress
     - Maturity doesn’t just evolve, it can devolve.
     - You must be creative with retention strategies:
       - Remote workers
       - Training
       - Career pathing
       - Work with HR to create exceptions
  27. Process
  28. Process
  29. Intel requirements are the foundation of your program
     - Occurs during the “Planning & Direction” phase of the intel cycle.
     - Develop requirements based upon:
       - Your threat model
       - Understanding the success criteria for your business
  30. Developing intelligence requirements
  31. Example intelligence requirements
     - Have Chinese threat actors targeted health insurance provider x?
     - What is the likelihood that Lizard Squad will seek to disrupt the online gaming services of vendor x?
     - What is the risk of an adversary targeting the intellectual property associated with a 2017 product launch?
  32. Collection management
  33. Why reinvent the wheel?
  34. Actionable intelligence
  35. Mature firms invest in relevant intelligence
  36. Mature firms measure threat intelligence source effectiveness
  37. Avoid Expense in Depth
  38. Technology
  39. Technology
  40. Operationalizing threat intelligence
  41. When actionable intelligence isn’t integrated
  42. Mature orgs integrate actionable intelligence
  43. Threat intelligence market overview
  44. Operationalizing threat intelligence – This?
  45. Operationalizing threat intelligence – Or This?
  46. Mature orgs rely upon Threat Intelligence Platforms
     - You need a quarterback to orchestrate your intelligence work.
     - You don’t manage threat intel, you analyze and integrate it.
  47. Threat Intelligence Platform functions
     - Ingest threat intelligence and normalize it.
     - Rate intelligence sources (over time).
     - Provide an analyst workspace.
     - Provide visualization and pivoting.
     - Provide enrichment.
     - Enable internal and external collaboration/sharing.
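An added example, not from the talk or from any vendor's platform, of the first two functions on this slide together with the source-effectiveness measurement from slide 36: two constructed feeds in different formats are ingested and normalized so that the same indicator reported twice collapses to one record, then each source is scored against constructed internal sightings and analyst-confirmed false positives. The feed layouts, field names and the scoring formula are assumptions.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample feeds (not real indicators): CSV feed A repeats one row and defangs a domain.
FEED_A_CSV = """indicator,type,first_seen
198.51.100.23,ipv4,2015-03-01
Bad[.]Example[.]Test,domain,2015-03-02
198.51.100.23,ipv4,2015-03-05
"""
FEED_B_JSON = json.dumps([
    {"value": "bad.example.test", "kind": "domain", "seen": "2015-03-03"},
    {"value": "203.0.113.7", "kind": "ipv4", "seen": "2015-03-04"},
    {"value": "never-seen.example.test", "kind": "domain", "seen": "2015-03-04"},
])
# Constructed telemetry for one review period: true matches, and analyst-confirmed false positives.
SIGHTINGS = {"198.51.100.23", "bad.example.test"}
FALSE_POSITIVES = {"203.0.113.7"}

def normalize(value: str) -> str:
    """Lower-case and undo common defanging so the same indicator from two feeds compares equal."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def ingest(feed_a_csv: str, feed_b_json: str) -> dict:
    """Parse both feeds into one de-duplicated map: (type, value) -> set of sources reporting it."""
    records = {}
    for row in csv.DictReader(io.StringIO(feed_a_csv)):
        records.setdefault((row["type"], normalize(row["indicator"])), set()).add("feed_a")
    for item in json.loads(feed_b_json):
        records.setdefault((item["kind"], normalize(item["value"])), set()).add("feed_b")
    return records

def rate_sources(records: dict, sightings: set, false_positives: set) -> dict:
    """Per source: volume, indicators only it supplied, confirmed hits, confirmed false positives,
    and score = (hits - false_positives) / indicators in [-1, 1]. Re-run every review period."""
    stats = defaultdict(lambda: {"indicators": 0, "unique": 0, "hits": 0, "false_positives": 0})
    for (_itype, value), sources in records.items():
        for src in sources:
            s = stats[src]
            s["indicators"] += 1
            s["unique"] += 1 if len(sources) == 1 else 0
            if value in false_positives:
                s["false_positives"] += 1
            elif value in sightings:
                s["hits"] += 1
    for s in stats.values():
        s["score"] = round((s["hits"] - s["false_positives"]) / s["indicators"], 2)
    return dict(stats)
```

Running `rate_sources(ingest(FEED_A_CSV, FEED_B_JSON), SIGHTINGS, FALSE_POSITIVES)` for each reporting period gives the trend line a platform would plot per source.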
  48. Threat intelligence sharing
     - Sharing alone does not a threat intel platform make.
     - Sharing is a function of a threat intel platform.
     - If you cannot take action on shared intel it has little value.
  49. Speed of sharing
     - “We need to close the gap between sharing speed and attack speed.”
     - “75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).”
  50. STIX could be the answer
     - STIX gained momentum in 2014, but still has a long way to go.
     - Be on the lookout for “checkbox STIX.”
     - Ask vendors what specific use cases they support.
     - Join the conversation: https://stix.mitre.org/community/registration.html
  51. Oversight
  52. Prepare for the Bobs
     - How effective were your investments? Avoid Expense in Depth with after action reviews.
     - Measure and track: time to detection, containment, remediation.
     - If you cannot measure these items, invest in the situational awareness technology required to do so.
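An added example, not part of the presentation, of the measure-and-track point above: it computes median time to detection, containment and remediation from constructed incident dossier entries and reports which incidents lack the timestamps a stage needs, which is the gap the last bullet tells you to close. The stage definitions (detection measured from compromise, containment and remediation from detection) and the record layout are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed incident dossier entries (not real incidents), ISO 8601 UTC timestamps.
# A stage nobody recorded is None; the report surfaces that rather than hiding it.
INCIDENTS = [
    {"id": "INC-1", "compromise": "2015-01-10T02:00Z", "detected": "2015-01-12T02:00Z",
     "contained": "2015-01-12T08:00Z", "remediated": "2015-01-15T02:00Z"},
    {"id": "INC-2", "compromise": "2015-02-01T00:00Z", "detected": "2015-02-01T12:00Z",
     "contained": None, "remediated": "2015-02-03T00:00Z"},
    {"id": "INC-3", "compromise": "2015-03-05T00:00Z", "detected": "2015-03-05T04:00Z",
     "contained": "2015-03-05T06:00Z", "remediated": None},
]
# Assumed stage definitions: detection from compromise, containment and remediation from detection.
STAGES = [
    ("time_to_detection", "compromise", "detected"),
    ("time_to_containment", "detected", "contained"),
    ("time_to_remediation", "detected", "remediated"),
]
FMT = "%Y-%m-%dT%H:%MZ"

def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two recorded timestamps."""
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600

def after_action_metrics(incidents: list) -> dict:
    """For each stage: median hours, the share of incidents where it could be measured, and the
    incident ids missing the data (the gap to close with better situational awareness tooling)."""
    report = {}
    for name, start, end in STAGES:
        measured = [hours_between(i[start], i[end]) for i in incidents if i[start] and i[end]]
        report[name] = {
            "median_hours": median(measured) if measured else None,
            "measurable": round(len(measured) / len(incidents), 2),
            "missing": [i["id"] for i in incidents if not (i[start] and i[end])],
        }
    return report
```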
  53. Mature firms produce strategic intelligence
     - Produce your own customized version of the Verizon DBIR.
     - Produce a daily digest of top cybersecurity stories and their impacts.
     - Use strategic intelligence products to improve the external perspective of security.
  54. Summary
     - There is no magic threat intelligence pixie dust.
     - People, process and technology are all required for success.
     - Threat intelligence is a long journey that ebbs and flows.
  55. Apply what you have learned today. Next week you should:
     - Begin a gap analysis of your existing collection capabilities.
     - Reach out to any commercial intelligence providers and have them explain why their intelligence products are aligned with your firm.
     - Start building dossiers on all future incidents and intrusions.
  56. Apply what you have learned today. In the first three months following this presentation you should:
     - Develop standing intelligence requirements.
     - Reevaluate all your intelligence sources: are they accurate, integrated, relevant and timely?
  57. Apply what you have learned today. Within six months you should:
     - Implement a strategy to recruit, train, and retain threat intelligence resources.
     - Deliver one strategic intelligence product: analyze your intrusions and the strategic implications for your organization.
  58. The wrong choices can be costly (VS)
  59. The wrong choices can be costly (VS): $250 / annually – It adds up
  60. Thank you! Rick Holland, +1 469.221.5359, rholland@forrester.com, @rickhholland, #3daythreatintel