Threat Intelligence is Like Three Day Potty Training

Transcript

1. SESSION ID: #RSAC Rick Holland Threat Intelligence is Like Three

   Day Potty Training CXO-T08R Principal Analyst Forrester Research @rickhholland

2. #RSAC 2 “Potty training method that guarantees success so you

   can say goodbye to diapers permanently in 3 days or less!”

3. #RSAC 3 We are 320 days into 3 day potty

   training.

4. #RSAC Incentive program 4

5. #RSAC Unexpected outcomes 5

6. #RSAC Unexpected outcomes 6

7. #RSAC 3 day threat intelligence? 7

8. #RSAC 3 day threat intelligence? 8

9. #RSAC Threat intelligence to the rescue 9

10. #RSAC Agenda  Threat intelligence to the rescue  Threat

    intelligence maturity model  People  Process  Technology  Apply 10 #3daythreatintel

11. #RSAC Threat intelligence maturity model

12. #RSAC We have a guide – Intelligence lifecycle 12 For

    more: • US Army Field Manual 2-0 - Intelligence • Joint Publication 2- 0 - Joint Intelligence

13. #RSAC Threat intelligence maturity 13 <12 months 12 - 18

    months 18 - 24 months 24 - 48 months

14. #RSAC Perceived maturity 14

15. #RSAC Actual maturity 15

16. #RSAC People, Process and Technology 16

17. #RSAC People #3daythreatintel

18. #RSAC People 18

19. #RSAC Example organizational structure 19

20. #RSAC Finding a particular set of skills is difficult 

    Technical skills + soft skills required.  You must have a farm system to develop talent with the skills you need.  Work with local universities  Provide internships.  Join advisory boards. 20

21. #RSAC Mature organizations focus on critical thinking 21

22. #RSAC Mature organizations focus on critical thinking  Written by

    Daniel Kahneman.  Kahneman reveals “where we can and cannot trust our intuitions and how we can tap into the benefits of slow thinking.” 22

23. #RSAC Training 23

24. #RSAC Real world training 24  You fight like you

    train and you train like you fight.  Team based training, not just individual.  iSight Partners & Symantec provide cyber ranges.

25. #RSAC Sponsor events at intelligence/cyber epicenters 25

26. #RSAC Retention is critical, your program can regress 26 

    Maturity doesn’t just evolve, it can devolve.  You must be creative with retention strategies:  Remote workers  Training  Career pathing  Work with HR to create exceptions

27. #RSAC Process #3daythreatintel

28. #RSAC Process 28

29. #RSAC Intel requirements are the foundation of your program 

    Occurs during the “Planning & Direction” phase of the intel cycle  Develop requirements based upon:  Your threat model  Understanding the success criteria for your business 29

30. #RSAC Developing intelligence requirements 30

31. #RSAC Example intelligence requirements 31  Have Chinese threat actors

    targeted health insurance provider x?  What is likelihood that Lizard Squad will seek to disrupt the online gaming services of vendor x?  What is the risk of adversary targeting the intellectual property associated with a 2017 product launch?

32. #RSAC Collection management 32

33. #RSAC Why reinvent the wheel? 33

34. #RSAC Actionable intelligence 34

35. #RSAC Mature firms invest in relevant intelligence 35

36. #RSAC Mature firms measure threat intelligence source effectiveness 36

37. #RSAC Avoid Expense in Depth 37

38. #RSAC Technology #3daythreatintel

39. #RSAC Technology 39

40. #RSAC Operationalizing threat intelligence 40

41. #RSAC When actionable intelligence isn’t integrated 41

42. #RSAC Mature orgs integrate actionable intelligence 42

43. #RSAC Threat intelligence market overview 43

44. #RSAC Operationalizing threat intelligence – This? 44

45. #RSAC Operationalizing threat intelligence – Or This? 45

46. #RSAC Mature orgs rely upon Threat Intelligence Platforms 46 

    You need a quarterback to orchestrate your intelligence work.  You don’t manage threat intel, you analyze and integrate it.

47. #RSAC Threat Intelligence Platform functions 47  Ingest threat intelligence

    and normalize it.  Rate intelligence sources (over time.)  Provide an analyst workspace.  Provide visualization and pivoting.  Provide enrichment.  Enable internal and external collaboration/sharing.

48. #RSAC Threat intelligence sharing 48  Sharing alone does not

    a threat intel platform make.  Sharing is a function of a threat intel platform.  If you cannot take action on shared intel it has little value.

49. #RSAC Speed of sharing 49  “We need to close

    the gap between sharing speed and attack speed.”  “75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).”

50. #RSAC STIX could be the answer 50  STIX gained

    momentum in 2014, but still has a long way to go.  Be on the look out for “checkbox STIX.”  Ask vendors what specific use cases do they support.  Join the conversation: https://stix.mitre.org/community/registr ation.html

51. #RSAC Oversight 51

52. #RSAC Prepare for the Bobs 52  How effective were

    your investments? Avoid Expense in Depth with after action reviews.  Measure and track:  Time to detection, containment, remediation.  If you cannot measure these items, invest in the situational awareness technology required to do so.

53. #RSAC Mature firms produce strategic intelligence  Produce your own

    customized version of the Verizon DBIR.  Produce daily digest of top cybersecurity stories and their impacts.  Use strategic intelligence products to improve the external perspective of security. 53

54. #RSAC Summary  There is no magic threat intelligence pixie

    dust.  People, process and technology are all required for success.  Threat intelligence is a long journey that ebbs and flows. 54

55. #RSAC  Next week you should:  Begin a gap

    analysis of your existing collection capabilities.  Reach out to any commercial intelligence providers and have them explain why their intelligence products are aligned with your firm.  Start building dossiers on all future incidents and intrusions. 55 Apply what you have learned today

56. #RSAC  In the first three months following this presentation

    you should:  Develop standing intelligence requirements.  Reevaluate all your intelligence sources, are they accurate, integrated, relevant and timely? 56 Apply what you have learned today

57. #RSAC  Within six months you should:  Implement a

    strategy to recruit, train, and retain threat intelligence resources.  Deliver one strategic intelligence product: Analyze your intrusions and the strategic implications for your organization. 57 Apply what you have learned today

58. #RSAC The wrong choices can be costly 58 VS

59. #RSAC The wrong choices can be costly 59 VS $250

    / annually – It adds up

60. #RSAC Thank you!  Rick Holland  +1 469.221.5359 

    [email protected]  @rickhholland  #3daythreatintel 60