Threat Intelligence is Like Three Day Potty Training

2015 RSA Conference

Rick Holland

April 21, 2015

Transcript

  1. SESSION ID: CXO-T08R. Threat Intelligence is Like Three Day Potty Training. Rick Holland, Principal Analyst, Forrester Research (@rickhholland). #RSAC

  2. “Potty training method that guarantees success so you can say goodbye to diapers permanently in 3 days or less!”

  3. We are 320 days into 3 day potty training.

  4. Incentive program

  5. Unexpected outcomes

  6. Unexpected outcomes

  7. 3 day threat intelligence?

  8. 3 day threat intelligence?

  9. Threat intelligence to the rescue

  10. Agenda (#3daythreatintel)
     • Threat intelligence to the rescue
     • Threat intelligence maturity model
     • People
     • Process
     • Technology
     • Apply

  11. Threat intelligence maturity model

  12. We have a guide: the intelligence lifecycle. For more, see US Army Field Manual 2-0, Intelligence, and Joint Publication 2-0, Joint Intelligence.

  13. Threat intelligence maturity (timeline: <12 months; 12-18 months; 18-24 months; 24-48 months)

  14. Perceived maturity

  15. Actual maturity

  16. People, Process and Technology

  17. People (#3daythreatintel)

  18. People

  19. Example organizational structure

  20. Finding a particular set of skills is difficult
     • Technical skills + soft skills required.
     • You must have a farm system to develop talent with the skills you need.
     • Work with local universities.
     • Provide internships.
     • Join advisory boards.

  21. Mature organizations focus on critical thinking

  22. Mature organizations focus on critical thinking
     • Written by Daniel Kahneman.
     • Kahneman reveals “where we can and cannot trust our intuitions and how we can tap into the benefits of slow thinking.”

  23. Training

  24. Real world training
     • You fight like you train and you train like you fight.
     • Team based training, not just individual.
     • iSight Partners & Symantec provide cyber ranges.

  25. Sponsor events at intelligence/cyber epicenters

  26. Retention is critical, your program can regress
     • Maturity doesn’t just evolve, it can devolve.
     • You must be creative with retention strategies: remote workers, training, career pathing, work with HR to create exceptions.

  27. Process (#3daythreatintel)

  28. Process

  29. Intel requirements are the foundation of your program
     • Occurs during the “Planning & Direction” phase of the intel cycle.
     • Develop requirements based upon your threat model and an understanding of the success criteria for your business.

  30. Developing intelligence requirements

  31. Example intelligence requirements
     • Have Chinese threat actors targeted health insurance provider X?
     • What is the likelihood that Lizard Squad will seek to disrupt the online gaming services of vendor X?
     • What is the risk of an adversary targeting the intellectual property associated with a 2017 product launch?

  32. Collection management

  33. Why reinvent the wheel?

  34. Actionable intelligence

  35. Mature firms invest in relevant intelligence

  36. Mature firms measure threat intelligence source effectiveness

  37. Avoid Expense in Depth

  38. Technology (#3daythreatintel)

  39. Technology

  40. Operationalizing threat intelligence

  41. When actionable intelligence isn’t integrated

  42. Mature orgs integrate actionable intelligence

  43. Threat intelligence market overview

  44. Operationalizing threat intelligence – This?

  45. Operationalizing threat intelligence – Or This?

  46. Mature orgs rely upon Threat Intelligence Platforms
     • You need a quarterback to orchestrate your intelligence work.
     • You don’t manage threat intel, you analyze and integrate it.

  47. Threat Intelligence Platform functions
     • Ingest threat intelligence and normalize it.
     • Rate intelligence sources (over time).
     • Provide an analyst workspace.
     • Provide visualization and pivoting.
     • Provide enrichment.
     • Enable internal and external collaboration/sharing.

  48. Threat intelligence sharing
     • Sharing alone does not a threat intel platform make.
     • Sharing is a function of a threat intel platform.
     • If you cannot take action on shared intel it has little value.

  49. Speed of sharing
     • “We need to close the gap between sharing speed and attack speed.”
     • “75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).”

  50. STIX could be the answer
     • STIX gained momentum in 2014, but still has a long way to go.
     • Be on the lookout for “checkbox STIX.”
     • Ask vendors what specific use cases they support.
     • Join the conversation: https://stix.mitre.org/community/registration.html

  51. Oversight

  52. Prepare for the Bobs
     • How effective were your investments? Avoid Expense in Depth with after action reviews.
     • Measure and track: time to detection, containment, remediation.
     • If you cannot measure these items, invest in the situational awareness technology required to do so.

  53. Mature firms produce strategic intelligence
     • Produce your own customized version of the Verizon DBIR.
     • Produce a daily digest of top cybersecurity stories and their impacts.
     • Use strategic intelligence products to improve the external perspective of security.

  54. Summary
     • There is no magic threat intelligence pixie dust.
     • People, process and technology are all required for success.
     • Threat intelligence is a long journey that ebbs and flows.

  55. Apply what you have learned today. Next week you should:
     • Begin a gap analysis of your existing collection capabilities.
     • Reach out to any commercial intelligence providers and have them explain why their intelligence products are aligned with your firm.
     • Start building dossiers on all future incidents and intrusions.

  56. Apply what you have learned today. In the first three months following this presentation you should:
     • Develop standing intelligence requirements.
     • Reevaluate all your intelligence sources: are they accurate, integrated, relevant and timely?

  57. Apply what you have learned today. Within six months you should:
     • Implement a strategy to recruit, train, and retain threat intelligence resources.
     • Deliver one strategic intelligence product: analyze your intrusions and the strategic implications for your organization.

  58. The wrong choices can be costly. VS

  59. The wrong choices can be costly. VS $250 / annually – It adds up

  60. Thank you! Rick Holland, +1 469.221.5359, [email protected], @rickhholland, #3daythreatintel
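As an added example that is not part of Rick Holland's deck, the Python script below shows what three of the slides look like as working code: "ingest threat intelligence and normalize it" and "rate intelligence sources over time" (slide 47), "measure threat intelligence source effectiveness" (slide 36), and "ask vendors what specific use cases they support" for STIX (slide 50). It assumes two feeds, a vendor CSV export and a STIX 2.x-style bundle, plus a few key=value telemetry lines; the feed contents, STIX object IDs, log lines and timestamps are all constructed for the example, and only single-comparison STIX patterns are handled.

```python
"""Added example (not from the deck): normalize two differently formatted
threat-intel feeds, match them against internal telemetry, and score each
source by hit rate and lead time. All feeds, IDs, log lines and timestamps
are constructed."""
import csv
import io
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed feed A: a vendor CSV export.
FEED_A_CSV = """type,value,first_seen
ipv4,203.0.113.5,2015-04-01T00:00:00Z
domain,bad.example.net,2015-04-02T00:00:00Z
ipv4,198.51.100.7,2015-04-03T00:00:00Z
"""

# Constructed feed B: a minimal STIX 2.x-style bundle (constructed IDs).
FEED_B_STIX = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "pattern_type": "stix", "valid_from": "2015-04-05T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'evil.example.org']",
         "pattern_type": "stix", "valid_from": "2015-04-01T00:00:00Z"},
    ],
})

# Constructed internal telemetry (proxy/firewall events), in time order.
TELEMETRY = [
    "2015-04-06T10:15:00Z src=10.0.0.12 dst=203.0.113.5 action=allow",
    "2015-04-07T09:00:00Z src=10.0.0.40 host=evil.example.org action=block",
    "2015-04-08T12:30:00Z src=10.0.0.9 dst=192.0.2.33 action=allow",
]

STIX_TYPES = {"ipv4-addr": "ipv4", "domain-name": "domain"}
# Only single-comparison STIX patterns are supported; anything richer is
# skipped rather than silently misparsed (the "checkbox STIX" trap).
SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value = '([^']+)'\]$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_csv(text, source):
    """Feed A -> list of {type, value, source, first_seen} records."""
    return [{"type": r["type"], "value": r["value"], "source": source,
             "first_seen": parse_ts(r["first_seen"])}
            for r in csv.DictReader(io.StringIO(text))]

def normalize_stix(text, source):
    """Feed B -> the same record shape as feed A."""
    out = []
    for obj in json.loads(text)["objects"]:
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if obj.get("type") != "indicator" or not m:
            continue
        out.append({"type": STIX_TYPES[m.group(1)], "value": m.group(2),
                    "source": source, "first_seen": parse_ts(obj["valid_from"])})
    return out

def match_telemetry(indicators, lines):
    """(indicator, observed_at) for each indicator value found in a key=value
    field of a telemetry line."""
    hits = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        values = {tok.split("=", 1)[1] for tok in rest.split() if "=" in tok}
        hits.extend((ind, parse_ts(ts)) for ind in indicators if ind["value"] in values)
    return hits

def score_sources(indicators, hits):
    """Per source: indicators supplied, fraction that ever matched, and average
    lead time in days (first internal sighting minus the feed's first_seen;
    negative means the feed told you after you had already seen it)."""
    total, matched, lead = defaultdict(int), defaultdict(set), defaultdict(list)
    for ind in indicators:
        total[ind["source"]] += 1
    for ind, seen_at in hits:          # hits arrive in telemetry order
        src = ind["source"]
        if ind["value"] not in matched[src]:
            matched[src].add(ind["value"])
            lead[src].append((seen_at - ind["first_seen"]).total_seconds() / 86400)
    return {src: {"indicators": total[src],
                  "hit_rate": len(matched[src]) / total[src],
                  "avg_lead_days": sum(lead[src]) / len(lead[src]) if lead[src] else None}
            for src in total}

def run_example():
    indicators = normalize_csv(FEED_A_CSV, "feed_a") + normalize_stix(FEED_B_STIX, "feed_b")
    return score_sources(indicators, match_telemetry(indicators, TELEMETRY))

if __name__ == "__main__":
    for src, score in run_example().items():
        print(src, score)
```

Run it directly to print one score per source. Rerunning the scoring as telemetry accumulates is the "over time" part of slide 47: a feed whose hit rate stays near zero, or whose lead time turns negative because it publishes what you have already seen, is the "expense in depth" the deck warns about, and a vendor whose STIX export falls outside the patterns your platform can actually act on fails the slide 50 use-case test.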