Threat Intelligence Automation Report

Transcription

Creating an effective threat response.

Contributors (names truncated in the source): Senior Director, CIO Office, SAP; Managing Director, Deloitte & Touche LLP; CEO, ThreatConnect.

Contents (entries truncated in the source): …ng in Size and Complexity; …onger Behind Closed Doors; …urity is Failing; …easing Risk; …to Increase Efficiency & Reduce Complexity; …or Efficient Security Operations; …tform to Increase Speed; …lete – Powered by SAP HANA; Analyze 250,000 Threats Per Day.

Introduction

One business-focused Internet Service Provider recently released the results of an analysis of attacks on UK organisations in the three months to the end of September 2018. This suggested that the volume of internet-borne cyber-attacks alone had increased by more than a third over the second quarter of the year, with an average of 774 attacks per business per day. The trouble is that it is not just attack frequency that is evolving but threat and network complexity as well, and both impact upon the capacity of the enterprise to effectively mitigate the breach risk. If threat actors are employing increasingly advanced attack methodologies, and these are being used against an attack surface that is expanding courtesy of the digital transformation of businesses and all that brings with it, then it becomes ever harder to successfully secure the enterprise. Especially when there is a shortage of skilled cybersecurity professionals.

Callout: 774 attacks per business per day

According to the (ISC)2 Cybersecurity Workforce Study 2018 this skills gap has increased to more than 2.9 million globally. It found some 63% of respondents with responsibility for securing their organisations’ systems and data reported a shortage of IT staff working on cybersecurity, and 59% said their own companies were at risk of attack as a result. The bottom line being that in many a security operations centre (SOC) there are not enough skilled analysts to keep up with the volume of incident data flooding in for incident response evaluation.

Indeed, it has become an impossible task to manually analyse and evaluate incident reports to effectively filter false alarms and prioritise the remainder in terms of required response. Talk to any clued-up cybersecurity professional and they will admit that this shortfall of skilled analysts in the face of an avalanche of data inevitably leads to threats either being missed entirely or taking so long to identify that the threat window is left open long enough for the attacker to succeed with the breach before it can be shut.

Callout: 70% of cybersecurity decision-makers admitted they did not have the staff or resources to successfully monitor all threats

A threat intelligence program must be part of any robust enterprise security posture, of that there can be no doubt. The ThreatConnect Building a Threat Intelligence Program report revealed that more than half of those organisations that employed such a program saw the prevention of a broad range of common cybersecurity risks including: phishing attack (67%), breach of customer data (60%), ransomware attacks (58%), insider threats (57%), business email compromise (55%) and supply chain attacks (49%). Yet, while they can help build that security posture, they cannot succeed in seeing all attacks; more than 70% of the cybersecurity decision-makers questioned admitted they did not have the staff or resources to successfully monitor all threats. This comes as no great surprise given that while threat intelligence was one of the areas expected to have the biggest future demand in that (ISC)2 study mentioned earlier, it was also the one with the lowest current expertise.

Which does not mean that threat intelligence is failing the enterprise, but rather that the enterprise is failing to get the full value from it. A proper understanding of what threat intelligence is, and what it isn’t for that matter, along with the application of automation to the process, will release the ‘playing field levelling’ potential of the process when it comes to both detecting and mitigating cyber-attack risk.

“You need to know what you are looking for. If you’re not looking for anything, you’ll find it every time”
John Hurd, senior threat intelligence research engineer, ThreatConnect

Figure: prevention of cybersecurity risk when employing a threat intelligence program
Phishing attack: 67%
Breach of customer data: 60%
Ransomware attacks: 58%
Insider threats: 57%
Business email compromise: 55%
Supply chain attacks: 49%

Threat intelligence explained

OK, what is threat intelligence then? It’s a simple enough question but one that all too often attracts a number of partly right answers, and that leads to it being misunderstood and therefore not applied to its full capacity within the business. The most common error is to think of threat intelligence as being firmly entrenched within a siloed ‘indicators of compromise’ (IOC) feed context. While IOC feeds do, of course, play their part in building the threat intelligence picture, they are far from an accurate portrayal of the threatscape when painted from an intelligence perspective. IOC feeds are, in fact, information that is extracted from data; and there is a big difference between this information and true threat intelligence. If you cannot draw knowledge out of the data, if you cannot use the information that is available to you to provide knowledge that will inform the decisions you make when it comes to threat prevention, detection and response, then it cannot be thought of as intelligence.

To end up with actionable threat intelligence, rather than just a lot of interesting but ultimately impotent information, your organisation will need to draw upon many disparate sources. If you think about it logically, this becomes an undeniable truth. There is, after all, an entire universe of different threat actors with different motivations (from hacktivists and cybercriminals to nation states) and varying levels of expertise and access to attack methodologies. Their targets and payloads will differ along with the maturity and complexity of their code and campaigns. Equally, your organisation must be able to not only look to multiple intelligence-gathering sources but do so without the barriers erected by siloed systems. If the intelligence that you garner cannot be actioned effectively, then once again it is reduced in value to becoming just information. If you accept that intelligence does not exist in a vacuum, that it exists to inform the decision-making process, then you can see how threat intelligence specifically exists to inform that decision-making process for security operations, tactics and strategy.

“Intelligence is what you get when you start asking questions about data”
John Hurd, senior threat intelligence research engineer, ThreatConnect

The single pane of glass concept

The importance of being able to see a unified picture of the threat landscape cannot, therefore, be overstated. Poor threat visibility is one of the threat actors’ greatest assets, and a siloed mindset when it comes to intelligence cannot be allowed to flourish in any enterprise that aspires to the best of security postures. Fragmentation of threat intelligence into specific silos such as endpoints and users, applications and networks, while bringing focus to those individual arenas, ends up making the broader picture a fuzzy one. It is diluting true intelligence into information once again because the ability to investigate and analyse, to make operational decisions to respond to and mitigate threats, is lost through a haze of screen-switching and security analyst fatigue. Especially bearing in mind the skills gap already mentioned, which results in analyst time being the most valuable of security commodities.

This is where triage enters the intelligence equation; the ability to filter, contextualise and prioritise actionable intel through all the noise. ThreatConnect refers to this as being the aggregation of internal and external information, normalised to a common data model, so that it can be refined into intelligence usable for informing decisions. Just as triage helps staff in a hospital accident and emergency department quickly understand the life and death risk to each patient, and prioritise treatment accordingly, so triaging threat intelligence helps the cybersecurity analyst to prioritise threats so that incident response can deal with those posing the most immediate risk to the business in a timely fashion; and that’s where automation really comes into play.

“Finding usable intelligence within all of that noise is one of my big challenges as a CISO operating across a global enterprise”
Mike Loginov, chief information security officer, Ascot Barclay Cyber Security Group

Threat intelligence automation: man and machine working together

Mention the ‘AI’ acronym, artificial intelligence, and immediately you conjure up some dystopian image where the machines remove the humans from the workplace. When it comes to automating threat intelligence, nothing could be further from the truth. AI, or more accurately ML, which stands for machine learning, does not replace the analysts in the SOC but rather enables them. Given the combination of a skills shortage and an ever-increasing incident reporting volume in the SOC, automating the repetitive tasks that would otherwise need to be done manually is the missing cog in the decision-making wheel. Think about it: if the highly skilled (and highly paid) analysts in your SOC can be relieved of the repetitive tasks, while at the same time being presented with more focused, context and situationally aware intelligence, then they can use their time to much better effect. Threat intelligence automation enables security analysts to undertake the kind of advanced threat evaluation you are paying them for, by removing the indicator enrichment and alert triage aspect of the process from their workload. In other words, automation helps remove ‘alert fatigue’ from the SOC, which in turn means more efficient, and more secure, threat response actions.

Feedback loops

The best threat intelligence in the world is of little real-world use in defending your business unless there is a feedback loop between the intelligence and operational functions of the security team. Intelligence must inform the decisions for operations, and those decisions drive the actions that are then taken. There is a cyclical, looping nature to this, as the actions taken (such as further investigation or a malware clean-up) will create more data and information. This might be in the form of artefacts such as new attack patterns or lists of targeted assets, for example, and these artefacts can then be refined into intelligence that becomes available to inform future operations. This relationship between intelligence and operations must be symbiotic and will harden your security posture when you get it right.

Callout: 10x increase in terms of efficiency through using playbooks

Which is all well and good, but all of this still needs to be properly co-ordinated if it is to be truly productive and lead to better security, and that is why orchestration needs to be included. As the name suggests, this is a bit like a conductor getting the best out of an orchestra; security orchestration is the connecting and integrating of the various security applications and processes into a meaningful and actionable whole. ThreatConnect employs a playbook paradigm to achieve this level of task automation without any coding, using a drag and drop interface instead. Using a system of triggers, which could be anything from a new IP address indicator through to a phishing email arriving in an inbox, data is passed to the appropriate apps to perform data enrichment, malware analysis and blocking, for example. Playbooks can be created that are initiated directly from within the threat intelligence platform itself, which means that intelligence-driven responses that might have taken ten steps to complete can now be achieved in a single click. As well as that tenfold increase in terms of efficiency, it also means a tenfold decrease in the potential errors that could have crept into the process.

By using automated threat intelligence and orchestration together, your business has the advantage of situational awareness and historical knowledge at hand to determine what and how processes should be handled. Using this double-whammy of speed and accuracy, your security analysts can automate almost any cybersecurity task, which drives workflow efficiency and reduces costs at the same time as hardening security.

“We want to help facilitate a feedback loop between analysts developing threat intelligence and operations teams that are acting upon it”
John Hurd, senior threat intelligence research engineer, ThreatConnect
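The triage step described earlier (aggregating external feeds and internal telemetry into one common data model, then prioritising) and the playbook triggers described in this section, as an added example written for this edit; it is not ThreatConnect’s own code or data model. The feed schemas, the scoring weights, the priority thresholds and the stand-in enrichment and block steps are all assumptions, and the indicator values are constructed documentation-range addresses.

```python
from dataclasses import dataclass, field
# Constructed sample records (documentation-range addresses, not real indicators):
# two external feeds with different schemas plus an internal SIEM alert.
FEED_A = [{"ioc": "203.0.113.7", "kind": "ipv4", "confidence": 80},
          {"ioc": "198.51.100.9", "kind": "ipv4", "confidence": 40}]
FEED_B = [{"indicator": {"type": "ip", "value": "203.0.113.7"}, "score": 0.6}]
SIEM = [{"src_ip": "203.0.113.7", "hits": 3}, {"src_ip": "192.0.2.5", "hits": 1}]

@dataclass
class Indicator:                             # the common data model for every source
    itype: str
    value: str
    confidence: int = 0                      # best confidence reported, 0-100
    sources: set = field(default_factory=set)
    internal_hits: int = 0                   # sightings in our own telemetry

def normalise(feed_a, feed_b, siem):
    """Map each source's own schema onto Indicator and merge duplicates."""
    merged = {}
    def merge(value, src, conf=0, hits=0):
        ind = merged.setdefault(("ip", value), Indicator("ip", value))
        ind.confidence = max(ind.confidence, conf)
        ind.sources.add(src)
        ind.internal_hits += hits
    for r in feed_a:
        merge(r["ioc"], "feed_a", conf=r["confidence"])
    for r in feed_b:
        merge(r["indicator"]["value"], "feed_b", conf=int(r["score"] * 100))
    for r in siem:
        merge(r["src_ip"], "siem", hits=r["hits"])
    return list(merged.values())

def triage_score(ind):
    """Corroboration by several feeds and sightings on our own network outrank raw confidence."""
    external = len(ind.sources - {"siem"})
    score = ind.confidence + 15 * max(external - 1, 0)
    if ind.internal_hits:
        score += 30
    return min(score, 100)

def priority(ind):
    s = triage_score(ind)
    return "high" if s >= 80 else "medium" if s >= 50 else "low"

# Playbook: a trigger maps to ordered steps; each step stands in for an integrated app.
def enrich(ind, log):
    log.append(f"enrich {ind.value}: seen by {sorted(ind.sources)}")
def block(ind, log):
    if priority(ind) != "high":              # only corroborated, high-priority IPs get blocked
        log.append(f"skip block {ind.value}: priority {priority(ind)}")
        return
    log.append(f"block {ind.value}")

PLAYBOOK = {"new_ip_indicator": [enrich, block]}
def run_playbook(trigger, ind):              # returns the action log for the analyst
    log = []
    for step in PLAYBOOK[trigger]:
        step(ind, log)
    return log
```

The same address reported by both feeds and seen in the SIEM ends up high priority and blocked, while a single low-confidence feed entry is enriched but left for an analyst.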

The DIKI pyramid

When it comes to threat intelligence, less can often be more. Contrary to instinct, monitoring a higher number of threat intel feeds does not equate to a higher level of security; just the opposite in fact. Too. Much. Information. It can be useful, when contemplating how to filter the most relevant threat intel feeds to your business, to employ something called the DIKI pyramid. DIKI stands for Data, Information, Knowledge and Intelligence and is a hierarchy that can help you add context to turn data into information, that information into knowledge and ultimately into the intelligence that drives your incident response decisions.

Raw data, given context, becomes information, which in and of itself is useful, but with meaning this can then become knowledge. All three of which can be thought of as the what and why of the past. Once you add insight to knowledge, however, it transforms into intelligence and that is what you need to ultimately drive the actionable decisions that are made by analysts in the security operations centre.

Figure: the DIKI pyramid (from the past, via analytics, to future action)
Data: signals, know-nothing. WHAT? Reveals relationships.
Given context, becomes Information: useful, organised, structured. WHY? Reveals patterns.
Given meaning, becomes Knowledge: contextual, synthesised. WHAT IS BEST? Reveals principles.
Given insight, becomes Intelligence: understanding, integrated, actionable. Future: what action? Reveals direction.
Given purpose, becomes Decisions: change, movement.

“Bringing all the information together and finding usable intelligence within that information is key and critical.”
Mike Loginov, Chief Information Security Officer, Ascot Barclay Cyber Security Group

Connect intelligence to your entire team

Organisations worldwide leverage the power of ThreatConnect every day to broaden and deepen their intelligence, validate it, prioritise it and act on it. Leveraging advanced analytics capabilities, ThreatConnect offers a superior understanding of relevant cyber threats to business operations. With ThreatConnect, your team works as a single cohesive unit, reinforced by a global community of peers.

To find out more and sign up for a free account, go to threatconnect.com/free or email sales@threatconnect.com

“More than 19,000 users who work for 1,600 organisations worldwide use ThreatConnect today”
