Operationalizing Threat Intelligence Solution Brief - McAfee


SOLUTION BRIEF

Operationalizing Threat Intelligence

Behind just about every legitimate alert your IT security receives is an adversary using multiple attack techniques to penetrate your infrastructure and compromise your vital data assets or systems. Today's targeted multiphase attacks consist of a series of steps that make up the cyberattack chain: reconnaissance, scanning for vulnerabilities, exploitation, and, finally, exfiltration of valuable corporate data.

Security analysts are well aware of these techniques and depend on threat intelligence to glean insights into attack methods and motivations. They can detect and interrupt advanced threats, apply appropriate remediation, and be better prepared next time the security alarm sounds. But all too often, they either lack visibility into certain systems or are inundated with too much data and too little intelligence. According to the SANS Institute study, Who's Using Cyberthreat Intelligence and How?, "only 11.9% of interviewees have achieved the ability to aggregate threat information from virtually every source, and only 8.8% have a full picture view that can combine events with IoCs." [1]

In a recent report, Forrester notes that 77% of North American and European enterprise security decision makers report that improving threat intelligence capabilities is a priority. [2] Cyberthreat intelligence promises to give security practitioners advance warning of cybercriminals targeting their region, industry, or even specific firms so that they have time to take action, but IT security still faces some big challenges:

- How to collect threat intelligence from external as well as internal sources.
- How to correlate the data and prioritize risks.
- How to distribute intelligence across multivendor security controls enterprise-wide.
- How to gain greater visibility into the IT landscape to enable appropriate and swift action.

Modern enterprises need an open, integrated architecture that eases the adoption of threat intelligence and enables them to reap its benefits—from basic threat data collection for forensics to using it to enrich security information and event management (SIEM) analytics. In other words, users need to put threat intelligence to work via automated processes that help analyze, digest, and manage it.

"For our security infrastructure, we needed much more than a technology vendor. It was absolutely essential that we built a relationship with a partner that could help us manage our diverse set of customer requirements and a constantly evolving threat situation. McAfee offers that partnership, and the ongoing security intelligence we receive from McAfee solutions is crucial to helping us keep our business operations on the cutting edge."
—Anurana Saluja, CISO and Vice President of Information Security, Sutherland Global Services

New Threats Call for a New Approach to Threat Intelligence

As attacks grow in complexity, precision, and volume, yesterday's approach to threat intelligence is no longer adequate. Investigating targeted attacks is no easy task. The dynamic behavior of the attackers, the greater variety and availability of local and global threat intelligence sources, and the diversity of threat intelligence data formats can make the aggregation and digestion of threat intelligence into security operations center (SOC) tools more challenging than ever before. A mixed-vendor environment, which is typical of most enterprises, adds to the difficulty of sharing event data and promoting event visibility throughout the organization. As Gartner points out in its report, Technology Overview for Threat Intelligence Platforms, "An organization's inability to share TI is an advantage to cyber threat actors. TI sharing is a force multiplier and is becoming a key element in keeping up with the increasing number of threat actors and the attacks they use." [3]

But sharing threat intelligence alone will not necessarily result in sustainable corrective action and prevention. Security analysts can quickly become overwhelmed with too much information. Most security teams are engaged in an exhausting manual process (see Figure 1) of analyzing millions of security events and suspicious files in an effort to piece together a mountain of data and try to reconstruct the targeted attack. Ultimately, this impairs the thoroughness and speed of the response process. With a less than complete comprehension of threats, security teams are struggling to contain attacks in a timely manner. According to a recent study, Intel Security (now McAfee): When Minutes Count, 2014, less than 25% of respondents stated that they could detect an attack within minutes. [4]

Figure 1. [Pie chart: "How are you using threat intelligence (TI) feeds today? (Select all that apply)". Response categories: 1. Generate TI data from our sandbox; 2. Consume TI data in our SIEM; 3. Use automated tools to compare external TI feeds with internal intelligence; 4. Use manual techniques to compare external TI feeds with internal intelligence; 5. Other.] According to an Intel Security (now McAfee) survey conducted at BlackHat 2015, a large group of users still employ manual techniques to compare external threat intelligence feeds with internal threat intelligence.

Operationalize Threat Intelligence

Intelligence-driven threat detection and remediation require more than just manually importing adversarial IP addresses published on an open website into an SIEM watchlist table once a week. Instead, it calls for real-time threat intelligence ingestion and correlation of all facets of an attack, including methods and global campaigns, so that enterprises can preempt even the stealthiest and most rapidly adapting threats. Enterprise SOCs need a way to "operationalize threat intelligence" in order to get a full picture of attacks impacting their environments. They need a way to sift through the massive amount of data to analyze, correlate, and prioritize threat intelligence and determine what's relevant for their industry, their geography, and their company. And they need to be able to gain insights on unique attacks that may be occurring in the present, as well as insights on trends based on historical security event data. As Forrester points out, operationalizing threat intelligence is critical, as 75% of attacks spread from one victim to the next within 24 hours. Enterprises need to close the gap between "sharing speed and attack speed." [5]

Leverage the McAfee Integrated Architecture

McAfee provides a unified, collaborative platform with all the components for operationalizing threat intelligence, including global threat intelligence feeds, local intelligence creation, real-time sharing of threat information across the IT infrastructure, security information and event management (SIEM), and delivery of automated, adaptive protection.

Table 1. The McAfee integrated threat intelligence platform. Each threat intelligence requirement is listed with how McAfee Threat Intelligence Exchange, McAfee Advanced Threat Defense, McAfee Enterprise Security Manager, and McAfee Global Threat Intelligence address it.

Collects threat intelligence from external sources
- McAfee Threat Intelligence Exchange: STIX, McAfee Global Threat Intelligence (McAfee GTI) import, and VirusTotal.
- McAfee Advanced Threat Defense: McAfee GTI import.
- McAfee Enterprise Security Manager: McAfee GTI, TAXII/STIX import, and HTTP threat feeds via the McAfee Enterprise Security Manager cyberthreat manager.
- McAfee Global Threat Intelligence: McAfee GTI aggregates threat intelligence from multiple Cyber Threat Alliance partners and public sources. McAfee GTI extracts threat intelligence from millions of sensors on customer-deployed McAfee products, such as endpoint, web, mail, network intrusion prevention systems (IPS), and firewall devices.

Collects internal threat intelligence
- McAfee Threat Intelligence Exchange: Collects samples from McAfee VirusScan, McAfee Application Control, McAfee Web Gateway, McAfee Advanced Threat Defense, McAfee Enterprise Security Manager, and from third-party vendor products sending information over McAfee Data Exchange Layer.
- McAfee Advanced Threat Defense: Consumes sample files for detonation from McAfee Threat Intelligence Exchange or via the network.
- McAfee Enterprise Security Manager: Via STIX/TAXII and McAfee Data Exchange Layer.
- McAfee Global Threat Intelligence: Not applicable.

Produces local threat intelligence
- McAfee Threat Intelligence Exchange: Records incidents of suspicious files and creates a local database that records first contact and the trajectory of threats.
- McAfee Advanced Threat Defense: Dissects and convicts malware, generates local threat intelligence, and distributes over McAfee Data Exchange Layer or as a STIX-formatted API.
- McAfee Enterprise Security Manager: Creates threat intelligence watchlists, reports, and views based on correlated events.
- McAfee Global Threat Intelligence: Not applicable.

Distributes threat intelligence across security controls
- McAfee Threat Intelligence Exchange: Via McAfee Data Exchange Layer.
- McAfee Advanced Threat Defense: Via McAfee Data Exchange Layer and product API.
- McAfee Enterprise Security Manager: Via McAfee Data Exchange Layer, product API, and script integration.
- McAfee Global Threat Intelligence: McAfee GTI is integrated with numerous McAfee products, such as McAfee Web Gateway, McAfee Enterprise Security Manager, and McAfee endpoint solutions.

Offers visibility into collected threat intelligence
- McAfee Threat Intelligence Exchange: Via McAfee Threat Intelligence Exchange dashboards.
- McAfee Advanced Threat Defense: Via reports.
- McAfee Enterprise Security Manager: Via dashboards, views, and reports provided in content packs or customer generated.
- McAfee Global Threat Intelligence: Via McAfee Threat Center and the quarterly McAfee Threats Report.

Ingest, Analyze, and Propagate

McAfee Global Threat Intelligence

A good place to start building your integrated threat intelligence platform is McAfee Global Threat Intelligence (McAfee GTI), a comprehensive, real-time, cloud-based reputation service that is fully integrated into McAfee products and enables them to better block cyberthreats across all vectors—file, web, message, and network—swiftly. McAfee GTI provides reputation scores for billions of files, URLs, domains, and IP addresses based on threat data gathered from multiple sources: millions of global sensors monitored and analyzed by McAfee Labs, threat feeds from research partners and via the Cyber Threat Alliance, and cross-vector intelligence from web, email, and network threat data. Backed by high-quality, relevant threat feeds, McAfee GTI provides accurate risk advice that fosters informed policy decision-making and enables controls to block, clean, or allow, as required.

Figure 2. McAfee GTI view.

What Is the Cyber Threat Alliance?

The Cyber Threat Alliance is a group of security practitioners from organizations that work together to share threat information and help improve defenses against adversaries across member organizations and their customers. McAfee is among the founding members that have dedicated their resources to determine the most effective ways to share threat data, foster collaboration among members, and make united progress in the fight against sophisticated cybercriminals.

McAfee Enterprise Security Manager

McAfee Enterprise Security Manager (SIEM) takes threat intelligence ingestion and analysis to the next level, providing a consolidation, analysis, and action hub for every type of threat intelligence. This 360-degree view allows full visibility and situational awareness to speed detection and response to targeted attacks. Its advanced data management system is purpose-built to store and assimilate high volumes of contextual data in real time. McAfee Enterprise Security Manager collects activity and event data from all your systems, databases, networks, and applications. It also imports global threat feeds and consumes threat intelligence in standard formats and transports, such as Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Indicator Information (TAXII) and CybOX, typically published by community or industry groups like the Financial Services Information Sharing and Analysis Center (FS-ISAC). Through advanced analytics, it translates the gathered information into understandable, actionable security intelligence. More significantly, it provides deeper visibility into emerging threats via real-time views and access to historical security information. This allows you to investigate backwards in time to understand the prevalence and patterns of an attack and also to create automated watchlists to detect occurrence or re-occurrence of events in the future. By enriching your system's sensitivity to events known to be malicious, you increase your ability to detect suspicious activities and patterns of activity at various phases of the attack chain and then prioritize response.

McAfee GTI for McAfee Enterprise Security Manager brings the power of McAfee Labs research capabilities to enterprise security monitoring. This constantly updated, rich McAfee GTI feed enhances situational awareness by enabling rapid discovery of events involving communications with suspicious or malicious IPs and allows security administrators to determine which enterprise hosts have communicated or are currently communicating with known bad actors.

McAfee Threat Intelligence Exchange

The third component you can add as you develop an integrated threat intelligence ecosystem is McAfee Threat Intelligence Exchange, which aggregates and shares file reputation intelligence across the entire security infrastructure. McAfee Threat Intelligence Exchange receives threat information from McAfee GTI, STIX file imports, threat feeds coming via McAfee Enterprise Security Manager, and information coming from endpoint, application control, mobile devices, gateway, data centers, and sandboxing technologies from both McAfee solutions and solutions from other vendors. Collecting data from all points in your infrastructure provides information on threats that may be present only in your environment, as many targeted attacks tend to be. In turn, file reputation information is instantly shared across the entire ecosystem to all products and solutions connected to McAfee Threat Intelligence Exchange via the McAfee Data Exchange Layer. For example, if McAfee Threat Intelligence Exchange pushes out information about a malicious executable file, McAfee Data Loss Prevention receives this information over the McAfee Data Exchange Layer and will then start monitoring that executable for any sensitive file access. Threat data shared over McAfee Data Exchange Layer includes file reputations, data classifications, application integrity, and user context data, which is shared with and among products integrated into the McAfee Data Exchange Layer fabric. Any product or solution can be integrated onto the McAfee Data Exchange Layer and then configured to determine what information to publish to the system and what information to listen for and subscribe to.

McAfee Threat Intelligence Exchange works closely with the advanced sandbox solution, McAfee Advanced Threat Defense, which feeds malware analysis data to McAfee Threat Intelligence Exchange. If a file is found to be malicious, McAfee Threat Intelligence Exchange pushes out a file reputation update to all connected systems over the McAfee Data Exchange Layer. This also works the other way around. When McAfee Threat Intelligence Exchange-enabled endpoints encounter files with unknown reputations, they can be submitted to McAfee Advanced Threat Defense to determine if the object is malicious, eliminating blind spots from out-of-band payload delivery. These two products work together to deliver automated, adaptive protection from emerging threats. Information about discovered attacks is delivered across your environment to help block the cyberattack chain before more damage is done.

McAfee Threat Intelligence Exchange enables adaptive threat detection and response by operationalizing intelligence across your endpoint, gateway, network, and data center security solutions in real time. Combining imported global threat information with locally collected intelligence and sharing it instantly, it allows your security solutions to operate as one, exchanging and acting on shared intelligence.

Figure 3. McAfee Threat Intelligence Exchange dashboard.

The following McAfee products support STIX-formatted threat intelligence:
- McAfee Threat Intelligence Exchange
- McAfee Advanced Threat Defense
- McAfee Enterprise Security Manager

Interrupt the Cyberattack Chain

Regardless of where the first point of contact by an unknown malware file occurs, once it is convicted, the entire connected environment is updated immediately. When a file is convicted by McAfee Advanced Threat Defense, McAfee Threat Intelligence Exchange will publish this conviction via a reputation update, which is disseminated through McAfee Data Exchange Layer to all security controls within your organization. McAfee Threat Intelligence Exchange-enabled gateways prevent the file from entering your infrastructure. Through coordinated sharing of threat intelligence across all your security controls, it becomes easier to interrupt the attack chain and prevent further harm without the need for manual intervention.

Digest and Apply: Detect with Accuracy and Make Better Decisions

After threat data is consumed, McAfee Enterprise Security Manager acts as a central point of visibility, correlating the McAfee GTI and McAfee Threat Intelligence Exchange feeds and STIX/TAXII-formatted indicators of compromise (IoCs) with event data, detecting in real time or historically when nodes on your network are communicating with known bad actors or suspicious domains. The threat management dashboard provides analysts with a single, comprehensive view of collected threat indicators, the source feeds, hit rate against the indicators, and the most significant human-readable details on indicators of compromise (IoCs).

Using the McAfee SIEM system in conjunction with other collaborative threat intelligence tools results in reduced operational expenses associated with configuring correlation rules, which is usually a cumbersome manual process. For instance, security analysts can directly review the newly received threat information in a human-readable format, allowing for better understanding of newly detected threats. More important, received threat intelligence can automatically be adopted by real-time or historical correlation rules, thus reducing the time to detect ongoing or new adversarial activity. Users can also follow the progress of reported threats throughout your IT environment, as well as via contextual information in alarm views, enabling better, more informed decisions. All of this collected intelligence improves and speeds up detection and investigation of targeted attacks.

Since threats blaze their paths through the IT infrastructure quickly and are designed to change over time, McAfee Enterprise Security Manager can periodically refresh all acquired threat intelligence, eliminating old, less relevant data. For example, removed command and control servers or cleaned-up websites with lower malicious reputation scores are automatically cleared out to eliminate false positives that can distract your security staff and keep them from chasing real threats.

Figure 4. McAfee Enterprise Security Manager cyberthreat indicators, backtrace hits, and IoC threat details.

Summary

Integrated threat intelligence from McAfee operationalizes the ingestion, digestion, and management of threat intelligence, enabling you to increase threat detection accuracy, eliminate manual efforts, and stop adversaries from harming your business. With improved visibility and enhanced insights on malicious activity across your entire security ecosystem, you are better prepared to identify and preempt targeted attacks today and prevent them in the future.

Learn More

For more information on the building blocks of the McAfee integrated threat intelligence platform, visit:
- McAfee Global Threat Intelligence
- McAfee Threat Intelligence Exchange
- McAfee Advanced Threat Defense
- McAfee Enterprise Security Manager
- How to Use a TAXII Feed with McAfee Enterprise Security Manager

References
1. SANS Institute, Who's Using Cyberthreat Intelligence and How? (URL truncated in source: yst/who-039-scyberthreat-intelligence-how-35767)
2. Forrester, The State Of The Cyberthreat Intelligence Market. https://www.forrester.com/The State Of The Cyberthreat Intelligence Market/fulltext/-/E-RES123011
3. Gartner, Technology Overview for Threat Intelligence Platforms (URL truncated in source: rview-threatintelligence-platforms)
4. Intel Security (now McAfee), When Minutes Count, 2014 (URL truncated in source: -minutes-count.pdf)
5. Forrester (URL truncated in source: ns/file ay-potty-training.pdf)

McAfee, 2821 Mission College Boulevard, Santa Clara, CA 95054. 888 847 8766. www.mcafee.com

McAfee and the McAfee logo and VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright 2017 McAfee, LLC. 62161brf threat-intel 1015. October 2015.
