Threat Intelligence Program Model
Threat Intelligence Program Model v3.5 March 26th, 2015 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. The problem Threat Intelligence The solution (also a problem) An opportunity Static enterprise security programs aren’t evolving to meet modern threats to the business. A highly specialized and fractured solution market is creating more problems than it’s solving. Complementing your enterprise security program with threat intelligence in a pragmatic, measurable approach. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. PROGRAM FOUNDATIONS 3 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Defining Threat Intelligence Working definition: “An ecosystem of contextually relevant and evidence-based knowledge – integrated into platforms and tools – to quickly and accurately address dangers to individuals, organizations, or assets in a standardized, consumable format” 4 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Making the Business Case 3 Common threat intelligence program drivers 1. Improve efficiency of current resources • 2. Increase speed & efficiency of detection • 3. answer the “are we spending, operationalizing smartly?” question with better intelligence, malicious activity can be detected sooner, and more effectively Increase efficiency of response • having in-depth knowledge of an adversary or piece of malware means IR teams can be more effective at remediation/forensics Bonus: Reduce overall attack exposure/opportunity • 5 intelligence can help drive IT and business decisions – future planning is more effective Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. The Foundation for the Program Foundational operational proficiencies (things you should already do fairly well) 1. Data classification and governance 2. ITIL fundamentals • Change, configuration and asset management 3. Vulnerability management 6 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Operational Goals Threat Intelligence empowers security operations 1. Prevent known threats more effectively • How? Timely, accurate, shared threat data 2. Detect malicious activity more quickly • How? Reduce noise in the telemetry 3. Respond more effectively • How? Deliver timely actionable threat information 4. Recover more completely • How? Incorporate business context into threat knowledge 7 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. ANALYZING THE SOLUTION MARKETPLACE 8 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Analyzing the Solution Marketplace Intelligence Sources PEOPLE Threat Intelligence Solution + PROCESS Mitigating Technologies Fusion and Analytics Platforms 9 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Intelligence Sources Components Higher-level strategic intelligence focused on specific threat actors or campaigns, meant to drive long-term action. strategic reports strategic value Directly actionable intelligence highlighting a specific threat actor or ongoing campaign. tactical reports Composite indicators focusing on comprehensive profiling aiding (mainly) automated systems. signatures Atomic indicators focusing on fidelity, severity, timeliness feeding automated prevention, detection response platforms static indicators data volume 10 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Another View of Intelligence Content Static Indicators Half-life: short Volume: very high Focus: blocking, infrastructure level Primary consumption: machine 11 Signatures Half-life: moderate Volume: high Focus: detection, analysis, blocking Primary consumption: machine, human Tactical Reports Half-life: moderate Volume: low Focus: response Primary consumption: human Strategic Reports Half-life: extensive Volume: low Focus: strategic Primary consumption: human Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Fusion and Analytics Platforms Analytics Platform Response Procedures Raw Internal Telemetry Raw Intelligence Triage Inbound Raw Intelligence Data Enrichment Procedures Fusion Platform 12 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Raw External Data Mitigating Technologies 01Prevention 13 – Platforms focused on eliminating known threats 02Detection – Platforms focused on decreasing time to discovery and minimizing impact of a potential incident 03Response – Platforms focused on full or partially automated attack and incident response capabilities 04Recovery – Platforms focused on post-incident investigation and restoration of services, processes and systems Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. MATURITY MODEL 14 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. 5 goals of a maturity model 2. Define an achievable roadmap 1. Help organizations focus on their security goals 15 4. Define a complete operational, actionable framework 3. Focus on maturing capabilities delivered through resources Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. 5. Provide a framework for measurable results Program Maturity Model Aware Enterprise acquires threat data mainly to understand general threats, define strategy, program architecture and develop a business case. 16 Reactive Enterprise deploys product-centric response functions in existing technologies leveraging intelligence w/o extensive human intervention to decrease threats. Adaptive Purposeful Enterprise leverages intelligence vetted with human-driven processes to improve security operations; focus on repeatability, scalability, efficiency. Refined Threat intelligence is leveraged to drive focused action in detection, response, and recovery utilizing bi-directional knowledge sharing. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Strategic Threat intelligence program is key to decision support, used to drive future strategy and forward risk reduction; focusing on longterm strategic planning. Program Maturity Model Maturity Aware Enterprise acquires threat data mainly to understand general threats, define strategy, program architecture and develop a business case. 17 Reactive Enterprise deploys product-centric response functions in existing technologies leveraging intelligence w/o extensive human intervention to decrease threats. Adaptive Purposeful Enterprise leverages intelligence vetted with human-driven processes to improve security operations; focus on repeatability, scalability, efficiency. Refined Threat intelligence is leveraged to drive focused action in detection, response, and recovery utilizing bi-directional knowledge sharing. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Strategic Threat intelligence program is key to decision support, used to drive future strategy and forward risk reduction; focusing on longterm strategic planning. Program Maturity Model Aware Enterprise acquires threat data mainly to understand general threats, define strategy, program architecture and develop a business case. 18 Reactive Adaptive Purposeful Maturity in business alignment Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Strategic Threat intelligence program is key to decision support, used to drive future strategy and forward risk reduction; focusing on longterm strategic planning. Program Maturity Model Maturity in technical capabilities Aware Reactive Enterprise deploys product-centric response functions in existing technologies leveraging intelligence w/o extensive human intervention to decrease threats. 19 Adaptive Purposeful Enterprise leverages intelligence vetted with human-driven processes to improve security operations; focus on repeatability, scalability, efficiency. Refined Threat intelligence is leveraged to drive focused action in detection, response, and recovery utilizing bi-directional knowledge sharing. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Strategic ADDRESSING THREATS 20 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Distinguishing Threat Types Keys to differentiating threat types: • • 21 Targeting –whether the victim is one of opportunity, or specifically tasked (individually, by industry, or in another manner) Persistence –whether the intent is a long-term embedded or short-term infiltration; generally speaking to a level of stealth and extent of infiltration Category Targeting Persistence Example Generic no no ransomware Targeted yes no credential thief Persistent yes yes embedded RAT Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Program Maturity Model Threat Addressed: Persistent Aware Enterprise acquires threat data mainly to understand general threats, define strategy, program architecture and develop a business case. Reactive Adaptive Threat Addressed: Targeted Enterprise deploys Enterprise leverages product-centric intelligence vetted response functions in with human-driven existing technologies processes to improve Threat Addressed: Generic leveraging intelligence security operations; w/o extensive human focus on intervention to repeatability, decrease threats. scalability, efficiency. 22 Purposeful Refined Threat intelligence is leveraged to drive focused action in detection, response, and recovery utilizing bi-directional knowledge sharing. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Strategic Threat intelligence program key to decision support, used to drive future strategy and forward risk reduction; focusing on longterm strategic planning. MODEL COMPONENTS 23 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Program Maturity Model Aware Enterprise acquires threat data mainly to understand general threats, define strategy, program architecture and develop a business case. 24 Reactive Adaptive KPIs Purposeful Enterprise deploys product-centric response functions in existing technologies leveraging intelligence w/o extensive human intervention to decrease threats. Enterprise leverages intelligence vetted with human-driven processes to improve security operations; focus on repeatability, scalability, efficiency. Refined Threat intelligence is leveraged to drive focused action in detection, response, and recovery utilizing bi-directional knowledge sharing. Achievements and Capabilities Operational Components Pre-Requisites Drivers Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Strategic Threat intelligence program is key to decision support, used to drive future strategy and forward risk reduction; focusing on longterm strategic planning. Maturity Model Components Drivers Drivers for adoption of each level of maturity Pre-Requisites Operational and business components each level of maturity is dependent upon Operational Components Components (people, process, technologies) of each maturity level Achievements & Capabilities Capabilities delivered to the organization at each level of maturity KPIs Measurable artifacts from each level of maturity 25 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. COMPONENT PROCESS MODEL 26 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Developing a Process Model Survey existing enterprise threat intelligence programs • Develop and define world class process model • Define functional components at all 5 maturity levels • Which process component present • How does that process component manifest Note: Maturity is not linear, however it is additive 27 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. core processes Intialize acquisition collaboration triage distribution execution enrichment development secondary development Complete process components present in a world class organization. 28 feedback refinement (finishing) strategy governance measurement Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Components Explained 29 Component Explanation Acquisition Intake of threat intelligence (external or internal) Development Internal development of threat intelligence Triage Process of normalization, correlation and initial analysis Collaboration Incorporation of additional teams for analysis (internal or external) Enrichment Incorporation of additional context or data Distribution Dissemination of actionable intelligence Execution Decision and associated action on intelligence Feedback Active feedback loops to improve other components Strategy Threat Intelligence advising on security, risk, business strategy Governance Program management to goals and objectives Measurement Defining and quantifying metrics and KPIs Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Process Cycle Measure 1. 2. 3. 4. 5. 6. 7. Clearly define need Assess existing capabilities Define goals Implement components Mature the capabilities Measure against goals Repeat Assess Capabilities Mature Implement 30 Define Need Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Define Goals Now what? Check out the Threat Intelligence Primer • http://www.accuvant.com/resources/threat-intelligence/ Look for the Threat Intelligence Blueprint • Coming shortly Let’s build it together • Ask me how. 31 Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.
© Copyright 2024