Threat Intelligence Program Model
v3.5
March 26th, 2015
Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.
The problem: Static enterprise security programs aren’t evolving to meet modern threats to the business.
Threat Intelligence, the solution (also a problem): A highly specialized and fractured solution market is creating more problems than it’s solving.
An opportunity: Complementing your enterprise security program with threat intelligence in a pragmatic, measurable approach.
PROGRAM FOUNDATIONS
Defining Threat Intelligence
Working definition:
“An ecosystem of contextually relevant and evidence-based knowledge – integrated into platforms and tools – to quickly and accurately address dangers to individuals, organizations, or assets in a standardized, consumable format”
Making the Business Case
3 common threat intelligence program drivers
1. Improve efficiency of current resources
• Answer the “are we spending, operationalizing smartly?” question
2. Increase speed & efficiency of detection
• With better intelligence, malicious activity can be detected sooner and more effectively
3. Increase efficiency of response
• Having in-depth knowledge of an adversary or piece of malware means IR teams can be more effective at remediation/forensics
Bonus: Reduce overall attack exposure/opportunity
• Intelligence can help drive IT and business decisions – future planning is more effective
The Foundation for the Program
Foundational operational proficiencies (things you should already do fairly well)
1. Data classification and governance
2. ITIL fundamentals
• Change, configuration and asset management
3. Vulnerability management
Operational Goals
Threat Intelligence empowers security operations
1. Prevent known threats more effectively
• How? Timely, accurate, shared threat data
2. Detect malicious activity more quickly
• How? Reduce noise in the telemetry
3. Respond more effectively
• How? Deliver timely actionable threat information
4. Recover more completely
• How? Incorporate business context into threat knowledge
ANALYZING THE SOLUTION MARKETPLACE
Analyzing the Solution Marketplace
(diagram) Threat Intelligence Solution = Intelligence Sources + Fusion and Analytics Platforms + Mitigating Technologies, combined with PEOPLE + PROCESS
Intelligence Sources Components
(diagram: a pyramid; the slide labels the reports end “strategic value” and the indicators end “data volume”)
• Strategic reports: Higher-level strategic intelligence focused on specific threat actors or campaigns, meant to drive long-term action.
• Tactical reports: Directly actionable intelligence highlighting a specific threat actor or ongoing campaign.
• Signatures: Composite indicators focusing on comprehensive profiling aiding (mainly) automated systems.
• Static indicators: Atomic indicators focusing on fidelity, severity, timeliness feeding automated prevention, detection, response platforms.
Another View of Intelligence Content
Static Indicators
  Half-life: short
  Volume: very high
  Focus: blocking, infrastructure level
  Primary consumption: machine
Signatures
  Half-life: moderate
  Volume: high
  Focus: detection, analysis, blocking
  Primary consumption: machine, human
Tactical Reports
  Half-life: moderate
  Volume: low
  Focus: response
  Primary consumption: human
Strategic Reports
  Half-life: extensive
  Volume: low
  Focus: strategic
  Primary consumption: human
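The half-life and primary-consumption attributes on this slide translate directly into an aging policy: machine-consumed content (static indicators, signatures) should drop off automated controls as it goes stale, while reports stay with analysts however old they are. The script below is an added example, not code from the deck or from Accuvant; the numeric half-lives, the 50-point threshold, the IntelItem record and the sample feed are all assumptions made for illustration, since the slide only gives qualitative labels.

```python
"""Added example (not from the Accuvant deck): aging intelligence content by
type.  The deck gives each type a qualitative half-life and a primary consumer;
the numeric half-lives here are assumed for illustration only."""
from dataclasses import dataclass
from datetime import date

# Assumed half-lives in days for the deck's qualitative labels.
HALF_LIFE_DAYS = {
    "static_indicator": 7,     # "short"
    "signature": 90,           # "moderate"
    "tactical_report": 180,    # "moderate"
    "strategic_report": 730,   # "extensive"
}
# Primary consumption per the slide: these two types are machine-consumed.
MACHINE_CONSUMED = {"static_indicator", "signature"}
DECK_DATE = date(2015, 3, 26)  # date on the title slide, used as "today"


@dataclass
class IntelItem:
    kind: str          # key of HALF_LIFE_DAYS
    value: str         # indicator value or report title
    base_score: float  # 0..100 fidelity/confidence when published or last seen
    last_seen: date    # last sighting (indicators) or publication date (reports)


def decayed_score(item, today=DECK_DATE):
    """Exponential decay: the score halves once per half-life of the type."""
    age_days = max((today - item.last_seen).days, 0)
    return item.base_score * 0.5 ** (age_days / HALF_LIFE_DAYS[item.kind])


def route(item, today=DECK_DATE, threshold=50.0):
    """Machine-consumed content stays on automated controls only while its
    decayed score is above the threshold, then expires to cut telemetry noise.
    Human-consumed reports go to the analyst queue regardless of score."""
    if item.kind not in MACHINE_CONSUMED:
        return "analyst_queue"
    return "automated_controls" if decayed_score(item, today) >= threshold else "expired"


def triage_feed(items, today=DECK_DATE):
    """Group a feed by destination: {route: [values]}."""
    buckets = {}
    for item in items:
        buckets.setdefault(route(item, today), []).append(item.value)
    return buckets


# Constructed sample feed; addresses are documentation ranges, not real IoCs.
SAMPLE_FEED = [
    IntelItem("static_indicator", "198.51.100.23", 90.0, date(2015, 3, 24)),
    IntelItem("static_indicator", "203.0.113.7", 90.0, date(2015, 2, 1)),
    IntelItem("signature", "sig-constructed-0001", 80.0, date(2015, 2, 15)),
    IntelItem("tactical_report", "campaign report (constructed)", 70.0, date(2014, 12, 1)),
    IntelItem("strategic_report", "sector outlook (constructed)", 70.0, date(2014, 6, 1)),
]

if __name__ == "__main__":
    for item in SAMPLE_FEED:
        print(f"{item.kind:17} {item.value:32} "
              f"score={decayed_score(item):5.1f} -> {route(item)}")
```

Running it on the deck's date shows the two-day-old static indicator still on automated controls, the 53-day-old one expired, the signature still live on its longer half-life, and both reports queued for a human. Re-sighting an indicator would be modelled by updating last_seen, which is what the slide's "timeliness" attribute amounts to in practice.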
Fusion and Analytics Platforms
(diagram) A Fusion Platform, containing Inbound Raw Intelligence Triage and Data Enrichment Procedures, is fed by Raw External Data, Raw Internal Telemetry and Raw Intelligence; alongside it sit an Analytics Platform and Response Procedures.
Mitigating Technologies
01 Prevention – Platforms focused on eliminating known threats
02 Detection – Platforms focused on decreasing time to discovery and minimizing impact of a potential incident
03 Response – Platforms focused on full or partially automated attack and incident response capabilities
04 Recovery – Platforms focused on post-incident investigation and restoration of services, processes and systems
MATURITY MODEL
5 goals of a maturity model
1. Help organizations focus on their security goals
2. Define an achievable roadmap
3. Focus on maturing capabilities delivered through resources
4. Define a complete operational, actionable framework
5. Provide a framework for measurable results
Program Maturity Model
Maturity levels, from Aware to Strategic:
Aware: Enterprise acquires threat data mainly to understand general threats, define strategy, program architecture and develop a business case.
Reactive: Enterprise deploys product-centric response functions in existing technologies leveraging intelligence w/o extensive human intervention to decrease threats.
Adaptive: Enterprise leverages intelligence vetted with human-driven processes to improve security operations; focus on repeatability, scalability, efficiency.
Purposeful: Refined threat intelligence is leveraged to drive focused action in detection, response, and recovery utilizing bi-directional knowledge sharing.
Strategic: Threat intelligence program is key to decision support, used to drive future strategy and forward risk reduction; focusing on long-term strategic planning.
Program Maturity Model (continued; level descriptions as above)
Maturity in business alignment: the slide highlights the Aware and Strategic levels.
Maturity in technical capabilities: the slide highlights the Reactive, Adaptive and Purposeful levels.
ADDRESSING THREATS
Distinguishing Threat Types
Keys to differentiating threat types:
• Targeting – whether the victim is one of opportunity, or specifically tasked (individually, by industry, or in another manner)
• Persistence – whether the intent is a long-term embedded or short-term infiltration; generally speaking to a level of stealth and extent of infiltration

Category     Targeting   Persistence   Example
Generic      no          no            ransomware
Targeted     yes         no            credential thief
Persistent   yes         yes           embedded RAT
Program Maturity Model: Threat Addressed
(diagram; level descriptions as above) The slide annotates the maturity levels with the threat type addressed: Threat Addressed: Generic (placed alongside the Reactive level), Threat Addressed: Targeted (placed alongside the Adaptive level), Threat Addressed: Persistent (placed across the top of the model).
MODEL COMPONENTS
Program Maturity Model: Components
(diagram; level descriptions as above) Each maturity level is described by five component layers: Drivers, Pre-Requisites, Operational Components, Achievements and Capabilities, KPIs.
Maturity Model Components
Drivers: Drivers for adoption of each level of maturity
Pre-Requisites: Operational and business components each level of maturity is dependent upon
Operational Components: Components (people, process, technologies) of each maturity level
Achievements & Capabilities: Capabilities delivered to the organization at each level of maturity
KPIs: Measurable artifacts from each level of maturity
COMPONENT PROCESS MODEL
Developing a Process Model
Survey existing enterprise threat intelligence programs
• Develop and define a world-class process model
• Define functional components at all 5 maturity levels
  • Which process components are present
  • How each process component manifests
Note: Maturity is not linear; however, it is additive
Core processes
Complete process components present in a world-class organization:
• Initialize
• acquisition
• collaboration
• triage
• distribution
• execution
• enrichment
• development
• secondary development
• feedback
• refinement (finishing)
• strategy
• governance
• measurement
Components Explained
Component: Explanation
Acquisition: Intake of threat intelligence (external or internal)
Development: Internal development of threat intelligence
Triage: Process of normalization, correlation and initial analysis
Collaboration: Incorporation of additional teams for analysis (internal or external)
Enrichment: Incorporation of additional context or data
Distribution: Dissemination of actionable intelligence
Execution: Decision and associated action on intelligence
Feedback: Active feedback loops to improve other components
Strategy: Threat Intelligence advising on security, risk, business strategy
Governance: Program management to goals and objectives
Measurement: Defining and quantifying metrics and KPIs
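The Fusion and Analytics Platforms slide and the component table above describe the same pipeline from two angles: raw intelligence and internal telemetry come in, triage normalizes and correlates them, enrichment attaches business context, distribution hands out something actionable, and measurement reports a KPI. The script below is an added example, not code from the deck or from Accuvant, that runs those components end to end on constructed data. The two feed formats, the proxy log lines, the asset inventory (standing in for the data-classification and asset-management prerequisites) and the 50-point confidence floor are all assumptions.

```python
"""Added example (not from the Accuvant deck): a minimal fusion pipeline that
runs acquisition, triage, enrichment, distribution and measurement on
constructed feeds, log lines and asset data (addresses are test-net ranges)."""
import csv
import io
import json
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "kind value source confidence")
Sighting = namedtuple("Sighting", "indicator host classification owner line")

# Acquisition: two raw external feeds in different formats (constructed).
CSV_FEED = """type,value,confidence
ip,203.0.113.7,85
domain,bad.example,60
"""
JSON_FEED = json.dumps([
    {"indicator_type": "ipv4", "indicator": "198.51.100.23", "score": 0.9},
    {"indicator_type": "fqdn", "indicator": "evil.example", "score": 0.4},
])
# Raw internal telemetry: constructed proxy log lines.
PROXY_LOG = """2015-03-25T10:01:02Z host=ws-017 dst=203.0.113.7 dstname=- action=allow
2015-03-25T10:02:15Z host=db-02 dst=198.51.100.23 dstname=evil.example action=allow
2015-03-25T10:03:40Z host=ws-031 dst=192.0.2.10 dstname=ok.example action=allow
"""
# Assumed asset inventory: output of the data-classification and asset-management
# prerequisites named in the deck.  Unknown hosts get the lowest priority.
ASSETS = {
    "ws-017": {"classification": "internal", "owner": "desktop-team"},
    "db-02": {"classification": "restricted", "owner": "dba-team"},
}
PRIORITY = {"restricted": 0, "confidential": 1, "internal": 2, "unknown": 3}
LOG_RE = re.compile(r"host=(\S+) dst=(\S+) dstname=(\S+)")

def acquire_csv(text):
    """Intake of a CSV feed into the common Indicator record."""
    rows = csv.DictReader(io.StringIO(text))
    return [Indicator(r["type"], r["value"], "csv_feed", int(r["confidence"]))
            for r in rows]

def acquire_json(text):
    """Intake of a JSON feed; type names and 0..1 scores are normalized."""
    kind_map = {"ipv4": "ip", "fqdn": "domain"}
    return [Indicator(kind_map[d["indicator_type"]], d["indicator"], "json_feed",
                      int(round(d["score"] * 100)))
            for d in json.loads(text)]

def triage(indicators, min_confidence=50):
    """Normalization and initial analysis: case-fold values, drop low-confidence
    items, and keep the highest-confidence copy of any duplicate."""
    best = {}
    for ind in indicators:
        if ind.confidence < min_confidence:
            continue
        key = (ind.kind, ind.value.lower())
        if key not in best or best[key].confidence < ind.confidence:
            best[key] = ind._replace(value=ind.value.lower())
    return list(best.values())

def enrich(indicator, host, line):
    """Add business context (classification, owner) from the asset inventory."""
    asset = ASSETS.get(host, {"classification": "unknown", "owner": "unknown"})
    return Sighting(indicator, host, asset["classification"], asset["owner"], line)

def correlate(indicators, log_text):
    """Match vetted indicators against internal telemetry; each hit is enriched."""
    by_key = {(i.kind, i.value): i for i in indicators}
    sightings = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        host, dst, dstname = match.groups()
        for key in (("ip", dst), ("domain", dstname.lower())):
            if key in by_key:
                sightings.append(enrich(by_key[key], host, line))
    return sightings

def distribute(sightings):
    """Actionable output ordered by the classification of the affected asset,
    then by indicator confidence."""
    return sorted(sightings,
                  key=lambda s: (PRIORITY[s.classification], -s.indicator.confidence))

def match_rate(indicators, sightings):
    """Measurement KPI: share of vetted indicators seen in internal telemetry."""
    hit = {(s.indicator.kind, s.indicator.value) for s in sightings}
    return len(hit) / len(indicators) if indicators else 0.0

def run_pipeline():
    """Acquisition -> triage -> correlation/enrichment -> distribution."""
    vetted = triage(acquire_csv(CSV_FEED) + acquire_json(JSON_FEED))
    return vetted, distribute(correlate(vetted, PROXY_LOG))

if __name__ == "__main__":
    vetted, sightings = run_pipeline()
    for s in sightings:
        print(f"[{s.classification}] {s.host} ({s.owner}) reached "
              f"{s.indicator.kind}={s.indicator.value} conf={s.indicator.confidence}")
    print(f"match rate: {match_rate(vetted, sightings):.2f}")
```

The low-confidence domain from the JSON feed is dropped at triage, so its appearance in the second log line produces no sighting; the two address hits are reported with the restricted database host first, which is the business-context ordering the deck's "Incorporate business context into threat knowledge" goal asks for. The match-rate KPI is one concrete instance of the Measurement component.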
Process Cycle
1. Clearly define need
2. Assess existing capabilities
3. Define goals
4. Implement components
5. Mature the capabilities
6. Measure against goals
7. Repeat
(diagram) Cycle: Define Need → Assess Capabilities → Define Goals → Implement → Mature → Measure → back to Define Need
Now what?
Check out the Threat Intelligence Primer
• http://www.accuvant.com/resources/threat-intelligence/
Look for the Threat Intelligence Blueprint
• Coming shortly
Let’s build it together
• Ask me how.