Intelligent Analysis About me Kevvie Fowler Lead the TELUS Intelligent Analysis practice – Frequent speaker at major security conferences (Black Hat USA, Sector, Appsec Asia, Microsoft, etc.) – Industry contributions: 2 Security Landscape The industry today is more dangerous than ever before – Today’s threats are evolved and bypass traditional detection measures – Hactivisim is a threat affecting everyone – Targeted attacks are now common in the industry – – Attacks leveraging zero-day vulnerabilities Custom malware Your industry DOES affect your probability of attack 3 Increased complexity Increased stealth (bypass FW, IPS, UTM, WCF) Dynamic Patterns and attack volume vary significantly between industries (healthcare, energy, finance, etc.) “Intelligence” will help improve your defenses against industry attacks Intelligent Analysis | Overview What is “Intelligence”? – Information put into context and in a form that can be acted upon – Intelligence is derived from data Data 4 Information Intelligence Most organizations have the data but can not convert it into “intelligence” Intelligent Analysis | Overview What is Intelligent Analysis? – Advanced event analysis and pre-emptive intelligence that can protect you against present and emerging threats Live-analysis and correlation of device security events – Signature, pattern and anomaly detection 5 Industry analysis of the external threats that are likely to impact your environment (Global, industry, targeted, geographical) Tailored reporting containing metrics and expert advice that enable the effective measurement and tracking of information security Intelligent Analysis | Overview 6 Okay we now know what Intelligent Analysis is so what’s the problem? The problem – How do you monitor external sources (internet, social media, etc.) for relevant information? Data sources Data Sources – The internet Communication • Chat • Email • News • Newsgroup • Webcam • Webcast • Weblog • Social Sites Public Internet Sources Services 8 • Dictionary • Directory • Downloads • Finance • Geospatial • Search • IP Lookup/Who is • Technical Support • Translation • URL Lookup Databases •Commerce •Education •Government •Military •Organizations Web pages • Commerce • Education • Government • Military Estimated size: Roughly 5 million terabytes Expanding by: 100 terabytes per month Data Sources – Social media 9 168m Emails 695k FB Status Updates 510k FB Comments 98k Tweets 79k Wall Posts 6.6k Pictures 1.5k Blog Posts 600 Videos 1 New Article Data Sources – Managing the output 10 Manual analysis aka the “swivel chair” approach isn’t effective You need to enlist the help of some tools to manage the data Tools Tools – Data collection Silobreaker.com Sources: 12 News Blogs Web Content Press Releases Audio/Video Reports/Research Tools – Data collection 13 Silobreaker.com Entity-based Search Tools – Data collection 14 Tools – Data collection 15 Socialmention.com’s 100+ Social Media Sources: Tools – Data collection 16 Tools – Data collection 17 You can leverage feed filters to better target meaningful data Feedrinse Yahoo pipes Analysis process Analysis process | Overview Two-step approach to analysis 1) Transform data to information - Ensure data articles are relevant - Categorize relevant data articles 2. Transform information to actionable intelligence - Rate and prioritize data articles - Research and answer the three W’s - What is it? - Why is it important? - What should you do about it? 19 Analysis process | Overview Step 1 - Transforming data to information – There is a little known tool named NewsPet that can help you transform data to information 20 Analysis process | Overview Configurable RSS feeds Web-based interface Automatic Categorization Ability to recategorize to train the system 21 Michael Fulker Tony Hauber Tyson Williams Analysis process | Overview Review all news that comes in Star important articles Move mislabeled articles to proper categories 22 This enhances the artificial intelligence further Analysis process | Overview 23 Step 2 - Transforming information to intelligence Forward external events to your SIEM…it can help! Analysis process | Overview 24 Analysis process | Overview Calculate the overall risk to a your environment using several vectors – – – – – – 25 Asset Value Relevance to your environment Damage Severity Certainty of Data Source Mitigating Controls Industry Threat Activity Correlate industry activity with event activity within your environment Add context to real-time activity Serve as early-warning for threats in the industry that are likely to impact your organization Meaningful reporting can help you understand the threats targeting your organization and your current level or protection Reporting Reporting Security events 12000 A typical security report Is it effective? 10000 8000 6000 4000 2000 0 High 27 Medium Low Reporting Characterizes the population of external attackers relative to all peers, making a distinction between opportunistic and focused attackers Phase 1 - Attacker Population Total Number of Remote Systems 105000 Total Number Hostile Systems 1800 100000 1600 95000 1400 90000 Focused 1200 85000 Jan Feb Mar Apr May 1000 % of Systems Hostile 800 2.0% Opportunistic 600 1.5% 400 1.0% 200 0.5% 0 0.0% Jan 28 Feb Mar Apr May Jan Feb Mar Apr May Questions ? Thank-you! Questions ? Kevvie Fowler email: [email protected] 29
© Copyright 2024