The document discusses operationalizing security intelligence for mid-market companies. It defines security intelligence as the collective activities and artifacts that enable intelligence-driven security decisions. It outlines the key requirements for security intelligence as high-quality internal and external data, well-defined internal processes, qualified personnel, and integrated technology solutions. The goal is to help mid-market companies develop the capabilities to more effectively detect, respond to, and resolve security incidents.

1. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
OperationalizingSecurity
IntelligencefortheMid-
Market
Rafal M. Los
Principal, Strategic Security Services
HP Enterprise Security Services
RSAConference-2014

2. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
whatis“securityintelligence”?

3. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
“collective set of activities, and
artifacts to make intelligence-
driven decisions”

4. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
detect,respond,resolvemore
effectivelyintheattacklifecycle

5. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Whenyouthinkof
“SecurityIntelligence”…

6. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
“somethingbigenterprisesdo”

7. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
whynotyou?

8. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
thistalkisaframeworkforyou

9. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
..togetyouthinking,motivated

10. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
requirements

11. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
highqualityinternal&external
data+telemetry

12. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
internalprocesses+workstreams

13. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
qualifiedpersonnel

14. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
intelligent,optimizedtechnology

15. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
let’sbreakthatdown…

16. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
internalinformation/data–
knowyourenterpriseattacksurface

17. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
forexample–
• internal business plans
• internal IT technology stack
• known vulnerabilities
• known, accepted risks
• strict change management
• configuration awareness
• unauthorized change detection
• employee activities, habits

18. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
externalinformation/data-
besituationallyaware

19. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
forexample–
• sentiment against your brand/organization
• threat climate of your business vertical
• attacks against similar organizations, vertical
• specific threats against your staff/resources
• geopolitical issues pertaining to your enterprise
• 3rd party reported vulnerabilities
• 3rd party reported exploits
• weaknesses in your external technologies
• reported abused enterprise assets

20. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
internalprocesses+workstreams

21. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
convertinformationintoaction

22. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
forexample–
• handling of inbound, external data sources
• formats: csv, pdf, dashboards and text
• distilling data for relevance
• collating and categorizing with internal data
• prioritizing alerts based on prescribed formulas
• alerting appropriate internal & external entities
• creating actionable items from trusted data
• triage of event(s)
• incident management and handling
• incident response, dfir

23. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
qualifiedpersonnel

24. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
difficultto“addon”responsibility

25. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
SOCanalyst
SecurityIntelligenceanalyst..no

26. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
highlyspecializedskillset

27. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
forexample–
• ability to quickly parse different log types
• ability to quickly make sense of disparate data
• ability to collate and correlate unstructured data
• ability to write code on-the-fly (script)
• proficient in many different security technologies
• able to perform collaborative tasks effectively
• ability to triage incidents quickly, effectively
• proficiency with forensics tools
• strong decision-making capabilities

28. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
intelligent,optimizedtechnology

29. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
techthatworkstogether

30. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
preferintegratedoverdisparate

31. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
techthatmakesanalysismore
efficient,addscertainty

32. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
wemayknowalittlesomethingaboutthis…

33. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
quickrecap

34. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
“SecurityIntelligence”is..
the capability to
detect, respond, and resolveyour
security incidents though an
information-driven approach.

35. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Youcandothis.
Youneedtodothis.

36. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Knowmore.
Defendsmarter.