Operationalizing Security Intelligence [ InfoSec World 2014 ]
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

1. Operationalizing Security Intelligence
Rafal M. Los
Principal, Strategic Security Services
HP Enterprise Security Services
#InfoSecWorld-2014

2. To set your expectations: this is a super-ultra condensed introduction to a very complex topic.

3. what is "security intelligence"?

4. "collective set of activities, and artifacts to make intelligence-driven decisions"

5. detect, respond, resolve more effectively in the attack lifecycle

6. did someone say "kill chain"?

7. The Lockheed Martin "Kill Chain":
reconnaissance → weaponization → delivery → exploitation → installation → command & control (C2) → actions on objectives
8. your adversaries are organized

9. your adversaries are adaptable

10. your defenses are static

11. your defenses are predictable

12. PREVENTION IS A MYTH

13. time for a better game plan

14. old goal: don't get breached

15. new goal: disrupt the attack
bonus points for disrupting the attacker

16. reality: your defenses will be breached

18. so now what?
19. this talk is a framework for you

20. ...change is long overdue.

21. the puzzle pieces

22. the toolbox

23. the data

24. the operational processes

25. the actions

26. let's break that down...

27. the toolbox

28. data store
aggregation and analytics engine
29. (diagram: data, data, data → intelligence)

30. scalable
flexible
extensible
fast
affordable

31. - various scanning tools
- work-stream system
- collaboration tools

32. Things to look for:
• normalized input/output data format(s)
• inter-operability
• extensibility
• scriptable automation
• scalability
• maintainability
• feature richness
• ease-of-use

33. pick a tool-set that matches your company profile

34. the data
35. internal: know your enterprise attack surface

36. start with the fundamentals

37. map the network
identify existing technologies
identify business-critical assets

38. create representative data models
continuously update these models

39. "current state" [snapshot]

40. what are we vulnerable to right now?
what are we doing about it?

41. THIS is your starting point.

42. now add context
43. Asset context record (example node: 10.1.2.100)

    Attribute             Data
    asset_type            <asset_type>
    asset_criticality     <criticality_level>
    OS                    <os_name>
    OS-patch-level        <major_minor>
    purpose               <text>
    owner                 <owner_name>
    owner-BU              <business_unit>
    owner-contact-email   <email>
    owner-contact-phone   <phone>
    installed-software    (software table below)
    change-info           (change_info table below)
    vulnerability-info    (vuln_info table below)
    …                     …

    software              version
    software_name         <version>
    software_name         <version>
    software_name         <version>
    …                     …

    change_info           data
    last-change           <date>
    last-change-made      <text>
    last-change-tech      <name>
    …                     …

    vuln_info             data
    vulnerability         <severity>
    …                     …
44. there is no such thing* as "too much information"
* almost...

45. "live data" [continuous feeds]

46. detect changes
to environment
in assets

47. determine new threats

49. what changed?
what is the potential impact?

50. continuous detection of change
• new (previously unseen) node on network
• unauthorized configuration change
• unauthorized change to application, or system
• new/modified user, or access rights
• new vulnerability or missing patch
51. requirement: TVM program
(threat & vulnerability management)

52. requirement: configuration management DB
(manage, authorize config changes)

53. requirement: collective logging
(log key items, on key assets)

55. log → aggregate → analyze → identify → refine

56. Key logging questions to answer:
• what should you be logging?
• what assets should you log from?
• what should you look for?
• how do you define 'timely'?
• how much should I be storing for analysis?

57. external: be situationally aware

58. for example:
• sentiment against your brand/organization
• threat climate of your business vertical
• attacks against similar organizations, vertical
• specific threats against your staff/resources
• geopolitical issues pertaining to your enterprise
• 3rd party reported vulnerabilities
• 3rd party reported exploits
• weaknesses in your external technologies
• reported abused enterprise assets

59. refining 'data' purposefully
IP address → context → external info → analysis
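As an added illustration (not part of the talk or of HP's material): the asset-context record of slide 43, the change classes of slide 50 and the "IP address → context → external info → analysis" refinement of slide 59, in one script. The Asset record, detect_changes, refine, the external feed and every host and version in it are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    """Hypothetical asset-context record modelled on the slide 43 attribute table."""
    ip: str
    asset_criticality: str                                   # low / medium / high
    os_patch_level: str
    owner_bu: str
    installed_software: dict = field(default_factory=dict)   # software_name -> version
    users: set = field(default_factory=set)                  # accounts with access rights
    vulnerabilities: dict = field(default_factory=dict)      # vuln id -> severity

IMPACT = {"low": 1, "medium": 2, "high": 3}   # weight a finding by asset criticality

def detect_changes(before, after):
    """Diff two snapshots (ip -> Asset) for the change classes slide 50 lists."""
    findings = []
    for ip, new in after.items():
        old, w = before.get(ip), IMPACT[new.asset_criticality]
        if old is None:                                      # new (previously unseen) node
            findings.append((ip, "new node on network", w))
            continue
        if old.os_patch_level != new.os_patch_level:         # change to system
            findings.append((ip, f"system change: patch level {new.os_patch_level}", w))
        for name, ver in new.installed_software.items():     # change to application
            if old.installed_software.get(name) != ver:
                findings.append((ip, f"application change: {name} {ver}", w))
        for user in sorted(new.users - old.users):           # new user / access rights
            findings.append((ip, f"new user: {user}", w))
        for vuln, sev in new.vulnerabilities.items():        # new vulnerability
            if vuln not in old.vulnerabilities:
                findings.append((ip, f"new vulnerability: {vuln} ({sev})", w))
    return sorted(findings, key=lambda f: -f[2])             # highest impact first

def refine(ip, snapshot, external):
    """Slide 59: IP address -> internal context -> external info -> analysis ("so what?")."""
    asset = snapshot.get(ip)
    if asset is None:
        return {"ip": ip, "priority": 0, "reasons": ["not in asset model: unknown node"]}
    reasons = []
    for name, ver in asset.installed_software.items():
        if ver in external.get("exploited_software", {}).get(name, []):
            reasons.append(f"{name} {ver} has a third-party reported exploit")
    if ip in external.get("abused_assets", set()):
        reasons.append("asset reported as abused by a third party")
    priority = IMPACT[asset.asset_criticality] * (1 + len(reasons))
    return {"ip": ip, "owner_bu": asset.owner_bu, "priority": priority, "reasons": reasons}

# Constructed sample data: the slide 43 host between two snapshots, plus a fake feed.
BEFORE = {"10.1.2.100": Asset("10.1.2.100", "high", "3.10", "finance",
                              {"webapp": "2.3"}, {"svc"})}
AFTER = {"10.1.2.100": Asset("10.1.2.100", "high", "3.10", "finance",
                             {"webapp": "2.4"}, {"svc", "tmpadmin"}, {"VULN-001": "critical"}),
         "10.1.2.101": Asset("10.1.2.101", "low", "8.1", "hr")}
EXTERNAL = {"exploited_software": {"webapp": ["2.4"]}, "abused_assets": {"10.1.2.100"}}

if __name__ == "__main__":
    print(*detect_changes(BEFORE, AFTER), refine("10.1.2.100", AFTER, EXTERNAL), sep="\n")
```

The findings list answers slide 49's "what changed?" and the criticality weight answers "what is the potential impact?"; refine turns one IP into the decision-ready record slide 77 asks for.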
60. defining and operationalizing processes

61. gathering information

62. fail your information quickly

64. it's interesting...
but is it useful?

65. not all information is useful

66. tools to pare down information
• simple scripts
• data analysis applications
• relational mapping tools
• 'big data' platforms
• structured & unstructured data analyses

67. finding information is easy

68. throwing away junk is hard

69. refining collected information

70. convert information to knowledge

72. extremely difficult

73. manual process, for analysts

74. aided by automation

75. (diagram: six numbered steps, 1 to 6)
76. delivering intelligence

77. information necessary to make a decision

78. must.be.repeatable.

79. must.be.actionable.

80. Analysis is NOT enough.

81. need to answer: "So what?"

82. provide thorough analysis backed by actual facts, data

83. in a timely fashion

84. in a useful, consumable format

85. taking action

86. rules of engagement
(what are you allowed to do?)

87. take 'purposeful' action

88. which process is activated?
incident response
security operations

89. taking action

90. detect

91. be proactive
out-maneuver the threat

92. be reactive
counter active threat

93. respond

94. mitigate the vulnerability

95. minimize the impact of attack

96. shut down an active attack

97. actively shift defenses

98. identify the attacker

99. resolve

100. restore services

101. Closed Loop Incident Process

102. adjust security operations

103. share IOCs

104. quick recap
105. "Security Intelligence" is...
the capability to detect, respond, and resolve your security incidents through an information-driven approach.

106. You can do this.
You need to do this.

107. Know more.
Defend smarter.