Threat intelligence needs to be in a language the business understands. SurfWatch Labs can help connect cyber threat intelligence to business operations in order to help manage cyber risk.
Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations
1. Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations
John Pescatore, SANS
Adam Meyer, SurfWatch Labs
2. Obligatory Agenda Slide
• Housekeeping info
• Here’s what we will do
○ 1:05 – 1:15 Overview – John Pescatore
○ 1:15 – 1:45 Threat Intelligence – Adam Meyer
○ 1:45 – 2:00 Q&A
Thanks to our sponsor:
3. Q & A
• Please use GoToWebinar’s Questions tool to submit questions to our panel.
• Send to “Organizers” and tell us if it’s for a specific speaker.
4. Making Security Advances During Turbulent Times
Threats aren’t standing still
Business/technology demands aren’t, either
Prevent more, detect faster, resolve with less disruption
11. Defining Situational Awareness
• Pre-flight: plan the safest route
• In flight: decrease reaction time so that the mission gets accomplished and the pilot returns safely
• Post-flight: do better next time
12. Plenty of Data
• Threat feeds
• Security Controls status/configuration
• Log Monitoring
• Asset Status
○ Network Scanning
○ Passive Discovery
○ Credentialed Access
○ Local agent drill-down
13. From Data to Action
Diagram elements (flow chart on the slide): Business Intelligence Big Data; Security Big Data; Fraud/Transaction Big Data; Threat Analytics; Security Controls Analytics; Situational Awareness; Action!
14. Focus/Force Multiplication
• Need to focus limited resources on the highest payback areas.
• Turn floods of data into harvests of information.
• False positives are not the problem – wasting time on them is.
• Situational awareness vs. information/event management.
• Action – prevent more, detect faster, resolve more surgically
• Intelligence vs. voyeurism…
17. Gaining Visibility of Cyber Risks is Critical to the Viability of Your Business
• A majority of attacks compromise defenses within minutes, but detecting the breach takes on average 200+ days
• Leaders are struggling to align security strategies with real-world business strategies
- 14% of corporations report that the Board is actively involved in cybersecurity preparedness
- 52% report minimal involvement
• Supply chain represents significant risk
- 57% of breaches originate from partners and suppliers (PwC)
21. Defining “Intelligence”
Intelligence is regularly defined as information that can be acted upon to change outcomes.
1. Move from “unknown unknowns” to “known unknowns” by discovering the existence of threats, and then …
2. Shift “known unknowns” to “known knowns”, where the threat is well understood and mitigated.
While this is the norm for defenders, it’s not normal for decision makers.
22. Put Cyber Threat Intelligence into Terms the Business Can Understand
Hierarchy shown on the slide (top to bottom):
- Organization
- Business Unit
- Products and Services
- Tools in Support of the Product/Service
- Infrastructure to Support the Tools
- Data in Support of the Business
• Be Defendable
• Executive Communications (Non-Technical)
• Is the Business Unit “Well Positioned” Against Threats? Why Not?
• What the Business Cares About
• What is the Threat Surface?
• What Investments are Needed?
• Needs of the User Community
• User Point of Presence
• Public Facing / Adversary Exposure
• IT Pain Points
• Decentralized Oversight (Shadow IT, Disconnected IT Teams)
• Adversary’s Target
• Liability and Regulatory Impact
23. Put Cyber Threat Intelligence into Terms the Business Can Understand
Strategic (Decision)
• For Senior Leaders
• Used to measure cyber risk and make investments
Operational (Output)
• Bridges the broad, non-technical, strategic needs with the narrow, technical inputs
• Focuses on the immediate operating environment
Tactical (Output)
• Where On-the-Network actions take place
• The efforts to Detect and Respond to on-the-wire events
24. Internal vs. External Threat Intelligence
Internal
• Necessary for tactical defense
- Prevention
- Detection
- Incident Response
- Information Exchange
External
• Necessary for managing overall organizational risk
- Industry threat activity
- Fraud/Extortion
- Brand & Reputation
- Targeting
25. Measuring Cyber Threat Intelligence
• Start Simple
– Good business managers run things on a foundation of evaluated intelligence – it’s the thing you know.
• Make Risks Learnable
– Learnable risks are the ones we could make less uncertain if we took the time and resources to learn more about them.
– Random risks are defined as those that had no analysis.
– Separating learnable risks from random ones in business decisions, and examining them for causes or drivers, can make them less uncertain.
– Tie learnable risks to any characteristics that make you “you”.
26. Measuring Cyber Threat Intelligence
• Enable Good Analysis
– If an intelligent human is conducting an attack, intelligent humans must be directing the defense.*
– All operations in cyberspace begin with a human being.**
• Ensure You are Defendable
– Against malicious individuals and groups
– In court and against regulatory action
– Your brand, both personal and organizational
* Lockheed Martin, “Defendable Architectures: Achieving Cyber Security by Designing for Intelligence Driven Defense”
** Intelligence and National Security Alliance (INSA)
27. The CISO’s Tug of War
Intelligence Operations (Tracking Threats) vs. Network Defense (Stop the Bleeding)
Source: EMC
28. How a CISO Can Leverage Threat Intelligence to Mitigate Risk
• Intelligence provides critical insights on ACTIVE threats to your business and can be applied to different areas of the business
- Threat intelligence teams – know threat actors and their motivations to improve your defenses
- Fraud teams – understand what commodities are being monetized so you can minimize fraud
- Partners and Suppliers – understand the “presence” your vendors have to complement supply chain risk management
- Breach Response – instead of waiting to “get the call” from law enforcement, get ahead of the curve
29. Mitigating Risk with a Practical Intelligence Operation
• Co-Managed Intel – Complement your intel and facilitate faster, more effective risk management decisions
• Focus on Analysis – It’s less about getting more data and more about enabling sound analysis
• Link Intel to Business Impact – Avoid alert fatigue by worrying about threats specific to your business
• People, Process, Technology – Good intelligence leverages automation, expert human analysis and a process for using the intel
31. Additional SurfWatch Labs Resources
SurfWatch Cyber Advisor: www.surfwatchlabs.com/cyber-advisor
Dark Web Surveillance: www.surfwatchlabs.com/dark-web-intelligence
Request a Demonstration:
• Personal Demo: info.surfwatchlabs.com/request-demo
• Demo Webinar: info.surfwatchlabs.com/Webcast/Threat-Intel-Live-Demo-Series
Connecting Your Intelligence Tradecraft to Business Operations