Ted Gruenloh, Director of Operations, ECONET
The Role of Threat Intelligence and Layered Security for Intrusion Prevention
The term 'Threat Intelligence' is getting a lot of buzz these days, but what does it mean? And, more importantly, how can it help protect your network? In this presentation, we will attempt to answer these questions within the context of a layered security approach that integrates Threat Intelligence with existing security methodologies. We also attempt to demonstrate how Threat Intelligence can improve a network's defenses at the perimeter and allow administrators to gain more visibility on the inside.
Similaire à NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era by Ted Gruenloh (20)
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era by Ted Gruenloh
1. *
The Role of Threat Intelligence
and Layered Security
for Intrusion Prevention in the
Post-Target Breach Era
Ted Gruenloh
Director of Operations
Sentinel IPS
2. Review of the current Network Security landscape
Quick overview of Layered Security
What, exactly, is Threat Intelligence?
Threat Intelligence and Layered Security, together
Publicly shared sources of Threat Intelligence
Conclusion and Q & A
Agenda
3. Current Network Security
Not Your Father’s Threats
Yesterday’s Threat Landscape…
Perimeter was defined, and endpoints were easily managed
Data and assets were static
Malware/Trojans had limited points of entry
4. Current Network Security
Today’s Threat Landscape
Perimeter? What perimeter? And with BYOD, it’s more like herding cats.
Data and Assets are mobile, dynamic, and accessed by almost anyone
Juxtaposition between privacy (SSL) and visibility (decryption, anyone?)
Malware can manifest itself anywhere
5. Layered Security: Fact and Fiction
The Big Boys like to bash each other
Are there any silver bullets?
Let’s have an honest conversation: Everyone has their
strengths
We prefer a different approach. More like …
6. Layered Security: A Quick Inventory
From perimeter to endpoint, paralleling the “Cyber Kill Chain”:
External IPS, Next-Gen Firewalls, Application Firewalls, Vulnerability
Scanning, and Penetration Testing
Dedicated IDS, Web Proxies, SPAM Filters, Sandbox/Sandnet
techniques
Anti-virus, Personal Firewalls, Host-based IPS, patching, software
updates
And one SIEM to log them all
“Prepare to be breached.”
Shift from preventative to detective? Sort
of.
Layered Security: “Defense in Depth”
Recommended by the NSA
;-)
7. What is Threat Intelligence?
“The real-time collection, normalization, and analysis of the
data generated by users, applications and infrastructure
that impacts the IT security and risk posture of an
enterprise.”
“The goal of Security Intelligence is to provide actionable and
comprehensive insight that reduces risk and operational
effort for any size organization.”
- John Burnham, IBM
Ummmm … What?
“The real-time collection, normalization, and analysis of the
data generated by users, applications and infrastructure
that impacts the IT security and risk posture of an
enterprise.”
“The goal of Security Intelligence is to provide actionable and
comprehensive insight that reduces risk and operational
effort for any size organization.”
- John Burnham, IBM
Ummmm … What?
“Threat Intelligence is network data that, when
put to good use, can protect you.”
- Me
8. No, really. What is Threat Intelligence?
This might get a little technical.
WARNING
9. No, really. What is Threat Intelligence?
Malware Exchanges & Sources
Malware Exchange (major NetSec vendors)
VirusTotal.com
VirusShare.com
IDS/IPS Event Feedback Loop
Universities
ISPs and Carriers
IDS/IPS Customer base
Sandnets
IDS/IPS
Rulesets
Other Proprietary
Information
DNS/Domain Lists
and Analytics
IP Reputation Lists
and Analytics
T h i s i s T h r e a t I n t e l l i g e n c e .
Data Engine
(Pcap analysis and data correlation)
Pcaps
10. OK. What does Threat Intelligence look like?
Lists of IPs and/or URLs
Could be as simple as a text file of IP addresses or
domains associated with bad actors and command &
control servers
STIX and TAXII
Comes from DHS, and designed and maintained by
MITRE. Provides a common markup language and
method of exchange for threat intelligence data. Many
companies provide their threat intelligence in STIX.
Proprietary Data
Takes many forms, from simple automated feeds to
complex databases and APIs. Companies trying to
differentiate themselves by providing unique insights, like
geolocation, business sector, threat classification, etc.
11. Explicit rules DPI/Pattern matching AV software, Host-based IPS
0% 10% to 40% 10% to 40%
Threat Intelligence and Layered Security
Security:
Blocked Malware:
~85%
BLOCKED MALWARE
“Actionable” Threat Intelligence
SIEM consolidates data from multiple devices
Might include Intelligence from external sources
Used for analysis and incident response
SIEM
“Active” Threat Intelligence
IP and/or Domain reputation lists
Pushed out to security devices regularly
Collaboration of InfoSec community
Internet
Firewall IDS/IPS Corporate LAN
12. Publicly Shared Threat Intelligence
The What.
Many Network Security vendors make their living selling threat
intelligence. Luckily, many of these vendors also offer at least
some of their intelligence up to the community at large, for free, no
strings attached. You can benefit from this.
The Why.
Why give it away? Online businesses often use the ‘Freemium’
business model to introduce their product to consumers. But more
importantly, many Network Security vendors feel a sense of duty
born out of the Internet’s implicit sense of community.
In other words, it’s the right thing to do.
And now, the Who and the How.
13. Publicly Shared Threat Intelligence
The Who.
A sampling of NetSec organizations that provide free Threat
Intelligence.
senderbase.org
http://shadowserver.org
http://rules.emergingthreats.net Open Threat Exchange CI Army list at http://cinsscore.com
Center for Internet Security http://dshield.org
(SANS Internet Storm Center)
14. Publicly Shared Threat Intelligence
The How.
Here’s how we do it.
CINS System
Active Sentinels
The Internet
and
NetSec
Community
CINS Lists
(“Active” Threat Intelligence)
csf firewalls, curl, python urllib,
etc.
15. And in conclusion…
Layered security doesn’t only make sense as a
network security strategy; its diversity also produces
better threat intelligence. And, active threat
intelligence can dramatically improve a network’s
protection from malware and other attacks.
Conclusion?
Layered Security and Active Threat Intelligence:
Two great tastes that taste great together.
16. Ted Gruenloh
Director of Operations
(972) 991-5005
tedg@econet.com
http://www.networkcloaking.com/free
Questions?
Ted Gruenloh
@tedgruenloh