SlideShare a Scribd company logo

Transforming Expectations for Treat-Intelligence Sharing

E
EMC

Gain insight into a new approach to information-sharing processes for threat intelligence which ensures that data distribution is relevant, actionable, and automated. RSA Security Briefs provide executives and practitioners with essential guidance on today’s most pressing information-security risks and opportunities. Each Brief is created by a select response team of security and technology experts who mobilize across companies to share specialized knowledge on a critical emerging topic. Offering both big-picture insight and practical technology advice, these papers are vital reading for today’s forward-thinking security leaders.

TechnologyBusiness
1 of 8
Download to read offline
TRANSFORMING EXPECTATIONS FOR THREAT-INTELLIGENCE SHARING RSA Perspective KEY POINTS Organizations today rely on information-sharing processes that are so manually intensive, duplicative, and inefficient that they cannot scale to meet critical computer network defense requirements of speed, agility, relevance, and accuracy. This gap ultimately translates into lost opportunities to avoid serious losses, improve security practices, prevent attacks, and predict threats. The global security community should transform the methods, approaches, and expectations for the sharing of threat information by requiring what is shared to be 1) directed and actionable, and 2) aimed at providing a meaningful, and potentially automated corrective response. Sharing information equally with everyone often results in information that’s helpful to no one. Information-sharing processes are productive only if the intelligence disseminated is relevant to members’ businesses and effective in helping them address threats or provide a proactive defense. While actionable intelligence is always appreciated, automated defense in response to intelligence is preferred, especially by small- and medium-sized organizations that may lack the security resources to devise corrective measures on their own. Certain industry consortia and working groups have integrated threat-intelligence gathering and response processes so tightly that the sharing of the underlying threat information actually is rendered unnecessary, because participants can leapfrog directly to corrective measures (e.g., updated block lists in browsers). The security community achieves outsized results when it pools expertise and resources to analyze threats and develop solutions collaboratively. Expanded cooperation between tools/software vendors and Information Sharing and Analysis Centers (ISACs) is a promising direction to explore.  August 2013 Kathleen M. Moriarty Global Lead Security Architect, Corporate Office of the CTO EMC Corporation
RSA Perspective, August 2013 Exchanging security intelligence among other organizations has long been held up as key to achieving “situational awareness”—that is, understanding external threats clearly enough to assess their potential impact on an organization and formulate a response. Today, information sharing has assumed tremendous importance, given the rise of APTs and other targeted security attacks. With our hyper-connected networks, the prevalence of cloud, social media and mobile services, and the mounting complexity of most IT environments, advanced threats can hide in more places, spread faster, and cause more damage than ever before. Information sharing is central to a new security approach called Intelligence-Driven Security. In an Intelligence-Driven Security approach, organizations consume and process data from many diverse sources to assess in real time their exposures and risks, improve decision-making, prioritize security activities, and shorten the time needed to detect and respond to threats. Exchanging reliable threat intelligence with trusted external partners is pivotal to Intelligence-Driven Security. Some organizations already exchange threat intelligence. Some participate in groups formed expressly to share threat information such as ISACs; others participate in passive ways, such as sharing harmful URLs with browser vendors to enhance block lists. Although threat-intelligence sharing yields value, it could and should yield far more. Overall, practices for sharing security information among organizations suffer from several shortcomings: • Shared data is difficult to act upon – Threat intelligence often delivers low value because the information lacks sufficient detail and context, is unverified or is not well- matched to an organization’s business needs (i.e., does not apply to the organization’s vulnerabilities, system configurations, information assets or mission). • High levels of manual processing required – Threat intelligence typically requires intensive processing by recipients (e.g., human sorting, normalization, cutting and pasting data between applications) to uncover what’s useful and make it actionable. • Redundant effort – Each organization receiving threat data must often do its own processing and analysis of information, resulting in massive duplication of effort among recipients of security information. • Scarcity of skilled resources to analyze threats – There are simply too few security experts available, considering the mountains of security data to be analyzed and the thousands of organizations needing their help. • Poor linkages to security controls – Because of the lack of generally accepted standards, many threat-intelligence feeds are not easily integrated with security tools, creating delays in acting upon useful intelligence as controls await manual processing and activation by security experts. • Remediation addresses symptoms but not the cause – Threat response may block URLs, change system configurations or take other corrective steps to prevent harm, but they do not address the root cause of the threat that creates recurrent vulnerabilities, such as understanding the tools, tactics and procedures used by adversaries or directly removing the threat. The result of these deficiencies is that organizations today rely on information-sharing processes that are so manually intensive, duplicative, and inefficient that they cannot scale to meet critical computer network defense requirements of speed, agility, relevance and accuracy. This gap ultimately translates into lost opportunities to improve security practices, avoid serious losses, prevent attacks, and predict threats. page 2
RSA Perspective, August 2013 page 3 THREAT INFORMATION MUST BE ACTIONABLE AND AUTOMATED Addressing many of the current problems in information sharing will require the global security community to strive collectively for two goals: 1. Ensure that the dissemination of threat intelligence is relevant and actionable – This means our sharing efforts should be connected to a fundamental shared objective and identify an immediate and active security response focused on where it can have the greatest risk-mitigating effect. 2. Develop a speedy, sustainable, and scalable model to automate reliable threat- information sharing among trusted parties and integrate response processes to minimize or prevent damage. For benchmarks on achieving these goals, we can examine a few of the sharing groups that have begun exchanging threat information in a directed, actionable way—with some even integrating with commercial-off-the-shelf (COTS) security tools for seamless threat remediation. Three notable examples are the groups exchanging email abuse information, anti-phishing information, and vendor threat-intelligence feeds. Example 1: Preventing Email Abuse Large email service providers communicate via standards they developed to address email abuse problems (including spam). These providers address the abuse problem at the source, collaborating in the Messaging, Malware, Mobile Anti-Abuse Working Group (M3AAWG). Email operators determined what information was helpful to exchange in order to stop or mitigate email abuse directly with their peers: the operators of large email services. The operators have the ability to detect abuse and stop any abuse that originates through their services, providing effective defenses to these issues. These protections have broad benefits, reducing the overall threat in an automated way that does not burden users with having to take corrective steps themselves. Example 2: Neutralizing Phishing Attacks One of the most notable and effective uses of information sharing is from the Anti- Phishing Working Group (APWG). The APWG coordinated with members affected by phishing (e.g., the financial industry) at the start of its work. It developed intelligence solutions that were later standardized to collect information into a centralized data warehouse. The APWG provides this clearinghouse of cybercrime data to its members, who then take actions to mitigate or stop threats. These actions include taking down the source of the phishing sites, which involves coordination with APWG vendor members and law enforcement. By targeting the sites that distribute email-based phishing attacks and the malware distribution servers (often included as links within phishing email attacks), APWG provides a focused and effective response that is directed at the source of the problem. Additionally, vendor members use the clearinghouse of cybercrime data to distribute preventive controls such as block lists that can be deployed to every desktop browser. Information is quickly distributed to where it can have the most effect while users remain unaware of the protections and the actual threat intelligence that have been deployed. This approach makes effective controls invisible and is a paragon of automated, dynamic remediation. WHAT ARE SHARING GROUPS? Organizations that collect, process, and distribute threat intelligence as a service to their participants, members, and/or end-users. Examples of sharing groups include: • Industry consortia such as ISACS, APWG, and M3AAWG • Vendors providing threat intellgence research and data feeds and/or commercial products and services integrating such feeds (e.g., security tools, browser providers) • Operators such as Internet Service Providers (ISPs) and communications network providers
RSA Perspective, August 2013 page 4 Example 3: Integrating Security Controls with Intelligence Feeds COTS security software vendors and service providers’ threat-intelligence feeds have typically focused on problem areas such as malware, network threats, web- and application-layer attacks, compromised identities, and other components of fraud. The APWG crosses the boundary into vendor/service provider threat-intelligence feeds, because commercial organizations often use APWG intelligence as one of their many data sources. While the APWG combines many data sets for cybercrime in its clearinghouse, it’s up to the participating COTS vendors, service providers, and threat-intelligence feed providers to provide an active response. They must deploy directed and actionable intelligence within their services and within the architectural frameworks of their products (e.g., integration of “live” intelligence or indicators of compromise into a security analytics platform). This integrated approach is an early paradigm for how the practice of sharing threat information should be approached: IOCs need not be distributed as data in the clear; instead, they should be transformed on behalf of recipients into active response capabilities and mitigating controls. Many follow-on actions, such as blocking, black- holing, and black listing can be automated through tools controlled by security software vendors and service providers. Other remediation steps, such as the take-down of a command and control server or malware distribution site, can be undertaken by service providers for the benefit of all. Plus, the data required to implement corrective measures uses only small portions of the overall data set and can obviate having to disclose the larger underlying set of threat intelligence (e.g., IOCs), thus limiting the possibility of information leakage on threats or threat actors. In order to provide actionable and automated threat-intelligence feeds, a number of COTS vendors and threat-intelligence service providers have sophisticated analytic centers with highly skilled experts utilizing multiple complex data sets. The analytic tools and formats are optimized within each of these environments to meet the changing needs of the business problems being solved by these teams. The analytic tools and data sets evolve continuously, with teams innovating to provide accurate threat-intelligence feeds and added value to customers. In some cases, data sets and formats will overlap; in other cases the business problems are sufficiently distinct. LESSONS LEARNED FROM INFORMATION-SHARING GROUPS The sharing groups described above, in which security vendors, network operators, and industry consortia work together, are prime examples of how information-sharing activities can have a broad impact by generating either corrective action or actionable information that can be deployed as appropriate. From these examples we can derive several instructive insights: • Sharing groups grow strong when members have shared business interests and thus similar business risks and security concerns. That’s why sharing groups typically segment themselves by industry (e.g., financial services, state governments) or a business problem (e.g., reducing spam, preventing fraud, preventing denial of service attacks).
RSA Perspective, August 2013 page 5 • ISPs, network operators, and other service providers who serve as gateways to large numbers of end users have developed effective, operationally focused information- sharing models by formalizing international standard data formats, such as the Incident Object Description Exchange Format (IODEF)1 used by the APWG and the Abuse Reporting Format (ARF)2 used by M3AAWG. Combining and correlating threat information provided by different sharing groups requires normalized data formats. Data standards become especially important for sharing among groups. • Security service providers, industry consortia, and working groups have shown that threat- intelligence gathering and response processes can be coupled so closely for certain threat scenarios and use cases that information sharing is rendered unnecessary, because corrective measures can be taken automatically on behalf of participants and customers (e.g., block lists in browsers). • While actionable intelligence is always appreciated, computer network defense that can be deployed automatically is preferred, especially by small- and medium-sized organizations that may lack the security resources to devise corrective measures on their own. • The capability to deploy defenses without having to reveal underlying threat intelligence delivers security benefits while protecting the acquisition methods, integrity, and confidentiality of information sources. • The security community achieves outsized results when it pools expertise and resources to work on complex security problems, obviating the need to solve problems in parallel and potentially arriving at solutions faster. Perhaps the most important lesson to take away from successful information-sharing groups such as the APWG and M3AAWG is that sharing threat intelligence is not the end game. Information-sharing processes are productive only if the intelligence disseminated is relevant to members’ businesses and helps them address threats or provide a proactive, effective defense. Information that can be quickly distributed to where it can have the greatest effect—preferably while both general users and adversaries remain unaware of the protections deployed—is ideal. The APWG’s automated deployment of URL block lists in browsers is a classic example of this. SELECTIVE SHARING REDUCES THREAT-INFORMATION SPAM Sharing information equally with everyone often results in information that’s helpful to no one. Threat-information sharing should be directed only to relevant parties and focused on a problem they care about. Differentiate by Business Concerns and Mission Focus Differences in business interests and mission focus among sharing members will divide and dictate what should be shared. That’s why many of the most successful threat- information exchange groups are focused on a specific use case, mission objective or a business problem, such as distributed denial of service (DDoS) attacks, phishing attacks or tracking specific threat actors. Whether threat intelligence is relevant or not is ultimately up to individual organizations to decide. To sort through the volumes of threat intelligence available to them, it’s imperative that organizations automate analysis of security information. Security tools when data standards matter (OR NOT) Information sharing standards provide a common interface or exchange mechanism to automate the transfer of information between two parties. In threat intelligence exchange, data format and protocol standards help ensure that the information packaged by the sender is “unpacked” and interpreted by the receiver as intended. Standards include policy details so information shared is protected and treated with the due care expected by the sender. A sharing group may use different data formats and protocols to communicate with other sharing groups than it uses to share information internally. Or sharing groups may apply the same data standards to very different use cases, by either using certain portions of a standard or by selecting extensions to that standard. Security-related information that is exchanged less frequently or that varies over time can be handled using extensions to existing data formats, which may be standardized or private. Interoperable data formats become important when exhchanging data among different organizations, but interoprability is not necessarily the desired default state. Diversity in data formats allows for flexibility in product implementations. Security vendors usse proprietary methods to communicate with deployed products and then use standards-based interfaces for interoperability between product implementations. Additionally, various de facto formats for data sharing have emerged within sharing groups with narrow fields of focus. To unify these disparate data formats, transformation mappings can be applied. 1 R. Danyliw, J. Meijer, Y. Demchenko; “The Incident Object Description Exchange Format” Internet Engineering Task Force (IETF) RFC 5070; December 2007 2 Y. Shafranovich, J. Levine, M. Kucherawy; “An Extensible Format for Email Feedback Reports” Internet Engineering Task Force (IETF) RFC 5965; August 2010
RSA Perspective, August 2013 page 6 must be context-aware to assess the applicability of threat information to the organization. These assessments, which are often handled today by security personnel, will increasingly rely on the intersection of Big Data security analytics and asset- management platforms. In many large companies, different parts of the organization use different asset-management tools, making it challenging to get a unified, enterprise-wide picture of applicable risks and vulnerabilities. A single view of the organization’s assets and configurations could be derived by integrating asset management platforms with security- and risk-analysis tools such as governance, risk, and compliance (GRC) systems. GRC platforms not only measure risks to assets, but they also monitor how those assets interact so mitigating controls can be adapted accordingly. Additionally, GRC tools can ingest threat intelligence, reprioritize risks and focus the organization or appropriate corrective action based on newly identified threats. Advanced GRC tools will integrate with security analytics tools, automating the evaluation and use of intelligence feeds providing broader situational awareness. Differentiate by Organizational Size Larger enterprises with sophisticated capabilities are typically interested in actionable intelligence that they can analyze and take action on themselves. Some use threat intelligence to help them understand and reduce the scope of threat actors they are facing. Small- and medium-sized organizations, on the other hand, often do not have the resources to participate in threat-information sharing groups or to pore through volumes of security data. Instead, smaller organizations prefer a turnkey approach in which risk remediation is handled for them, either by automated security tools or by service providers who host applications and data and manage security risks as part of service level agreements (SLAs). Regardless of the size of the organization, GRC platforms must provide a business or mission context for the threat intelligence they collect. Risks and options should be assigned potential consequences and presented not as security or IT decisions but as business-level decisions.
RSA Perspective, August 2013 page 7 CONCLUSION Gathering external threat intelligence is essential to assessing an organization’s real risks. As part of an Intelligence-Driven Security program, threat information can help organizations prioritize security activities and shorten the time needed to detect and respond to potential threats. Many organizations participating in threat-intelligence-sharing programs suffer from TMI (too much information), while others struggle to use threat intelligence that’s neither relevant nor actionable to their business/mission objectives. In disseminating threat information, information-sharing groups must keep in mind that intelligence itself is not the goal; remediating risks and neutralizing threats is. To this end, information-sharing programs must do the following: 1. Make the dissemination of threat intelligence directed, relevant, and actionable – This means our sharing efforts should identify an immediate and active security response focused on where it can have the greatest effect. 2. Develop a speedy, sustainable, and scalable model to automate information sharing and threat response. Simultaneously, we must improve information-sharing and analysis processes so that fewer security experts are needed to address problems. One way of achieving this is to pool resources and work on problem resolution collaboratively. A promising avenue to explore is enhanced cooperation between threat analysis centers, such as ISACs, communications service providers and software and security tool vendors. When external threat intelligence is actionable, relevant and triggers a corrective response, organizations can expand situational awareness and improve security not just for themselves but also for their information-sharing partners. The author wishes to acknowledge the following EMC and RSA colleagues for their contributions, edits, and validation of trends and positive direction: David Black, Tim Belcher, Rear Adm. Mike Brown (Ret.), Seth Geftic, Brian Girardi, William Gragido, Chris Harrington, Erik Mogus, Alok Ojha, Paul Stoecker, Eddie Schwartz, John Swift, Steve Todd, and Peter Tran.
EMC2 , EMC, the EMC logo, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other products or services mentioned are trademarks of their respective companies. © Copyright 2013 EMC Corporation. All rights reserved. 223649-H12175-TIS-BRF-0213 ABOUT RSA RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations solve their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, encryption & key management, SIEM, data loss prevention, continuous network monitoring, and fraud protection with industry leading GRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com. www.rsa.com RSA Perspective, August 2013

Recommended

ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...Ulf Mattsson
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITEnvision Technology Advisors
 
US Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security InitiativesiUS Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security InitiativesiLindsey Landolfi
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 
The Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security BreachThe Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security BreachCloudLock
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever
 
br-security-connected-top-5-trends
br-security-connected-top-5-trendsbr-security-connected-top-5-trends
br-security-connected-top-5-trendsChristopher Bennett
 
clearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureclearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureLee Dalton
 

Recommended

ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...Ulf Mattsson
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITEnvision Technology Advisors
 
US Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security InitiativesiUS Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security InitiativesiLindsey Landolfi
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 
The Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security BreachThe Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security BreachCloudLock
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever
 
br-security-connected-top-5-trends
br-security-connected-top-5-trendsbr-security-connected-top-5-trends
br-security-connected-top-5-trendsChristopher Bennett
 
clearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureclearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureLee Dalton
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overviewdr_edw777
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessGary Hayslip CISSP, CISA, CRISC, CCSK
 
POV - Enterprise Security Canvas
POV - Enterprise Security CanvasPOV - Enterprise Security Canvas
POV - Enterprise Security CanvasRobert Greiner
 
[EB100510] Evelyn del Monte: Context-Aware and Adaptive Security
[EB100510] Evelyn del Monte: Context-Aware and Adaptive Security[EB100510] Evelyn del Monte: Context-Aware and Adaptive Security
[EB100510] Evelyn del Monte: Context-Aware and Adaptive SecurityComputerworld Philippines
 
Cybersecurity Program Assessments
Cybersecurity Program AssessmentsCybersecurity Program Assessments
Cybersecurity Program AssessmentsJohn Anderson
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesTony Moroney
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-FundamentalsGary Hayslip CISSP, CISA, CRISC, CCSK
 
Threat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperThreat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperDuncan Hart
 
Creating And Enforcing Anti Malware Practices
Creating And Enforcing Anti Malware PracticesCreating And Enforcing Anti Malware Practices
Creating And Enforcing Anti Malware PracticesDiane M. Metcalf
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security programWilliam Godwin
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectJermund Ottermo
 
What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attackAndreanne Clarke
 
Cybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future AttacksCybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future AttacksStrategy&, a member of the PwC network
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
 
Biznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspektiBiznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspektiebuc
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligencewbesse
 
Adopting Intelligence-Driven Security
Adopting Intelligence-Driven SecurityAdopting Intelligence-Driven Security
Adopting Intelligence-Driven SecurityEMC
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data SecurityImperva
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0Vincent Toms
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
Insaat kursu-sakarya
Insaat kursu-sakaryaInsaat kursu-sakarya
Insaat kursu-sakaryasersld54
 
N 1.v.gogol
N 1.v.gogol N 1.v.gogol
N 1.v.gogol irinaanissimova
 

More Related Content

What's hot

Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overviewdr_edw777
 
POV - Enterprise Security Canvas
POV - Enterprise Security CanvasPOV - Enterprise Security Canvas
POV - Enterprise Security CanvasRobert Greiner
 
[EB100510] Evelyn del Monte: Context-Aware and Adaptive Security
[EB100510] Evelyn del Monte: Context-Aware and Adaptive Security[EB100510] Evelyn del Monte: Context-Aware and Adaptive Security
[EB100510] Evelyn del Monte: Context-Aware and Adaptive SecurityComputerworld Philippines
 
Cybersecurity Program Assessments
Cybersecurity Program AssessmentsCybersecurity Program Assessments
Cybersecurity Program AssessmentsJohn Anderson
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesTony Moroney
 
Threat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperThreat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperDuncan Hart
 
Creating And Enforcing Anti Malware Practices
Creating And Enforcing Anti Malware PracticesCreating And Enforcing Anti Malware Practices
Creating And Enforcing Anti Malware PracticesDiane M. Metcalf
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security programWilliam Godwin
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectJermund Ottermo
 
What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attackAndreanne Clarke
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
 
Biznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspektiBiznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspektiebuc
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligencewbesse
 
Adopting Intelligence-Driven Security
Adopting Intelligence-Driven SecurityAdopting Intelligence-Driven Security
Adopting Intelligence-Driven SecurityEMC
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data SecurityImperva
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0Vincent Toms
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 

What's hot (20)

Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overview
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
 
POV - Enterprise Security Canvas
POV - Enterprise Security CanvasPOV - Enterprise Security Canvas
POV - Enterprise Security Canvas
 
[EB100510] Evelyn del Monte: Context-Aware and Adaptive Security
[EB100510] Evelyn del Monte: Context-Aware and Adaptive Security[EB100510] Evelyn del Monte: Context-Aware and Adaptive Security
[EB100510] Evelyn del Monte: Context-Aware and Adaptive Security
 
Cybersecurity Program Assessments
Cybersecurity Program AssessmentsCybersecurity Program Assessments
Cybersecurity Program Assessments
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
 
Threat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperThreat Lifecycle Management_Whitepaper
Threat Lifecycle Management_Whitepaper
 
Creating And Enforcing Anti Malware Practices
Creating And Enforcing Anti Malware PracticesCreating And Enforcing Anti Malware Practices
Creating And Enforcing Anti Malware Practices
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in Retrospect
 
What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attack
 
Cybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future AttacksCybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future Attacks
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity Framework
 
Biznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspektiBiznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspekti
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligence
 
Adopting Intelligence-Driven Security
Adopting Intelligence-Driven SecurityAdopting Intelligence-Driven Security
Adopting Intelligence-Driven Security
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data Security
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 

Viewers also liked

Insaat kursu-sakarya
Insaat kursu-sakaryaInsaat kursu-sakarya
Insaat kursu-sakaryasersld54
 
Tues ind rev problems pollution
Tues ind rev problems pollutionTues ind rev problems pollution
Tues ind rev problems pollutionTravis Klein
 
Monday latin america
Monday latin americaMonday latin america
Monday latin americaTravis Klein
 
Flash Implications in Enterprise Storage Array Designs
Flash Implications in Enterprise Storage Array DesignsFlash Implications in Enterprise Storage Array Designs
Flash Implications in Enterprise Storage Array DesignsEMC
 
Kleptomaniac Press Release by EIN PRESSWIRE
Kleptomaniac Press Release by EIN PRESSWIREKleptomaniac Press Release by EIN PRESSWIRE
Kleptomaniac Press Release by EIN PRESSWIREDr. Frank Chase Jr
 
Piece By Piece Design Portfolio
Piece By Piece Design PortfolioPiece By Piece Design Portfolio
Piece By Piece Design Portfolioleec9857
 
โรคอ้วน!!
โรคอ้วน!!โรคอ้วน!!
โรคอ้วน!!sumethinee
 
Hubungan da’wah dengan ilmu
Hubungan da’wah dengan ilmuHubungan da’wah dengan ilmu
Hubungan da’wah dengan ilmuHMGI
 
Biynees khemjee awah
Biynees khemjee awahBiynees khemjee awah
Biynees khemjee awahpvsa_8990
 
Insaat kursu-kagithane
Insaat kursu-kagithaneInsaat kursu-kagithane
Insaat kursu-kagithanesersld54
 
Linux kursu-ankara
Linux kursu-ankaraLinux kursu-ankara
Linux kursu-ankarasersld67
 
Configuration Compliance For Storage, Network & Server
Configuration Compliance For Storage, Network & Server Configuration Compliance For Storage, Network & Server
Configuration Compliance For Storage, Network & Server EMC
 
Презентация
ПрезентацияПрезентация
Презентацияperspektiva63
 

Viewers also liked (20)

Insaat kursu-sakarya
Insaat kursu-sakaryaInsaat kursu-sakarya
Insaat kursu-sakarya
 
N 1.v.gogol
N 1.v.gogol N 1.v.gogol
N 1.v.gogol
 
Tues ind rev problems pollution
Tues ind rev problems pollutionTues ind rev problems pollution
Tues ind rev problems pollution
 
Monday latin america
Monday latin americaMonday latin america
Monday latin america
 
Flash Implications in Enterprise Storage Array Designs
Flash Implications in Enterprise Storage Array DesignsFlash Implications in Enterprise Storage Array Designs
Flash Implications in Enterprise Storage Array Designs
 
Eq price monday
Eq price mondayEq price monday
Eq price monday
 
Kleptomaniac Press Release by EIN PRESSWIRE
Kleptomaniac Press Release by EIN PRESSWIREKleptomaniac Press Release by EIN PRESSWIRE
Kleptomaniac Press Release by EIN PRESSWIRE
 
Portfólio
PortfólioPortfólio
Portfólio
 
Piece By Piece Design Portfolio
Piece By Piece Design PortfolioPiece By Piece Design Portfolio
Piece By Piece Design Portfolio
 
โรคอ้วน!!
โรคอ้วน!!โรคอ้วน!!
โรคอ้วน!!
 
Hubungan da’wah dengan ilmu
Hubungan da’wah dengan ilmuHubungan da’wah dengan ilmu
Hubungan da’wah dengan ilmu
 
Biynees khemjee awah
Biynees khemjee awahBiynees khemjee awah
Biynees khemjee awah
 
Topic 9 final accounts
Topic 9 final accountsTopic 9 final accounts
Topic 9 final accounts
 
Doc2
Doc2Doc2
Doc2
 
Formulario sucursales
Formulario sucursalesFormulario sucursales
Formulario sucursales
 
Siberiar Taiga
Siberiar TaigaSiberiar Taiga
Siberiar Taiga
 
Insaat kursu-kagithane
Insaat kursu-kagithaneInsaat kursu-kagithane
Insaat kursu-kagithane
 
Linux kursu-ankara
Linux kursu-ankaraLinux kursu-ankara
Linux kursu-ankara
 
Configuration Compliance For Storage, Network & Server
Configuration Compliance For Storage, Network & Server Configuration Compliance For Storage, Network & Server
Configuration Compliance For Storage, Network & Server
 
Презентация
ПрезентацияПрезентация
Презентация
 

Similar to Transforming Expectations for Treat-Intelligence Sharing

Information Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdfInformation Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdfforladies
 
Using Threat Intelligence to Improve Your Company.pdf
Using Threat Intelligence to Improve Your Company.pdfUsing Threat Intelligence to Improve Your Company.pdf
Using Threat Intelligence to Improve Your Company.pdfCyFirma1
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilienceSymantec
 
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...IJNSA Journal
 
Assess risks to IT security.pptx
Assess risks to IT security.pptxAssess risks to IT security.pptx
Assess risks to IT security.pptxlochanrajdahal
 
A Proposed Model for Datacenter in -Depth Defense to Enhance Continual Security
A Proposed Model for Datacenter in -Depth Defense to Enhance Continual SecurityA Proposed Model for Datacenter in -Depth Defense to Enhance Continual Security
A Proposed Model for Datacenter in -Depth Defense to Enhance Continual SecurityHossam Al-Ansary
 
Best Open Threat Management Platform in USA
Best Open Threat Management Platform in USABest Open Threat Management Platform in USA
Best Open Threat Management Platform in USACompanySeceon
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
Icit analysis-identity-access-management
Icit analysis-identity-access-managementIcit analysis-identity-access-management
Icit analysis-identity-access-managementMark Gibson
 
Intelligence Driven Threat Detection and Response
Intelligence Driven Threat Detection and ResponseIntelligence Driven Threat Detection and Response
Intelligence Driven Threat Detection and ResponseEMC
 
Managed Security Services — Cyberroot Risk Advisory
Managed Security Services — Cyberroot Risk AdvisoryManaged Security Services — Cyberroot Risk Advisory
Managed Security Services — Cyberroot Risk AdvisoryCR Group
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxRunning Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxtoltonkendal
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxwkyra78
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALMichael Bunn
 

Similar to Transforming Expectations for Treat-Intelligence Sharing (20)

Information Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdfInformation Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdf
 
Using Threat Intelligence to Improve Your Company.pdf
Using Threat Intelligence to Improve Your Company.pdfUsing Threat Intelligence to Improve Your Company.pdf
Using Threat Intelligence to Improve Your Company.pdf
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilience
 
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
 
Assess risks to IT security.pptx
Assess risks to IT security.pptxAssess risks to IT security.pptx
Assess risks to IT security.pptx
 
A Proposed Model for Datacenter in -Depth Defense to Enhance Continual Security
A Proposed Model for Datacenter in -Depth Defense to Enhance Continual SecurityA Proposed Model for Datacenter in -Depth Defense to Enhance Continual Security
A Proposed Model for Datacenter in -Depth Defense to Enhance Continual Security
 
Best Open Threat Management Platform in USA
Best Open Threat Management Platform in USABest Open Threat Management Platform in USA
Best Open Threat Management Platform in USA
 
Mhdscs2019 v049n03 010
Mhdscs2019 v049n03 010Mhdscs2019 v049n03 010
Mhdscs2019 v049n03 010
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Measures to Avoid Cyber-attacks
Measures to Avoid Cyber-attacksMeasures to Avoid Cyber-attacks
Measures to Avoid Cyber-attacks
 
Measure To Avoid Cyber Attacks
Measure To Avoid Cyber AttacksMeasure To Avoid Cyber Attacks
Measure To Avoid Cyber Attacks
 
Icit analysis-identity-access-management
Icit analysis-identity-access-managementIcit analysis-identity-access-management
Icit analysis-identity-access-management
 
Intelligence Driven Threat Detection and Response
Intelligence Driven Threat Detection and ResponseIntelligence Driven Threat Detection and Response
Intelligence Driven Threat Detection and Response
 
Managed Security Services — Cyberroot Risk Advisory
Managed Security Services — Cyberroot Risk AdvisoryManaged Security Services — Cyberroot Risk Advisory
Managed Security Services — Cyberroot Risk Advisory
 
Incident Response
Incident ResponseIncident Response
Incident Response
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxRunning Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Network Security
Network SecurityNetwork Security
Network Security
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
 

More from EMC

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDEMC
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote EMC
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOEMC
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremioEMC
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lakeEMC
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereEMC
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History EMC
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewEMC
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeEMC
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic EMC
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityEMC
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeEMC
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015EMC
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesEMC
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsEMC
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookEMC
 

More from EMC (20)

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremio
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop Elsewhere
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical Review
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or Foe
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for Security
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure Age
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere Environments
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBook
 

Recently uploaded

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Transforming Expectations for Treat-Intelligence Sharing

  • 1. TRANSFORMING EXPECTATIONS FOR THREAT-INTELLIGENCE SHARING RSA Perspective KEY POINTS Organizations today rely on information-sharing processes that are so manually intensive, duplicative, and inefficient that they cannot scale to meet critical computer network defense requirements of speed, agility, relevance, and accuracy. This gap ultimately translates into lost opportunities to avoid serious losses, improve security practices, prevent attacks, and predict threats. The global security community should transform the methods, approaches, and expectations for the sharing of threat information by requiring what is shared to be 1) directed and actionable, and 2) aimed at providing a meaningful, and potentially automated corrective response. Sharing information equally with everyone often results in information that’s helpful to no one. Information-sharing processes are productive only if the intelligence disseminated is relevant to members’ businesses and effective in helping them address threats or provide a proactive defense. While actionable intelligence is always appreciated, automated defense in response to intelligence is preferred, especially by small- and medium-sized organizations that may lack the security resources to devise corrective measures on their own. Certain industry consortia and working groups have integrated threat-intelligence gathering and response processes so tightly that the sharing of the underlying threat information actually is rendered unnecessary, because participants can leapfrog directly to corrective measures (e.g., updated block lists in browsers). The security community achieves outsized results when it pools expertise and resources to analyze threats and develop solutions collaboratively. Expanded cooperation between tools/software vendors and Information Sharing and Analysis Centers (ISACs) is a promising direction to explore.  August 2013 Kathleen M. Moriarty Global Lead Security Architect, Corporate Office of the CTO EMC Corporation
  • 2. RSA Perspective, August 2013 Exchanging security intelligence among other organizations has long been held up as key to achieving “situational awareness”—that is, understanding external threats clearly enough to assess their potential impact on an organization and formulate a response. Today, information sharing has assumed tremendous importance, given the rise of APTs and other targeted security attacks. With our hyper-connected networks, the prevalence of cloud, social media and mobile services, and the mounting complexity of most IT environments, advanced threats can hide in more places, spread faster, and cause more damage than ever before. Information sharing is central to a new security approach called Intelligence-Driven Security. In an Intelligence-Driven Security approach, organizations consume and process data from many diverse sources to assess in real time their exposures and risks, improve decision-making, prioritize security activities, and shorten the time needed to detect and respond to threats. Exchanging reliable threat intelligence with trusted external partners is pivotal to Intelligence-Driven Security. Some organizations already exchange threat intelligence. Some participate in groups formed expressly to share threat information such as ISACs; others participate in passive ways, such as sharing harmful URLs with browser vendors to enhance block lists. Although threat-intelligence sharing yields value, it could and should yield far more. Overall, practices for sharing security information among organizations suffer from several shortcomings: • Shared data is difficult to act upon – Threat intelligence often delivers low value because the information lacks sufficient detail and context, is unverified or is not well- matched to an organization’s business needs (i.e., does not apply to the organization’s vulnerabilities, system configurations, information assets or mission). • High levels of manual processing required – Threat intelligence typically requires intensive processing by recipients (e.g., human sorting, normalization, cutting and pasting data between applications) to uncover what’s useful and make it actionable. • Redundant effort – Each organization receiving threat data must often do its own processing and analysis of information, resulting in massive duplication of effort among recipients of security information. • Scarcity of skilled resources to analyze threats – There are simply too few security experts available, considering the mountains of security data to be analyzed and the thousands of organizations needing their help. • Poor linkages to security controls – Because of the lack of generally accepted standards, many threat-intelligence feeds are not easily integrated with security tools, creating delays in acting upon useful intelligence as controls await manual processing and activation by security experts. • Remediation addresses symptoms but not the cause – Threat response may block URLs, change system configurations or take other corrective steps to prevent harm, but they do not address the root cause of the threat that creates recurrent vulnerabilities, such as understanding the tools, tactics and procedures used by adversaries or directly removing the threat. The result of these deficiencies is that organizations today rely on information-sharing processes that are so manually intensive, duplicative, and inefficient that they cannot scale to meet critical computer network defense requirements of speed, agility, relevance and accuracy. This gap ultimately translates into lost opportunities to improve security practices, avoid serious losses, prevent attacks, and predict threats. page 2
  • 3. RSA Perspective, August 2013 page 3 THREAT INFORMATION MUST BE ACTIONABLE AND AUTOMATED Addressing many of the current problems in information sharing will require the global security community to strive collectively for two goals: 1. Ensure that the dissemination of threat intelligence is relevant and actionable – This means our sharing efforts should be connected to a fundamental shared objective and identify an immediate and active security response focused on where it can have the greatest risk-mitigating effect. 2. Develop a speedy, sustainable, and scalable model to automate reliable threat- information sharing among trusted parties and integrate response processes to minimize or prevent damage. For benchmarks on achieving these goals, we can examine a few of the sharing groups that have begun exchanging threat information in a directed, actionable way—with some even integrating with commercial-off-the-shelf (COTS) security tools for seamless threat remediation. Three notable examples are the groups exchanging email abuse information, anti-phishing information, and vendor threat-intelligence feeds. Example 1: Preventing Email Abuse Large email service providers communicate via standards they developed to address email abuse problems (including spam). These providers address the abuse problem at the source, collaborating in the Messaging, Malware, Mobile Anti-Abuse Working Group (M3AAWG). Email operators determined what information was helpful to exchange in order to stop or mitigate email abuse directly with their peers: the operators of large email services. The operators have the ability to detect abuse and stop any abuse that originates through their services, providing effective defenses to these issues. These protections have broad benefits, reducing the overall threat in an automated way that does not burden users with having to take corrective steps themselves. Example 2: Neutralizing Phishing Attacks One of the most notable and effective uses of information sharing is from the Anti- Phishing Working Group (APWG). The APWG coordinated with members affected by phishing (e.g., the financial industry) at the start of its work. It developed intelligence solutions that were later standardized to collect information into a centralized data warehouse. The APWG provides this clearinghouse of cybercrime data to its members, who then take actions to mitigate or stop threats. These actions include taking down the source of the phishing sites, which involves coordination with APWG vendor members and law enforcement. By targeting the sites that distribute email-based phishing attacks and the malware distribution servers (often included as links within phishing email attacks), APWG provides a focused and effective response that is directed at the source of the problem. Additionally, vendor members use the clearinghouse of cybercrime data to distribute preventive controls such as block lists that can be deployed to every desktop browser. Information is quickly distributed to where it can have the most effect while users remain unaware of the protections and the actual threat intelligence that have been deployed. This approach makes effective controls invisible and is a paragon of automated, dynamic remediation. WHAT ARE SHARING GROUPS? Organizations that collect, process, and distribute threat intelligence as a service to their participants, members, and/or end-users. Examples of sharing groups include: • Industry consortia such as ISACS, APWG, and M3AAWG • Vendors providing threat intellgence research and data feeds and/or commercial products and services integrating such feeds (e.g., security tools, browser providers) • Operators such as Internet Service Providers (ISPs) and communications network providers
  • 4. RSA Perspective, August 2013 page 4 Example 3: Integrating Security Controls with Intelligence Feeds COTS security software vendors and service providers’ threat-intelligence feeds have typically focused on problem areas such as malware, network threats, web- and application-layer attacks, compromised identities, and other components of fraud. The APWG crosses the boundary into vendor/service provider threat-intelligence feeds, because commercial organizations often use APWG intelligence as one of their many data sources. While the APWG combines many data sets for cybercrime in its clearinghouse, it’s up to the participating COTS vendors, service providers, and threat-intelligence feed providers to provide an active response. They must deploy directed and actionable intelligence within their services and within the architectural frameworks of their products (e.g., integration of “live” intelligence or indicators of compromise into a security analytics platform). This integrated approach is an early paradigm for how the practice of sharing threat information should be approached: IOCs need not be distributed as data in the clear; instead, they should be transformed on behalf of recipients into active response capabilities and mitigating controls. Many follow-on actions, such as blocking, black- holing, and black listing can be automated through tools controlled by security software vendors and service providers. Other remediation steps, such as the take-down of a command and control server or malware distribution site, can be undertaken by service providers for the benefit of all. Plus, the data required to implement corrective measures uses only small portions of the overall data set and can obviate having to disclose the larger underlying set of threat intelligence (e.g., IOCs), thus limiting the possibility of information leakage on threats or threat actors. In order to provide actionable and automated threat-intelligence feeds, a number of COTS vendors and threat-intelligence service providers have sophisticated analytic centers with highly skilled experts utilizing multiple complex data sets. The analytic tools and formats are optimized within each of these environments to meet the changing needs of the business problems being solved by these teams. The analytic tools and data sets evolve continuously, with teams innovating to provide accurate threat-intelligence feeds and added value to customers. In some cases, data sets and formats will overlap; in other cases the business problems are sufficiently distinct. LESSONS LEARNED FROM INFORMATION-SHARING GROUPS The sharing groups described above, in which security vendors, network operators, and industry consortia work together, are prime examples of how information-sharing activities can have a broad impact by generating either corrective action or actionable information that can be deployed as appropriate. From these examples we can derive several instructive insights: • Sharing groups grow strong when members have shared business interests and thus similar business risks and security concerns. That’s why sharing groups typically segment themselves by industry (e.g., financial services, state governments) or a business problem (e.g., reducing spam, preventing fraud, preventing denial of service attacks).
  • 5. RSA Perspective, August 2013 page 5 • ISPs, network operators, and other service providers who serve as gateways to large numbers of end users have developed effective, operationally focused information- sharing models by formalizing international standard data formats, such as the Incident Object Description Exchange Format (IODEF)1 used by the APWG and the Abuse Reporting Format (ARF)2 used by M3AAWG. Combining and correlating threat information provided by different sharing groups requires normalized data formats. Data standards become especially important for sharing among groups. • Security service providers, industry consortia, and working groups have shown that threat- intelligence gathering and response processes can be coupled so closely for certain threat scenarios and use cases that information sharing is rendered unnecessary, because corrective measures can be taken automatically on behalf of participants and customers (e.g., block lists in browsers). • While actionable intelligence is always appreciated, computer network defense that can be deployed automatically is preferred, especially by small- and medium-sized organizations that may lack the security resources to devise corrective measures on their own. • The capability to deploy defenses without having to reveal underlying threat intelligence delivers security benefits while protecting the acquisition methods, integrity, and confidentiality of information sources. • The security community achieves outsized results when it pools expertise and resources to work on complex security problems, obviating the need to solve problems in parallel and potentially arriving at solutions faster. Perhaps the most important lesson to take away from successful information-sharing groups such as the APWG and M3AAWG is that sharing threat intelligence is not the end game. Information-sharing processes are productive only if the intelligence disseminated is relevant to members’ businesses and helps them address threats or provide a proactive, effective defense. Information that can be quickly distributed to where it can have the greatest effect—preferably while both general users and adversaries remain unaware of the protections deployed—is ideal. The APWG’s automated deployment of URL block lists in browsers is a classic example of this. SELECTIVE SHARING REDUCES THREAT-INFORMATION SPAM Sharing information equally with everyone often results in information that’s helpful to no one. Threat-information sharing should be directed only to relevant parties and focused on a problem they care about. Differentiate by Business Concerns and Mission Focus Differences in business interests and mission focus among sharing members will divide and dictate what should be shared. That’s why many of the most successful threat- information exchange groups are focused on a specific use case, mission objective or a business problem, such as distributed denial of service (DDoS) attacks, phishing attacks or tracking specific threat actors. Whether threat intelligence is relevant or not is ultimately up to individual organizations to decide. To sort through the volumes of threat intelligence available to them, it’s imperative that organizations automate analysis of security information. Security tools when data standards matter (OR NOT) Information sharing standards provide a common interface or exchange mechanism to automate the transfer of information between two parties. In threat intelligence exchange, data format and protocol standards help ensure that the information packaged by the sender is “unpacked” and interpreted by the receiver as intended. Standards include policy details so information shared is protected and treated with the due care expected by the sender. A sharing group may use different data formats and protocols to communicate with other sharing groups than it uses to share information internally. Or sharing groups may apply the same data standards to very different use cases, by either using certain portions of a standard or by selecting extensions to that standard. Security-related information that is exchanged less frequently or that varies over time can be handled using extensions to existing data formats, which may be standardized or private. Interoperable data formats become important when exhchanging data among different organizations, but interoprability is not necessarily the desired default state. Diversity in data formats allows for flexibility in product implementations. Security vendors usse proprietary methods to communicate with deployed products and then use standards-based interfaces for interoperability between product implementations. Additionally, various de facto formats for data sharing have emerged within sharing groups with narrow fields of focus. To unify these disparate data formats, transformation mappings can be applied. 1 R. Danyliw, J. Meijer, Y. Demchenko; “The Incident Object Description Exchange Format” Internet Engineering Task Force (IETF) RFC 5070; December 2007 2 Y. Shafranovich, J. Levine, M. Kucherawy; “An Extensible Format for Email Feedback Reports” Internet Engineering Task Force (IETF) RFC 5965; August 2010
  • 6. RSA Perspective, August 2013 page 6 must be context-aware to assess the applicability of threat information to the organization. These assessments, which are often handled today by security personnel, will increasingly rely on the intersection of Big Data security analytics and asset- management platforms. In many large companies, different parts of the organization use different asset-management tools, making it challenging to get a unified, enterprise-wide picture of applicable risks and vulnerabilities. A single view of the organization’s assets and configurations could be derived by integrating asset management platforms with security- and risk-analysis tools such as governance, risk, and compliance (GRC) systems. GRC platforms not only measure risks to assets, but they also monitor how those assets interact so mitigating controls can be adapted accordingly. Additionally, GRC tools can ingest threat intelligence, reprioritize risks and focus the organization or appropriate corrective action based on newly identified threats. Advanced GRC tools will integrate with security analytics tools, automating the evaluation and use of intelligence feeds providing broader situational awareness. Differentiate by Organizational Size Larger enterprises with sophisticated capabilities are typically interested in actionable intelligence that they can analyze and take action on themselves. Some use threat intelligence to help them understand and reduce the scope of threat actors they are facing. Small- and medium-sized organizations, on the other hand, often do not have the resources to participate in threat-information sharing groups or to pore through volumes of security data. Instead, smaller organizations prefer a turnkey approach in which risk remediation is handled for them, either by automated security tools or by service providers who host applications and data and manage security risks as part of service level agreements (SLAs). Regardless of the size of the organization, GRC platforms must provide a business or mission context for the threat intelligence they collect. Risks and options should be assigned potential consequences and presented not as security or IT decisions but as business-level decisions.
  • 7. RSA Perspective, August 2013 page 7 CONCLUSION Gathering external threat intelligence is essential to assessing an organization’s real risks. As part of an Intelligence-Driven Security program, threat information can help organizations prioritize security activities and shorten the time needed to detect and respond to potential threats. Many organizations participating in threat-intelligence-sharing programs suffer from TMI (too much information), while others struggle to use threat intelligence that’s neither relevant nor actionable to their business/mission objectives. In disseminating threat information, information-sharing groups must keep in mind that intelligence itself is not the goal; remediating risks and neutralizing threats is. To this end, information-sharing programs must do the following: 1. Make the dissemination of threat intelligence directed, relevant, and actionable – This means our sharing efforts should identify an immediate and active security response focused on where it can have the greatest effect. 2. Develop a speedy, sustainable, and scalable model to automate information sharing and threat response. Simultaneously, we must improve information-sharing and analysis processes so that fewer security experts are needed to address problems. One way of achieving this is to pool resources and work on problem resolution collaboratively. A promising avenue to explore is enhanced cooperation between threat analysis centers, such as ISACs, communications service providers and software and security tool vendors. When external threat intelligence is actionable, relevant and triggers a corrective response, organizations can expand situational awareness and improve security not just for themselves but also for their information-sharing partners. The author wishes to acknowledge the following EMC and RSA colleagues for their contributions, edits, and validation of trends and positive direction: David Black, Tim Belcher, Rear Adm. Mike Brown (Ret.), Seth Geftic, Brian Girardi, William Gragido, Chris Harrington, Erik Mogus, Alok Ojha, Paul Stoecker, Eddie Schwartz, John Swift, Steve Todd, and Peter Tran.
  • 8. EMC2 , EMC, the EMC logo, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other products or services mentioned are trademarks of their respective companies. © Copyright 2013 EMC Corporation. All rights reserved. 223649-H12175-TIS-BRF-0213 ABOUT RSA RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations solve their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, encryption & key management, SIEM, data loss prevention, continuous network monitoring, and fraud protection with industry leading GRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com. www.rsa.com RSA Perspective, August 2013