Information Security Intelligence
  Maarten Van Horenbeeck, Security Consultant
Content
    Information Security Intelligence
        Basic concepts
        Changing threat landscape
        Security Intelligence
        Intelligence methodology
            • Direction
            • Collection
            • Processing
            • Dissemination
        The Intelligence Organization
        Metrics and effectiveness
        Automation of intelligence processes
        Conclusion: what to take home




©2007 Cybertrust. All rights reserved. www.cybertrust.com   2
1. Basic concepts of security and information
     Robust systems and incident response
Basic concepts of security

    Robust systems
    Information security professionals strive to build robust systems that are
    reliable, fail in predictable ways and resist attack.

        Sometimes called the Ross Anderson school of thought, as it is the main
        undertone of his book ‘Security Engineering’.


    Time-based security
    In reality, systems still fail, so we introduce controls that make successful
    attacks more difficult, increasing the time between the start of an attack
    and compromise. This time allows for detection and incident response.

        Coined by Winn Schwartau in his book ‘Time Based Security’.

Basic concept of information

    Data: unordered events, facts or figures.
    Information: collected facts and data on a subject; ordered data.
    Knowledge: awareness or possession of information, facts, truth, principles.
    Wisdom: the knowledge and experience required to make sensible decisions
    and judgments.

    Intelligence: the required input for getting to wisdom in a structured
    manner, and the process of establishing this input.

2. Changing Threat Landscape
    From defacement to fraud
Virus and malware evolution




    Computer viruses used to pose an availability threat to end-user data. In 1991,
    Tequila infected local executable files and spread through infected floppies.

Virus and malware evolution

    Change in methodology:
    Malicious code is now spread through compromised web sites.
    Change in target:
    This same code now gathers authentication credentials for internet banking
    sites or on-line games.

Format rendering vulnerabilities

    Vulnerabilities in network-exposed services have long been the most
    popular targets for exploitation.
    Our response has been to minimize the attack surface by disabling services
    where they are not necessary.
    The increased popularity of fuzzers has now exposed a new class of
    vulnerabilities:
    • Attacking indirectly by exploiting vulnerabilities in file format parsers such
      as Microsoft Office and the Ichitaro word processor;
    • Recently used in targeted attacks against organizations:
        • UK Government institutions (2005);
        • US Department of State (2006).

Just last week

    Organizations are being targeted with e-mails that appear to come from a
    valid ‘business partner’ and carry an RTF attachment.
    • RTF (Rich Text Format) is a text format, but it is able to contain embedded
      OLE objects, such as executables;
    • Many anti-virus products scan the RTF file itself but do not unpack the
      embedded object;
        • Issue first identified in 2005, re-identified in 2007.


    Many risks:
    • What if you are the ‘business partner’?
    • Is your team aware of these types of attacks, and is there a plan on how to
      respond to them?
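A detection-side check for the attachment pattern described above, added here as an example and not part of the original slides: it walks an RTF document's \object groups, decodes each \objdata payload's OLE1 object header, and flags objects whose class wraps an arbitrary file (the OLE "Package" class), whose declared \objclass disagrees with the header, or whose payload is truncated. The sample document is constructed, and RISKY_CLASSES is an assumed starting list rather than anything from the deck.

```python
import re
import struct

# Constructed sample (not from the slides): a minimal RTF document carrying one
# embedded OLE "Package" object. The \objdata payload is a valid OLE1 object
# header (MS-OLEDS ObjectHeader) followed by four placeholder bytes that stand
# in for the packaged file.
SAMPLE_RTF = r"""{\rtf1\ansi
{\object\objemb{\*\objclass Package}\objw1000\objh1000
{\*\objdata 01050000 02000000 08000000 5061636b61676500
00000000 00000000 04000000 deadbeef}}
Please find the quarterly figures attached.
}"""

# OLE classes that wrap an arbitrary file (an executable, a script) rather than
# document content. Assumed starting list; extend it for your environment.
RISKY_CLASSES = {"Package"}

OBJECT_RE = re.compile(r"\{\\object\b")
OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)\}")
FORMAT_IDS = {1: "linked", 2: "embedded"}


def _read_lp_ansi(buf, off):
    """LengthPrefixedAnsiString: 4-byte length (NUL included) then the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past end of object data")
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1_header(blob):
    """Decode the OLE1 ObjectHeader that starts every \\objdata payload."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    class_name, off = _read_lp_ansi(blob, off)
    _topic, off = _read_lp_ansi(blob, off)
    _item, off = _read_lp_ansi(blob, off)
    native_size = None
    if format_id == 2:  # embedded: a NativeDataSize field precedes the payload
        (native_size,) = struct.unpack_from("<I", blob, off)
        off += 4
    return {
        "version": version,
        "format": FORMAT_IDS.get(format_id, "unknown(%d)" % format_id),
        "header_class": class_name,
        "native_size": native_size,
        "native_available": len(blob) - off,
    }


def scan_rtf(text):
    """Return one finding per \\object group in an RTF document given as str."""
    starts = [m.start() for m in OBJECT_RE.finditer(text)]
    findings = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        chunk = text[start:end]
        m_class = OBJCLASS_RE.search(chunk)
        declared = m_class.group(1).strip() if m_class else None
        finding = {"declared_class": declared, "error": None}
        m_data = OBJDATA_RE.search(chunk)
        if not m_data:
            finding["error"] = "no \\objdata payload"
            findings.append(finding)
            continue
        try:
            blob = bytes.fromhex(re.sub(r"\s+", "", m_data.group(1)))
            finding.update(parse_ole1_header(blob))
        except (ValueError, struct.error) as exc:
            finding["error"] = "malformed object data: %s" % exc
            findings.append(finding)
            continue
        # A declared \objclass that disagrees with the OLE1 header, a truncated
        # payload, or a file-wrapping class are all worth a closer look.
        finding["class_mismatch"] = (declared is not None
                                     and declared != finding["header_class"])
        finding["truncated"] = (finding["native_size"] is not None
                                and finding["native_size"] > finding["native_available"])
        finding["risky"] = (finding["header_class"] in RISKY_CLASSES
                            or finding["class_mismatch"]
                            or finding["truncated"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f)
```

Feed it the decoded text of a quarantined attachment; a "Package" hit is the case the slide describes, where the RTF itself looks harmless but the embedded object is the payload.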




Conclusion

       A much more complex threat environment has drastically
        increased the scope of ‘residual risk’.

                 Do we fully understand these and other emerging threats or threat
                 facilitators?

                 Did we see them coming or did we ‘respond’?

                 How can our information security program deal with these events
                 more proactively, saving resources?




4. Security Intelligence
     Understanding and mitigating threats
Security Intelligence

    As a product, intelligence is information that has the ability to
    reduce uncertainty in decision-making.


    Intelligence is also the process of gathering, evaluating, correlating
    and interpreting information, and disseminating it to decision makers.


    Everyone in the organization performs the intelligence role, but it is
    only rarely formalized.

The Intelligence Cycle


    Direction and Planning -> Collection -> Processing -> Dissemination
    (and back to Direction and Planning)

Direction
    Security intelligence is gathered in response to management
    requirements. Such requirements can originate with business management
    as well as with information security management.

    The intelligence process is generally started by defining:
    Key Intelligence Topics
        • Threats towards our information assets;
        • Threats towards our reputation.

    Key Intelligence Questions
        “To what degree are incidents reported that could be instigated by our
        competitors?”
        “There has been an increase in the number of successful security
        incidents. Are we missing a trend, or not seeing the wider picture?”

Direction: current intelligence

    Aims to provide up-to-date intelligence to enable day-to-day
    intelligent decision-making:
        New vulnerabilities;
        Exploits being released;
        Important new talks at security conferences.


    Aims to answer:
        Should we patch?
        Should we install new software?

Direction: warning intelligence

    Warning intelligence prepares the organization for new and
    emerging threats, and serves as input to the risk management
    processes already in place.

    • Warning intelligence monitors trends over a longer period of time
      and identifies emerging threats;
    • Aims to prevent being ‘surprised’:
        • WMF file format vulnerability in 2005;
        • Targeted attacks in 2005-2007.

Collection targets

    Intelligence exists both internally and externally.
        “If you know the enemy and know yourself, you need not fear the
        result of a hundred battles. If you know yourself but not your enemy,
        for every victory gained you will also suffer a defeat. If you know
        neither the enemy nor yourself, you will succumb in every battle.”
                                                            - Sun Tzu


    Internal sources
    - Intrusion Detection Systems
    - Security Event Manager
    - Individual logs
    - Personnel

Collection targets

    External sources
    - Vendors
        - Microsoft, Verisign, Symantec each publish security intelligence reports
        - iDefense, Secunia, IBM, Cisco sell security intelligence information
    - Sharing of information
        - FS-ISAC, Water ISAC, IT ISAC, Electricity Sector ISAC
        - NSP and threat-related mailing lists
        - SANS Internet Storm Center
    - Law enforcement contacts

Collection sources

    Closed sources
        - Some information is not publicly available, and is someone else’s
          intellectual property;
        - Usually neither ethical nor lawful to access on your own, but the
          owning organization may share it with you while keeping it closed
          to others.

    Grey sources
        - Sources that have a significant barrier to entry (e.g. the cost of
          accessing a database) while being open to everyone who is interested.

    Open sources
        - Information that is generally available to everyone;
        - May not be on the internet, or may not be in English.

Technical collection




Processing: collation

    When received, information needs to be ordered based on a
    characteristic of interest to the process. This may be:

        • Time of occurrence of certain events;
        • Region of occurrence;
        • Size of business impact.

Processing: evaluation

    Evaluating information prior to accepting it.
    Is the information:
    • Accurate;
    • Complete;
    • Timely;
    • Potentially fabricated?


    We also try to establish for what purpose the information was
    provided to us.
    Is there any way it can be verified against existing information
    (information triangulation)?

Processing: synthesis/analysis

    The analysis phase consists of two parts:
    Synthesis
        In the synthesis phase, a model is generated of the threat at hand or of
        the intelligence question. This model is a systems-centered replica of
        the question at hand, including all its inputs, outputs, processes and
        algorithms. Models can be physical or conceptual.


    Analysis
        Extracting knowledge from a model by:
        • changing an input parameter and monitoring the model’s output;
        • identifying and studying forces that have an impact on any parameter,
          and measuring their impact on the final output.

Processing: synthesis
       Generic models
       Timelines, maps, process models.


       Sample applied models
       Broken Windows Model
       Field Anomaly Relaxation


       Threat assessment models
       Ballistic Threat Model



    Some models are better placed to function in warning analysis,
    others are ideal for current analysis.

Processing: integration

       Integrate information within existing frameworks
    • Dominant use of databases;
    • Web 2.0 technology for specific purposes:
        • Wiki for collaboration on topics;
        • Blogs for inter-group communication of ‘prime time’ issues;
        • Forums for generic Q&A;
        • Social networking for location of subject matter experts.

Processing: interpretation
    Information is interpreted by:
    - Formulating hypotheses;
    - Testing hypotheses.


    When a hypothesis is not supported by most of the information, or is shown
    to be unreasonable by even a single item of trusted information, it is taken
    to be false and new hypotheses need to be generated.

    Unfortunately, cognitive limitations apply:
        Information with a personal connection is likely to be ranked higher
        than impersonal, but perhaps more important, data (your former
        department’s assets at risk?);
        Most people believe that other cultures and other organizations think
        and act in similar ways to themselves.

Processing: interpretation

    Methodology to reduce the impact of bias:
    Analysis of Competing Hypotheses


    • Prepare a matrix of hypotheses against evidence;
    • Refine this matrix by deleting evidence with little diagnostic value;
    • Draw preliminary conclusions on likelihood. Attempt to disprove hypotheses;
    • Analyze the sensitivity of the conclusion to the items of evidence;
    • Report conclusions. Include the relative likelihood of all hypotheses;
    • Identify milestones for future observation.
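The ACH steps above carried through in code, as an added example that is not from the slides or the PARC tool: the scenario (three hypotheses for the Key Intelligence Question about a rise in successful incidents, rated against six constructed items of evidence) and the weight on one item are assumptions for illustration. Following Heuer, a hypothesis is scored on the evidence it fails to explain, so only inconsistent ratings count, and the sensitivity step reports which single items of evidence the leading hypothesis depends on.

```python
# Ratings use the ACH convention: C = consistent with the hypothesis,
# I = inconsistent, N = neutral or not applicable.

# Constructed scenario (illustration only, not from the slides).
HYPOTHESES = {
    "H1": "opportunistic malware spread through compromised web sites",
    "H2": "targeted attack via document attachments from a spoofed partner",
    "H3": "insider misuse",
}

EVIDENCE = {
    "E1": "incidents cluster in a single business unit",
    "E2": "mail gateway logged RTF attachments carrying embedded objects",
    "E3": "affected hosts were patched against current browser exploits",
    "E4": "incidents occurred during business hours",
    "E5": "badge and VPN logs show no anomalous employee activity",
    "E6": "one affected user had recently been disciplined",
}

# Step 1: the matrix of evidence against hypotheses.
MATRIX = {
    "E1": {"H1": "I", "H2": "C", "H3": "C"},
    "E2": {"H1": "I", "H2": "C", "H3": "N"},
    "E3": {"H1": "I", "H2": "N", "H3": "N"},
    "E4": {"H1": "N", "H2": "N", "H3": "N"},
    "E5": {"H1": "N", "H2": "N", "H3": "I"},
    "E6": {"H1": "N", "H2": "I", "H3": "C"},
}

# Assumed weighting: E5 is corroborated by two independent log sources, so the
# analyst counts it double. Unweighted evidence counts once.
WEIGHTS = {"E5": 2}


def diagnostic_evidence(matrix):
    """Step 2: evidence rated the same for every hypothesis discriminates nothing."""
    return [e for e, ratings in matrix.items() if len(set(ratings.values())) > 1]


def prune_nondiagnostic(matrix):
    keep = set(diagnostic_evidence(matrix))
    return {e: r for e, r in matrix.items() if e in keep}


def inconsistency_scores(matrix, weights=None):
    """Step 3: score each hypothesis by the (weighted) evidence inconsistent with it."""
    weights = weights or {}
    scores = {}
    for e, ratings in matrix.items():
        for h, rating in ratings.items():
            scores[h] = scores.get(h, 0) + (weights.get(e, 1) if rating == "I" else 0)
    return scores


def rank_hypotheses(matrix, weights=None):
    """Lowest inconsistency score first; ties are kept visible, not broken."""
    scores = inconsistency_scores(matrix, weights)
    return sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))


def leading(matrix, weights=None):
    """All hypotheses sharing the lowest score (a tie is itself a finding)."""
    ranked = rank_hypotheses(matrix, weights)
    best = ranked[0][1]
    return {h for h, s in ranked if s == best}


def sensitivity(matrix, weights=None):
    """Step 4: which single items of evidence, if dropped (e.g. because they
    turn out to be fabricated), change the set of leading hypotheses?"""
    baseline = leading(matrix, weights)
    pivotal = []
    for e in matrix:
        without = {k: v for k, v in matrix.items() if k != e}
        if leading(without, weights) != baseline:
            pivotal.append(e)
    return pivotal


def report(matrix, weights=None):
    """Step 5: relative standing of every hypothesis plus the evidence the
    conclusion hinges on. Step 6 (milestones to watch) is left to the analyst."""
    lines = []
    for h, score in rank_hypotheses(matrix, weights):
        lines.append("%s (inconsistency score %d): %s" % (h, score, HYPOTHESES[h]))
    for e in sensitivity(matrix, weights):
        lines.append("conclusion hinges on %s: %s" % (e, EVIDENCE[e]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(prune_nondiagnostic(MATRIX), WEIGHTS)))
```

Run unweighted, H2 and H3 tie and both E5 and E6 become pivotal; the weighting makes H2 lead but leaves the conclusion resting on E5, which is exactly what the report should say.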




Processing: interpretation




Processing: interpretation
    Decision-making support tool by PARC
    • As with all intelligence analysis, merely a supportive measure;
    • It doesn’t make decisions for you;
    • Formalizes the process and forces the analyst to employ competing
      hypotheses;
    • Instills trust in the recipient of intelligence information.


    • Free of charge at: http://www2.parc.com/istl/projects/ach/ach.html

Dissemination
    Perhaps the most important phase of the intelligence process.
        Making decisions should be separated from the intelligence gathering
        process; however, this may not always be possible.
        In smaller organizations, intelligence gathering may be performed by
        operational teams, who then make decisions on it themselves.

    Presentation of evidence may impact decisions:
        Representation of numbers;
        Risk is low, medium, “slam dunk”;
        The cost of collection often inflates the perceived importance.


    Sample deliverables
        Threat reports
        Statistical information

5. The Intelligence Organization
     Real-life implementation
Intelligence as a CERT function
    CERT teams often also carry a partial intelligence function:
        Track vendor bulletins and re-issue those that may affect the organization;
        CERTs have defined matrix team liaisons across the organization.

    Advantages
        Usually an existing, skilled team;
        Awareness of threats can be used in incident response;
        Makes the CERT realize the value of maintaining a good inventory of
        security incidents;
        Greater visibility of the CERT to management.


    Disadvantages
        Less appropriate for warning analysis;
        Intelligence function may suffer during high-incident timeframes.

Intelligence as a research group
    A specific research team is assigned to perform ongoing intelligence efforts. It
    usually delivers input to the risk analysis process, or supports it by acting as
    mediator and subject matter expert.

    Advantages
        Dedicated team;
        Team members can be selected more accurately;
        Intelligence function remains independent from decision makers.


    Disadvantages
        Less visibility of, and experience with, company assets than a CERT.

A quote




    “Intelligence is best done by a minimum number of men and women of
     the greatest possible ability”
                        - R. V. Jones, UK military intelligence expert (1911-1997)

6. Metrics
     Measuring effectiveness
Measuring intelligence results

    Security Intelligence is primarily a support function to risk
    management. It enables:
        Better measurement in support of risk management;
        Better measurement of risk management efforts;
        Some measurement of the intelligence product.
    Some examples:

        Measuring the threat level against the organization: how many of
        the vulnerability exploitations observed against the network were
        not actively translated into a worm, but had a high complexity of
        exploitation according to the NVD;
        How many of the new threats that required change management was
        the team informed of well in advance.

7. Automation
     Automating the intelligence process
Automating intelligence
    Most software currently available is aimed at:
        Intelligence/law enforcement clients;
            • Uses industry-developed checklists and data-mining tools;
            • Allows interaction with various closed databases, but mainly collaboration tools;
            • Inxight, Interquest, ...

        Competitive intelligence;
            • Market research, competitor analysis, internet discussion tracking;
            • Digimind, Factiva, Trellian, Attentio, ...

        Information security threat management (event management).

    • These tools automate the collection process by crawling open, grey and closed databases;
    • They store key concepts and make them searchable;
    • Some apply automated translation.

Automating intelligence

    In 2004, the RAND Institute published a major study on the
    automation of intelligence structures.
    • Introduces ASAP: Atypical Signal and Analysis Processing Schema
        • Interceptor agents: test data and gather information;
        • Detection agents: filter the dots for events matching and violating criteria;
        • Agents to identify relationships and sweep back using these for further information;
        • Hypotheses agents: create and test hypotheses;
        • Prioritize hypotheses and forward them to analysts for manual review.


    • Also introduces a framework for short-term implementation:
        • Use the Delphi technique to obtain expert opinion on the ‘status quo’ in monitored threats;
        • Define ‘items of note’ that may impact the expression of these threats;
        • Design systems to monitor these ‘items of note’;
        • Establish virtual communities amongst experts to track these items and use modelling for
          forecasting.
    • Future tools will most likely be based on similar frameworks.

8. Conclusion
     What to take home today
Intelligence

    It is:
        • A support tool that enables better risk management;
        • A formalized way of dealing with ‘current’ and ‘warning’ research
          questions and forecasting;
        • Built on collection that occurs both within the organization (know
          yourself) and outside the organization (know thy enemy).


    It is not:
        • Something you purchase in itself, though it can consist of
          purchased ‘current’ intelligence combined with in-house research;
        • Yet fully standardized: many concepts, ideas and models are around, but
          many are only published in journals.

Combine strengths

    Vendors are best placed to:
    • Provide information (‘intelligence’) on what is happening on the
      internet and in the business, and who is likely to be targeted;
    • Provide detail on current incidents and attacks;
    • Help with the definition of relevant models.


    Organizations themselves should:
    • Consider the use of intelligence concepts in their research and risk
      management processes;
    • Better understand their own networks, systems and people;
    • Make use of public information where available to enable better
      decision making.

5. Any Questions?
    maarten.vanhorenbeeck@cybertrust.com
    Tel. +32 (016)28 73 92

MT 117 Key Innovations in CybersecurityDell EMC World
 
The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...United Security Providers AG
 
Retail security-services--client-presentation
Retail security-services--client-presentationRetail security-services--client-presentation
Retail security-services--client-presentationJoseph Schorr
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Bemorisson
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesTechBiz Forense Digital
 
Verisign iDefense Security Intelligence Services
Verisign iDefense Security Intelligence ServicesVerisign iDefense Security Intelligence Services
Verisign iDefense Security Intelligence ServicesTechBiz Forense Digital
 

Ähnlich wie Information Security Intelligence (20)

FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacks
 
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
 
2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity
 
Information security for business majors
Information security for business majorsInformation security for business majors
Information security for business majors
 
The significance of the 7 Colors of Information Security
The significance of the 7 Colors of Information SecurityThe significance of the 7 Colors of Information Security
The significance of the 7 Colors of Information Security
 
Data Security Breach: The Sony & Staples Story
Data Security Breach: The Sony & Staples StoryData Security Breach: The Sony & Staples Story
Data Security Breach: The Sony & Staples Story
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio Panada
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in Cybersecurity
 
The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...
 
Retail security-services--client-presentation
Retail security-services--client-presentationRetail security-services--client-presentation
Retail security-services--client-presentation
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Be
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence Services
 
Verisign iDefense Security Intelligence Services
Verisign iDefense Security Intelligence ServicesVerisign iDefense Security Intelligence Services
Verisign iDefense Security Intelligence Services
 

Kürzlich hochgeladen

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Kürzlich hochgeladen (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Information Security Intelligence

5. Basic concept of information
  Data: Unordered events, facts or figures.
  Information: Collected facts and data on a subject; ordered data.
  Knowledge: Awareness or possession of information, facts, truth, principles.
  Wisdom: Knowledge and experience required to make sensible decisions and judgments.
  Intelligence: The required input for getting to wisdom in a structured manner, and the process of establishing this input.

6. 2. Changing Threat Landscape
  From defacement to fraud

7. Virus and malware evolution
  Computer viruses used to pose an availability threat to end user data.
  In 1991, Tequila infected local executable files and spread through infected floppies.

8. Virus and malware evolution
  Change in methodology: malicious code is now spread through compromised sites.
  Change in target: this same code now gathers authentication credentials for internet banking sites or on-line games.

9. Format rendering vulnerabilities
  Vulnerabilities in network-exposed services have always been popularly exploited. Our response has been to minimize attack surface by disabling services where not necessary.
  The increased popularity of fuzzers has now exposed a new class of vulnerabilities:
  • Attacking indirectly by exploiting vulnerabilities in file format parsers such as Microsoft Office and the Ichitaro word processor;
  • Recently used in targeted attacks against organizations:
    • UK Government institutions (2005);
    • US Department of State (2006).

10. Just last week
  Organizations are being targeted with e-mails from a valid ‘business partner’ with an RTF attachment.
  • RTF: Rich Text Format, but it is able to contain OLE embedded objects, such as executables;
  • Plenty of anti-virus solutions scan the RTF file but do not unpack the embedded object;
  • Issue first identified in 2005, re-identified in 2007.
  Many risks:
  • What if you are the ‘business partner’?
  • Is your team aware of these types of attacks, and is there a plan on how to respond to them?
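The gap this slide describes (the RTF wrapper is scanned, the embedded object is not) closes once the \objdata stream is unpacked. The following Python is an added example, not code from the slides or from Cybertrust: it parses the stream as an OLE 1.0 object header (field layout per MS-OLEDS) on a constructed sample RTF; the sample, the regex and the "Package or MZ" flag are assumptions.

```python
"""Unpack OLE objects embedded in an RTF attachment.

Added example (not from the original slides). The \\objdata hex stream
in an RTF file holds an OLE 1.0 object: OLEVersion, FormatID, three
length-prefixed ANSI strings (class, topic, item) and, for embedded
objects, a 4-byte NativeDataSize followed by the raw payload. Scanning
only the RTF text misses that payload; this parser pulls it out.
"""
import hashlib
import re
import struct
from typing import Dict, List

# Constructed sample, not a real attachment: a one-paragraph RTF with
# an embedded "Package" object whose native data is a 4-byte stub
# beginning with the "MZ" executable marker.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    r"\pard Dear partner, please find the contract attached.\par"
    r"{\object\objemb{\*\objclass Package}{\*\objdata "
    "01050000"                      # OLEVersion 0x00000501
    "02000000"                      # FormatID 2 = embedded object
    "08000000" "5061636b61676500"   # ClassName: length 8, "Package\0"
    "00000000"                      # TopicName: empty
    "00000000"                      # ItemName: empty
    "04000000"                      # NativeDataSize 4
    "4d5a9000"                      # NativeData: "MZ\x90\x00"
    r"}}}"
)

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
FORMAT_IDS = {1: "linked", 2: "embedded", 3: "static"}
OLE_VERSION = 0x00000501


def _lp_string(buf: bytes, off: int):
    """Read a LengthPrefixedAnsiString: 4-byte length (incl. NUL) + bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated string in OLE header")
    return raw.rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1(blob: bytes) -> Dict[str, object]:
    """Parse the OLE 1.0 object header and return its fields plus payload."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    if version != OLE_VERSION:
        raise ValueError(f"unexpected OLEVersion 0x{version:08x}")
    off = 8
    cls, off = _lp_string(blob, off)
    topic, off = _lp_string(blob, off)
    item, off = _lp_string(blob, off)
    native = b""
    if fmt == 2:                      # embedded object: payload follows
        (size,) = struct.unpack_from("<I", blob, off)
        off += 4
        native = blob[off:off + size]
        if len(native) != size:
            raise ValueError("native data truncated")
    return {"format": FORMAT_IDS.get(fmt, f"unknown({fmt})"),
            "class": cls, "topic": topic, "item": item, "native": native}


def extract_objects(rtf: str) -> List[Dict[str, object]]:
    """Find every \\objdata stream, unpack it and flag risky payloads."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        blob = bytes.fromhex(re.sub(r"\s+", "", m.group(1)))
        obj = parse_ole1(blob)
        native = obj["native"]
        # "Package" objects wrap arbitrary files; an MZ header means a
        # Windows executable is sitting inside the document.
        suspicious = obj["class"] == "Package" or native[:2] == b"MZ"
        findings.append({
            "class": obj["class"],
            "format": obj["format"],
            "native_size": len(native),
            "sha256": hashlib.sha256(native).hexdigest(),
            "suspicious": suspicious,
        })
    return findings


if __name__ == "__main__":
    for f in extract_objects(SAMPLE_RTF):
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{verdict}: {f['format']} {f['class']} "
              f"({f['native_size']} bytes, sha256 {f['sha256'][:16]}...)")
```

The hash of the unpacked native data, not of the RTF file, is the value worth comparing against what the mail gateway and endpoint scanner actually inspected.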
11. Conclusion
  A much more complex threat environment has drastically increased the scope of ‘residual risk’.
  Do we fully understand these and other emerging threats or threat facilitators?
  Did we see them coming, or did we ‘respond’?
  How can our information security program deal with these events more proactively, saving resources?

12. 4. Security Intelligence
  Understanding and mitigating threats

13. Security Intelligence
  As a product, intelligence is information that has the ability to reduce uncertainty in decision-making.
  Intelligence is also the process of gathering, evaluating, correlating and interpreting information, and disseminating it to decision makers.
  Everyone in the organization performs the intelligence role, but it is only rarely formalized.

14. The Intelligence Cycle
  (Cycle diagram with four stages: Direction and Planning, Collection, Processing, Dissemination.)

15. Direction
  Security intelligence is gathered in response to management requirements. Such requirements can originate both with business management and with information security management.
  The intelligence process is generally started by defining:
  Key Intelligence Topics
  • Threats towards our information assets;
  • Threats towards our reputation.
  Key Intelligence Questions
  • “To what degree are incidents reported that could be instigated by our competitors?”
  • “There has been an increase in the number of successful security incidents. Are we missing a trend, or not seeing the wider picture?”

16. Direction: current intelligence
  Aims to provide up-to-date intelligence to enable day-to-day intelligent decision-making:
  • New vulnerabilities;
  • Exploits being released;
  • Important new talks at security conferences.
  Aims to answer: Should we patch? Should we install new software?

17. Direction: warning intelligence
  Warning intelligence prepares the organization for new and emerging threats, and serves as input to the risk management processes already in place.
  • Warning intelligence monitors trends over a longer period of time and identifies emerging threats;
  • Aims to prevent being ‘surprised’:
    • WMF file format vulnerability in 2005;
    • Targeted attacks in 2005-2007.

18. Collection targets
  Intelligence exists both internally and externally.
  “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not your enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” - Sun Tzu
  Internal sources
  - Intrusion Detection Systems
  - Security Event Manager
  - Individual logs
  - Personnel

19. Collection targets
  External sources
  - Vendors
    - Microsoft, Verisign, Symantec each publish security intelligence reports
    - iDefense, Secunia, IBM, Cisco sell security intelligence information
  - Sharing of information
    - FS-ISAC, Water ISAC, IT ISAC, Electricity Sector ISAC
    - NSP & threat related mailing lists
    - SANS Internet Storm Center
  - Law enforcement contacts

20. Collection sources
  Closed sources
  - Some information is not publicly available, and is someone else’s intellectual property;
  - Usually neither ethical nor lawful to access, but may be shared by the organization while remaining closed to others.
  Grey sources
  - Sources that have a significant barrier to entry (cost to access a database) while open to everyone who is interested.
  Open sources
  - Information that is generally available to everyone;
  - May not be on the internet, or may not be in English.

21. Technical collection
  (Figure only.)

22. Processing: collation
  When received, information needs to be ordered based on a characteristic of interest to the process. This may be:
  • Time of occurrence of certain events;
  • Region of occurrence;
  • Size of business impact.

23. Processing: evaluation
  Evaluating information prior to accepting it. Is the information:
  • Accurate;
  • Complete;
  • Timely;
  • Potentially fabricated?
  We also try to establish with what purpose the information was provided to us. Is there any way it can be verified using existing information (information triangulation)?

24. Processing: synthesis/analysis
  The analysis phase consists of two subsets:
  Synthesis
  In the synthesis phase, a model is generated of the threat at hand or the intelligence question. This model consists of a systems-centered replica of the question at hand, including all its inputs, outputs, processes and algorithms. Models can be physical or conceptual.
  Analysis
  Extracting knowledge from a model by:
  • changing an input parameter and monitoring the model’s output;
  • identifying and studying forces that have an impact on any parameter and measuring their impact on the final output.

25. Processing: synthesis
  Generic models: timelines, maps, process models.
  Sample applied models: Broken Windows Model; Field Anomaly Relaxation.
  Threat assessment models: Ballistic Threat Model.
  Some models are better placed to function in warning analysis, others are ideal for current analysis.

26. Processing: integration
  Integrate information within existing frameworks:
  • Dominant use of databases;
  • Web 2.0 technology for specific purposes:
    • Wiki for collaboration on topics;
    • Blogs for inter-group communication of ‘prime time’ issues;
    • Forums for generic Q&A;
    • Social networking for location of subject matter experts.

27. Processing: interpretation
  Information is interpreted by:
  - Formulating hypotheses;
  - Testing hypotheses.
  When a hypothesis is not supported by most of the trusted information, or is proved unreasonable by even a single item of it, it is proven false and new hypotheses need to be generated.
  Unfortunately, cognitive limitations apply:
  - Information that affects the analyst personally is likely to be ranked higher than impersonal, but perhaps more important, data (your ex-department’s assets at risk?);
  - Most people believe other cultures and other organizations think and act in similar ways as they do.

28. Processing: interpretation
  Methodology to reduce the impact of bias: Analysis of Competing Hypotheses
  • Prepare a matrix of hypotheses;
  • Refine this matrix by deleting evidence with little diagnostic value;
  • Draw preliminary conclusions of likelihood. Attempt to disprove hypotheses;
  • Analyze the sensitivity of the conclusion to the items of evidence;
  • Report conclusions. Include the relative likelihood of all hypotheses;
  • Identify milestones for future observation.

29. Processing: interpretation
  (Figure only.)

30. Processing: interpretation
  Decision making support tool by PARC
  • As with all intelligence analysis, merely a supportive measure: it doesn’t make decisions for you;
  • Formalizes the process and forces the analyst to employ competing hypotheses;
  • Instills trust in the recipient of intelligence information;
  • Free of charge at: http://www2.parc.com/istl/projects/ach/ach.html
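The ACH steps listed on slide 28, carried through in code. This Python is an added example, not the PARC tool and not code from the original deck; the Key Intelligence Question it works on is the one from the Direction slide, but the hypotheses, evidence items and consistency ratings are constructed assumptions.

```python
"""Analysis of Competing Hypotheses (ACH) on a hypothesis/evidence matrix.

Added example; not the PARC tool and not code from the original slides.
It follows the steps on the ACH slide: build the matrix, drop evidence
with no diagnostic value, rank hypotheses by the evidence inconsistent
with them (ACH tries to disprove, not confirm), and test how sensitive
the leading hypothesis is to each remaining item of evidence.
"""
from typing import Dict, List, Set, Tuple

C, I, N = "C", "I", "N"   # consistent, inconsistent, neutral / not applicable

Hypotheses = Dict[str, str]
Evidence = Dict[str, Tuple[str, Dict[str, str]]]

# Constructed illustration built around the Key Intelligence Question on
# the Direction slide ("an increase in successful security incidents").
# Hypotheses, evidence and ratings are assumptions, not deck findings.
HYPOTHESES: Hypotheses = {
    "H1": "Targeted campaign run by a competitor",
    "H2": "Opportunistic crimeware spread via compromised sites",
    "H3": "Attack rate unchanged; detection improved",
}
EVIDENCE: Evidence = {
    "E1": ("Incidents cluster around the M&A team",        {"H1": C, "H2": I, "H3": I}),
    "E2": ("Malware families match public crimeware kits", {"H1": N, "H2": C, "H3": C}),
    "E3": ("New IDS signatures deployed last quarter",     {"H1": N, "H2": N, "H3": C}),
    "E4": ("Lures reference internal project names",       {"H1": C, "H2": I, "H3": I}),
    "E5": ("Peer ISAC members report the same rise",       {"H1": I, "H2": C, "H3": C}),
    "E6": ("E-mail is the entry vector in every case",     {"H1": C, "H2": C, "H3": C}),
}


def is_diagnostic(ratings: Dict[str, str]) -> bool:
    """Evidence rated the same against every hypothesis cannot separate them."""
    return len(set(ratings.values())) > 1


def prune(evidence: Evidence) -> Evidence:
    """Step 2: delete evidence with little diagnostic value."""
    return {k: v for k, v in evidence.items() if is_diagnostic(v[1])}


def inconsistency_scores(hyps: Hypotheses, evidence: Evidence) -> Dict[str, int]:
    """Step 3: count the evidence that argues against each hypothesis.
    The hypothesis with the fewest inconsistencies is the one that
    survives the attempt to disprove it."""
    scores = {h: 0 for h in hyps}
    for _desc, ratings in evidence.values():
        for h in hyps:
            if ratings.get(h, N) == I:
                scores[h] += 1
    return scores


def leaders(scores: Dict[str, int]) -> Set[str]:
    """Hypotheses sharing the lowest inconsistency count."""
    best = min(scores.values())
    return {h for h, s in scores.items() if s == best}


def sensitivity(hyps: Hypotheses, evidence: Evidence) -> List[str]:
    """Step 4: evidence whose removal changes which hypothesis leads.
    These items carry the conclusion and should be triangulated first."""
    base = leaders(inconsistency_scores(hyps, evidence))
    critical = []
    for key in evidence:
        rest = {k: v for k, v in evidence.items() if k != key}
        if leaders(inconsistency_scores(hyps, rest)) != base:
            critical.append(key)
    return critical


def report(hyps: Hypotheses, evidence: Evidence) -> List[str]:
    """Step 5: rank all hypotheses, least-inconsistent first, with the
    items each would still need to explain away."""
    scores = inconsistency_scores(hyps, evidence)
    lines = []
    for h, s in sorted(scores.items(), key=lambda kv: (kv[1], kv[0])):
        against = [k for k, (_d, r) in evidence.items() if r.get(h, N) == I]
        lines.append(f"{h} ({hyps[h]}): {s} inconsistent item(s) {against}")
    return lines


if __name__ == "__main__":
    kept = prune(EVIDENCE)
    print("dropped as non-diagnostic:", sorted(set(EVIDENCE) - set(kept)))
    for line in report(HYPOTHESES, kept):
        print(line)
    print("conclusion hinges on:", sensitivity(HYPOTHESES, kept))
```

On the constructed matrix E6 is dropped, H1 leads with one inconsistent item, and the lead depends entirely on E1 and E4, which is exactly the list an analyst would take back to the evaluation step.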
31. Dissemination
  Perhaps the most important phase of the intelligence process.
  Making decisions should be separated from the intelligence gathering process; however, this may not always be possible. In smaller organizations, intelligence gathering may be performed by operational teams, upon which they may make decisions themselves.
  Presentation of evidence may impact decisions:
  • Representation of numbers;
  • Risk is low, medium, “slam dunk”;
  • Cost of collection often over-appreciates importance.
  Sample deliverables: threat reports; statistical information.

32. 5. The Intelligence Organization
  Real-life implementation

33. Intelligence as a CERT function
  CERT teams often also carry a partial intelligence function:
  • Track vendor bulletins and re-issue those that may affect the organization;
  • CERTs have defined matrix team liaisons across the organization.
  Advantages
  • Usually an existing, skilled team;
  • Awareness of threats can be used in incident response;
  • Makes the CERT realize the value of maintaining a good inventory of security incidents;
  • Greater visibility of the CERT to management.
  Disadvantages
  • Less appropriate for warning analysis;
  • Intelligence function may suffer during high-incident timeframes.

34. Intelligence as a research group
  A specific research team is assigned to perform ongoing intelligence efforts. It usually delivers input to the risk analysis process, or supports it as mediator and subject matter expert.
  Advantages
  • Dedicated team;
  • Team members can be selected more accurately;
  • Intelligence function remains independent from decision makers.
  Disadvantages
  • Less visibility of, and experience with, company assets than a CERT.

35. A quote
  “Intelligence is best done by a minimum number of men and women of the greatest possible ability” - R.V. Jones, UK Military Intelligence Expert (1911-1997)

36. 6. Metrics
  Measuring effectiveness

37. Measuring intelligence results
  Security Intelligence is primarily a support function to risk management. It enables:
  • Better measurement in support of risk management;
  • Better measurement of risk management efforts;
  • Some measurement of intelligence product.
  Some examples:
  • Measuring the threat level against the organization: how many of the vulnerability exploitations observed against the network were not actively translated into a worm but had a high complexity of exploitation according to the NVD;
  • How many new threats, out of the total that required change management, was the team informed of well in advance.

38. 7. Automation
  Automating the intelligence process

39. Automating intelligence
  Most software currently available is aimed at:
  Intelligence/Law Enforcement clients
  • Uses industry-developed checklists and data-mining tools;
  • Allows interaction with various closed databases, but mainly collaboration tools;
  • Inxight, Interquest, ...
  Competitive intelligence
  • Market research, competitor analysis, internet discussion tracking;
  • Digimind, Factiva, Trellian, Attentio, ...
  Information Security threat management (event management)
  • Automate the collection process by crawling open, grey and closed databases;
  • They store and make searchable key concepts;
  • Some apply automated translation.

40. Automating intelligence
  In 2004, the RAND Institute published a major study on the automation of intelligence structures.
  • Introduces ASAP: Atypical Signal and Analysis Processing Schema
    • Interceptor agents: test data and gather information;
    • Detection agents: filter the dots for events matching and violating criteria;
    • Agents to identify relationships and sweep back using these for further information;
    • Hypotheses agents: create and test;
    • Prioritize hypotheses and forward to analysts for manual review.
  • Also introduces a framework for short-term implementation:
    • Use the Delphi technique to obtain expert opinion on the ‘status quo’ in monitored threats;
    • Define ‘items of note’ that may impact the expression of these threats;
    • Design systems to monitor these ‘items of note’;
    • Establish virtual communities amongst experts to track these items and use modelling for forecasting.
  • Future tools will most likely be based on similar frameworks.

41. 8. Conclusion
  What to take home today

42. Intelligence
  It is:
  • A support tool that enables better risk management;
  • A formalized way of dealing with ‘current’ and ‘warning’ research questions and forecasting;
  • Collection that occurs both within the organization (know yourself) and outside the organization (know thy enemy).
  It is not:
  • Something you purchase in itself, though it can consist of purchased ‘current’ intelligence combined with in-house research;
  • Yet fully standardized: many concepts, ideas and models linger, but many are only published in journals.

43. Combine strengths
  Vendors are best placed to:
  • Provide information (‘intelligence’) on what is happening on the internet and in the business, and who is likely to be targeted;
  • Provide detail on current incidents and attacks;
  • Help with the definition of relevant models.
  Organizations themselves should:
  • Consider the use of intelligence concepts in their research and risk management processes;
  • Better understand their own networks, systems and people;
  • Make use of public information where available to enable better decision making.

44. 5. Any Questions?
  maarten.vanhorenbeeck@cybertrust.com
  Tel. +32 (016)28 73 92