Mitigate Threats Faster with an
Intelligence-Driven Defense
Dan Cole
Director of Product Management
© 2017 ThreatConnect, Inc. All Rights Reserved.
Today’s Agenda
Get answers:
• Intelligence-Driven Defense (IDD): what does it mean in real terms?
• How can teams at all levels of maturity take advantage of IDD?
• What does IDD look like operationally in ThreatConnect?
Intelligence-Driven Defense (IDD)
What does it mean?
How to Define Threat Intelligence
First, what is threat intelligence?
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
“The details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence’s primary purpose is to inform business decisions regarding the risks and implications associated with threats.”
Threat Intelligence: Simplified
Now on my reading level:
“Knowledge of threats that you can use to defend yourself.”
Distilled even more:
“Actionable Knowledge of Threats”
The Threat Defense Surface Area (TDSA)
Bigger Targets need Bigger Shields
The likelihood of having things go right in your security organization:

  Strength/capabilities/focus of your threat intelligence
  X
  People and tools to whom that TI is effectively communicated (i.e. “operations”)
  =
  Your Threat Defense Surface Area
The Threat Defense Surface Area (TDSA)
The Geometry of IDD
Axes: Intelligence (I) and Operations (O). The area, A = I * O, is your TDSA.

Small area (weak intelligence, weak operations)  vs.  Large area (strong intelligence, strong operations):
• TI is siloed  vs.  TI is shared
• Bare bones  vs.  Fleshed out
• Unclear focus  vs.  Intel Requirements
• False positives  vs.  Fewer FPs
• ++MTTD (mean time to detect rises)  vs.  --MTTD (mean time to detect falls)
Intelligence-Driven Defense means...
Your entire security team (and beyond) is
dedicated to increasing your Threat Defense
Surface Area by actively communicating and
contributing in order to:
● Increase actionable knowledge of threats
● Leverage that knowledge
Intelligence-Driven Defense for All
How can teams at all levels of maturity take
advantage of IDD?
Determining What’s Right For You
• Needs differ based on factors like threat landscape, maturity, risk tolerance, size, and budget
• What are your threat intelligence requirements?
• Are your needs more strategic or tactical?
• How big of a target does your TDSA need to cover?
Different Teams Have Different Needs
Maturity axis, from less mature to more mature:
• Using Threat Intelligence  →  Doing Threat Intelligence
• Prevention & Detection  →  Assisting IR  →  Inform Security Policy
TC Identify
The Intel Consumer
Who’s it for?
• The “Intel Consumer”
• Smaller teams just getting started
What do they want to do with it?
• Consume Intel
• Reduce False Positives in their SIEM
• Get started on increasing their Threat Defense Surface Area
What do they need?
• Machine-Readable Threat Intelligence
• ThreatConnect Intelligence
• Minimal Setup and Support
TC Manage
The Under-Resourced Intel Rebel
Who’s it for?
• The Under-Resourced “Intel Rebel”
• Small team, needs to do more with less
What do they want to do with it?
• Same as Intel Consumer
• Plus automation and orchestration
What do they need?
• Get all teams and tools talking
• Playbooks
TC Analyze
The Intel Analyst
Who’s it for?
• The “Intel Analyst”
• Mature teams that want to create new intel
What do they want to do with it?
• Consume, analyze, create and share intel
• Strategic view of intel for advising, policy
What do they need?
• Powerful data model to support threat modelling
• Sharing and reporting
TC Complete
The Ultimate Power in Threat Intelligence
Who’s it for?
• Mature teams
• Security leaders who want to build an intelligence-driven
security organization from the ground up
What do they want to do with it?
• Build and Customize the Platform and Apps
• Create Complex Automations & Orchestration
• Inform Team, Speed Response
• Inform Decisions Across the Organization
What do they need?
• A fully extensible, intelligence-driven platform
• Full threat modelling and communication support
Putting it all together
How does ThreatConnect Help?
Intelligence * Operations = Your Threat Defense Surface Area (A = I * O)
Intelligence-Driven Defense in ThreatConnect
What does IDD look like operationally in
ThreatConnect?
Playbooks - Automation & Orchestration
Problem
• Fragmented technologies and processes in cybersecurity
Solution
• Create automated playbooks
• Configure apps to talk to each other automatically
• Share Playbooks across teams
• Human-in-the-loop
Intelligence-Driven Automation & Orchestration
Augment human intuition by freeing it from mundane tasks
Collective Analytics Layer (CAL)
Provide global insights on threat data to all ThreatConnect instances. For an indicator such as EvilDomain.com, CAL answers:
• Is it on public whitelists?
• How many sources report it?
• How many of TC’s 15K other analysts have viewed it?
• Was it observed recently by others?
• Are the sources you find relevant and accurate?
• What about false positives?
The Scenario
• Security team of a Fortune 500 company is
on the lookout for whaling scams
• Standard loadout: SOC, IR, CTI
• CTI has gathered intel on several possible
adversaries
• SOC has several monitoring inboxes for
collecting email alert data
• TC Complete
An alert!
Teeny-tiny TDSA
Iteration One
● SOC inbox ingests an email
● Playbook extracts the indicators and stores them in ThreatConnect
No one is notified. Nothing happens. Maybe someone will check it out later.
Analysis and Awareness in Realtime
Adding Intel and Telling Someone
Iteration Two
● Indicators sent to third party for enrichment
● Enrichment data matched against ThreatConnect
● SOC team notified of potential matches
Communicating Across Teams and Time
Increasing the Area
Iteration Three
● The CTI team’s intel identified an adversary that used whaling scams
● The CTI team recorded whaling scams in ThreatConnect as a key requirement
● This flag causes the IR team to be notified in Slack
Avoiding False Positives
Almost there...
Iteration Four
● Instead of blindly notifying the IR team, the Playbook checks CAL for false positives
● If there are FPs, the IR team is not notified and the SOC team’s email is updated instead
● Adversary record updated for future TI regardless of outcome
Closing the Loop
Saturation
Iteration Five
● IR team deep dives on key data in CAL
● Hits a button to block a malicious indicator
● CTI team gets feedback on action taken
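The five iterations above, as an added Python example that is not code from this deck or from the ThreatConnect product. The ThreatConnect intel store, the reverse-WHOIS enrichment provider, CAL’s false-positive signals and the Slack notification are all stood in for by in-memory tables and return values (INTEL, REVERSE_WHOIS, PUBLIC_ALLOWLIST, FP_REPORTS, the “slack#ir” tuple); every name, value and the sample email are constructed for illustration. It goes one step beyond the slide in iteration four: false positives are suppressed per indicator, so one CAL-flagged IP in the same email does not silence a genuine whaling match.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins (hypothetical data, not ThreatConnect's) for the intel store,
# the reverse-WHOIS enrichment provider and the CAL false-positive signals.
INTEL = {  # indicator -> what the CTI team already knows about it
    "evil-invoice-portal.example": {"adversary": "Adversary-A", "tags": {"whaling"}},
    "203.0.113.45": {"adversary": "Adversary-B", "tags": {"ransomware"}},
}
REVERSE_WHOIS = {  # registrant email -> domains registered with it (enrichment pivot)
    "reg@adversary-a.example": {"evil-invoice-portal.example", "wire-approval.example"},
}
KEY_REQUIREMENTS = {"whaling"}               # intel requirements the CTI team flagged
PUBLIC_ALLOWLIST = {"corp-finance.example"}  # benign domains, e.g. the company's own
FP_REPORTS = {"203.0.113.45": 4}             # CAL-style false-positive reports per indicator
FP_THRESHOLD = 3                             # this many reports suppresses paging

IOC_PATTERNS = {
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
}

SAMPLE_EMAIL = """\
From: "CEO" <ceo@corp-finance.example>
Reply-To: approvals@wire-approval.example
Subject: URGENT - confidential wire today
Approve at http://wire-approval.example/pay before 5pm. Desk line 203.0.113.45.
"""

@dataclass
class Triage:
    indicators: dict = field(default_factory=dict)   # indicator -> type
    matches: dict = field(default_factory=dict)      # indicator -> intel record
    false_positives: set = field(default_factory=set)
    sightings: list = field(default_factory=list)    # (adversary, indicator) written back to TI
    route: str = "stored_only"                       # stored_only | soc_inbox | ir_slack
    notifications: list = field(default_factory=list)

def extract_indicators(text: str) -> dict:
    """Iteration one: pull indicators out of the raw email."""
    found = {}
    for kind, pattern in IOC_PATTERNS.items():
        for value in pattern.findall(text):
            found[value.lower()] = kind
    return found

def enrich(indicators: dict) -> dict:
    """Iteration two: direct intel hits, plus a reverse-WHOIS pivot for unknown domains."""
    matches = {}
    for ioc in indicators:
        if ioc in INTEL:
            matches[ioc] = dict(INTEL[ioc])
            continue
        for domains in REVERSE_WHOIS.values():
            known = next((d for d in domains if d in INTEL), None)
            if ioc in domains and known:
                # same registrant as a known-bad domain: inherit that adversary's record
                matches[ioc] = {**INTEL[known], "via": f"reverse-whois:{known}"}
    return matches

def is_false_positive(ioc: str) -> bool:
    """Iteration four: the CAL check, i.e. public allowlists and peers' FP reports."""
    return ioc in PUBLIC_ALLOWLIST or FP_REPORTS.get(ioc, 0) >= FP_THRESHOLD

def run_playbook(email_text: str) -> Triage:
    t = Triage(indicators=extract_indicators(email_text))
    t.matches = enrich(t.indicators)
    t.false_positives = {i for i in t.indicators if is_false_positive(i)}
    # The adversary record is updated regardless of the routing outcome.
    t.sightings = [(r["adversary"], i) for i, r in t.matches.items()]
    live = {i: r for i, r in t.matches.items() if i not in t.false_positives}
    # Iteration three: a hit on a key intel requirement pages IR directly.
    if any(r["tags"] & KEY_REQUIREMENTS for r in live.values()):
        t.route = "ir_slack"
        t.notifications.append(("slack#ir", sorted(live)))
    elif t.matches:
        t.route = "soc_inbox"
        t.notifications.append(("soc-email-update", sorted(t.matches)))
    return t

def block_and_report(t: Triage, ioc: str) -> dict:
    """Iteration five: IR blocks the indicator and the course of action goes back to CTI."""
    return {"indicator": ioc, "adversary": t.matches[ioc]["adversary"],
            "course_of_action": "block", "reported_to": "cti"}

if __name__ == "__main__":
    result = run_playbook(SAMPLE_EMAIL)
    print(result.route, result.notifications, sorted(result.false_positives))
    print(block_and_report(result, "wire-approval.example"))
```

Running it on the constructed email routes to IR: the reply-to domain is unknown on its own but shares a registrant with a known whaling domain, the company’s own domain is on the allowlist, and the IP is a known indicator that CAL-style reports mark as a false positive, so only the pivoted domain reaches the Slack notification.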
Intelligence-Driven Defense
How does ThreatConnect Help?
Intelligence
● Enriched data using reverse WHOIS
● Referenced intel on existing adversary
● Use of intel requirements
● Used CAL to mitigate false positives
Operations
● Notified all teams of Whaling Scam requirement
● Slacked IR team on alert
● CoA (course of action) reported back to CTI
● Used CAL to mitigate false positives
Questions?
Thank You
THREATCONNECT.COM
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Intelligence driven defense webinar

  • 1. Mitigate Threats Faster with an Intelligence-Driven Defense
    Dan Cole, Director of Product Management

  • 2. © 2017 ThreatConnect, Inc. All Rights Reserved.
    Today's Agenda. Get answers:
    • Intelligence-Driven Defense (IDD): what does it mean in real terms?
    • How can teams at all levels of maturity take advantage of IDD?
    • What does IDD look like operationally in ThreatConnect?

  • 4. How to Define Threat Intelligence
    First, what is threat intelligence?
    "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
    "The details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats."

  • 5. Threat Intelligence: Simplified
    Now on my reading level:
    "Knowledge of threats that you can use to defend yourself."
    Distilled even more:
    "Actionable Knowledge of Threats"

  • 6. The Threat Defense Surface Area (TDSA): Bigger Targets need Bigger Shields
    The likelihood of having things go right in your security organization.

  • 7. The Threat Defense Surface Area (TDSA): The Geometry of IDD
    Strength/capabilities/focus of your threat intelligence
    X
    People and tools to whom that TI is effectively communicated (i.e. "operations")
    =
    Your Threat Defense Surface Area
    A = I * O (Intelligence times Operations)
    Small area: TI is siloed, bare bones, unclear focus, false positives, ++MTTD
    Larger area: TI is shared, fleshed out, intel requirements, fewer FPs, --MTTD

  • 8. Intelligence-Driven Defense means...
    Your entire security team (and beyond) is dedicated to increasing your Threat Defense Surface Area by actively communicating and contributing in order to:
    ● Increase actionable knowledge of threats
    ● Leverage that knowledge

  • 9. Intelligence-Driven Defense for All: How can teams at all levels of maturity take advantage of IDD?

  • 10. Determining What's Right For You
    • Needs differ based on factors like threat landscape, maturity, risk tolerance, size, and budget
    • What are your threat intelligence requirements?
    • Are your needs more strategic or tactical?
    • How big of a target does your TDSA need to cover?
    Different Teams Have Different Needs (a spectrum from Less Mature to More Mature):
    Using Threat Intelligence -> Doing Threat Intelligence
    Prevention & Detection -> Assisting IR -> Inform Security Policy

  • 11. TC Identify: The Intel Consumer
    Who's it for?
    • The "Intel Consumer"
    • Smaller teams just getting started
    What do they want to do with it?
    • Consume intel
    • Reduce false positives in their SIEM
    • Get started on increasing their Threat Defense Surface Area
    What do they need?
    • Machine-readable threat intelligence
    • ThreatConnect Intelligence
    • Minimal setup and support

  • 12. TC Manage: The Under-Resourced Intel Rebel
    Who's it for?
    • The under-resourced "Intel Rebel"
    • Small team, needs to do more with less
    What do they want to do with it?
    • Same as the Intel Consumer
    • Plus automation and orchestration
    What do they need?
    • Get all teams and tools talking
    • Playbooks

  • 13. TC Analyze: The Intel Analyst
    Who's it for?
    • The "Intel Analyst"
    • Mature teams that want to create new intel
    What do they want to do with it?
    • Consume, analyze, create and share intel
    • Strategic view of intel for advising and policy
    What do they need?
    • Powerful data model to support threat modelling
    • Sharing and reporting

  • 14. TC Complete: The Ultimate Power in Threat Intelligence
    Who's it for?
    • Mature teams
    • Security leaders who want to build an intelligence-driven security organization from the ground up
    What do they want to do with it?
    • Build and customize the platform and apps
    • Create complex automations and orchestration
    • Inform the team, speed response
    • Inform decisions across the organization
    What do they need?
    • A fully extensible, intelligence-driven platform
    • Full threat modelling and communication support

  • 15. Putting it all together: How does ThreatConnect Help?
    Intelligence * Operations = Your Threat Defense Surface Area (A = I * O)

  • 16. Intelligence-Driven Defense in ThreatConnect: What does IDD look like operationally in ThreatConnect?

  • 17. Playbooks - Automation & Orchestration
    Problem
    • Fragmented technologies and processes in cybersecurity
    Solution
    • Create automated Playbooks
    • Configure apps to talk to each other automatically
    • Share Playbooks across teams
    • Human-in-the-loop
    Intelligence-Driven Automation & Orchestration: augment human intuition by freeing it from mundane tasks

  • 18. Collective Analytics Layer (CAL)
    Provide global insights on threat data to all ThreatConnect instances. For an indicator such as EvilDomain.com, CAL answers:
    • Is it on public whitelists?
    • How many sources report it?
    • How many of TC's 15K other analysts have viewed it?
    • Was it observed recently by others?
    • Are the sources you find relevant and accurate?
    • What about false positives?

  • 19. The Scenario
    • Security team of a Fortune 500 company is on the lookout for whaling scams
    • Standard loadout: SOC, IR, CTI
    • CTI has gathered intel on several possible adversaries
    • SOC has several monitoring inboxes for collecting email alert data
    • TC Complete

  • 20. An alert! Iteration One: Teeny-tiny TDSA
    ● SOC inbox ingests an email
    ● Playbook extracts the indicators and stores them in ThreatConnect
    No one is notified. Nothing happens. Maybe someone will check it out later.

  • 21. Analysis and Awareness in Realtime. Iteration Two: Adding Intel and Telling Someone
    ● Indicators sent to a third party for enrichment
    ● Enrichment data matched against ThreatConnect
    ● SOC team notified of potential matches

  • 22. Communicating Across Teams and Time. Iteration Three: Increasing the Area
    ● The CTI team's intel identified an adversary that used whaling scams
    ● The CTI team recorded whaling scams in ThreatConnect as a key requirement
    ● This flag causes the IR team to be notified in Slack

  • 23. Avoiding False Positives. Iteration Four: Almost there...
    ● Instead of blindly notifying the IR team, the Playbook checks CAL for false positives
    ● If there are FPs, the IR team is not notified and the SOC team's email is updated instead
    ● Adversary record updated for future TI regardless of outcome

  • 24. Closing the Loop. Iteration Five: Saturation
    ● IR team deep dives on key data in CAL
    ● Hits a button to block a malicious indicator
    ● CTI team gets feedback on action taken
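The routing logic of iterations one to four, written out as an added example (not ThreatConnect's Playbook engine or any of its APIs). The intel store, the CAL false-positive counts and the alert emails are all constructed stand-ins, and the Slack and SOC-email notifications are recorded in in-memory lists rather than sent.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for ThreatConnect indicator records: the adversary an
# indicator is tied to and the CTI intel requirements that adversary was filed
# under (slide 22: "whaling scams" recorded as a key requirement).
INTEL = {
    "evildomain.example": {"adversary": "Adversary-A", "requirements": {"whaling"}},
    "spoofed-exec.example": {"adversary": "Adversary-B", "requirements": {"whaling"}},
    "benign-cdn.example": {"adversary": None, "requirements": set()},
}
# Constructed stand-in for the CAL false-positive signal (slide 23):
# indicator -> how many other analysts reported it as a false positive.
CAL_FALSE_POSITIVES = {"evildomain.example": 0, "spoofed-exec.example": 4,
                       "benign-cdn.example": 9}
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


@dataclass
class Outcome:
    indicators: list                                    # iteration one: extracted and stored
    soc_notes: list = field(default_factory=list)       # iterations two/four: SOC email updates
    ir_slack: list = field(default_factory=list)        # iteration three: IR paged in Slack
    adversaries_updated: set = field(default_factory=set)  # iteration four: always updated


def extract_indicators(body):
    """Iteration one: pull domain indicators out of the alert email (hypothetical helper)."""
    return sorted(set(DOMAIN_RE.findall(body.lower())))


def run_playbook(body, requirement="whaling", intel=INTEL, cal_fp=CAL_FALSE_POSITIVES):
    """Route one alert email the way iterations two to four describe."""
    out = Outcome(indicators=extract_indicators(body))
    for ind in out.indicators:
        record = intel.get(ind)
        if record is None:
            continue                        # stored, but no match: nobody is told
        out.soc_notes.append(f"{ind}: matched ThreatConnect record")   # iteration two
        adversary = record["adversary"]
        if adversary is None:
            continue
        out.adversaries_updated.add(adversary)   # iteration four: updated regardless of outcome
        if requirement not in record["requirements"]:
            continue                        # no intel-requirement flag: stops at the SOC
        fps = cal_fp.get(ind, 0)
        if fps:                             # iteration four: CAL reports false positives
            out.soc_notes.append(f"{ind}: {fps} CAL false-positive reports, IR not paged")
        else:                               # iteration three: page the IR team in Slack
            out.ir_slack.append(f"{adversary} ({requirement}) indicator seen: {ind}")
    return out
```

The false-positive branch is the one worth watching: an indicator tied to a flagged adversary still goes back to the SOC, not to IR, when other analysts have reported it as noise.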
  • 25. Intelligence-Driven Defense: How does ThreatConnect Help?
    Intelligence
    ● Enriched data using reverse WHOIS
    ● Referenced intel on an existing adversary
    ● Use of intel requirements
    ● Used CAL to mitigate false positives
    Operations
    ● Notified all teams of the whaling scam requirement
    ● Slacked the IR team on alert
    ● CoA reported back to CTI
    ● Used CAL to mitigate false positives

  • 26. Questions?

  • 27. Thank You. THREATCONNECT.COM