Soltra Launch Site - Information Systems Security Association


Intelligence Driven
Community
Defense
David Eilken
Co-Chair
FS-ISAC Security Automation Working Group
OVERVIEW
 Cyber Intelligence – What, Why, Where
 A Vision for Community Defense
 Cyber Threat Intelligence Standards
 Maturing the Ecosystem
 How do We Get There
EXTERNAL THREATS GROWING
117,339 incoming attacks every day
The total number of security incidents detected by respondents climbed
to 42.8 million this year, an increase of 48% over 2013.
Findings from The Global State of Information Security Survey 2015 Graphic Source: PwC
EVOLUTION OF CYBER ATTACKS
Cyber Threats on the Private Sector
(Timeline graphic with markers at 1988, 2001, 2004 and 2010; the four eras, in order:)
•Fun – Technically curious individuals
•Fame – Technically adept groups leaving their mark on public websites
•Fortune – Cyber criminals and organized gangs stealing money, data, ransom schemes and competitive information
•Force – Nation states and non-nation state groups launching targeted attacks for strategic purposes
Nature of Threat: Academic; “Script Kiddies”; Commodity Threats; Advanced Persistent Threats (APT) – Targeting government entities; APT – Targeting private sector
WHO ARE THE ADVERSARIES?
Attacker Motivation, Capability & Intent (August 2014)
Cost legend: $ - Under thousands; $$ - Tens to hundreds of thousands; $$$ - Millions; $$$$ - Tens to hundreds of millions; $$$$$ - Billions
Criminals
•Motivation: Money, money, and more money
•Large number of groups
•Groups tend to have basic skills with a few 'standout' individuals with advanced technical and motivational skills
•Up to $ - $$
Hacktivists
•Motivation: Protest, revenge
•Large number of groups
•Skills from basic to advanced
•Present in virtually every country
•Up to $$$
Espionage
•Motivation: Acquiring secrets for national security or economic benefit
•Small but growing number of countries with capability
•Larger array of ‘supported’ or ‘tolerated’ groups
•Up to $$$$+
War
•Motivation is to destroy, degrade, or deny capabilities of an adversary; politics by other means
•Small but growing number of countries with capability
•Non-state actors may utilize ‘war’-like approaches
•Up to $$$$$ ? …but a lot less expensive than a nuclear weapon
THE NEED FOR SPEED
Attackers Act 150x Faster Than Victims Respond
 Minutes vs. Weeks/ Months
Attackers are FAST; response is SLOW.
Share of incidents by elapsed time:
                                           Seconds  Minutes  Hours  Days  Weeks  Months
Initial Attack to Initial Compromise          10%      75%    12%    2%     0%      1%
(Shorter Time Worse)
Initial Compromise to Data Exfiltration        8%      38%    14%   25%     8%      8%
(Shorter Time Worse)
Initial Compromise to Discovery                0%       0%     2%   13%    29%     54%
(Longer Time Worse)
EVOLUTION OF CYBER SECURITY DEFENSE
Yesterday’s Security – Network Awareness
Protect the perimeter and patch the holes to keep out threats; share knowledge internally.
Increasing Cyber Risks
• Malicious actors have become much more sophisticated & money driven.
• Losses to US companies now in the tens of millions; WW hundreds of millions.
• Cyber Risks are now ranked #3 overall corporate risk on Lloyd’s 2013 Risk Index.
Present Day Problem – Intelligence Sharing
Identify and track threats, incorporate knowledge and share what you know manually to trusted others.
Manually Sharing Ineffective
• Time consuming and ineffective in raising the costs to the attackers.
• Not all cyber intelligence is processed; probably less than 2% overall = high risk.
• No way to enforce cyber intelligence sharing policy = non-compliance.
Future Solution – Situational Awareness
Automate sharing – develop a clearer picture from all observers’ input and proactively mitigate.
We are Solving the Problem
• Security standards are maturing
• FS-ISAC has become the trusted model for sharing industry threat intelligence.
• Soltra Edge Cyber Intelligence Sharing Platform revolutionizing sharing and utilization of threat intelligence.
WHAT IS CYBER INTELLIGENCE
Information about cyber threats
• Bad people, things, or events
• Plans to attack victims
• Tactics used by bad people
• Actions to deal with bad events
• Weaknesses targeted by bad people
WHY CYBER INTELLIGENCE IS IMPORTANT
Tactical Uses
 Proactively detect or defend against attacks before they happen
 Diagnose infected corporate systems
Strategic Uses
 Compile and track bad people or things that don’t like you, your industry, or your
company – report out and potentially send to authorities
 Improve your security posture - The more you understand the things, people, and
organizations that are attacking you, the better you can defend yourself
Intelligence Can Help Protect You!
WHERE DOES CYBER INTELLIGENCE COME FROM?
Buy It
 Purchase from professional intelligence providers
Collect for Free
 From inside your organizational environment
 The Internet has many Open Source Intelligence (OSINT) feeds available
From Friends
 Information Sharing Communities or ISACs
 Business partners, associates, peers, etc.
Get from Authorities
 Government – DHS, FBI, etc.
INTELLIGENCE LIFE-CYCLE
What Do We Do With It? (What are we supposed to do with it?)
Security Operations – Intelligence Starts Here
#1 Collect → #2 Process → #3 Analyze → #4 Disseminate
Graphic Source: FBI
STEP #1 – IN THE REAL-LIFE CYCLE
(Cartoon: cyber analysts at Company Y (CIRC Analyst) and Firm X (SOC Analysts) eye each other with distrust, each insisting “My Wheel Better”, while time is waning.)
MACHINES CAN HELP, BUT FIRST…
…Machines Need a Language to Talk about Threats
STIX – Structured Threat Intelligence eXpression (like HTML) – stix.mitre.org
 Structured language used by machines to describe cyber threats
TAXII – Trusted Automated eXchange of Indicator Information (like TCP/ IP) – taxii.mitre.org
 Transport mechanism for cyber threat information represented in STIX
INTELLIGENCE DRIVEN COMMUNITY DEFENSE
(Diagram: the machines of an attacked organization feed automated defense; through FS-ISAC, trusted organizations are protected; through other ISACs, extended trusted organizations are protected.)
STIX CONSTRUCTS
An open standard to categorize cyber threat intelligence information
Levels: Atomic, Tactical, Operational, Strategic
Questions the constructs answer: What threat activity are we seeing? What threats should I look for on my networks and systems and why? Where has this threat been seen? What can I do about it? Who is responsible for this threat? Why do they do this? What weaknesses does this threat exploit? What do they do?
STIX ARCHITECTURE
The Power of Structured Intelligence
 Key to effective strategic cyber intelligence analysis and threat tracking
 Ability to pivot, view, analyze, and enrich complex relationships
STIX SAMPLE
Email Message Object
<cybox:Observable id="cybox:observable-6f45ce72-30c8-11e2-8011-000c291a73d5">
  <cybox:Stateful_Measure>
    <cybox:Object id="cybox:object-6dc7fc5a-30c8-11e2-8011-000c291a73d5">
      <cybox:Defined_Object xsi:type="EmailMessageObj:EmailMessageObjectType">
        <EmailMessageObj:Attachments>
          <EmailMessageObj:File xsi:type="FileObj:FileObjectType" object_reference="cybox:object-6dcae276-30c8-11e2-8011-000c291a73d5"/>
        </EmailMessageObj:Attachments>
        <EmailMessageObj:Links>
          <EmailMessageObj:Link type="URL" object_reference="cybox:guid-6dcb5fda-30c8-11e2-8011-000c291a73d5"/>
          <EmailMessageObj:Link type="URL" object_reference="cybox:guid-6ec9050e-30c8-11e2-8011-000c291a73d5"/>
        </EmailMessageObj:Links>
        <EmailMessageObj:Header>
          <EmailMessageObj:To>
            <EmailMessageObj:Recipient category="e-mail">
              <AddressObj:Address_Value datatype="String">[email protected]</AddressObj:Address_Value>
            </EmailMessageObj:Recipient>
          </EmailMessageObj:To>
          <EmailMessageObj:From category="e-mail">
            <AddressObj:Address_Value datatype="String">[email protected]</AddressObj:Address_Value>
          </EmailMessageObj:From>
          <EmailMessageObj:Subject datatype="String">Fw:Draft US-China Joint Statement</EmailMessageObj:Subject>
          <EmailMessageObj:Date datatype="DateTime">2011-01-05T12:48:50+08:00</EmailMessageObj:Date>
          <EmailMessageObj:Message_ID datatype="String">
            CAF=+=fCSNqaNnR=wom=Y6xP09r_wfKjsm0hvY3wJYTGEzGyPkw@mail.gmail.com
          </EmailMessageObj:Message_ID>
        </EmailMessageObj:Header>
        <EmailMessageObj:Optional_Header>
          <EmailMessageObj:Content-Type datatype="String">
            multipart/mixed; boundary=90e6ba10b0e7fbf25104cdd9ad08
          </EmailMessageObj:Content-Type>
          <EmailMessageObj:MIME-Version datatype="String">1.0</EmailMessageObj:MIME-Version>
          <EmailMessageObj:X-Mailer datatype="String">Microsoft CDO for Windows 2000</EmailMessageObj:X-Mailer>
        </EmailMessageObj:Optional_Header>
      </cybox:Defined_Object>
    </cybox:Object>
  </cybox:Stateful_Measure>
</cybox:Observable>
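The observable above, parsed by machine and matched against mail-gateway logs, as an added Python example that is not code from the deck or from Soltra. The XML inside it is constructed after the slide's sample: the namespace URIs are assumed (the excerpt omits them), the addresses are placeholders, and the log lines are constructed, so the parser matches on local tag names rather than depending on any particular URI.

```python
"""Parse a CybOX e-mail message observable (the shape on the slide) into a
flat record and look for sightings of it in mail-gateway log lines.
Added example, not code from the deck or Soltra: namespace URIs are assumed,
addresses are placeholders, and matching is done on local tag names only."""
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample modelled on the deck's "Email Message Object" slide.
SAMPLE_OBSERVABLE = """<cybox:Observable id="cybox:observable-6f45ce72-30c8-11e2-8011-000c291a73d5"
    xmlns:cybox="http://cybox.mitre.org/cybox_v1"
    xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <cybox:Stateful_Measure>
    <cybox:Object id="cybox:object-6dc7fc5a-30c8-11e2-8011-000c291a73d5">
      <cybox:Defined_Object xsi:type="EmailMessageObj:EmailMessageObjectType">
        <EmailMessageObj:Attachments>
          <EmailMessageObj:File object_reference="cybox:object-6dcae276-30c8-11e2-8011-000c291a73d5"/>
        </EmailMessageObj:Attachments>
        <EmailMessageObj:Links>
          <EmailMessageObj:Link type="URL" object_reference="cybox:guid-6dcb5fda-30c8-11e2-8011-000c291a73d5"/>
          <EmailMessageObj:Link type="URL" object_reference="cybox:guid-6ec9050e-30c8-11e2-8011-000c291a73d5"/>
        </EmailMessageObj:Links>
        <EmailMessageObj:Header>
          <EmailMessageObj:To>
            <EmailMessageObj:Recipient category="e-mail">
              <AddressObj:Address_Value datatype="String">analyst@example.org</AddressObj:Address_Value>
            </EmailMessageObj:Recipient>
          </EmailMessageObj:To>
          <EmailMessageObj:From category="e-mail">
            <AddressObj:Address_Value datatype="String">sender@example.net</AddressObj:Address_Value>
          </EmailMessageObj:From>
          <EmailMessageObj:Subject datatype="String">Fw:Draft US-China Joint Statement</EmailMessageObj:Subject>
        </EmailMessageObj:Header>
      </cybox:Defined_Object>
    </cybox:Object>
  </cybox:Stateful_Measure>
</cybox:Observable>"""


def _local(tag):
    """Strip the namespace: '{uri}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, *path):
    """Descend through child elements by local name; None if a step is missing."""
    for name in path:
        if elem is None:
            return None
        elem = next((c for c in elem if _local(c.tag) == name), None)
    return elem


def _text(elem, *path):
    node = _child(elem, *path)
    return node.text.strip() if node is not None and node.text else None


def _refs(elem, *path):
    parent = _child(elem, *path)
    return [] if parent is None else [c.get("object_reference") for c in parent]


def parse_email_observable(xml_text):
    """Flatten the observable into the fields a mail gateway can match on."""
    root = ET.fromstring(xml_text)
    msg = _child(root, "Stateful_Measure", "Object", "Defined_Object")
    if msg is None or not msg.get(XSI_TYPE, "").endswith("EmailMessageObjectType"):
        raise ValueError("not an EmailMessage observable")  # other object types need other parsers
    header = _child(msg, "Header")
    to_node = _child(header, "To")
    return {
        "observable_id": root.get("id"),
        "from": _text(header, "From", "Address_Value"),
        "to": [] if to_node is None else
              [v.text.strip() for v in to_node.iter() if _local(v.tag) == "Address_Value" and v.text],
        "subject": _text(header, "Subject"),
        "links": _refs(msg, "Links"),
        "attachments": _refs(msg, "Attachments"),
    }


# Constructed mail-gateway log lines (not from the deck).
MAIL_LOG = [
    '2011-01-05T05:01:12Z from=<sender@example.net> to=<cfo@example.org> subject="Fw:Draft US-China Joint Statement"',
    '2011-01-05T05:03:40Z from=<news@example.com> to=<cfo@example.org> subject="Weekly digest"',
    '2011-01-06T09:15:02Z from=<Sender@Example.net> to=<ceo@example.org> subject="Re: meeting"',
]
LOG_RE = re.compile(r'from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]*)> subject="(?P<subject>[^"]*)"')


def sightings(record, log_lines):
    """(line, matched_fields) for each log line hitting the indicator; sender
    alone is a weak hit, sender plus subject a strong one."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        fields = []
        if record["from"] and m["frm"].lower() == record["from"].lower():
            fields.append("from")  # addresses compare case-insensitively
        if record["subject"] and m["subject"] == record["subject"]:
            fields.append("subject")
        if fields:
            hits.append((line, fields))
    return hits
```

Running `sightings(parse_email_observable(SAMPLE_OBSERVABLE), MAIL_LOG)` flags the first line on both sender and subject and the third on sender only; the `object_reference` values for links and attachments are kept as-is, since in CybOX they point at separate File and URI objects that would be resolved by the same observable-id lookup before the hashes or URLs can be matched.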
HOW HUMANS VIEW INTELLIGENCE
Hey Mom! Watch Me Pivot!
(Relationship graph from the slide; nodes and links as recoverable from the image:)
Observable (email – Sender: John Smith, Subject: Press Release) → Indicator: Electronic Address → Observed TTP: Spear Phishing Email (Initial Compromise)
Observable (MD5: d8bb32a7465f55c368230bb52d52d885) → Indicator: Malware Behavior → Observed TTP: WEBC2 (Establish Foothold)
Observed TTP: Escalate Privilege – Uses Tool: cachedump, lslsass
Observed TTP: Internal Reconnaissance – Attack Pattern: ipconfig, net view, net group “domain admins”
Observed TTP: Exfiltration – Uses Tool: GETMAIL
Associated Actor: Leet – Pamina Republic Army, Unit 31459
Targets: Khaffeine, Bronxistan, Perturbia, Blahniks, ...
Leverages Infrastructure: C2 Servers – IP Range: 172.24.0.0-112.25.255.255
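The "pivot" the slide illustrates, as an added Python example that is not code from the deck or from Soltra: the fictional nodes and links are the slide's, but the graph model (typed nodes with directed, labelled edges that an analyst may follow in either direction) and the node ids are my assumptions.

```python
"""Pivot across a STIX-style relationship graph like the one on the slide.
Added example, not code from the deck or Soltra. Node labels and links are the
fictional ones on the "Watch Me Pivot" slide; the graph model (typed nodes,
directed labelled edges, traversed in both directions) is an assumption."""
from collections import deque

NODES = {  # id: (STIX construct, label)
    "obs-email": ("Observable", "Sender: John Smith, Subject: Press Release"),
    "ind-address": ("Indicator", "Electronic Address"),
    "ttp-phish": ("TTP", "Spear Phishing Email (Initial Compromise)"),
    "obs-md5": ("Observable", "MD5 d8bb32a7465f55c368230bb52d52d885"),
    "ind-malware": ("Indicator", "Malware Behavior"),
    "ttp-webc2": ("TTP", "WEBC2 (Establish Foothold)"),
    "ttp-escalate": ("TTP", "Escalate Privilege"),
    "ttp-recon": ("TTP", "Internal Reconnaissance"),
    "ttp-exfil": ("TTP", "Exfiltration"),
    "tool-cachedump": ("Tool", "cachedump"),
    "tool-lslsass": ("Tool", "lslsass"),
    "tool-getmail": ("Tool", "GETMAIL"),
    "infra-c2": ("Infrastructure", "C2 Servers"),
    "actor-leet": ("ThreatActor", "Leet (Pamina Republic Army, Unit 31459)"),
    "tgt-khaffeine": ("Target", "Khaffeine"),
    "tgt-bronxistan": ("Target", "Bronxistan"),
    "tgt-perturbia": ("Target", "Perturbia"),
    "tgt-blahniks": ("Target", "Blahniks"),
}

EDGES = [  # (source, relationship, destination)
    ("ind-address", "observable", "obs-email"),
    ("ind-address", "indicated_ttp", "ttp-phish"),
    ("ind-malware", "observable", "obs-md5"),
    ("ind-malware", "indicated_ttp", "ttp-webc2"),
    ("actor-leet", "observed_ttp", "ttp-phish"),
    ("actor-leet", "observed_ttp", "ttp-webc2"),
    ("actor-leet", "observed_ttp", "ttp-escalate"),
    ("actor-leet", "observed_ttp", "ttp-recon"),
    ("actor-leet", "observed_ttp", "ttp-exfil"),
    ("actor-leet", "leverages_infrastructure", "infra-c2"),
    ("ttp-escalate", "uses_tool", "tool-cachedump"),
    ("ttp-escalate", "uses_tool", "tool-lslsass"),
    ("ttp-exfil", "uses_tool", "tool-getmail"),
    ("actor-leet", "targets", "tgt-khaffeine"),
    ("actor-leet", "targets", "tgt-bronxistan"),
    ("actor-leet", "targets", "tgt-perturbia"),
    ("actor-leet", "targets", "tgt-blahniks"),
]


def adjacency(edges=EDGES):
    """Undirected view: an analyst pivots along a relationship either way."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((dst, rel))
        adj.setdefault(dst, []).append((src, rel))
    return adj


def pivot(start, target_type, nodes=NODES, edges=EDGES):
    """Breadth-first pivot from start to the nearest node of target_type.
    Returns [(relationship, node_id), ...] beginning with (None, start), or None."""
    adj = adjacency(edges)
    seen = {start}
    queue = deque([(start, [(None, start)])])
    while queue:
        node, path = queue.popleft()
        if node != start and nodes[node][0] == target_type:
            return path
        for nxt, rel in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(rel, nxt)]))
    return None


def related(start, target_type, nodes=NODES, edges=EDGES):
    """Labels of every node of target_type reachable from start, e.g. 'which
    tools does the actor behind this hash use?' as one query."""
    adj = adjacency(edges)
    seen, stack, found = {start}, [start], set()
    while stack:
        node = stack.pop()
        if node != start and nodes[node][0] == target_type:
            found.add(nodes[node][1])
        for nxt, _ in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return found


def describe(path, nodes=NODES):
    """Render a pivot path as one readable line."""
    parts = []
    for rel, node in path:
        kind, label = nodes[node]
        parts.append(f"{kind}[{label}]" if rel is None else f"--{rel}--> {kind}[{label}]")
    return " ".join(parts)
```

`pivot("obs-md5", "ThreatActor")` walks hash → Indicator → TTP → actor, which is the chain a human traces by hand on the slide; `related("obs-md5", "Tool")` then answers "what else does that actor use?" in one traversal, which is the point of storing the intelligence as structured, linked objects rather than as a flat indicator list.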
LET’S NOT FORGET THE TRANSPORT STANDARD
STIX without TAXII …Like a wheel without an axle
STIX with TAXII
STIX & TAXII… JUST THE BEGINNING
Cyber Security Measurement and Management Architecture – Standards across the Security Lifecycle (Source: MITRE)
YOU ARE HERE
STIX & TAXII Adoption Curve (Maturity % over Time): Awareness, Notepad, Excel, Trial, Intelligence Server, Intelligence Network, Adoption, Ubiquity
MATURING AN ECOSYSTEM
Sharing Communities
 ISACs
 Government
 Individuals
Security Vendors
 Service Providers
 Vendor Products
Consumers of Security Products and Intelligence
 Large
 Medium
 Small
CHANGING THE ECONOMICS
Cost to Firms: The current cost to process a single piece of intelligence is 7 hours. Equal to 2014 = $100m; 2015 = $1b; 2016 = $4b
Cost to Adversaries: Adversaries must “re-tool” much more often and their exploits cause less damage
Risks from Cyber Threats: Frequency and impact of threats decrease while higher adoption leads to exponential benefits
Cyber Warfare Symmetry (chart: Cost to Defend and Cost to Attack, Min to Max, against Policy Effectiveness)
Current State of Cyber-Symmetry (Unsophisticated Adversaries Can Play) – Advantage: Attackers
Future State of Cyber-Symmetry (Only Most Advanced Can Play) – Advantage: Defenders
CYBER INTELLIGENCE MATURITY
Enriched – Communities of industry verticals fight the same threats, and have the most to share about their adversaries.
Actionable – Structured data can be understood by machines. Machines can detect, share, and make defensive adjustments at wire-speed.
Accessible – Far beyond just a select few that have access to organized data; an entire community can now be empowered.
Increasing Situational Awareness => Increasing Cost to Adversaries
SITUATIONAL AWARENESS
Levels of Cyber Intelligence (bottom to top):
DATA – Discrete Elements; Aggregation and Normalization
  => PROCESSING
INFORMATION – Linked Elements; Pattern Recognition; Localized Data Correlation
  => ANALYSIS
KNOWLEDGE – Organized Information; Deductive Reasoning; Some Contextual Knowledge
  => JUDGMENT
WISDOM – Actionable Intelligence; Pro-Active Auto-Response
COMMUNITY – IT TAKES A VILLAGE…
Strategic Intelligence
Operational Intelligence
CONSUMER FREEDOM
HISTORY OF AVALANCHE
Security Automation Working Group
 Started in early 2012 prior to STIX 1.0
 Small group of security professionals
 Steadily grew STIX & TAXII awareness and involvement
Started with an idea to automate sharing of intelligence
Listened to security analysts – Broke down the problem
Prioritized and built in chunks – Didn’t boil the ocean
Relied on open standards as the base and became STIX & TAXII experts
Built an initial Central Intelligence Repository for the SAWG members
Utilized scripts to pull data, then push data (the SAWG community helped a lot)
Realized we needed not just a server and some client side scripts…
WHAT IS SOLTRA
A Company for the Community
 Increasing adoption of STIX & TAXII to reduce friction in security operations
 Formed with the support of the FS-ISAC community & backing of DTCC scalability
 Market Changing - created for the good of the information security consumer
 At-Cost Business Model – generates revenue just to keep the lights on
Continue Driving the Technology
 Innovate on open standards to automate the sharing of cyber threat intelligence
 A Platform for Everyone – can be extended to all sizes of financial services firms,
other sharing communities and industry verticals
 Enabling seamless integration across security lifecycle solutions (threat intelligence,
firewalls, intrusion detection, anti-virus, etc.)
 10x reduction to collect/ process intelligence & cost to respond
SOLTRA | AN FS-ISAC DTCC COMPANY
SOLTRA EDGE OVERVIEW
Basis for a Cyber Intelligence Sharing Network
 Like an Intelligence Server and Router
 Big Data STIX Store, Sends & Receives via TAXII w/ Access Control
Key Features
 Instant Aggregation of Intelligence from Sources You Choose
 On-Premise – you own and control your data and sharing
 Collect, Process, and Disseminate (Internal & External) to Standards Based Devices
 De-Duplication and Automatic Sightings (+1)
 Trust Groups and Traffic Light Protocol Control Data Access
 Hides Complex STIX & TAXII with simple user interface
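The de-duplication, automatic sightings (+1) and trust-group/TLP access control listed above, as an added Python example that is not Soltra Edge code. The indicator record shape, the trust groups and organisations, and the exact dissemination rules are assumptions for the demo; the colour meanings follow the usual Traffic Light Protocol convention (RED for the originator only, AMBER for the group it was shared into, GREEN for the wider community, WHITE for anyone).

```python
"""Minimal structured-intelligence store: de-duplicates indicators, records an
automatic sighting (+1) when a duplicate arrives, and filters what each
organisation may receive by Traffic Light Protocol marking and trust group.
Added example, not Soltra Edge code; record shape, groups and rules are assumed."""
import hashlib
from dataclasses import dataclass, field

TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}

# Constructed trust-group membership (hypothetical organisations).
MEMBERS = {
    "bank-a": {"community", "core"},
    "bank-b": {"community", "core"},
    "bank-c": {"community"},
    "vendor-x": {"community"},
}


def canonical_key(ind_type, value):
    """Normalise so the same indicator from two sources de-duplicates to one key."""
    v = value.strip().lower()
    if ind_type == "domain":
        v = v.rstrip(".")          # a trailing dot is the same FQDN
    return hashlib.sha256(f"{ind_type}:{v}".encode()).hexdigest()


@dataclass
class Indicator:
    ind_type: str
    value: str
    tlp: str
    group: str                     # trust group the indicator was shared into
    sources: set = field(default_factory=set)
    sightings: int = 1


class IntelStore:
    def __init__(self):
        self.by_key = {}

    def ingest(self, ind_type, value, tlp, source, group):
        """Store a new indicator, or merge a duplicate as a sighting.
        Returns (indicator, "new" | "sighting")."""
        key = canonical_key(ind_type, value)
        ind = self.by_key.get(key)
        if ind is None:
            ind = Indicator(ind_type, value.strip(), tlp, group, {source})
            self.by_key[key] = ind
            return ind, "new"
        ind.sightings += 1             # automatic sighting (+1)
        ind.sources.add(source)
        if TLP_RANK[tlp] > TLP_RANK[ind.tlp]:
            ind.tlp = tlp              # merged record keeps the most restrictive marking
        return ind, "sighting"

    def visible_to(self, org):
        """Indicator values org may receive under the TLP/trust-group rules above."""
        groups = MEMBERS.get(org, set())
        out = []
        for ind in self.by_key.values():
            allowed = (
                ind.tlp == "WHITE"
                or org in ind.sources                          # your own submissions are always yours
                or (ind.tlp == "GREEN" and "community" in groups)
                or (ind.tlp == "AMBER" and ind.group in groups)
            )
            if allowed:
                out.append(ind.value)
        return sorted(out)


def build_demo_store():
    """Constructed feed of five submissions; the MD5 is the fictional one from the deck."""
    store = IntelStore()
    store.ingest("domain", "evil.example.", "AMBER", "bank-a", "core")
    store.ingest("domain", "EVIL.example", "GREEN", "bank-b", "community")   # duplicate -> sighting
    store.ingest("ipv4", "203.0.113.7", "RED", "bank-c", "community")
    store.ingest("md5", "d8bb32a7465f55c368230bb52d52d885", "WHITE", "vendor-x", "community")
    store.ingest("ipv4", "198.51.100.5", "GREEN", "bank-c", "community")
    return store
```

In the demo feed the second submission of the domain (different case, no trailing dot, a looser GREEN marking) collapses into the first record as a sighting, and the merged record keeps the AMBER marking of the first submitter: so `bank-a` and `bank-b` see it, the community-only `vendor-x` does not, and an organisation outside every trust group receives nothing but the WHITE hash. Keeping the most restrictive marking on merge is the conservative choice; a platform that instead let a later, looser marking widen distribution would leak the original submitter's AMBER data.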
David Eilken
VP Product Strategy
Soltra
SOLTRA EDGE
The Center of an Open Framework
 Primary Data Store for Structured Intelligence
 Connects your STIX and TAXII enabled tools
SOLTRA EDGE
Foundation of a Security Network
 Structured Intelligence Server and Router
 Can act as a TAXII Gateway to other STIX sources
SOLTRA EDGE
Hides Complexity of STIX & TAXII
 Simple and Intuitive Interface
 Visualize, Create, and Move Intelligence