The Business Benefits of Threat Intelligence Webinar

1© Cyber Squared Inc. 2014

THE BUSINESS BENEFITS OF THREAT INTELLIGENCE

3-12-2014


WHO AM I?• CEO of Cyber Squared Inc., the company behind

ThreatConnectTM.• Founding member of the company, started in 2011.• Experience in programming, network security, penetration

testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security.


AGENDA• Background• Defining ROI for Threat Intelligence• Making Assumptions Up Front • Modeling Your Expectations• Measuring the Reality• Taking Action


WHAT MAKES GOOD THREAT INTELLIGENCE?

Aggregate Analyze ActLifecycle

• Accurate• Aligned with your

requirements• Integrated

• Predictive• Relevant• Tailored• TimelySource: Rick Holland (Principal Forrester Analyst) Blog Post Titled “Actionable

Intelligence, Meet Terry Tate, Office Linebacker”

Attributes to Measure Threat Intelligence:


BUSINESS NEED

ERP/Manufacturing

2015

1980’s

Every other part of the business has evolved to necessitate a platform to increase productivity and measure effectiveness. It’s your turn!

Enterprise Security

Support/Helpdesk

CRM/Sales

Finance/HR

Marketing


CONNECTED COLLABORATION

SOC

Incident Response

Threat Analysts

IT/Compliance

Malware Analysts

CISO/CIO

Intelligence Sources

Commercial

Open Source

Communities

Sharing

Internal

Actionable Integrations

SIEM

IPS/IDS, Firewalls

Gateways

Endpoint, Response

DLP, NAV


TM FORUM CATALYST PHASE 2• Going beyond: “This Threat Intelligence stuff is a great

idea!”: • AT&T, Bell Canada, Birmingham City University, cVidya, ThreatConnect, Edge

Technologies, EMC/RSA, MITRE, Orange, Security Fabric Alliance, Symantec, Telecom New Zealand, Telstra, and the UK MOD’s Defence Science and Technology Laboratory (DSTL) .

• TM Forum Sharing Threat Intelligence Catalyst Phase 2• Phase 1: Sharing Threat Intelligence Architecture & Whitepaper• Phase 2: Defined Security Personnel Personas• Phase 2: Produced Threat Intelligence ROI Calculator• Phase 2: Demonstration showing successful implementation of Threat Intelligence

sharing in support of a sophisticated Distributed Denial of Service (DDoS) use case.


ROI OF THREAT INTELLIGENCE

CostSecurity Investment

Threat Intelligence

Knowledge Assumptions

Existing Automate Collaborate

+ =


FIND MORE THREATS, FASTER

4x/Day

1x/Day

4x/Day

5x/Day

100x/Day

Threat Discovery and Focused Pursuit Activities

Time Comparison:with and without TI

Spearphish Email Analysis and Conviction

Malware Correlation with past targeting

Analyze, Correlate, Database New Domains, IP Addresses, Registrant Info

Track Malicious Domains, IP addresses, Registrant Info

Analyst IR and Threat Correlation Tasks


SECURITY PROCESSES• Calculator Example: 8 Step Incident Response Process:

• Identify the Intrusion• Step 1: Create and task defensive signatures• Step 2: Maintain awareness of adversary changes to Threat Activity/Infrastructure

• Scope the Intrusion• Step 3: Perform exploit/malware analysis• Step 4: Update signature base• Step 5: Link activity to any known groups of related activity

• Mitigate/Step the Intrusion• Step 6: Take action to cut off intruder access to the network• Step 7: Monitor for changes in Threat Activity

• Strategically React to Threats• Step 8: Generate reports on Threat trends for executives


USER TYPES

SOC

Incident Response

Threat Analysts

IT/Compliance

Malware Analysts

CISO/CIO


THREAT INTELLIGENCE PERSONAS

Name: Joe Role: Security Executive

Motivation/Problem

My company is at risk and we need to be keeping up with threat trends

Other executives I know in my industry are being / have been targeted

Identified Four Main Categories of Users: Threat Intelligence, Security Operations, Business Executives, and IT Leadership/Staff

Name: Peter Role: IT Operations

I need to protect my assets

My company is at risk and we need to be keeping up with threats to my business operations

Name: Jane Role: Threat Analyst

I need to make my threat analysis faster, easier, and more thorough without spending more money and time

Name: Jack Role: Security Operations

My company and/or industry is likely being targeted

I need to protect corporate data but don’t have the resources internally or don’t know where to start


ASSUMPTIONS• Process Assumptions:

• Persona Costs – What is the hourly cost per Persona?• Steps – What are steps of the security process? • Personas Involved – Who are the actors of the process?

• Knowledge Assumptions (Defined Per Process Step):• Existing – How likely is it that you will find knowledge in a finished state when you

need it?• Automation – How much efficiency is gained via automation?• Collaboration – What is the efficiency gained by working with others?

• Cost Assumptions: • Incidents per Year – How many events will you have that require process?• Average Cost of an Intrusion – What is the average cost of an intrusion?


MODELINGHourly Cost per Persona

Existing

AutomationCollaboration

Make Assumptions

Potential Cost of Compromise

Model & Measure

V1.0 contributed to TM Forum for incorporation to

Fx13.5 release


RESULTS (FROM SAMPLE)Measurement Topics Type ValueTime Commitment to understand Threat to business operations Hours 200Lower Costs to obtain a larger understanding of the threat $$ Savings $33,450Obtain insights that would not be otherwise obvious (from existing knowledge) Insights 37%Increase Automation to increase efficiencies Efficiency 45%Increase insights due to collaboration Additional Insights 2%Total Efficiencies from applying CTI Total Efficiency/Insights 84%

Number of Incidents per Year 5Projected Annual Cost without CTI $199,000Projected Annual Cost with CTI $31,750Projected Annual Savings $167,250Savings Percentage 84%


Prioritize

Plan

TAKING ACTION

Defend

Learn

Understand Threats to

your Organization


TAKE AWAY• You don’t have a choice

• Cyber Threat Intelligence starts with understanding “Your Needs”

• Sharing is a new paradigm in cyber security

• This calculator helps you measure something that historically has not been measured

• We would love to help you customize the calculator to quantify your own cyber threat sharing needs and efforts


THANK YOU & QUESTIONS

Download the Threat Intelligence Sharing ROI Calculator from:

http://bit.ly/threatcalc

Adam Vincent, CEO, [email protected] Visit www.ThreatConnect.com for more information.