Infosecurity Europe 2016: Operationalizing Threat Intelligence
•Transferir como PPTX, PDF•
1 gostou•564 visualizações
Splunk presentation from inbooth theatre at Infosecurity Europe 2016 on the tips to accelerate threat detection, investigation and response
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (11)
Semelhante a Infosecurity Europe 2016: Operationalizing Threat Intelligence
Semelhante a Infosecurity Europe 2016: Operationalizing Threat Intelligence (20)
Mais de Splunk
Mais de Splunk (20)
Último
Último (20)
Infosecurity Europe 2016: Operationalizing Threat Intelligence
- 1. Copyright © 2016 Splunk, Inc. Operationalizing Threat Intelligence Learn How to Accelerate Threat Detection, Investigation & Response
- 2. Fill out the Postcard and win a SONOS Play:1 today "currentTrack":{ "artist":"College", "title":"Teenage Color - Anoraak Remix", "album":"Nightdrive With You", "albumArtURI":"/getaa?s=1&u=x- sonos- spotify%3aspotify%253atrack%253a 3DjBDQs8ebkxMBo2V8V3SH%3fsid %3d9%26flags%3d32", "duration":347, "uri":"x-sonos- spotify:spotify%3atrack%3a3DjBDQ s8ebkxMBo2V8V3SH?sid=9&flags=3 2" },
- 3. Are you using Splunk already?
- 4. What are common SecOps problems? Malicious activities go undetected or are difficult to prevent All threats look equally ominous Long cycles to detect and respond 4 Security teams need to quickly identify and remediate issues – from early warning to breach investigation
- 5. Why Threat Intelligence? Difficult to keep up with rapidly evolving threat landscape Know your adversaries so that you can develop strategies to remediate attacks Internal resources – people, tools, process are unable to keep up Use 3rd party knowledge – collective intelligence ? Uncover compromised systems and search for advanced threats Scope and investigate potential threat 5
- 6. What Does Threat Intelligence Consist Of? ”Feeds” – sources of threat intelligence Platform or product with ability to ingest feeds Visualize of threat indicators Ability to correlate across all context 6
- 7. Widening the Net 7 Law Enforcement Feeds Broad Coverage Multiple Threat Intelligence Feeds From Various Sources ISAC Feeds Agency Feed Commercial Service Community Feed Open- Source Feed Other Enrichment Services Each feed provides unique perspective on threat Each feed provides different benefit Multiple feeds provide better “coverage”
- 8. Law Enforcement Feeds TAXII Cybox XML distribute OpenIOC Formatted text Emails RSS CSV Flat file push pull redistribute retrieve Broad Coverage via Multiple Threat Intelligence Feeds From Various Sources STIX REST Proprietary Proprietary Unstructured text transmission type transport / messaging Data formats Use (task)ISAC Feed 1 ISAC Feed 2 Agency Feed 1 Agency Feed 2 Commercial Service 2 Commercial Service 1 Community Feed Open- Source Feed Other Enrichment Services Other Enrichment Services Gather intel on darknets Gather intel per industry Onboard new intel Centralize all intel Monitor and triage alerts Update ticket status / details Auto-search, real time Auto-search, historical Use for analysis / IR Collect / provide forensics Use to hunt / uncover Use to hunt / link events Determine impact on network Determine impact on assets Determine impact on data Share info with partners It does not have to be this complex
- 9. Threat Intel feeds 9 Law Enforcement Feeds ISAC Feed 1 ISAC Feed 2 Agency Feed 1 Agency Feed 2 Commercial Service 2 Commercial Service 1 Community Feed Open- Source Feed Other Enrichment Services Other Enrichment Services Focus on using Threat Intel to investigate and remediate not on how to bring the data in
- 10. Collect, manage Categorize Correlate Search Data Management Threat Activity Correlation Data / Notable Events Data Search Threat Intelligence Framework Framework built-in Splunk Enterprise Security
- 11. Threat Intel Splunk Threat Intelligence Ecosystem Splunk Security Ecosystem as of 2015-11-02 11
- 12. Threat Data Sources • Agencies • Relationships • Vendor Subscriptions • ISACs Customer Success #1 12 Splunk Threat Intelligence Framework • Malicious IP / URLs Blocked • Compromised Credentials Remediated • Impostor and New Domains Identified Result: Actionable Intelligence Summary • 25% of Threat Intelligence data feeds are actionable • 90% of infections are blocked, most malware alerts “eliminated” with no impact to use • Found compromised accounts/activity
- 13. Threat Data Sources • 50+ Pre-packaged free feeds • Own content Customer Success #2 13 Splunk ES Threat Intelligence Framework Automated IoC blocking Summary • Automated detection and block of indicators of compromise • Improved efficiency • Reduced time to remediation Other 3rd party feeds Facebook Threat Exchange
- 14. Splunk helps you to Operationalize Threat Intel Automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources. Integrated support for standards such as STIX/TAXII and OpenIOC Build your own data to create your own Threat Intelligence Out of the box Activity and Artifact dashboards Prioritize, contextualize and analyze threats and remediate faster 14
- 15. MBDA Germany Drives Security Intelligence With Splunk Enterprise Security • Enabling the security operations center (SOC) team to work very efficiently • Since deploying ES, the average time to analyze a CERT message has been reduced from an average of 372 minutes to just 15. • Real-time alerts identify attacks that would previously have gone undetected • Analysis of historical data informs future security measures, resulting in a more resilient security posture overall ““Splunk dramatically reduces security risks at MBDA Germany. The software helps us to work much more efficiently, gain visibility across our entire network, react more quickly to security breaches and use insights from our data analysis to inform our future security strategy.”.” — Head of IT and Project Manager Information Technology, MBDA Germany
- 16. Hands-on: Try the Online Sandobx 7 Day personal environment www.splunk.com 16
- 17. Fill out the Postcard and win a SONOS Play:1 today "currentTrack":{ "artist":"College", "title":"Teenage Color - Anoraak Remix", "album":"Nightdrive With You", "albumArtURI":"/getaa?s=1&u=x- sonos- spotify%3aspotify%253atrack%253a 3DjBDQs8ebkxMBo2V8V3SH%3fsid %3d9%26flags%3d32", "duration":347, "uri":"x-sonos- spotify:spotify%3atrack%3a3DjBDQ s8ebkxMBo2V8V3SH?sid=9&flags=3 2" },
- 18. Copyright © 2016 Splunk, Inc. Thank you
Notas do Editor
- Malicious Activities are Going Undetected Compromised systems, APTs, activity with specific patterns or characteristics Malicious Activities are Difficult to Prevent Limited actionable intelligence to scope and disrupt threats, how to prioritize actions? Response Times are Slow Scoping / closing breach spans SOC tiers, manual steps, difficult to anticipate / mitigate Lost Time and Resources Overhead in managing IoCs, multiple sources and people involved ”Prioritize” Threats Need visibility into a given threat and ability to weigh / assign scores Long Cycles to Improve Security Posture Accurate detection requires verifying, key context / actionable data
- accuracy and coverage, protect better via context / actionable data
- Mention Threat Artifact and Threat Activity Put the graphics in the next page.
- Industry • Manufacturing Splunk Use Cases Security Incident Investigation Threat Intelligence Correlation of CERT Tickets Challenges Lack of visibility across entire infrastructure Undetected security threats in the network Splunk Products • Splunk Enterprise • Splunk Enterprise Security Data Sources Network logs Endpoint logs Server logs Data from switches Data from gateways Authentication logs Case Study http://www.splunk.com/en_us/customers/success-stories/mbda.html