Cyber intelligence in an online world - Home - VOXvox.veritas.com/legacyfs/online/veritasdata/3...


Page 1: Cyber intelligence in an online world - Home - VOXvox.veritas.com/legacyfs/online/veritasdata/3 LONDON VIS James... · SYMANTEC VISION SYMPOSIUM 2014 Cyber intelligence in an online

SYMANTEC VISION SYMPOSIUM 2014

Cyber intelligence in an online world

James Hanlon CISM, CISSP, CMI

Cyber Strategy & GTM, EMEA


Software and data powers the world


From a cyber security perspective there’s more and more to protect in more and more places

• Coffee Shop
• Office
• Home
• Airport …
• Industrial Devices
• Government Data
• Web Transactions
• Corporate Assets


And, there’s a critical imbalance between cyber attackers and cyber defenders

ATTACKERS

• Can focus on one target
• Only need to be right once
• Hack can be worth millions of dollars
• Focus only on getting in
• Attackers can buy and test security products

DEFENDERS

• Must defend everything
• Need to be right every time
• Blocks are expected & maintain status quo
• Must balance defense with business impact
• Defenders can’t pre-test targeted malware


But, it is impossible to implement an attack without leaving a trace……

Network Server Endpoint


How do we counter this threat?

with better cyber intelligence

BIG DATA


How can we apply better cyber intelligence?

If only we could use our collective insight & technologies to watch for activities, determine patterns, and find anomalies.

enabling us to better…

• prepare
• detect
• respond
• recover
• protect


What if…

• We could collect info from every endpoint, network device, and server

• We could watch this data at the enterprise level – looking for patterns and anomalies

• We could apply knowledge and learning from across global communities

[Diagram labels: DEVICES; ENTERPRISE; CLOUD; Apply context; Correlate & prioritize; Indicators of breach; Knowledge about URLs, file hashes; Attack patterns & actors; Correlation across ecosystems]


We can do those things

• Data analysis value comes from ability to apply intelligence from multiple sources

• Data value comes from volume & variety

[Diagram labels: DEVICES; ENTERPRISE; CLOUD]


Unified Intelligence Vision

Symantec will provide a unified security threat intelligence platform that leverages the combined visibility and intelligence of all of our offerings (augmented by 3rd-party data) to help you better prepare, detect, protect, and respond, better than anyone else.


Unified Security Future state

1 Collect telemetry across all products
2 On-premise submission gateway
3 Unified big data platform
4 On-premise incident/forensics/analytics console
5 Analytics apps & 3rd party app ecosystem
6 “Social Platform” for sharing security artefacts/policies
7 Managed Services incident/forensics/analytics
8 Cloud-based incident/forensics/analytics

[Diagram labels: Hub; Telemetry; IoCs, Incidents; Hosted security (E-mail, web); 3rd-party Firewall; 3rd party clouds; Data Center Security; Threat Gateway; Data Loss Prevention; Email Gateway; Endpoint Protection; Mobile Security; Identity Gateway]


Unified Security next steps
Leveraging our intelligence

• Managed Security Services: ATP
• Gateway Security: Threat Defense
• Deepsight & Managed Adversary Intelligence
• Global Community Intelligence


Unified Security: Why Symantec?

Symantec has the data footprint

• 100s of millions of contributing sensors

Symantec has the data diversity

• We will collect data across every control point
  ‒ Desktop, server, cloud, mobile, etc.
• We will collect data across all of our products
  ‒ Endpoint protection, gateway protection, data loss prevention, identity gateway, mobile management, encryption, compliance, etc.

Symantec has the big data experience

• Spent the last 6 years developing our advanced security big data system
  ‒ Provides real-time protection to 100s of millions of systems
  ‒ Holds 3.7 trillion security events, and collects 200,000 new events every second
• We will build on this experience to collect much more data across all of our products moving forward


How to get more information…

• Attend one or more VISION sessions on our new advanced threat solutions from Symantec

• Book a 121 with one of our experts onsite

• Take the “Cyber V” Risk Calculator Assessment

• https://www.symantec-cyberv.com/calculator/event/cstl-cyber-assesment


Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


James Hanlon


Cyber Intelligence-Led Security

Symantec VISION Symposium Marc Lueck, 21/10/2014


Who is Pearson?
World’s leading Education company

Our Perimeter? What Perimeter?

What does our landscape look like?

• Over 2700 Web Applications

• Over 21000 registered domains

• Over 9000 externally facing hosts

• 48 major networks, many smaller ones

• Bring your own App / Cloud / Device

• Significant consumer of Google services

Our attackers don’t care.


In Partnership with Symantec
Protecting our estate with

Preventative and detective controls

• SEP – protecting our end users and much of our server estate

• CSP/DCS – protecting our most critical assets

• DLP – Detecting movement of data

• MSS – Monitoring everything we can

Infrastructure intelligence

• Deepsight – One of the cornerstones of our Threat Intelligence service


How can enterprise leverage intelligence?
Tools can’t solve the problem alone

Hunters and Chasers

• Understand your roles – ensure tasks & teams are appropriate.

• Highly skilled analysis is still required – hire it, buy a service, or both.

Plan your Programme

• Understand and choose your data sources, internal and external.

• Ensure operational metrics and quality can be measured.

• Have a vision for output – what will this service deliver?

• Understand your audience.

[Diagram labels: Threat Management; Hunters; Analysis; Research; Chasers; Operations; Tracking & Reporting; Threat Intel Service; Tools; Output; Research; Intelligence Data]


Threat Intelligence
Makes controls work better

[Diagram labels: Action; Infrastructure Intelligence; Adversary Intelligence; Trends and Research Intelligence; Real-Time IT Intelligence]


Infrastructure Intelligence
Know your estate, not just your controls

Visibility is key

• Access or maintain as much of a view of your estate as possible

• Vulnerability scanners, compliance management, firewall management, network management and CMDBs can all be great sources of Threat Intelligence

• Use these tools to create threat models

Access or maintain as much information as possible about your estate


Trends and Research
How do we keep up?

Pearson GTM has built a research monitoring capability using Twitter

Shellshock:

• Released internal advisory 4 hours before US-CERT

• Early visibility had us defining scope 24 hours before IT news picked story up

• In remediation phase before mainstream media reports released

During Shellshock, GTM kept management and remediation teams up to date on new developments including new exploits, proposed patches and workarounds, and the change of attack vector into an automated worm – within minutes of these developments occurring.


Adversarial Intelligence
Who is attacking us?

• Learning more about our attackers, their methods and what they talk about provides very valuable intelligence

• Security Sharing communities

• HoneyNets

• False accounts

Some level of monitoring adversaries will put you in the same league as top agencies, and it can cost very little!


Real-Time IT Intelligence
Gain great situational awareness

Ensure you consume the output of your controls

• SIEMs are great – but are you doing anything with their output?

• Integrate your TI service with Security Incident Response.

• Advanced threat protection – if you invest in the tool – make sure it’s operationalised.


Communicate Credibly
Don’t be a “Chicken Little”

Ensure you communicate appropriately

• Be sober

• Don’t forget likelihood

• Assess the risk of doing nothing

Capitalise on Success!

Never let a crisis go unexploited. Our Heartbleed and Shellshock responses, although not perfect, have been used to build credibility and communication channels – but only if done credibly!


Threat Intelligence Makes Controls Work Better

[Diagram labels: Actions; Infrastructure Intelligence; Adversary Intelligence; Trends and Research Intelligence; Real-Time IT Intelligence]

• Invest in Your Team

• Plan Your Programme

• Get Close to Your Sources

• Communicate Credibly
