Transcript of "Cyber intelligence in an online world" (vox.veritas.com/legacyfs/online/veritasdata/3...)
SYMANTEC VISION SYMPOSIUM 2014
Cyber intelligence in an online world
James Hanlon CISM, CISSP, CMI
Cyber Strategy & GTM, EMEA

Software and data power the world

From a cyber security perspective there’s more and more to protect in more and more places:
• Coffee shop, office, home, airport …
• Industrial devices
• Government data
• Web transactions
• Corporate assets

And, there’s a critical imbalance between cyber attackers and cyber defenders
ATTACKERS
• Can focus on one target
• Only need to be right once
• Hack can be worth millions of dollars
• Focus only on getting in
• Attackers can buy and test security products
DEFENDERS
• Must defend everything
• Need to be right every time
• Blocks are expected & maintain status quo
• Must balance defense with business impact
• Defenders can’t pre-test targeted malware

But it is impossible to carry out an attack without leaving a trace… on the network, on the server, on the endpoint.

How do we counter this threat? With better cyber intelligence (big data).
If only we could use our collective insight & technologies to watch for activities, determine patterns, and find anomalies.

How can we apply better cyber intelligence?
Enabling us to better: prepare, detect, protect, respond, recover.

What if…
• We could collect info from every endpoint, network device, and server
• We could watch this data at the enterprise level – looking for patterns and anomalies
• We could apply knowledge and learning from across global communities
[Figure: three layers labelled Devices, Enterprise and Cloud, annotated "Apply context", "Correlate & prioritize", "Indicators of breach", "Knowledge about URLs, file hashes", "Attack patterns & actors" and "Correlation across ecosystems".]

We can do those things
• Data analysis value comes from ability to apply intelligence from multiple sources
• Data value comes from volume & variety
[Figure: the same Devices / Enterprise / Cloud layers.]
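The two slides above describe collecting telemetry from endpoints, network devices and servers, matching it against shared knowledge (file hashes, URLs, attack patterns) and then correlating and prioritising. The following Python is an added example, not Symantec code: it matches constructed events from three control points against a constructed indicator set and ranks hosts by how many control points corroborate a hit. All hashes, URLs, IPs and host names are constructed placeholders.

```python
"""Correlate multi-source telemetry against shared intelligence (added example).
Constructed endpoint, network and server events are matched against a constructed
IoC set, grouped per host and ranked so hosts seen by several control points come
first. Hashes, URLs, IPs and host names are placeholders.
"""
from collections import defaultdict

# Constructed intelligence feed: indicator value -> (indicator type, context).
INTEL = {
    "sha256:deadbeef00": ("file_hash", "dropper seen in a tracked campaign"),
    "http://bad.example/update.bin": ("url", "known staging host"),
    "10.0.0.99": ("ip", "scanner reported by community sensors"),
}
# Constructed telemetry from three control points.
EVENTS = [
    {"source": "endpoint", "host": "ws-17", "hash": "sha256:deadbeef00"},
    {"source": "network", "host": "ws-17", "url": "http://bad.example/update.bin"},
    {"source": "server", "host": "web-02", "src_ip": "10.0.0.99"},
    {"source": "endpoint", "host": "ws-05", "hash": "sha256:benign1234"},
]

def match_iocs(events, intel):
    """Per-host hits: host -> list of (source, indicator type, context)."""
    hits = defaultdict(list)
    for event in events:
        for field in ("hash", "url", "src_ip"):
            value = event.get(field)
            if value in intel:
                ioc_type, context = intel[value]
                hits[event["host"]].append((event["source"], ioc_type, context))
    return dict(hits)

def prioritise(hits):
    """Rank hosts: most distinct corroborating sources first, then most hits."""
    ranked = []
    for host, host_hits in hits.items():
        sources = sorted({source for source, _, _ in host_hits})
        ranked.append({"host": host, "sources": sources, "hits": len(host_hits)})
    ranked.sort(key=lambda r: (-len(r["sources"]), -r["hits"], r["host"]))
    return ranked
```

A host that only one control point has flagged still appears, but below hosts where endpoint and network telemetry agree; that ordering is the "correlate & prioritize" step on the slide.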

Unified Intelligence Vision
Symantec will provide a unified security threat intelligence platform that leverages the combined visibility and intelligence of all of our offerings (augmented by 3rd-party data), to help you prepare, detect, protect, and respond better than anyone else.

Unified Security: future state
[Architecture diagram; numbered components as labelled on the slide:]
1 Collect telemetry (IoCs, incidents) across all products: Endpoint Protection, Mobile Security, Identity Gateway, Data Center Security, Threat Gateway, Data Loss Prevention, Email Gateway, Hosted security (e-mail, web), 3rd-party firewall, …
2 On-premise submission gateway
3 Hub: unified big data platform
4 On-premise incident/forensics/analytics console
5 Analytics apps & 3rd-party app ecosystem
6 “Social Platform” for sharing security artefacts/policies
7 Managed Services incident/forensics/analytics
8 Cloud-based incident/forensics/analytics
Also shown: 3rd-party clouds.

Unified Security next steps: leveraging our intelligence
• Managed Security Services: ATP
• Gateway Security: Threat Defense
• Deepsight & Managed Adversary Intelligence
• Global Community Intelligence

Unified Security: why Symantec?
Symantec has the data footprint
• 100s of millions of contributing sensors
Symantec has the data diversity
• We will collect data across every control point ‒ desktop, server, cloud, mobile, etc.
• We will collect data across all of our products ‒ endpoint protection, gateway protection, data loss prevention, identity gateway, mobile management, encryption, compliance, etc.
Symantec has the big data experience
• Spent the last 6 years developing our advanced security big data system
‒ Provides real-time protection to 100s of millions of systems
‒ Holds 3.7 trillion security events, and collects 200,000 new events every second
• We will build on this experience to collect much more data across all of our products moving forward

How to get more information…
• Attend one or more VISION sessions on our new advanced threat solutions from Symantec
• Book a 121 with one of our experts onsite
• Take the “Cyber V” Risk Calculator Assessment: https://www.symantec-cyberv.com/calculator/event/cstl-cyber-assesment

Thank you!
James Hanlon
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Cyber Intelligence-Led Security
Symantec VISION Symposium, Marc Lueck, 21/10/2014

Who is Pearson? World’s leading education company
Our perimeter? What perimeter?
What does our landscape look like?
• Over 2700 web applications
• Over 21000 registered domains
• Over 9000 externally facing hosts
• 48 major networks, many smaller ones
• Bring your own app / cloud / device
• Significant consumer of Google services
Our attackers don’t care.

In partnership with Symantec: protecting our estate with
Preventative and detective controls
• SEP – protecting our end users and much of our server estate
• CSP/DCS – protecting our most critical assets
• DLP – detecting movement of data
• MSS – monitoring everything we can
Infrastructure intelligence
• Deepsight – one of the cornerstones of our Threat Intelligence service

How can enterprise leverage intelligence? Tools can’t solve the problem alone
Hunters and Chasers
• Understand your roles – ensure tasks & teams are appropriate.
• Highly skilled analysis is still required – hire it, buy a service, or both.
Plan your Programme
• Understand and choose your data sources, internal and external.
• Ensure operational metrics and quality can be measured.
• Have a vision for output – what will this service deliver?
• Understand your audience.
[Figure: Threat Management split into Hunters (Analysis, Research) and Chasers (Operations, Tracking & Reporting); the Threat Intel Service box shows Tools, Output, Research and Intelligence Data.]

Threat Intelligence makes controls work better
[Figure: four intelligence sources, Infrastructure Intelligence, Adversary Intelligence, Trends and Research Intelligence and Real-Time IT Intelligence, driving Action.]

Infrastructure Intelligence: know your estate, not just your controls
Visibility is key
• Access or maintain as much of a view of your estate as possible
• Vulnerability scanners, compliance management, firewall management, network management and CMDBs can all be great sources of Threat Intelligence
• Use these tools to create threat models
Access or maintain as much information as possible about your estate.

Trends and Research: how do we keep up?
Pearson GTM has built a research monitoring capability using Twitter.
Shellshock:
• Released internal advisory 4 hours before US-CERT
• Early visibility had us defining scope 24 hours before IT news picked the story up
• In remediation phase before mainstream media reports were released
During Shellshock, GTM kept management and remediation teams up to date on new developments, including new exploits, proposed patches and workarounds, and the change of attack vector into an automated worm, within minutes of these developments occurring.
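The infrastructure-intelligence slide above names CMDBs, scanners and firewall management as intelligence sources, and the Shellshock slide credits early visibility with defining scope a day ahead of the news. The following Python is an added example, not Pearson’s or Symantec’s tooling: it joins a constructed CMDB export with a constructed internet-facing host list to turn a fresh advisory into a ranked remediation scope. The host names, versions and the fixed-version threshold are constructed placeholders, not the real Shellshock affected range.

```python
"""Turning a fresh advisory into a ranked remediation scope (added example).
Constructed data: a CMDB/scanner inventory, a firewall-management view of
internet-facing hosts, and an advisory record as a research team might log it.
"""

def parse_version(text):
    """'4.2.37' -> (4, 2, 37): compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

# Constructed CMDB export: host -> OS, package inventory, owning team.
CMDB = {
    "web-01": {"os": "linux", "packages": {"bash": "4.2.37"}, "owner": "web-team"},
    "web-02": {"os": "linux", "packages": {"bash": "4.3.11"}, "owner": "web-team"},
    "db-01": {"os": "linux", "packages": {"bash": "4.1.2"}, "owner": "dba"},
    "win-01": {"os": "windows", "packages": {}, "owner": "desktop"},
}
# Constructed firewall/network-management view: hosts reachable from the internet.
EXTERNAL = {"web-01", "web-02"}
# Constructed advisory record; the fixed version is a placeholder for the example,
# not the real Shellshock affected range (which was patched per distribution).
ADVISORY = {"name": "bash advisory (constructed)", "package": "bash",
            "fixed_in": "4.3.25"}

def scope(cmdb, external, advisory):
    """Affected hosts, internet-facing first, then grouped by owning team."""
    fixed = parse_version(advisory["fixed_in"])
    rows = []
    for host, attrs in cmdb.items():
        version = attrs["packages"].get(advisory["package"])
        if version is None or parse_version(version) >= fixed:
            continue  # package absent, or already at/above the fixed version
        exposed = host in external
        rows.append({"host": host, "version": version, "owner": attrs["owner"],
                     "exposed": exposed, "priority": "P1" if exposed else "P2"})
    rows.sort(key=lambda r: (not r["exposed"], r["owner"], r["host"]))
    return rows

def per_owner(rows):
    """One count per remediation team, for the management update."""
    counts = {}
    for row in rows:
        counts[row["owner"]] = counts.get(row["owner"], 0) + 1
    return counts
```

The per-owner counts are what a management update needs; the ranked rows are what the remediation teams need, with internet-facing hosts first.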

Adversarial Intelligence: who is attacking us?
• Learning more about our attackers, their methods and what they talk about provides very valuable intelligence
• Security sharing communities
• HoneyNets
• False accounts
Some level of monitoring adversaries will put you in the same league as top agencies, and it can cost very little!

Real-Time IT Intelligence: gain great situational awareness
Ensure you consume the output of your controls
• SIEMs are great – but are you doing anything with their output?
• Integrate your TI service with Security Incident Response.
• Advanced threat protection – if you invest in the tool, make sure it’s operationalised.

Communicate Credibly: don’t be a “Chicken Little”
Ensure you communicate appropriately
• Be sober
• Don’t forget likelihood
• Assess the risk of doing nothing
Capitalise on Success!
Never let a crisis go unexploited. Our Heartbleed and Shellshock responses, although not perfect, have been used to build credibility and communication channels – but only if done credibly!

Threat Intelligence makes controls work better
[Figure: Infrastructure Intelligence, Adversary Intelligence, Trends and Research Intelligence and Real-Time IT Intelligence feeding Actions.]
• Invest in Your Team
• Plan Your Programme
• Get Close to Your Sources
• Communicate Credibly