Operationalizing security intelligence for the mid market - Rafal Los - RSA Conference 2014

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Operationalizing Security Intelligence for the Mid-Market

Rafal M. Los

Principal, Strategic Security Services

HP Enterprise Security Services

RSA Conference -2014


what is “security intelligence”?


“collective set of activities, and artifacts to make intelligence-driven decisions”


detect, respond, resolve more effectively in the attack lifecycle


When you think of“Security Intelligence”…


“something big enterprises do”


why not you?


this talk is a framework for you


..to get you thinking, motivated


requirements


high quality internal & external data + telemetry


internal processes + workstreams


qualified personnel


intelligent, optimized technology


let’s break that down…


internal information/data –know your enterprise attack surface


for example –• internal business plans

• internal IT technology stack

• known vulnerabilities

• known, accepted risks

• strict change management

• configuration awareness

• unauthorized change detection

• employee activities, habits


external information/data-be situationally aware


for example –• sentiment against your brand/organization

• threat climate of your business vertical

• attacks against similar organizations, vertical

• specific threats against your staff/resources

• geopolitical issues pertaining to your enterprise

• 3rd party reported vulnerabilities

• 3rd party reported exploits

• weaknesses in your external technologies

• reported abused enterprise assets


internal processes + workstreams


convert information into action


for example –• handling of inbound, external data sources

• formats: csv, pdf, dashboards and text

• distilling data for relevance

• collating and categorizing with internal data

• prioritizing alerts based on prescribed formulas

• alerting appropriate internal & external entities

• creating actionable items from trusted data

• triage of event(s)

• incident management and handling

• incident response, dfir


qualified personnel


difficult to “add on” responsibility


SOC analyst Security Intelligence analyst ..no


highly specialized skill set


for example –• ability to quickly parse different log types

• ability to quickly make sense of disparate data

• ability to collate and correlate unstructured data

• ability to write code on-the-fly (script)

• proficient in many different security technologies

• able to perform collaborative tasks effectively

• ability to triage incidents quickly, effectively

• proficiency with forensics tools

• strong decision-making capabilities


intelligent, optimized technology


tech that works together


prefer integrated over disparate


tech that makes analysis more efficient, adds certainty


we may know a little something about this…


quick recap


“Security Intelligence” is..

the capability todetect, respond, and resolve your security incidents though an information-driven approach.


You can do this.You need to do this.


Know more.Defend smarter.

Operationalizing security intelligence for the mid market - Rafal Los - RSA Conference 2014

Technology

Transcript of Operationalizing security intelligence for the mid market - Rafal Los - RSA Conference 2014