Cyberspace Research Institute
Clearing the Hurdles to Realize the Value of Threat Intelligence
OASIS Borderless Cyber
September 8, 2016

When Are We?
[Timeline figure, 1990 to 2010. Labels: CERT/CC, Firewalls, NCCIC, Snort, PDD-63, Virus, SIEM, Stuxnet, STIX/TAXII, EO 1391, FIRST, C-CIP, Lofty, Webster CRI, "You Are Here"]
The Internet of Intelligence
[Diagram labels: Public Sector, Private Sector, Integrators, Knowledge, Data & Information]
What Do We Need?

What Is Intelligence?
• Who You Are
• What You Have
• What It Is Doing
• What Is Happening Outside
Consequence Based Decisions
MOVING INTELLIGENCE INTO INFRASTRUCTURE
[Network architecture diagram. Labels: Enterprise Network, Corporate Firewall, Plant Firewall, Control Firewall, Plant Bus, Terminal Bus, Control Bus, Field Bus to Instrumentation, Hardwired Instrumentation, MSS, HMI, EWS, CCTV Server, Historian, OPC Server, Domain Controller, Alarm Aggregation, EPA Database, ERP, RTU, Monitoring, PLC]
• Identify inventory of architecture
• Baseline network behavior
• Monitor for behavior modification
• Combine with filtered intelligence
End-to-End Intelligence
[Diagram labels: Public Sector, Private Sector, Aggregation, Analysis, Enterprise Network, Industrial Operations, Active Remediation, Edge Protection, ISAO, Enterprise, OSINT, Filter, Service Provider]

Sharing Among Sharers: IACI
[Diagram: Federal Government-Led Threat Intel Automated Indicator Sharing (AIS), US Department of Homeland Security]
Indicator flows: Partner Submitted Indicators; DHS Indicator Feeds; DHS Machine Sanitized AIS Indicators; DHS Analyst Enriched AIS Indicators
Participants: State/Local Tribal/Territorial; Federal Sector-Specific Agencies; Information Sharing Analysis Organizations; Private-Sector Partners; ISAOs
Data Enrichment Process:
• Automated Processes: Validate + Filter; Anonymize; Protect Privacy, Civil Rights and Civil Liberties; Validate Automated Info Protections; Leverage AIS Enrichment Resources
• Analyst Enrichment
Open-Source and Commercial Threat Intelligence
Sector / Cross-Sector Threat Intelligence:
• Critical Manufacturing ISAO
• Aeronautics ISAO
• Intelligence Analytics ISAC
• Defense Industrial Base ISAC
• Industrial Control System ISAC
• Maritime & Port Security ISAO
• National Credit Union ISAO
• National Cyber First Responders (Sector-to-Sector)
• Other ISAO Organizations
Evolving Human Sharing
Human Sharing Portals
• C-CIP
• Global Population
• Interpol, JPCERT, US-CERT…
• Siemens, Cisco, GE…
• Utilities, Manufacturers, Enterprises…
Beer ISAC
• Human Contact is Forever

Looking Forward
• Sharing Nodes Proliferate
• Regionally, globally, nationally, demographically
• Insurance Industry plays its role
• Actuarial processes
• Industry Aligns with Visibility
• Vendors, Service Providers, Enterprises, Governments
• Merging Business and Technology
• Situational Awareness is not about Cyber

Chris Blask
Global Director ICS, Unisys
Chair, ICS-ISAC
Chair, IACI
+1 408-656-8732