© 2015 IBM Corporation
i2 User Group Conference 2016
Cyber Threat Intelligence: Start Seeing the Threats Before They Hit You
Andrew Hawthorne, UK&I i2 Financial Services Lead
Why wait to get punched…
…When you could see it coming and defend…
…Or even dodge it entirely!
Both security and analysis must address the problem

[Chart: "Non-Linear Relationship Between Effectiveness and Cost". X axis: Level of Effort / Investment. Y axis: Percent of Threats Stopped, with tick marks at 80%, 90% and 99.9%. The left part of the chart is labelled Information Security, the right part Cyber Analysis (High Effort). Three tiers are laid out along the curve:]

TACTICAL: Implement a Security Framework
  Example of Personnel: Tier One SOC Analyst
  Example of Product: Firewall
OPERATIONAL: Advanced Security Intelligence
  Example of Personnel: Tier Two SOC Analyst, Incident Responders
  Example of Product: SIEM
STRATEGIC: Cyber Analysis
  Example of Personnel: Cyber Analysts, Threat Researchers
  Example of Product: i2 Intelligence
Elements of Cyber Analysis

Cyber Analysis Results:
• Integrated data feeds
• Enterprise awareness
• Compliance monitoring
• Threat discovery
• Risk management
• Enable decisions
Leveraging an analytical platform and internal and external information feeds, Cyber Analysts can help form a deep understanding of the threats targeting your organization.
[Diagram: Threat Intelligence Analysis fed by three groups of sources; overlay labels on the diagram read Human Enabled, Security Intelligence, Threat Intelligence and Persona Data.]

Mostly External Sources: Community Info, Threat Indicators, Government Alerts, Social Media / Hacker Forums, Intel Vendors, Dark Web
Traditional IT Sources: PCAP, System Logs, Alerts, SIEM, Vulnerability Scans, SSO/AD, Access Logs
Non-Traditional Sources: Account Creation, Badge Logs, Behavioral Data, HR Data
Fuse Siloed Data for Comprehensive Insight

[Diagram: data silos brought together on one platform]
• SIEM, Infrastructure & Systems
• OSINT, Intel Feeds & Dark Web
• Devices & Applications
• Customer/KYC
• Payments & Transactions
• Physical
• Staff & Corporate Data
Tactical Cyber Intelligence Operations Example

Extending Investigations and Function

On-demand access to SIEM data, notable events, and alerts:
• Expand on an Alert: analysts can tie an alert to multiple previous events, opening up the investigation
• Enable Hunting: explore the SIEM data in a different way, uncovering patterns of interest and unseen events
• Light Weight Deployment: i2 EIA takes advantage of the SIEM data warehouse and seamlessly connects 10 analysts to the system, getting up and running in less than 30 days

[Diagram: SIEM, On Demand]

“An investigation that would have taken me all day in Splunk took me 10 clicks with i2.” - Brian Olson, VP Security Operations & Architecture
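The two analyst moves on this slide, expanding an alert into the earlier events it is connected to and hunting for a pattern the alert pipeline never raised, both depend on the fused, single-object view described on the previous slide. The following Python snippet is an added example of those two moves written for this page; it is not i2 code and not from the presentation. It fuses a constructed SIEM export with a constructed badge-access log, treating users and IP addresses as shared entities, then (a) pivots from one alert to every earlier record within a time window that shares an entity with it, and (b) hunts for users who logged in on the network without a badge entry earlier that day. All field names, users, IPs and timestamps are placeholders chosen for the example.

```python
"""Added example (not part of the i2 slides): pivot from one alert to the
earlier events that share an entity with it, across two fused sources, and
hunt for logins that have no matching physical badge entry."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    source: str          # which silo the record came from ("siem" or "badge")
    ts: datetime
    entities: frozenset  # (kind, value) pairs, e.g. ("user", "jdoe")
    summary: str         # the original record text, kept for the analyst


# Constructed sample records; users, IPs, door names and times are placeholders.
SIEM_EXPORT = [
    ("2016-03-01T08:02:00", "user=jdoe src=10.0.0.12 action=login ok"),
    ("2016-03-01T08:10:00", "user=jdoe src=10.0.0.12 dst=203.0.113.9 action=dns query=cdn-updates.example"),
    ("2016-03-01T08:11:30", "user=jdoe src=10.0.0.12 dst=203.0.113.9 action=http bytes_out=5242880"),
    ("2016-03-01T09:00:00", "user=asmith src=10.0.0.40 action=login ok"),
    ("2016-03-01T10:30:00", "user=mlee src=10.0.0.77 action=login ok"),
]
BADGE_LOG = [
    ("2016-03-01T07:55:00", "badge=jdoe door=HQ-MAIN result=granted"),
    ("2016-03-01T08:58:00", "badge=asmith door=HQ-MAIN result=granted"),
]


def parse_kv(ts, text, source):
    """Turn one key=value record into an Event with normalised entities.
    'user' and 'badge' both become a user entity, 'src'/'dst' become IPs,
    so records from different silos can be joined on the same object."""
    fields = dict(tok.split("=", 1) for tok in text.split() if "=" in tok)
    ents = set()
    for key in ("user", "badge"):
        if key in fields:
            ents.add(("user", fields[key]))
    for key in ("src", "dst"):
        if key in fields:
            ents.add(("ip", fields[key]))
    return Event(source, datetime.fromisoformat(ts), frozenset(ents), text)


def load_events():
    """Fuse both silos into one time-ordered list (the single object model)."""
    events = [parse_kv(t, x, "siem") for t, x in SIEM_EXPORT]
    events += [parse_kv(t, x, "badge") for t, x in BADGE_LOG]
    return sorted(events, key=lambda e: e.ts)


def expand_alert(alert, events, window=timedelta(hours=1)):
    """'Expand on an alert': return (event, shared_entities) for every earlier
    event inside the window that shares at least one entity with the alert."""
    related = []
    for e in events:
        if e is alert or e.ts > alert.ts or alert.ts - e.ts > window:
            continue
        shared = alert.entities & e.entities
        if shared:
            related.append((e, sorted(shared)))
    return related


def hunt_logins_without_badge(events):
    """'Enable hunting': users with a SIEM login but no badge entry earlier
    that day. A login from inside the building with nobody badged in is a
    pattern worth an analyst's attention, not an alert the SIEM would raise."""
    first_badge = {}
    for e in events:  # events are time-ordered, so setdefault keeps the earliest
        if e.source == "badge":
            for kind, value in e.entities:
                if kind == "user":
                    first_badge.setdefault((value, e.ts.date()), e.ts)
    suspects = set()
    for e in events:
        if e.source == "siem" and "action=login" in e.summary:
            user = next(v for k, v in e.entities if k == "user")
            badged_at = first_badge.get((user, e.ts.date()))
            if badged_at is None or badged_at > e.ts:
                suspects.add(user)
    return sorted(suspects)


if __name__ == "__main__":
    evs = load_events()
    alert = next(e for e in evs if "bytes_out" in e.summary)  # the large upload
    for e, shared in expand_alert(alert, evs):
        print(f"{e.ts:%H:%M} [{e.source}] {e.summary}  <- shared {shared}")
    print("logins without badge:", hunt_logins_without_badge(evs))
```

Running the block pivots from the large-upload alert to the badge entry, the login and the DNS lookup that precede it, and the hunt flags the one user who logged in without ever badging into the building. In practice the entity normalisation in `parse_kv` is where most of the effort goes: every silo names the same person or host differently, and joining them reliably is what makes the pivot possible.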
Catching the Wave…
Fusion Centre – Concept of Operations
Consolidated Information Store: Single Object Model

[Diagram: teams feeding the fusion centre on a 0-24 Hour Cycle]
• Fraud & AML / FIU
• Security & Internal Investigations
• Insider Threat
• Enterprise & Corp Risk Management
• Cyber Threat Intelligence
• Incident Response
• Watch Officer

Fusion Center Key Points:
• LNOs represent separate teams
• i2 merges disparate data sources
• Tactical operations take place in center
• External teams handle strategic issues
• Place where Enterprise Intel comes together
Thank you