The Security Industry Is Suffering From Fragmentation: What Can Your Organization Do About It?
TRANSCRIPT
© 2016 ThreatConnect, Inc. All Rights Reserved | All material confidential and proprietary
Uniting Cybersecurity People, Processes, and Technologies Behind an Intelligence-Driven Defense
FRAGMENTATION
Besties with Fragmentation
Oversight Committee
https://oversight.house.gov/hearing/federal-cybersecurity-detection-response-and-mitigation/
Security == Emotion
Detection Deficit: The Gap Isn't Closing
A House Divided
Where Incidents Happen
Incident Workflow Across Teams (slides 9–16, built up one step per slide)

INTEL
- Receives intel on new threat
- RFI + research yields more context
- Pivot on new info
- Complete intel report

SOC
- IOCs trigger alert in SIEM
- Triages event, determines incident
- Expanded indicator set detects additional affected assets
- Expanded IOCs, content for monitoring
- Retroactive search/sweeps, aka "hunting"

IR
- IOCs, TIPs to IR team to aid informed response
- Begins response w/ affected system
- Investigation artifacts sent to intel
- Expanded IOCs, context
- Investigation determines containment, recovery begins

Vuln Mgmt
- Intel on exploit capability, vulnerability scan
- Search for other exploitable assets
- Additional exploit target intel
- Determines potential scope
- Address exposed vulnerabilities

Risk Mgmt
- Notice of risk-relevant event w/ basic intel report
- Kicks off risk assessment
- Decision to involve legal, 3rd parties, etc.
- Immediate remedial actions to lower risk
- Corrective actions to treat risk

Leadership
- Risk communication to Sr. Mgmt
- After-action review read out to Sr. Mgmt
- Risk communication & sign-off
- After-action review
- Incident and response report

Fragmented Actions
Fragmented Teams
Fragmented Technologies
Cohesive Intelligence-Driven Defense
● Unite People & Teams
● Align Processes
● Interoperability between technologies
THANK YOU
www.ThreatConnect.com
@threatconnect