GCC Operational Technology Security Forum & Exhibition, 21-23 March 2017, Doha

Cyber Threats & Information Sharing
Syed Peer

Transcript of GCC Operational Technology Security Forum & Exhibition, 21-23 March 2017, Doha

AGENDA

- CYBER THREAT LANDSCAPE: Changing Face of Friend or Foe
- CHALLENGES FOR INDUSTRY: Where do we go today?
- BACKGROUND & HISTORY: Definition, NIST Core Guide, Best Practices, CISA 2015
- CISA : SHARING PROS AND CONS: To share or not to share?
- CONCLUSION: Are we there yet?

CYBER THREAT LANDSCAPE

Changing face of Friend and Foe?

AGILITY: Highly technical players leverage a new vulnerability within hours. There is a black market for tools and zero-day exploits. Vendors are always in catch-up mode.

EVOLUTION: Rapid code sharing and an active community generate variants in multiples. It is no longer rocket science, nor does it require large funding, hardware or exceptional talent.

SLA: Service Level Agreements are based on predictable behavior. We need to learn to love the unpredictable and unexpected.

DIVERSITY: Modern-day exploits are so varied and diverse that old risk models are inadequate. Simple ISO 27001 compliance provides no guarantees for security.

DIGITAL FRAUD: On an epidemic scale, with yearly estimated losses in the billions. Well coordinated, and often team- or gang-based across global geographies.

STATE SPONSORED: Highly productive and well-funded teams with links to military and government. Often carried out by known adversaries or allies, e.g. US elections 2016: Fancy Bear, Cozy Bear.

CHALLENGES FOR INDUSTRY

Where do we go today?

INTERNAL SKILLS DEFICIT: Lack of specialized resources for CTI. Unable to leverage expensive tools fully. Under-staffed NOC/SOC for 24/7 diligence.

DATA OVERLOAD: Immense volumes of data are available from CTI sources, vendors, public/private sharing platforms and international CERTs. Resources are drowning in data without a reprieve.

VENDOR SOLUTIONS: Difficult to easily identify the correct CTI vendor solution in a crowded market. Vendors need to be constantly providing the latest relevant CTI feeds. Room for patch latency and being behind the curve.

MANAGEMENT SUPPORT: Hard climb to get top-level management support for sharing CTI, especially with outside agencies and teams.

POLICIES & PROCEDURES: Develop using a risk-based approach. Work with business owners to classify data criticality. Bake in BCP and DR plans and drill schedules.

COMMUNICATION CHANNEL: Need to build effective information exchange channels between CTI teams and internal business function owners.

BACKGROUND & HISTORY

Definition, NIST Core Guide, Best Practices, CISA 2015

DEFINITION (NIST SP 800-150, Guide to Cyber Threat Information Sharing)

“Cyber threat information is any information that can help an organization identify, assess, monitor, and respond to cyber threats. Examples of cyber threat information include indicators (system artifacts or observables associated with an attack), TTPs, security alerts, threat intelligence reports, and recommended security tool configurations. Most organizations already produce multiple types of cyber threat information that are available to share internally as part of their information technology and security operations efforts.”

BEST PRACTICES : INFORMATION SHARING (NIST)

INVENTORY: Perform an inventory to catalog the information an organization already possesses and the information it has yet to produce. The inventory should document the circumstances in which the information could be shared.

EXCHANGE: Exchange CTI, tools and techniques with sharing partners. When sharing CTI, organizations learn from each other; gain a more complete understanding of the adversary's tactics, techniques and procedures; craft effective strategies to protect systems; and take action, either independently or collectively, to address known threats.

OPEN STANDARDS: Use open, standard data formats and transport protocols for efficient and effective exchange of CTI. This fosters interoperability and allows different products, data repositories and tools to rapidly exchange data.

PARTNER: Enhance cyber security posture and maturity by augmenting local data collection, analysis and management processes with information from outside sources. This helps organizations develop a deeper understanding of activities on their networks, identify cyber attack campaigns and better detect blended threats that use multiple methods of attack.

ADAPTIVE: Define a cyber security approach adaptive to the lifecycle of an attack by developing defensive measures that detect, limit or prevent reconnaissance and delivery of malicious payloads. The approach should mitigate the execution of exploits that allow an adversary to establish or maintain a persistent network presence.

RESOURCES: Ensure the resources required for continuing participation in a sharing community are available. Participation might require an organization to commit personnel; deliver training; and provide hardware, software, services and other infrastructure needed to support continuing data collection, storage, analysis and dissemination.

AWARENESS: Maintain continuing awareness of information security, vulnerabilities and threats. Organizations should implement security controls to protect their sensitive information, enforce sharing rules and ensure that information received from external sources is protected in accordance with data sharing agreements.

INFRASTRUCTURE: Establish the infrastructure necessary to maintain cyber security posture and identify the roles and responsibilities for installing, operating and maintaining these capabilities. Organizations should have basic asset, vulnerability and configuration management capabilities in place to monitor and manage the hardware and software on their networks for timely patching.

INFORMATION SHARING : PROCESS MAP (NIST)

1. Establish core Cyber Security capabilities
2. Establish and participate in sharing and coordination activities
3. Consume basic threat Intel from external sources
4. Create basic threat Intel
5. Use basic threat intelligence to support decision making processes
6. Share basic threat Intel with external partners
7. Develop and deploy advanced Cyber Security capabilities
8. Consume advanced threat Intel from external sources
9. Create advanced threat Intel
10. Use advanced threat Intel to support decision making processes
11. Share advanced threat Intel with external partners

CISA : Cyber Security Information Sharing Act (December 18, 2015)

Establish: Establishes a process for the U.S. government to share cyber threat information with businesses that voluntarily agree to participate in the program.

Share: Encourages companies to share malicious code, suspected reconnaissance, vulnerabilities and anomalous activity, and to identify signatures and techniques that could pose harm to an IT system.

Exemption: Provides an antitrust exemption for companies that share their threat data with other businesses.

Alerts: Allows government agencies to move more quickly to alert companies when they have been hacked.

CTI Hub: Designates the Department of Homeland Security (DHS) to act as the cyber threat information-sharing hub between government and business, and to set up automated systems.

Executive: Allows the president (after notifying Congress) to set up a second information sharing center, if needed.

CISA : SHARING PROS & CONS

To Share or Not to Share?

“He who controls the past controls the future. He who controls the present controls the past.” (1984, George Orwell)

CISA : SHARING PROS AND CONS

Pros:
- Voluntary program to join
- Bi-partisan
- Protection from liability, disclosure, anti-trust
- Complementary to executive orders and framework
- Provides safeguards for privacy and civil liberties

Cons:
- Citizens' data privacy concerns
- Compromised gate keeper access
- Reputational risk and ransomware
- Opposed by tech: Apple, Twitter, Google, MS
- Lack of federal agility and funding
- Inter-departmental sharing: IRS, FBI, local police
- Excuses companies from liability in violating privacy laws

CONCLUSION : CYBER THREAT INFORMATION IMPERATIVES

IT must have the ability to set expectations for service quality, availability and timeliness. High availability and data protection are integral to IT's ability to set these expectations.

Build a strategy to stay current with CTI and push to improve the infrastructure that supports the vision. A stitch in time saves lives.

Aim for ease of acquiring, deploying and managing IT cyber security infrastructure, and of deploying IT workloads.

SERVICE DELIVERY: Maintain availability and customer satisfaction at current levels or better. CTI gathering should never impede the business model.

LONG TERM: Realise long-term cost savings by spending wisely now. Invest in staff training and in building out PEN and NOC skills and staffing.

SIMPLICITY: Use the KISS rule to ensure that you are not over-reaching the expectation.

THANK YOU

Syed Peer, IT Manager
QAFCO, Qatar
Phone: (974) 5571 6658
[email protected]
LinkedIn: http://www.linkedin.com/in/syedpeer