OVERVIEW - HITRUST CTX

24 slides

Page 1: OVERVIEW June 21, 2016

Page 2: Healthcare Solution for Automated Threat Exchange and Collaboration

•  Most healthcare organizations actively participating

hitrustalliance.net/cyber-threat-xchange/

“Limit infiltration of my organization and exfiltration of data in an efficient and effective manner.”

−CISO, Health Plan

“My organization needs the ability to streamline processes and based on the quality of the intel determine where best to place capital and operating expenses in defense of the organization.”

−CISO, Hospital


Page 3: Industry Challenge

•  Low-quality intelligence combined with historical, low-fidelity data creates non-actionable alerts

–  Intelligence sourced contained many false positives, including hosting IP addresses and legitimate domain names

•  Time to value – the timeliness of the data was a major concern, as organizations discovered they were several days behind the industry

–  Not consumable because of an inherent lack of automation

•  Internal development cycles

–  Rather than focusing on analysis, analysts spent their time fixing scripts and working on content in the SIEM

•  Lack of collaboration – unable to automate the desired collaboration with other organizations in the industry

–  Collaboration is limited to conference calls and back-of-napkin discussions, lacking detection and response capability

•  Threat data packaged for human consumption

–  PDF reports are manually collected and triaged by analysts, who spend time copying and pasting observable data

Page 4: Intelligence Driven Security

•  Proactive Detection
•  Situational Awareness
•  Community Collaboration

•  Proactive
•  Robust Set of IOCs
•  Active and Timely
•  Relevant to Healthcare

[Diagram, labels only: Analysis; Enterprise Distribution; Security Operations Collaboration; Observable Acquisition]

Page 5: Legacy Process (1-2 weeks)

•  Threat Intel Collected – Threat Team
•  Manual Analysis – Threat Team
•  Data: Pre-Process/Format – Threat Team
•  Upload to Internal Site – Threat Team
•  Retrieval of Threat Intel – OPS Team
•  Manual Load to SIEM – OPS Team
•  Analysis and Feedback to Threat Team – OPS Team

Page 6: Operational Intelligence (1 hour or less)

Page 7: Enterprise Integration

•  Integrate to existing Security Infrastructure
•  Delivered from the Cloud
•  Correlation Instructions
–  Rules, Reports, Dashboards
•  One Click Browser
•  REST API
•  STIX

[Diagram label: Enterprise Distribution]

Page 8: New HITRUST CTX Features

•  HITRUST CTX brings many new features, including:
–  Threat Modeling
–  Enhanced Community
–  Indicator Details
–  Threat Explorer
–  New Integrations

Page 9: Threat Modeling

Enhanced Actor, Campaign, TTP

Page 10: Enhanced Community

Full social features to enable inter- and intra-organization workflow

Page 11: Enhanced Details

Details and insights about indicators, including relationship browsing

Page 12: Security Maturity Scale

Initial
•  No SIEM
•  Limited logging
•  No dedicated security staff
•  MSSP driven
•  No intelligence function
CTX: CTX Reports -> CTX Threat Bulletins

Operational
•  Log management solution
•  Shared security/IT staff
•  No intelligence function
•  Limited SIEM use cases
CTX: CTX Reports -> CTX Threat Bulletins; Threat Research

Intermediate
•  Limited staff – No 24/7 support
•  Limited IR
•  Compliance driven
•  Limited intelligence function
CTX: CTX Reports -> CTX Threat Bulletins; SIEM Integration; Operational Components

Advanced
•  Fully deployed SIEM
•  Custom monitoring and alerting
•  Dedicated intelligence and operations staff
•  Collaboration
CTX: CTX Threat Bulletins; SIEM Integration; Operational Components; Enhanced IOC Sharing

Page 13: HITRUST Report

•  Designed to automate intelligence analysis
•  No SIEM, no Threat Intelligence, no problem
•  Benefits of analysis without the analyst
•  Integrates directly to CTX
•  Secure / HIPAA-Ready
–  End-to-end encryption
–  Password protected
•  Live links to adversary information
•  “How to read the report” video

Page 14: Anomali Reports Architecture

[Diagram, labels only: Download & Install Universal Link -> Encrypts data and sends to Harmony (TLS/SSL, AES 256) -> Anomali matches IOCs -> Report Generation and Send to User (Password Protected PDF or HTML)]

Page 15: Cyber ISAO 2.0 – High-tech / Low-touch

•  Partnership: HITRUST, TrendMicro
•  Breach Discovery Devices / Advanced Network Sensors
•  IOC Contextualization
•  Automated and Anonymized IOC Sharing
•  Trust Circles of ‘Like’ organizations
•  Community Alerting
•  Integrations

Page 16: Advanced IOC Collection

Page 17: Immediate Community Benefits

•  Global attack trending
•  Cross-organization correlation and analysis
•  Automated Threat Bulletin Creation
•  Prioritization and Analytics

Page 18: Data in HITRUST CTX

Page 19: Preliminary Findings – Actionable IOCs

Intel Types Shared:
•  url: 184
•  domain: 158
•  md5: 138
•  user-agents: 37
•  ip: 17

VirusTotal Evaluation of Pilot MD5s:
•  No detections: 89
•  More than 4 detections: 28
•  Less than 4 detections: 21

VirusTotal Evaluation of Pilot URLs:
•  More than 4 detections: 85
•  No detections: 67
•  Less than 4 detections: 32

Page 20: Preliminary Findings – Timely Delivery

Historical Analysis of Pilot IOCs:
•  527 observations
•  122 (23.15%) overlapped with some IOCs in Anomali (open source, commercial, customer).
•  Of all overlapping IOCs, 91 (74.59%) were seen by HITRUST first.

Hours difference between HITRUST seeing an IOC and others (negative values mean HITRUST saw it after the others):
•  Mean observation range: 1.5 days
•  Min observation range: -1.7 days
•  Max observation range: 25 days
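Slides 19 and 20 summarise the pilot in three ways: indicator counts per type, indicators bucketed by VirusTotal detection count, and, for IOCs that overlap with other feeds, how many days before or after those feeds HITRUST first saw them. The script below is an added example, not code from the deck, HITRUST or Anomali, that computes the same three summaries over a small constructed feed; the source names `pilot`, `vendor-a` and `vendor-b`, the timestamps, the indicator values and the detection counts are all assumptions. It also closes one gap in the slide's bucketing: "more than 4" and "less than 4" leave a count of exactly 4 unassigned, so the example reports "at least 4" instead.

```python
"""Added example: evaluate a pilot IOC feed the way slides 19 and 20 do.

All records below are constructed sample data; the source names, the
detection counts and the timestamps are assumptions, not pilot data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Observation:
    indicator: str        # the observable value (URL, domain, hash, ...)
    itype: str            # 'url', 'domain', 'md5', 'ip', 'user-agent'
    source: str           # feed that reported it, e.g. 'pilot' or 'vendor-a'
    first_seen: datetime  # when that source first reported it


def count_intel_types(observations, source):
    """Indicator count per type for one source (deduplicated per indicator)."""
    seen = {(o.itype, o.indicator) for o in observations if o.source == source}
    return Counter(itype for itype, _ in seen)


def detection_buckets(detections, threshold=4):
    """Bucket indicators by AV detection count.

    The deck reports 'no detections', 'less than 4' and 'more than 4'; a
    count of exactly 4 falls in neither of the last two, so this version
    uses 'at least <threshold>' to close that gap.
    """
    buckets = Counter()
    for hits in detections.values():
        if hits == 0:
            buckets["no detections"] += 1
        elif hits < threshold:
            buckets[f"fewer than {threshold} detections"] += 1
        else:
            buckets[f"at least {threshold} detections"] += 1
    return buckets


def lead_time_analysis(observations, pilot="pilot"):
    """Compare the pilot feed's first-seen time against all other sources.

    Returns the pilot's indicator count, how many overlap with any other
    source, how many the pilot saw first, and mean/min/max lead time in
    days (positive = pilot saw it first, negative = pilot saw it later),
    the same sign convention as slide 20.
    """
    pilot_first = {}
    others_first = {}
    for o in observations:
        table = pilot_first if o.source == pilot else others_first
        if o.indicator not in table or o.first_seen < table[o.indicator]:
            table[o.indicator] = o.first_seen

    lead_days = [
        (others_first[ind] - ts) / timedelta(days=1)
        for ind, ts in pilot_first.items()
        if ind in others_first
    ]
    return {
        "observations": len(pilot_first),
        "overlapping": len(lead_days),
        "pilot_first": sum(1 for d in lead_days if d > 0),
        "mean_days": round(mean(lead_days), 2) if lead_days else None,
        "min_days": round(min(lead_days), 2) if lead_days else None,
        "max_days": round(max(lead_days), 2) if lead_days else None,
    }


def _ts(day, hour=0):
    # Constructed timestamps relative to an arbitrary pilot start date.
    return datetime(2016, 5, 1) + timedelta(days=day, hours=hour)


# Constructed sample feed: the pilot plus two hypothetical other sources.
FAKE_MD5 = "00000000000000000000000000000001"  # placeholder, not a real hash
SAMPLE_OBSERVATIONS = [
    Observation("hxxp://example.invalid/a", "url", "pilot", _ts(0)),
    Observation("hxxp://example.invalid/a", "url", "vendor-a", _ts(2)),     # pilot first by 2 days
    Observation("bad.example.invalid", "domain", "pilot", _ts(1)),
    Observation("bad.example.invalid", "domain", "vendor-b", _ts(0, 12)),  # pilot later by 0.5 days
    Observation(FAKE_MD5, "md5", "pilot", _ts(3)),
    Observation(FAKE_MD5, "md5", "vendor-a", _ts(8)),
    Observation(FAKE_MD5, "md5", "vendor-b", _ts(6)),                      # earliest other: day 6
    Observation("203.0.113.7", "ip", "pilot", _ts(4)),                     # no overlap
    Observation("Mozilla/4.0 (bot)", "user-agent", "pilot", _ts(5)),        # no overlap
]

# Constructed detection counts (e.g. from a VirusTotal lookup) per indicator.
SAMPLE_DETECTIONS = {
    FAKE_MD5: 0,
    "hxxp://example.invalid/a": 7,
    "bad.example.invalid": 2,
    "203.0.113.7": 4,   # exactly at the threshold: the slide's bins would miss it
}


if __name__ == "__main__":
    print(count_intel_types(SAMPLE_OBSERVATIONS, "pilot"))
    print(detection_buckets(SAMPLE_DETECTIONS))
    print(lead_time_analysis(SAMPLE_OBSERVATIONS))
```

Running the script prints the three summaries for the constructed feed. Lead time is computed from each source's earliest sighting of an indicator, so an indicator reported by two other vendors counts once, against whichever of them saw it first; that is the comparison that makes the "seen by HITRUST first" percentage meaningful.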


Page 21: Return on Investment

Cost to your organization?

•  Worst Case: A breach
•  Malware detection and response?
•  Delayed access to threat observables from industry breaches?
•  Inaccurate Intelligence?

CTX Provides:

•  Analyst force multiplication
•  Speed of identification and accuracy of information
•  Decreased time to detection of malware and targeted attacks
•  Reduced SIEM content and use-case building costs
•  Indicator consolidation reduces the man-hours spent acquiring and operationalizing indicators
•  External context and enrichment in a single pane of glass

“To more rapidly identify and subsequently eradicate active threats in my environment is extremely valuable and offers a much quicker ROI to the acquiring entity…”

−CISO, Major Healthcare


Page 22: Summary Q&A

Proactive Detection and Situational Awareness
•  Observables directly integrated into existing security infrastructure

Community Collaboration
•  CTX customers benefit from receiving threat details that have already been tested and vetted.
•  Relevant to healthcare
•  Ability to share threat information in an efficient, managed and secure process
•  CTX enables real-time controlled collaboration between trusted partners.
•  Allows for organizational oversight and facilitation of sharing by CTX

Actionable and Timely
•  Automated analytics remove invalid IOCs
•  Bi-directional SIEM integration allows for threat validation by CTX

Page 23: Get Involved – Register Today

•  https://hitrustalliance.net/ctx-registration/

Page 24: Appendix