
i2 User Group Conference 2016

Cyber Threat Intelligence


Start Seeing The Threats Before They Hit You
Andrew Hawthorne
UK&I i2 Financial Services Lead

© 2015 IBM Corporation



Why wait to get punched…




…When you could see it coming and defend…




…Or even dodge it entirely!




Both security and analysis must address the problem

[Chart: Non-Linear Relationship Between Effectiveness and Cost. Vertical axis: Percent of Threats Stopped (80%, 90%, 99.9%, with "High Effort" marked near the top of the curve). Horizontal axis: Level of Effort / Investment, from Tactical through Operational to Strategic. Example of product: Firewall, SIEM, i2 Intelligence. Example of personnel: Information Security (Tier One SOC Analyst, Tier Two SOC Analyst, Incident Responders) and Cyber Analysis (Threat Researchers, Cyber Analysts). Activities: Implement a Security Framework, Advanced Security Intelligence, Cyber Analysis.]



Elements of Cyber Analysis

[Diagram: Elements of Cyber Analysis. Traditional IT Sources: PCAP, SIEM, Alerts, SSO/AD, System Logs, Vulnerability Scans. Non-Traditional Sources: Behavioral Data, Account Creation, HR Data, Badge Logs, Dark Web, Access Logs. Mostly External Sources: Security Intelligence (Intel Vendors, Threat Indicators), Threat Intelligence (Hacker Forums, Social Media, Persona Data, Government Alerts, Community Info), Threat Intelligence Analysis (Human Enabled).]

Cyber Analysis Results:
• Integrated data feeds
• Enterprise awareness
• Compliance monitoring
• Threat discovery
• Risk management
• Enable decisions

Leveraging an analytical platform and internal and external information feeds, Cyber Analysts can help form a deep understanding of the threats targeting your organization.

Fuse Siloed Data for Comprehensive Insight
[Diagram: data silos to be fused. Physical; Payments & Transactions; Staff & Corporate Data; Customer/KYC; SIEM, Devices & Infrastructure; Applications & Systems; OSINT, Intel Feeds & Dark Web.]




Tactical Cyber Intelligence Operations Example

SIEM: Extending Investigations and Function

On Demand: access to SIEM data, notable events, and alerts.

Expand on an Alert: analysts can tie together an alert to multiple previous events, opening up the investigation.

Enable Hunting: explore the SIEM data in a different way, uncovering patterns of interest and unseen events.

Light Weight Deployment: i2 EIA takes advantage of the SIEM data warehouse and seamlessly connects 10 analysts to the system, getting up and running in less than 30 days.

“An investigation that would have taken me all day in Splunk took me 10 clicks with i2.”
– Brian Olson, VP Security Operations & Architecture

Catching the Wave…




Fusion Centre – Concept of Operations

[Diagram: Consolidated Information Store (Single Object Model, 0-24 Hour Cycle) at the centre, surrounded by the contributing teams: Insider Threat; Security & Internal Investigations; Fraud & AML; FIU; Incident Response; Cyber Threat Intelligence; Enterprise & Corp Risk Management; Watch Officer.]

Fusion Center Key Points:
• LNOs represent separate teams
• i2 merges disparate data sources
• Tactical operations take place in center
• External teams handle strategic issues
• Place where Enterprise Intel comes together




Thank you