
Key Functionalities of a Modern Cyber Threat Intelligence Program

ThreatConnect.com
Copyright © 2021 ThreatConnect, Inc.
Speaker: Gerald Caponera, VP Cyber Risk Strategy

How do you know what success looks like?

You have to have some measurements in place that help you along the path.

Is it the quantity of PIRs (priority intelligence requirements) created? The number completed?

A modern CTI program needs to

● Protect the business
● Lead with line of sight
● Explain the value of TI to non-security executives

The journey to a modern CTI program involves alignment of TI efforts with the business.

[Image: book cover, "OKRs—The Simple Idea That Drives 10x Growth"]

Don't we measure effectiveness of CTI today?

Survey responses to "Do You Measure the Effectiveness of CTI?":

● Yes: 4.2%
● No: 58.0%
● Unknown: 37.8%

Only 4% of respondents said yes.

If you said yes (you were in the top 4%), then your company is the Harvard, Princeton, or MIT of CTI programs.

Figure 13. Measuring CTI's Effectiveness


Or if we do, we don't talk about the "why"

Objective: Zero successful phishing attacks

Key Results:
● Monitor incoming mail
● Block known threats
● Block stage one call outs

So if we do this and measure effectiveness, we're good?

WE ARE SO CLOSE YET SO FAR


Nope. Now comes the hard part.

We have to bridge the gap between risk and threat

[Diagram: Threat team on one side, Risk team on the other]

Alignment begins by understanding objectives

Who        | Objective   | Example Key Results
Executive  | Strategic   | ● Revenue grows +10%
           |             | ● Cost in line with budget
           |             | ● Teams staffed @ 90%
Leadership | Tactical    | ● MTTR goes down by 10%
           |             | ● MTTD goes down by 5%
           |             | ● Time spent manually blocking IPs is 0
Operations | Operational | ● Time spent analyzing hard items is 75% of total time spent
           |             | ● Single tool to track PIRs and correlate, aggregate and act on data

And linking them together

How can security help with the top line goal of Revenue growth of +10%?

● If you're in e-commerce and you get a ransomware (RW) attack, you'd be down for 100 hours.
● If your systems make $100,000 per hour, that's $10m in lost revenue.
● If your gross revenue is $90m and you want to grow 10%, you have to hit $99m as a company.
● A ransomware attack that causes a hit of $10m makes meeting that number much, much harder.

Executive
● Revenue growth +10%

Leadership
● MTTR goes down by 10%
  ○ Reduce likelihood of successful ransomware attack by 50%
  ○ Reduce business interruption by 50%

Operations
● Single tool to log in and manage daily work w/ all context
  ○ Automation enables rapid blocking of new threats
  ○ Threat hunting increases with better context from tool

So what's the roadmap for a CTI program to align with the business?

[Diagram: "Path to a Modern CTI Program", stages laid out along an axis running from Threat to Risk, with the threat end labelled FOUNDATIONAL: Threat Intel Platform, Threat Team & Process, Data, Business Context, Financial Quantification, Executive Awareness & Alignment, Value driven to the business]
But the reality is we don't really focus on the strategic (aka the business) side

Cyber Threat Intelligence is viewed as a technical domain and its participants are drawn from the security world (see the chart to the right).

● Outputs are geared towards technical analysts
● Lack of business context in dissemination
● Sheer volume of threats makes it hard to keep up

No business involvement

Figure 6. CTI Team Composition
And it shows in the measurement of the "usefulness of CTI"

[Chart: CTI usefulness ratings, annotated "Least useful to the business"]


Value to the business – putting it all together

Modern CTI programs will provide executives a prioritized list of actions to take that combine

● Financial risk
● Tied to tactical threat
● Actions to take

Not all risks and threats will be mitigated - some will be accepted.

Scenario | Tech Threat to the Business | Threat Group | Asset at risk | Financial Value to the Business | Action(s)
New vulnerability identified with high IOCs in our company | High (10/10) - on all key systems | UNC1878 / Wizard Spider | Revenue for critical systems | $25,000,000 | Segment network; Patch; Add new blocking capability
Possible C&C server in our network | High (10/10) - known exploit | APT 29 | Data (PXI) | $15,000,000 | Block; Investigate; Monitor
Increased level of spear phishing attacks | High (10/10) - on all key systems | Being Researched | Cash (business email compromise) | $10,000,000 | Buy new tool; Update network security; Outsource email hosting
New vulnerability identified (Solarwinds) | Low (1/10) - only in trial environment | UNC2452 / Dark Halo | Revenue for critical systems | $5,000,000 | Remediate software; Replace vendor; Accept

Value to the business – communicating the financial risk of inaction

Everyone knows security is overloaded work-wise – not everyone understands what that means.

Modern CTI programs will start to show

● What they're working on (items in green)
● What they don't have capacity to work on but should be working on (red)
● What they'd like to work on (yellow)
● What's not being worked (grey)

so the business can understand if (or how) they should re-prioritize spending.

[Chart: work items such as "Patch top CVE", "Patching CVE 2018-1234" and "Deal with Solarwinds issue" plotted by Financial risk against Capacity]
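The deck's own numbers (a 100-hour ransomware outage at $100,000 per hour, against a $90m company targeting 10% growth), its prioritized-actions table and the capacity chart above can be tied together in one small model. The Python below is an added example, not ThreatConnect's code or anything from the deck: it turns each scenario into an expected annual loss, ranks scenarios for the executive view, and shows what the Leadership key results ("reduce likelihood of a successful ransomware attack by 50%", "reduce business interruption by 50%") are worth in dollars against the growth target. The scenario register, likelihoods and loss figures are constructed assumptions; the likelihood-times-impact loss expectancy formula is the standard one, since the deck names "loss expectancy" without defining it.

```python
"""Added example (not ThreatConnect's code): a small financial-risk
prioritization model linking the deck's key results to the executive
revenue target.  Scenario names, likelihoods and dollar figures are
constructed for illustration; only the "$100,000 per hour for 100 hours"
ransomware outage and the "$90m growing 10%" target come from the deck.
"""
from dataclasses import dataclass, replace
from typing import List, Sequence


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_group: str
    likelihood: float        # assumed annual probability of occurrence, 0..1
    outage_hours: float      # business interruption if the event occurs
    revenue_per_hour: float  # revenue lost per hour of outage
    other_loss: float = 0.0  # direct loss not tied to downtime (e.g. BEC cash-out)
    actions: Sequence[str] = ()

    def impact(self) -> float:
        """Single-event loss: interruption cost plus any direct loss."""
        return self.outage_hours * self.revenue_per_hour + self.other_loss

    def expected_loss(self) -> float:
        """Annual loss expectancy: likelihood x single-event impact."""
        return self.likelihood * self.impact()


def apply_key_results(s: Scenario, likelihood_reduction: float = 0.0,
                      interruption_reduction: float = 0.0) -> Scenario:
    """Express a Leadership key result ("reduce likelihood by 50%",
    "reduce business interruption by 50%") as a change to the inputs."""
    return replace(s,
                   likelihood=s.likelihood * (1.0 - likelihood_reduction),
                   outage_hours=s.outage_hours * (1.0 - interruption_reduction))


def prioritize(scenarios: Sequence[Scenario]) -> List[Scenario]:
    """The executive view: scenarios ordered by expected loss, largest first."""
    return sorted(scenarios, key=lambda s: s.expected_loss(), reverse=True)


def growth_at_risk(gross_revenue: float, growth: float,
                   scenarios: Sequence[Scenario]) -> dict:
    """How much of the revenue growth target the expected losses would eat."""
    growth_dollars = gross_revenue * growth
    total = sum(s.expected_loss() for s in scenarios)
    return {
        "target": gross_revenue + growth_dollars,
        "expected_loss": total,
        "growth_consumed_pct": 100.0 * total / growth_dollars,
    }


def kr_value(before: Scenario, after: Scenario) -> float:
    """Expected loss avoided by meeting the key results: the number for the CFO."""
    return before.expected_loss() - after.expected_loss()


# Constructed register, loosely following the deck's prioritization table.
REGISTER = [
    Scenario("Ransomware on the e-commerce platform", "UNC1878 / Wizard Spider",
             likelihood=0.25, outage_hours=100, revenue_per_hour=100_000,
             actions=("Segment network", "Patch", "Add new blocking capability")),
    Scenario("Possible C2 server inside the network", "APT29",
             likelihood=0.10, outage_hours=0, revenue_per_hour=100_000,
             other_loss=15_000_000, actions=("Block", "Investigate", "Monitor")),
    Scenario("Spear phishing leading to BEC", "Being researched",
             likelihood=0.05, outage_hours=0, revenue_per_hour=100_000,
             other_loss=10_000_000, actions=("Buy new tool", "Update email security")),
    Scenario("SolarWinds in trial environment only", "UNC2452 / Dark Halo",
             likelihood=0.02, outage_hours=0, revenue_per_hour=100_000,
             other_loss=5_000_000, actions=("Accept",)),
]

RANSOMWARE = REGISTER[0]
# The two Leadership key results from the deck, applied to the ransomware scenario.
RANSOMWARE_AFTER_KRS = apply_key_results(RANSOMWARE, likelihood_reduction=0.5,
                                         interruption_reduction=0.5)

if __name__ == "__main__":
    for s in prioritize(REGISTER):
        print(f"${s.expected_loss():>12,.0f}  {s.name} ({s.threat_group})"
              f" -> {', '.join(s.actions)}")
    before = growth_at_risk(90_000_000, 0.10, REGISTER)
    after = growth_at_risk(90_000_000, 0.10, [RANSOMWARE_AFTER_KRS] + REGISTER[1:])
    print(f"Target ${before['target']:,.0f}; expected loss consumes "
          f"{before['growth_consumed_pct']:.0f}% of growth before the KRs, "
          f"{after['growth_consumed_pct']:.0f}% after "
          f"(${kr_value(RANSOMWARE, RANSOMWARE_AFTER_KRS):,.0f} avoided)")
```

Run it directly to print the ranked register and the growth-at-risk figures. With a real register the likelihoods are the part the threat team owns and the dollar figures the part the risk team owns, which is exactly the hand-off the deck is asking the two teams to agree on; the lowest-ranked scenario here is the one the deck's table marks "Accept".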
How we're working to power modern CTI programs

RTR - Revolutionizing the Way our Customers Protect their Organization by Turning Intelligence into Action

STRATEGY: RQ
● Financial Impact/Loss Expectancy due to Attack Type
● App Security Posture
● Prioritized Vulnerabilities

OPERATIONS: TIP
● Adversaries
● Attack Types
● Tactics/Exploits

OPERATIONS: SOAR
● Automate proactive/reactive processes
● Orchestrate vulnerability response
● Mitigate Attack Types

Integrated risk and threat views powered by response

Details embedded to empower decisions

With financial risk prioritization and reporting

Thank You!
