Integrated Active Cyber Defense Reducing Your Risk of Compromise Through Integrated & Automated Active Cyber Defense

Source: fbcinc.com/e/cybermdconference/presentations/Thursday/tracka/130_-__215_PM...


Page 2

“We think it [the future of Cybersecurity] lies in leveraging automation and integration to be able to detect and mitigate Cybersecurity risk in real time.”

Page 3

Our Moderators Today

Pat Arvidson, Director for Defending DoD Networks and Mission Assurance, OSD, Office of the Principal Cyber Advisor (Moderator)

Russell Glenn, Director, Cybersecurity ACD Integration, KEYW Corp. (Moderator)

Page 4

Our Panelists Today

Travis Rosiek, Federal CTO, FireEye (Panelist)

Chris Fedde, President, Hexis Cyber Solutions (Panelist)

Ryan Gillis, Vice President, Cybersecurity Strategy and Global Policy, Palo Alto Networks (Panelist)

John Stoner, Federal Security Strategist, Splunk (Panelist)

Page 5

State of Cyber Defense

Page 6

State of Cyber Defense

Cyber Network Defenders Overwhelmed
– Burdened under the “fog of alerts”
– Unable to focus on APT/Nation State attacks

Cyber Network Defenders Need
– Tools/processes that automatically handle basic threats (80%)
– Enabling operators to hunt advanced threats with enriched threat intel
– Leveraging policy driven automation is not a new idea (ex: automated system lockout, anti-virus)

Page 7

SHORTSTOP Architecture

Diagram of the four architecture layers:
– L4 Analytics
– L3 Mission Threads
– L2 Integration
– L1 NGFW | Heuristic/Sandbox | ERD | Compliance

Page 8

Incident Response Story

Current Incident Response
– Threat incident occurs
– Incident response team responds
– Incident analysis occurs from logs and existing data
– Threat is identified and damage assessment and cleanup occur

So what if we created Automated Incident Response?
– What would it look like….

Page 9

Integrated Approach + Logical Architecture

The SHORTSTOP layered approach to cyber security leverages the traditional military strategy of the decision cycle – Observe, Orient, Decide, and Act (OODA) – applying it to all major threat vectors.

Diagram: Sensor Threat Feeds; two OODA loops (Observe, Orient, Decide, Act); sensor tiers Next Generation Firewall, Heuristic / Sandbox, Endpoint Remediation, Device Compliance, each with its own Sensor Analytics; Integration, Data Enrichment / Splunk; Mission Threads, Mission Effects; SHORTSTOP System Analytics.

Page 10

SHORTSTOP Reference Architecture

SHORTSTOP is provided as a turn-key system, or reference design, to deploy best-in-class cyber defense:
– Central management/threat aggregation layer for threat correlation
– Course Of Action development based on enterprise environment and threat posture
– Commercial security technologies to address all major threat vectors
– Detection and heuristics at the perimeter, internal/external networks, and the endpoint
– Continuous, automated, policy-driven response to confirmed threats

Page 11

SHORTSTOP Reference Architecture

Architecture Components

Perimeter
– Inbound network IOC detection. On-demand threat blocking.

Network
– Internal network IOC detection, primarily sandboxing or threat replay technology, detecting advanced IOCs.

Endpoint
– Detect malicious activity and outbound threats emanating from the host. Verify that network-detected threats actually exist on the endpoint.
– Apply policy driven countermeasures to remove the threat.

Command/Control/Orchestration/Integration
– Correlate sensors and IOCs from Endpoint and Network. Provide common visibility of the threat. Automate response to the threat at the endpoint and network layers.

Initial Deployment
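The orchestration component described above, as an added example that is not part of the panel's slides or of any vendor product named on them: a small Python playbook that walks each network-sensor alert through Observe, Orient, Decide and Act (the cycle on page 9), checks whether the endpoint corroborates the network IOC, and only then builds a policy-driven course of action. The sensor record formats, the IOC fields, the asset inventory, the action names and the policy rules are all assumptions constructed for illustration; the sample alerts and endpoint events are likewise constructed, not captured data.

```python
"""Added example of an integration/orchestration layer (not SHORTSTOP's own code).
All record schemas, policy rules and connector names below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

# Constructed sample input (assumed schema) as a normalised integration layer might
# receive it from a perimeter/sandbox sensor and from an endpoint sensor.
SAMPLE_HASH = "a1b2c3d4" * 8  # constructed 64-hex-char stand-in for a sandbox verdict
NETWORK_ALERTS = [
    {"id": "n1", "host": "10.1.1.20", "ioc_type": "sha256", "ioc": SAMPLE_HASH,
     "severity": "high", "source": "sandbox"},
    {"id": "n2", "host": "10.1.1.21", "ioc_type": "domain", "ioc": "update-check.example",
     "severity": "medium", "source": "ngfw"},
    {"id": "n3", "host": "10.1.1.30", "ioc_type": "domain", "ioc": "c2.example",
     "severity": "high", "source": "ngfw"},
]
ENDPOINT_EVENTS = [
    {"host": "10.1.1.20", "kind": "process", "sha256": SAMPLE_HASH, "pid": 4412},
    {"host": "10.1.1.21", "kind": "dns", "domain": "cdn.example"},
    {"host": "10.1.1.30", "kind": "dns", "domain": "c2.example"},
]
# Assumed asset inventory: hosts tagged "mission" back a mission thread and get
# analyst approval before any endpoint-side containment.
ASSETS = {"10.1.1.20": "workstation", "10.1.1.21": "workstation", "10.1.1.30": "mission"}


@dataclass
class CourseOfAction:
    alert_id: str
    host: str
    confirmed: bool
    evidence: list[dict[str, Any]] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)


def observe(alert: dict, events: list[dict]) -> list[dict]:
    """Observe: collect the endpoint telemetry for the host the network alert names."""
    return [e for e in events if e["host"] == alert["host"]]


def orient(alert: dict, host_events: list[dict]) -> list[dict]:
    """Orient: return the endpoint events that corroborate the network IOC.
    An empty list means the endpoint does not confirm the network detection."""
    if alert["ioc_type"] == "sha256":
        return [e for e in host_events if e.get("sha256") == alert["ioc"]]
    if alert["ioc_type"] == "domain":
        return [e for e in host_events if e.get("domain") == alert["ioc"]]
    return []


def decide(alert: dict, evidence: list[dict], assets: dict[str, str]) -> list[str]:
    """Decide: policy-driven course of action (assumed policy).
    - unconfirmed alert: no automated containment, enrich and hand to an analyst;
    - confirmed: block the IOC at the perimeter (low blast radius) automatically;
    - confirmed, endpoint actions: kill matching processes, isolate host if severity
      is high, but only request approval when the host backs a mission thread."""
    if not evidence:
        return ["enrich_and_queue_for_analyst"]
    actions = [f"block_{alert['ioc_type']}_at_perimeter:{alert['ioc']}"]
    endpoint_actions = [f"terminate_process:{e['pid']}" for e in evidence
                        if e.get("kind") == "process"]
    if alert["severity"] == "high":
        endpoint_actions.append(f"isolate_host:{alert['host']}")
    if assets.get(alert["host"]) == "mission":
        actions += [f"request_approval:{a}" for a in endpoint_actions]
    else:
        actions += endpoint_actions
    return actions


def act(coa: CourseOfAction) -> dict[str, list[str]]:
    """Act: route each action to the layer that would execute it (assumed
    connectors: perimeter firewall, endpoint agent, analyst queue). Nothing is
    executed here; the return value is the dispatch plan."""
    plan: dict[str, list[str]] = {"perimeter": [], "endpoint": [], "analyst": []}
    for action in coa.actions:
        if action.startswith("block_"):
            plan["perimeter"].append(action)
        elif action.startswith(("terminate_process", "isolate_host")):
            plan["endpoint"].append(action)
        else:
            plan["analyst"].append(action)
    return plan


def run_playbook(alerts: list[dict], events: list[dict],
                 assets: dict[str, str]) -> list[CourseOfAction]:
    """Run one OODA pass over every network alert and return the COAs."""
    coas = []
    for alert in alerts:
        evidence = orient(alert, observe(alert, events))
        coas.append(CourseOfAction(alert["id"], alert["host"], bool(evidence),
                                   evidence, decide(alert, evidence, assets)))
    return coas


if __name__ == "__main__":
    for coa in run_playbook(NETWORK_ALERTS, ENDPOINT_EVENTS, ASSETS):
        print(coa.alert_id, "confirmed" if coa.confirmed else "unconfirmed", act(coa))
```

The gating is the point: alert n2 is a perimeter domain hit that the endpoint never resolved, so it gets enrichment and an analyst, not containment (this is where false-positive reduction comes from). Alert n1 is corroborated by a running process with the sandbox's hash, so the playbook blocks the hash at the perimeter, terminates the process and isolates the workstation. Alert n3 is equally confirmed, but the host backs a mission thread, so the perimeter block still goes out automatically while host isolation is raised as an approval request rather than executed.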

Page 12

SHORTSTOP Benefits to Enterprise Security

Reduce incident response times through policy driven automation: Confirm host infections, increase detection effectiveness and reduce false positives. Automate response actions with HawkEye G’s policy based response capabilities to more rapidly and efficiently contain and remove threats at machine speed. Coordinate threat identification and tool integration with Splunk as the integration layer to automatically respond to threats.

Cyber Situational Awareness: Improve visibility through a unified solution architecture that combines detection at all layers of the enterprise into a common visual representation with Splunk and HawkEye G.

Increase Blue/Hunt capabilities: Provide additional analytic and hunting capabilities by leveraging Splunk to collect, synthesize, and enrich all threat indicators from HawkEye G, Palo Alto Networks, and FireEye.

Page 13

SHORTSTOP Benefits to Operations

Operators:
– Increase capability of the existing work force by leveraging automated technology
– Improve efficiency of incident response (decrease onsite hunting, automate common threat response, correlate threats to prioritize alerts)

Tools:
– Integrate with existing tools and investments
– Ease of integration of new tools and capabilities
– Coordination of sensor data improves threat identification, incident response, and hunting
– Custom development for analytics and COAs still enabled

Processes:
– Simplify operational processes for operators
– Lower barrier to entry for trained forces