Dollars and Sense of Sharing Threat Intelligence

The Dollars and Sense Behind Threat Intelligence Sharing 2-11-2014

# Cyber Squared Inc. 2014

What I do

Investigates new threats across industries

Correlates incidents

Provides ongoing and on-demand support

The ThreatConnect Intelligence Research Team (TCIRT)

Enrichments that expose the unseen

Customer: We were hit with this.

TCIRT: Here are more details

Your Organization

Common Community

Subscriber Community

Industry Community

ThreatConnect IRT

Peer to Peer

Dynamic and On-Demand

Who I support

Launched July 2013

1,700+ accounts

Dozens of Fortune 100/500 Companies

Many Industries Represented

66% Referral Rate

Chart values (labels not preserved): 16%, 17%, 16%, 30%, 8%, 4%, 5%, 4%

The Who's Who

First Step: Recognize the players

bob3160

Unless you played one of these, this may carry little meaning

Source: http://blog.avast.com/2014/01/22/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-2/

Second Step: Recognize the problem

Where my Geeks At?

Producer

Consumer

Wolverine

Third Step: Mind the Gap

Direct & Indirect Delivery Models

Technical Risk

Business Risk

Measuring is maturing

What you do, costs someone / something (Time/Money)

What does the org get between the 1st & 15th?

What does it cost to produce or consume?

What should I work on? X OR Y (WHERE X = (N) and Y = N)

Is what I am producing of value & How do I know?

How do I improve my process? (Make Faster & Cheaper)

Q3 2013 Metrics

Assumptions & FACTS

Assumptions:

Give data to get

Have analysts, will collaborate

My perspective is not always correct

Facts:

Time: Not enough

Talent: Not enough

Treasure: Not enough

Definition:

What we mean when we say Share

Q3 2013 TCIRT Sharing Metrics

In Q3 of 2013 TCIRT shared:

143 Incidents, Threats or Emails

When shared +1700 global users were enabled

Consistent observables for July & August

47% Increase in September

Data exported, consumed and processed within organizational systems

Doing more with less

Automation and Collaboration accounted for 33% reduction in time in September

During a time of a 47% increase in workload

Optimization of Organizational Analysis Processes

Good news for the resource-constrained

Fuzzy Math (Shares)

1 x ThreatIntel Analyst a year / amount produced in a month @ a specific rate of production.

$100,000yr/12mo - $8333mo / 39 Jul Shares = $213 share/mo. @3.24/hr - $65/hr

$100,000yr/12mo - $8333mo / 42 Aug Shares = $198 share/mo. @3.29/hr - $60/hr

$100,000yr/12mo - $8333mo / 62 Sep Shares = $134 share/mo. @2.18/hr - $61/hr

Cost to Organization

Amount of Production

Ave Cost to produce share

Frequency of production

Giving away knowledge = growth

Where did it all go?

Two Communities that we own

Subscriber Community

Common Community

Over half of TCIRT research was given away

These Communities consist of individuals & organizations

Global / All Industries

Established lasting relationships & partnerships for future collaborative efforts

Free as in beer

1 x ThreatIntel Analyst shares incident data @3.24hrs to create w/ a Community of 1700 researchers. Where only 1% review/research the data for one hour. Only .5% review/research/respond.

1% - 17 x Review/Research for one hour

.5% - 8.5 x Review/Research/Respond for one hour with additional findings

The ThreatIntel Analyst / Org leverages another 8.5 hours of additional manpower (@162% increase) of analytics.

Analyst obtains additional info/data

Org obtains at least $552 value of outsourced analysis (8.5 x $65)

Community leverages the entire exchange

Communities

Sharing is powerful!

Common System Wide Collaboration

Each Industry Represented by their own Trusted Community

Peer to Peer Sharing between two organizations

Each Organization has their own private data

Community Standup

Since August

Deployable Private Communities

Minutes to configure

By Industry

By Threat

By Geo

Multiple Roles

Vetting & Invitations

Attrib / non-Attributable

Count of Private Communities & Membership

Chart labels: Private Industry, Private General, Private Industries, Regional, Threat Based

Community interaction

Leadership is contagious

Not all communities are created equal

Variables:

Time

Leadership

Frequency

Size of membership

Culture

Givin' Value Props

Increase your eyes and ears by N

Newcomers to the mission: Where do I get started?

Increase your probability for free beer at conferences

Understand what are Industry best practices?

Who else is dealing w/ cyber pandas?

Successes / Failures that I should know about?

Distributed talent / distributed AS&W / increasing production times.

Sources of info

Q3 2013 Sources of TCIRT Data

Items to Consider

Quality vs Quantity debate: more is not always better

Accuracy vs Timeliness debate: being 100% wrong now vs. 50% correct later

All Source vs Single Source: the wandering perspective

Customers & Feedback loop

What sources yield positive feedback?

Cost: time & money

Parting thoughts

Summary

Understand others, everyone looks at things differently

Perfect the ability to communicate effectively to both the technical & non-technical audiences

Understand the business costs associated w/ doing or not doing aspects of your job

Make assumptions, Measure things, Make decisions

We are relational creatures that crave success = find success through relationship

If you are thinking in these terms & measuring you are likely postured for growth & maturity in this space.

Happy hunting!

Rich Barger
