Cybersecurity Intelligence Forum Part 3, C-SPAN, June 15, 2018, 11:38am-12:14pm EDT
...operations center and say, what's the latest threat? They always say nothing has happened. That's not true. The other piece moving forward is being able to refine your security program by conducting more continuous red teams, to be able to measure your effectiveness.

>> Charles?

>> I would reiterate: I find one of the most effective ways is to conduct a red team exercise against the organization. I find that companies will engage penetration testers but say you can't test during certain hours, you can't test certain parts of the environment, and if you find a vulnerability you cannot exploit it. It gives a false sense of security to the board.

>> Great. I think that's our time. I want to thank the panelists today for a great discussion, and I'm looking forward to continuing the conversation. Thanks. [ applause ]
>> Good morning, everybody. This is a great crowd. Thanks again to Goldie and your great organization, and to FireEye for hosting the conference, our partners. We have a great public-private partnership going on. You know, threat intelligence, obviously, as you'll learn today, threat intel is getting very, very good. Our capabilities have grown enormously. The people I work with in the Defense Department and the intelligence community judge the adversaries' threats by capability, intent and targeting. Those are the three characteristics they look at. I think the important thing is we talk about the diverse organizations. You'll hear from three great people who are in different environments. But it's something I've said for a long time: these cyber threats do not distinguish between federal government, state and local, private sector. We're all using the same technology today. The technology is awesome. It gives us great capability. But we're incredibly vulnerable because we depend totally on this technology to be dependable and to give us mission business functionality. As you look at threat intelligence today, the important thing from my perspective is not to look at it as one vector in the larger problem. You have to look at this holistically. When you look at risk management you have -- I can see right now. Great. All my friends. When you look at risk management there's a piece of risk management called risk assessment, and risk assessment has always been about threat, vulnerability, impact to mission business, and the likelihood that can happen. Today if you're working on your critical assets, and every company, every government agency has critical assets, you can throw out the likelihood component. It's 100% certainty. You have been attacked or are going to be attacked. So the important thing is, how do we use threat intelligence? What do we use that threat intelligence for with respect to our risk assessment process, our known vulnerabilities? More importantly, as someone said earlier, the zero day vulnerabilities are growing. Those are the ones we don't know about until we know about them, because the complexity of the IT infrastructure is growing and that's the attack surface. The real question our panel will try to answer in the next 15 minutes or so, 20 minutes, is what is threat intelligence within your organization in particular, how are you using the threat intelligence, and how well is it working? Then once we go through the first round, we'll circle back and talk about some recommendations. Let me start with my good long-time friend Randy from the U.S. House of Representatives. Randy, can you talk about your view of threat intelligence, how you're using it and how well it is working?

>> Sure. The way I see threat intel is that data, and we've had several people define it. That data and understanding of the attack vectors, the threat, the TTPs, and that information that can be used to, one, reduce risk and, two, reduce that dwell time. You know that dwell time metric everybody says, that you hear in various speaking engagements: 208 days malware sits on a machine undetected. That's where threat intelligence can help reduce or prevent to some degree that dwell time. Now how do we use it? One of the things, the way I talk to my threat intel team, I put it in concentric circles.
Internal, inside the wire as I like to call it, is where you do your day-to-day business, SOC work, event management. Hopefully not incident response, but we do incident response. That intel sits at the edge of the wire. The first thing they look at in our case is any information that we're getting from our partners within the legislative branch. The next circle would be information that we're getting from our partners like DHS and others within the government space. And then the last circle before we get to true open source intelligence is like organizations. We have a strong partnership with the five parliaments, you know, the UK, Australia, Canada and New Zealand, and we're starting a threat intelligence sharing program where we're going to share information more and more. So, I see that as I want my threat intel looking over the horizon, looking at those things to help, as was just mentioned, how can we help reduce that attack vector and that attack surface. Now they contribute not only to the risk mitigation, because anything that we know about a TTP, we can start looking for those kinds of activities through those indicators of compromise and other indicators. I agree, as was said earlier, we need to have context, and that's where threat reports come in. That contributes to the hunt team. The hunt team sits at the edge of the wire as well as internal, because they are looking for that low and slow activity that you're not going to get through day-to-day alerts. You want to look at the alerts and connect the dots and see where those things come together so you can take that incident response. We're still growing. I have a team of two on my threat intel. We're putting in a threat intel platform to better automate certain types of activities. We're looking at orchestration. How can we interject that automation? You can't take the human out of the equation, but where you can, do so as much as possible to prevent that risk. We want to do the minimal amount of incident responses, as I stated earlier. But looking at various threat platforms and threat intel sources. In one of my previous jobs, one of my goals was to reduce our dependency on government intel. Not remove the use of it, because it has valuable insight, but because of classification and other types of activities, your distribution of that information isn't as robust and dynamic. And looking at other threat intel sources, you know, like the iSIGHTs of the world, and being able to pull that information and put it into the --
>> Thanks very much. Let's go to my brand-new friend from the great state of Missouri. Mike, can you give us some insights on how you define threat intelligence, how you're using it and how well it is working in the state of Missouri?

>> Randy nailed it on how to leverage threat intel. In Missouri, Missouri is a bit different. We're a state government, and we have jurisdiction over 30-plus state agencies. We have around 50,000 state employees, 6 million residents, 600-plus municipalities that we try to keep an eye on. And when I hear threat intel, I think it's important to define the difference between threat intel and threat data, because I think sometimes they get intertwined in their definitions. To me threat intel is actionable. It's timely. Consumable. And we can move on it right away and reduce our risk and/or hopefully prevent attacks. One such attack occurred back in, I believe it was 2016. There was an FBI notice that went out to certain local elected officials, not state officials but local officials, about a particular ransomware attack. We witnessed firsthand the difference that threat intel can make that is actionable and highly targeted. Going back a few years before, as you all may remember, the city of Ferguson was under siege. We had civil unrest that occurred for a period of months, and the state of Missouri was right in the mix. And the threat intel that we were able to gain through our critical partners from the FBI, DHS and others, it was -- it's what kept us going. It's what kept us breathing and operational. So the threat intel has been vital to the key of our success. It's the lifeblood of how we do IR, EDR. It's a key component of our security operations center. And without it I'm not sure where we would be today.

>> Thanks very much. Now most of us focus on some of the larger federal agencies, but we have the Small Business Administration, some smaller agencies. This is a good use case. We have a lot of small mom-and-pop companies who are dealing with similar types of resource constraints. Let me turn to Bo and talk about the SBA, how you view threat intelligence, how you are implementing it and how well it's working.

>> Thanks, Ron. I'll just take a quick step back and provide a little bit of context that will help me answer
the question. There are really two approaches in cyber security. There's the, you know, well-known and loved defense in depth model, and that's, you know, I like to call it the castle approach. Build the walls high. Moat around. Outer keep, inner keep, and the crown jewels are behind several layers of defense. So, you know, there's that. It only takes one malicious insider to really circumvent all of your layers of defense in that model, and we've seen examples where that's broken down. So the other model that is considered when we build these programs is a threat-based model. The key differentiator between defense in depth and the threat-based model is intelligence. You have to know who your adversaries are. You have to understand what their motivations are. How they operate. Who they target. And then you need to use that to infuse that information throughout your program to really strengthen the overall posture. And so, for example, in the defense in depth model, the vulnerability says high. It is a different approach. If you know there's a specific vulnerability, no matter what the category, and that vulnerability is being exploited in the wild, and you have a system on the internet that is vulnerable to that, you better have a way to get that to the top of the stack. The only way to infuse that analysis into your program is through the use of intelligence and really knowing your threat actors. At the SBA we have a program that centers around the 24/7 security operations, a small cyber threat intel team made up of intel analysts. Not IT people, not forensics people, intel people. That's really the key. Intel folks think differently than IT folks. That is an important aspect to consider with the intel capability. I have a small team of hunters and forensics. Now I am able to say, pen testers, imitate APT X or cyber criminal X against this high value system. And, you know, that not only proves the resilience of that specific system, it also, working with the 24/7 monitoring, can show you if the SOC has the right visibility and triggers in place. You can provide the same information to the threat hunters. So, again, defense in depth is very important, but insufficient by itself. The threat-based model changes the aspect of the entire program. And then if you do have good intel on specific TTPs that you need your staff to know, you can get that into your training and awareness program to really emphasize, if you're doing phishing exercises, you can theme those the right way to raise the awareness the right way. Again, it changes the dynamics of the entire program. At SBA, I have been there eight months, so we are just getting this model off the ground. Prior to this I was at the Centers for Medicare and Medicaid under the leadership of Emery Csulak. It is really effective. And the intel serves as a force multiplier across the cyber security program.

>> Thank you very much. I think before we go to our final round of recommendations, I'll start by making my first recommendation. I think, you know, threat intelligence, as I said before, has to be looked at in the context of the totality of risk management. And so we can't just rely on
continuing to build our threat intelligence because, as you've seen today, how we use that threat intelligence is really the most important thing. So it's just like CDM, all of our great tools and everything we employ in your vulnerability hunting model: the number of vulnerabilities is growing exponentially, and it is growing because of our appetite for the technology. One of the recommendations I would make is, in order to take maximum advantage of our great tools and techniques and all the things we can bring to the fight, you have to do your part as well to reduce and manage the attack surface. It goes back to: this is a physics problem. We tend to grow our networks and our systems because there's an intense desire for more functionality, more capability. But we have to balance that. We know the threats are out there. We have great threat intelligence. But the real question is, how can you reduce and manage? It takes strong leadership, because we have the tendency to go the other way. One more round. Give us one more recommendation on threat intelligence as applied to risk management. We'll start with Bo.

>> Thanks. So I have a couple. I'll hit them really quick. First, use these services that are out there. We heard DHS earlier describing their shared services. There's others besides that we can tap into. The price is right on those, so take advantage of those. We leverage the MITRE ATT&CK framework. That breaks down the attack process into stages, and each stage lists all the known techniques that attackers use during that stage. It's a very comprehensive matrix. You click on a specific technique, it brings up a wiki
page and shows the threat actors known to use that and describes that in detail. You can have your penetration testers simulate the attacks and work with your SOC to account for all of these threats. And it sort of gets you into the intel-focused approach. The other one, if you have resources like FireEye or other key industry partners, leverage them. They just provided a report to us about the network activity on our network. And they did the report for us and they prioritized the threats we should be concerned about. So it's helping us to prioritize that way too. And the last one is share. You have heard that too. Share, share, share. We have to work through this and get to a point where we are comfortable sharing and get to where an attack on any one of us equals protection for all of us. So sharing is really critical.

>> Thank you. Mike? Your recommendations?

>> I guess my big recommendation would be partner well. Identify partners who truly care about threat intel, the ones who are doing the research, the heavy lifting, identifying what's going on out there. Secondly, you have to listen to that threat intel. We mentioned how it shapes the fundamentals of how we conduct ourselves within security operations. Where do we invest? Where do we divest? How does it impact our processes? How does it impact the ability to gain visibility within our networks and endpoints and our people? I thought it was great that Bo mentioned using threat intel to shape awareness programs. That's absolutely vital, because that's what they go after first. They're going to go after people. We're the soft targets.

>> Randy, take us home. Any big recommendations from you?

>> You know, cyber security isn't just about blocking and tackling. It's like Bo was saying, that building the castle. That's really your block and tackle kind of stuff. But what we tend to not do is look for what our high value assets are and then apply the appropriate risk reduction methodology against that. Threat intel helps to find the techniques you can use to reduce the risk. And if you're just blindly putting firewall blocks in, or these kinds of blocks in, you're going to hurt your business. So you use the -- know where your high value is, know what the threat TTPs are, and then you can act accordingly. You can't block everything against all items. That ties into how you do your risk management. That is the key point. Can't do it all. Threat intel helps contribute to the risk factor.

>> Thank you guys very much. I appreciate all your remarks today. Goldie, we're going to get you back on schedule today. Thank you all very much. [ applause ]
>> Let's give them another round of applause. [ applause ] I'm really excited to introduce our next speaker. She's going to talk about commercial threat intelligence and broadening the aperture. She's the V.P. of global intelligence at FireEye. Please put your hands together and give a warm welcome to Sandra Joyce. [ applause ]

>> Thank you so much for letting me come and speak to you today. It's thrilling for me, as vice president of FireEye in charge of threat intelligence, to have an entire conference dedicated to this entire topic. What I would like to talk to you about today is how commercial intelligence can best serve. Because if we think about it, commercial intelligence really has the capability to widen the aperture for government and for other customers. And how can we best do that? At FireEye, what we do to collect intelligence is we look at our machine intelligence that brings in current, active threats against us. We pair that with what our consultants are seeing when they are doing an incident response. Then we can actually look at active campaigns through our managed defense offerings. And our iSIGHT intelligence analysts are in the underground, managing personas and collecting that evidence. This is rich information we can correlate, bring together, process, analyze and disseminate, and give situational awareness and also be able to give forecasting so you can proactively hunt in your environment for the threats. But before I get into it, we have lots of lawyers at FireEye. They're very good. And they want me to remind everybody that I may talk about case studies here, but what we really value above everybody else is the confidentiality of our clients. So I might talk about things, but I'm not going into specifics about specific customers. So with that, let's get started. So almost 20 years ago I joined the Air Force, and I was at Goodfellow. I'm sure many people in the audience spent time at Goodfellow. [ applause ] Why are we clapping? It was awful, right? I remember when we learned about intelligence, it's all classified. Very serious. It still is. But I also remember thinking about this red-headed stepchild. IMINT was serious.
OSINT was the thing -- saw a rec for OSINT in Hawaii. I said they're going to be sitting in Honolulu reading foreign newspapers all day. What a wonderful job that would be. It is so compartmented that even in the IC you couldn't share it with your fellow IC colleague. Things have changed a little bit. It's not perfect, but things have changed in that now, with the onset of globalization, the information age, information is so commoditized. And information that is no longer deep and buried in classified areas is still a great insight and of great value to the geopolitical situation going on. One very important inflection point in commercial intelligence was the release of the APT1 report, where the second Chinese people's bureau, unit -- the unit that was infiltrating and stealing IP from the United States over a series of years, was finally exposed. Not by the government, though. It was exposed by commercial intelligence and played a very important part in geopolitical policy. So this inflection is really important because we also have to think about this as a new INT, the commercial sensor. What are the rules and responsibilities of an organization when they are part of that common operating picture? The front lines are no longer the traditional battlefield front lines. The front lines of nation state activity could very well be embedded in a company that has a breach on the other side of the world, where normal government authorities would not allow the exfiltration of that information. How do we proceed in the new world? How can commercial intelligence serve? So there are three main ways that it can serve. One, that it's shareable. Two, that it is international. And three, that it is rapid. The great thing about shareable intelligence is that these days we know that a lot of times you're working with partners. There's not a lot of unilateral operations anymore. You're typically with either a partner government or you're working with an NGO. And having unclassified, shareable information can allow organizations to have a conversation, a narrative, about a common place towards a strategic mission. International, meaning that commercial intelligence can be deployed in governments and in institutions around the world. It can be received, processed and looked at, and outside of the resources or the priority set of the government. It could be in a commercial organization, a financial organization, somewhere else. And it's very quick,
comparatively speaking. Not a lot of special handling, not a lot of bureaucracy, not a lot of levels of approval. So in these three ways, commercial intelligence can be a very important part of the common operating picture for governments and organizations around the world. So how does FireEye do it? How do we contribute to this important mission? I would like to show you a few different examples of how FireEye does commercial intelligence and how we have contributed to this. So the first one is about shareable insights, the shareable piece of commercial intelligence. One very, very important part of having geopolitical conversations is that it has to be multilateral. And people have to be able to talk about something that is -- that may have disparate organizations all over the world looking at it. And what we observed recently was a -- we were looking at documents sent by Chinese actors against Southeast Asian authorities. What they were doing is trying to find out information about the Belt and Road Initiative, a strategic imperative for China and something we have seen them putting throughout Europe and Asia. And the important part of this intelligence that we were able to glean from these lure documents was the plans and intentions of the Chinese state. And we were able to raise this to a multilateral and multinational conversation that would not have been able to happen if this intelligence was buried in the bureaucracy of a foreign government and never brought to the surface. So in this way, shareable insights are a very important part of how commercial intelligence can serve. This is one way that FireEye did it. International. A lot of the adversaries that we track at FireEye have a very global perspective. And they don't make it easy for us, because they are targeting organizations all around the world, and they're testing, they are poking, they are prodding, and their playground and their test beds are in countries where normal government authorities are not applicable. An important part of this, an example, was the TRITON malware we discovered while doing an incident response overseas at an industrial plant. TRITON is a dangerous piece of malware because it targets the safety systems of control systems. It sits outside of that ICS environment, and it is intended to -- incrementally spin down. If you see an anomaly in an ICS environment, normal safety systems spin down to prevent loss of life or property. This attacked that function. So it was a very dangerous piece of malware.
And the fact that we were globally dispersed and we could get these overseas before they reach us is an important part of how commercial intelligence can serve by being so international. If you think about it, commercial intelligence can be the honest broker in between governments and collection and the privacy and the confidentiality of customers. We can protect customers, but we can take and glean that adversary intelligence and provide that to the community. That's a very important role, that we can be in the middle of governments and the security community and pass that information along. The alternative is increased authorities in the government, and being a western democracy, that is not always the best course of action. The other thing that's important that commercial intelligence can provide is rapid insights. We can put information out very quickly, especially if the stakes are very high. Last summer, our products detected spear phishing e-mails that were targeting the energy sector of the United States. FireEye iSIGHT was able to link these to North Korea. What was very disconcerting about this, we were able to see North Korea was spear phishing energy targets for the purpose of disruption. Now, it was very left of boom. It was simply a very early stage. So there was no clear and present danger of anything being destructive. But we could put this out immediately to US-CERT, to the energy ISACs and the customer set within hours. Now, the important thing here is there was no need to think about special handling. There wasn't a big government process of approvals. We were able to push it out there and communicate this immediately. So that was a very important way that commercial intelligence could be very speedy and rapid. In the normal course of our day-to-day work at FireEye, we uncover more zero days than everyone else combined. If you think of a way that commercial intelligence can serve, this is an important way that we can serve. Because we can then provide awareness to not only governments but the entire security community and uncover them. Unfortunately, what we have been seeing, you can see from 2012 on, it was mostly China, Russia. But now we are seeing zero days exploited for multiple countries. And that's going to continue to happen. So what are the rules and responsibilities of the commercial intelligence organization? We cannot and should not replace the government intelligence function. However, we do have a
responsibility, and I'll give you a very good example. The North Korean spear phishing example that I just mentioned, we could have taken that to the media immediately and grabbed headlines. It would have been no problem. We could have benefited from it from a marketing perspective. But we decided not to because it wouldn't have been the right thing to do. It would have inflamed a very tense geopolitical situation. And we knew we had to be mindful of the secondary and tertiary effects of doing things. So we put it out to CERT, ISACs and customers. We knew that was the right thing to do. With the type of insights we have, that's what we need to be able to do, and to communicate very well about it. Because at the end of the day, we really do share this mission. We need to know and work together to know as much as we can about the adversary so that

...and priority sector talk about cyber security priorities and challenges. Information security officers and technical directors from TSA, the Department of Homeland Security, the Commerce Department, and the National Security Agency talk about what's being done in their agencies.

>> All right. Welcome back from break. Appreciate you joining us again. And I think what we want to