Intelligent Analysis

Intelligent
Analysis
About me
Kevvie Fowler

Lead the TELUS Intelligent Analysis practice
– Frequent speaker at major security conferences (Black Hat USA,
Sector, Appsec Asia, Microsoft, etc.)
– Industry contributions:
2
Security Landscape
The industry today is more dangerous than ever before
–
Today’s threats are evolved and bypass traditional detection measures



–
Hactivisim is a threat affecting everyone
–
Targeted attacks are now common in the industry


–
–
Attacks leveraging zero-day vulnerabilities
Custom malware
Your industry DOES affect your probability of attack

3
Increased complexity
Increased stealth (bypass FW, IPS, UTM, WCF)
Dynamic
Patterns and attack volume vary significantly between industries (healthcare, energy,
finance, etc.)
“Intelligence” will help improve your defenses against industry attacks
Intelligent Analysis | Overview

What is “Intelligence”?
– Information put into context and in a form that can be acted upon
– Intelligence is derived from data
Data

4
Information
Intelligence
Most organizations have the data but can not convert it into “intelligence”
Intelligent Analysis | Overview

What is Intelligent Analysis?
– Advanced event analysis and pre-emptive intelligence that can
protect you against present and emerging threats

Live-analysis and correlation of device security events
– Signature, pattern and anomaly detection
5

Industry analysis of the external threats that are likely to impact
your environment (Global, industry, targeted, geographical)

Tailored reporting containing metrics and expert advice that
enable the effective measurement and tracking of information
security
Intelligent Analysis | Overview


6
Okay we now know what Intelligent Analysis is so what’s the
problem?
The problem
– How do you monitor external sources (internet, social media,
etc.) for relevant information?
Data sources
Data Sources – The internet
Communication
• Chat
• Email
• News
• Newsgroup
• Webcam
• Webcast
• Weblog
• Social Sites
Public
Internet
Sources
Services
8
• Dictionary
• Directory
• Downloads
• Finance
• Geospatial
• Search
• IP Lookup/Who is
• Technical Support
• Translation
• URL Lookup
Databases
•Commerce
•Education
•Government
•Military
•Organizations
Web pages
• Commerce
• Education
• Government
• Military

Estimated size:


Roughly 5 million terabytes
Expanding by:

100 terabytes per month
Data Sources – Social media









9
168m Emails
695k FB Status
Updates
510k FB
Comments
98k Tweets
79k Wall Posts
6.6k Pictures
1.5k Blog Posts
600 Videos
1 New Article
Data Sources – Managing the output
10

Manual analysis aka the “swivel chair” approach
isn’t effective

You need to enlist the help of some tools to manage
the data
Tools
Tools – Data collection

Silobreaker.com

Sources:






12
News
Blogs
Web Content
Press Releases
Audio/Video
Reports/Research
Tools – Data collection

13
Silobreaker.com Entity-based Search
Tools – Data collection
14
Tools – Data collection

15
Socialmention.com’s 100+ Social Media Sources:
Tools – Data collection
16
Tools – Data collection

17
You can leverage feed filters to better target meaningful data

Feedrinse

Yahoo pipes
Analysis process
Analysis process | Overview

Two-step approach to analysis
1) Transform data to information
- Ensure data articles are relevant
- Categorize relevant data articles
2. Transform information to actionable intelligence
- Rate and prioritize data articles
- Research and answer the three W’s
- What is it?
- Why is it important?
- What should you do about it?
19
Analysis process | Overview

Step 1 - Transforming data to information
– There is a little known tool named NewsPet that can help you transform
data to information
20
Analysis process | Overview
Configurable
RSS feeds
Web-based
interface
Automatic
Categorization
Ability to recategorize to
train the system
21

Michael Fulker

Tony Hauber

Tyson Williams
Analysis process | Overview

Review all news that comes in

Star important articles

Move mislabeled articles to proper categories

22
This enhances the artificial intelligence further
Analysis process | Overview
23

Step 2 - Transforming information to intelligence

Forward external events to your SIEM…it can help!
Analysis process | Overview
24
Analysis process | Overview

Calculate the overall risk to a your environment using
several vectors
–
–
–
–
–
–


25
Asset Value
Relevance to your environment
Damage Severity
Certainty of Data Source
Mitigating Controls
Industry Threat Activity
Correlate industry activity with event activity within your
environment

Add context to real-time activity

Serve as early-warning for threats in the industry that are likely to impact your
organization
Meaningful reporting can help you understand the threats targeting
your organization and your current level or protection
Reporting
Reporting
Security events
12000


A typical security report
Is it effective?
10000
8000
6000
4000
2000
0
High
27
Medium
Low
Reporting

Characterizes the
population of external
attackers relative to
all peers, making a
distinction between
opportunistic and
focused attackers
Phase 1 - Attacker Population
Total Number of Remote Systems
105000
Total Number Hostile Systems
1800
100000
1600
95000
1400
90000
Focused
1200
85000
Jan
Feb
Mar
Apr
May
1000
% of Systems Hostile
800
2.0%
Opportunistic
600
1.5%
400
1.0%
200
0.5%
0
0.0%
Jan
28
Feb
Mar
Apr
May
Jan
Feb
Mar
Apr
May
Questions ?

Thank-you!

Questions ?
Kevvie Fowler
email: kevvie.fowler@telus.com
29