
Please join me in welcoming Or from Akamai. Take it away.

Thank you. My name is Or Katz and I'm from Akamai, as was just mentioned, and I'm gonna talk to you today about creating data-driven threat intelligence signals in zero trust environments. But before doing that I have a question for you: where were you on November 27? And before you answer, and I see that you are very eager to answer that question, keep that in mind. I will tell you where I was on November 27, and I'll give some context to that. Prior to November I moved to the US, and I woke up on the morning of the 27th, I took my bag, went to work, got into the office, and it was something like that: it was pretty empty. There were some employees, but it was pretty empty. So I went in to one of my colleagues, his name is Mick, a Scottish dude, and I asked him, Mick, where's everybody? And Mick, with his brilliant Scottish accent, which I will try to mimic but will probably miss, told me that only foreigners come to work today. So that was a bit of big news to me, because there are two things that I learned from that, or two things that highlight some of my thoughts. The first one is that it's the first time ever that I'm being classified as a foreigner, and the second thought was: wait, it's a working day, I'm working, I'm working with a lot of my colleagues but they are not at work, I'm communicating with them, it's working, there's no doubt about it. So what really happens behind the scenes?

In order to answer that question, what I was doing was going into some of the data that we have in our company, which is data that is associated with zero trust environments and the access to those environments. I queried that data and this is what I was able to see; this is the graph that represents what I was able to see. Blue means a weekday (working day), green means weekend and orange means Thanksgiving, so the 27th was the day before Thanksgiving. Two things, while looking into this graph, caught my eye. The first one is that people are still being connected to enterprise applications over the weekend, which is a bit surprising, but not... I don't know about you, but I have the tendency to sometimes be connected over the weekends. My wife doesn't always approve of that, but I'm still doing that from time to time, don't tell her. And the second thing is that on Thanksgiving the amount of users accessing enterprise applications is even higher than on the weekend, which is again a bit surprising, due to the fact that people still need to be connected over holidays and weekends.

Now the interesting part, and the thing that I want to focus on, was the days of the 27th and the 26th. The 27th was the day that I got to the office and it was empty but people were still working. The 26th was the day prior to that, where I was in the office and all the people were in the office, which was a different day. So I wanted to compare those two days, so I looked into the data relevant to those two days, and this is what I was able to see. Now when you look at those US maps, and I didn't mention that, but the focus was on US users trying to access enterprise applications, on the 26th what I was able to see is that there are five percent more users being connected to enterprise applications, which is explainable because I would imagine a lot of people taking a day off on the 27th, just before Thanksgiving. When looking at the 27th, on the other hand, we can see that there are a percent more access cities, meaning there are more cities that we can see users access from into enterprise applications, right, which again represents what I was seeing in the office. And when we combine those data points together we have a 50 percent change between those two days in terms of normalized density, meaning on the 27th there's much more density in terms of accessibility to enterprise applications.

Now we talked about accessibility, right, but what happens when it comes to adversaries? What happens on those same days in terms of attacks and users being attacked? So we also got into some of the data that we have related to phishing attacks, and these are the number of victims of phishing attacks in the same time frame, between, you know, November 11 and December 8, the same timeframe that we looked into for access. Now, a few things that you can see on that graph and I can explain. The first thing is that threat actors are not resting over weekends and holidays, which is again not surprising, but that represents the fact that while we are being connected while we are not in our network, the same time frame is being targeted by threat actors trying to compromise us. The second trend that I was able to see is the fact that there is a soaring trend in the amount of victims over and during the holiday season, and that can also be explained by the fact that that time frame is a very vulnerable time frame in terms of people wanting to have more access to coupons and, you know, all kinds of transactions relevant to the holiday season, and therefore that's the time that threat actors are much more active and creating much more damage. Specifically, in order to explain that trend, we looked into the targeted brands: what are the brands that are mostly being abused over that time frame and what created that trend in the amount of victims. What we were able to see is that e-commerce brands are the ones that are mostly being targeted over that time frame, which can also be explained by events such as Cyber Monday and Black Friday, which are again shopping-related events that created the incentives for creating those threats.
Now here are the three takeaways that I have from what I just told you. The first one: the concept of the network perimeter is loosely defined. We see that people need and want to be connected, they want to do that from their devices, they want to do that by their roaming devices, and the fact that we are captured in the concept of a perimeter, it's loosely defined and there is no perimeter out there. Consumer threats are as relevant as enterprise threats, right? And I want to explain that, because I was asked that question many times this year. When we talk about phishing, a lot of people tend to think that it's a consumer kind of attack. In my notion there are two things. First of all, well, it's true, a lot of phishing attacks are targeting consumer data, but at the same time that same device is being connected to your enterprise network, and that same device is being victimized by phishing attacks. There is no question about it, that device is compromised and you need to treat that device the same way. More than that, when we did some research in Akamai concerning phishing attacks, we took over 200,000 URLs and we checked what is the actual target of those URLs, who are the victims of those URLs, and we were able to see that over 34% of those URLs are actually targeting enterprise credentials, which means, well, phishing is not a consumer kind of attack, and more than that, we need to treat it as well. Now the last takeaway, and that's the trivial thing: people want to have the ability to connect anywhere, at any time, from any device, right? That's a reality, we cannot change it, the user needs to be connected, and we need to react upon that.

A conclusion from that, for me, was: okay, so when we talk about perimeter-driven intelligence we are talking about threat intel, and we are more focused on detection and mitigation of the threats. While we move into the zero trust architecture we need to change our focus; we need to do what I call trust intelligence. We need to be focused on the entities that are being connected, users and assets, and we need to determine the trust level for each of those entities. Now what does trust level mean, right? There are 50 shades of trust. Let me give you a question about it. If someone is connected to one of our enterprise applications and at the same time is browsing through a badly reputed network, right, is using some Wi-Fi network that has a bad reputation, do we trust that user? I don't know. Well, what about that user that is using a variety of networks such as Tor networks, or downloading files from peer-to-peer networks, or stuff like that, do we trust that user? I don't know. So there are a lot of questions that need to be asked, for example about the device: what if the device that we are using is not fully patched, it's not running the most updated OS version, or the browser is not fully patched, right, or the certificates that are being used are not the most up-to-date, do we trust that user? So at the end of the day it's all a level of trust, and trust at different levels, and that actually leads me to the understanding that what we need to do is to define the trust level and apply the relevant security policy based on that level, with the associated action. And an important note about it: when we talk about action, action is something in the context of trust and risk (we can say risk and trust are very similar in that sense), it is that we need to apply actions that will do two things. First of all, they will reduce the level of risk, and at the same time they will create a situation in which users can still connect to enterprise applications, as they need to have accessibility; we cannot block them.

And this is my solution for that, and it's a signal-based approach that has three steps: data, signals and actions. The first step is data. You need to have a variety of data sources; those data sources could be malicious data sources and can also be benign-associated data sources, and you need to combine them both. You need to have a long duration timeframe to be able to take that data, to run algorithms on that data, to get signals out of that data. Now what does signal mean? A signal can mean a lot of things, right? It can be threat intelligence signals as we know them today, antivirus kind of signals, known malicious traffic is a signal. A signal can also be browsing habits, as I mentioned before; it could be someone that is browsing to adult content or peer-to-peer downloads, which is associated with a lot of malicious activity. It doesn't mean it's wrong, but it means that there's something associated with that that creates more risk. What about the device posture, as I mentioned, versioning of the OS, the browser, etc.? Connectivity, Wi-Fi networks, airports, these are signals that we need to use. Geography is also a signal: what if someone changes location, what's the meaning of that in terms of trust? We'll talk about that a bit more.

Now when we move into actions, what I call trust soft actions, and as I said before, it needs to be an action that can enable us to reduce the risk but at the same time should not prevent accessibility to enterprise applications. An example of such actions could be multi-factor authentication, right? If someone is changing his location, right, and it could be the result of some compromised credential being used in the wild, we should not block that user; that doesn't mean that something wrong happened, but that means that there is some risk and there is a trust issue that needs to be dealt with, and therefore multi-factor authentication can help in those cases. We can do limiting of access; we can limit access in terms of which applications should be accessed. For example, if some of the applications are, you know, very private or contain some private information, then we should not enable access to those applications to users that are associated with trust issues or risk issues. We can also use all kinds of challenge and deception kind of techniques to make sure that the user is not compromised, sending a challenge to the user that creates a situation where we check if the user is genuine and authentic, and at the same time we should not create any significant impact on the user's accessibility.

Now here is an example for that. Let's take the geographic data as a source of data that can help us tell this story, and it's known that geographic data is not a source of data that's usually been used for threat intelligence, for the obvious reason, as I mentioned before: if someone changes location, that's something that we could not take action on in our investigation; based on that we cannot block that user just because we saw some anomaly that is related to geography. But in the context of zero trust we can do more than that. We have the data, we see a pattern of a user: how we connect, where we connect, what's the timeframe of a human connecting. Let's say that we see an anomaly in that, so we create a signal based on that, and we can take that signal and combine it with a lot of other signals that we have (and you can choose the signals that you want to use, obviously), and then we move it into the action. When it comes to action in those cases we can do multi-factor authentication, or limit some of the user's accessibility to some of the enterprise applications. We can also do some reduction of the amount of data that can be downloaded. For example, if you have an application that is being used to download files, once you identify some risky user, or a user with trust issues, you can limit the amount of files or data being downloaded from that application, and by that reduce the risk associated with those users.

Now let's try to summarize what I was showing you here today. So the first thing is, where do you imagine I will be on November 27, 2020? And the answer to that is: I will be at work, there's no doubt about it. But here are some serious takeaways that I would like you to take from here. First of all, we can see that attackers are not taking vacation, right? While we, at one point of time, are working from home or outside of the office, threat actors are not resting, and exposing a lot of risk to us, to our users, and, as derived from that, to our applications and our data, and we need to be ready on those occasions as well. I'm suggesting moving from a threat intel point of view into a trust intel point of view, where the focus will be around the entities, which are the users and the assets that we have in the organization. In order to do that I'm suggesting a three-step solution that takes into consideration the data, the signals and the actions, combined together into creating a solution that can help mitigate some of those problems. And when we look into the future of the enterprise network, I think that there is no future, it's the present. As we saw here today, people need and want to be connected at any time, from any device, from anywhere, and we need to be able to solve that kind of issues or risks that are associated with those situations. It is not the future; zero trust is the present, that's how people use applications, and we need to be able to react on that and to be able to reduce the risk that is associated with that.

That's all from me today. Just before we go to the Q&A I will introduce myself, because I was not doing that at the beginning. I'm a former OWASP Israel chapter lead. In the past year I have gone phishing: I was doing a lot of research related to phishing, and published a lot of that research, and will be publishing some research in the following months. And I'm a big fan of white whales. I hope you enjoyed this talk. If you have any questions I'm here to answer. Thank you. [Applause]
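The three-step pipeline the talk describes (data, signals, trust soft actions), with the geographic anomaly as one of the signals, as an added Python illustration that is not part of the talk or of any Akamai product. The `AccessEvent` type, the baseline events, the signal definitions, the weights and the action thresholds are all constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class AccessEvent:  # one access to an enterprise app (constructed sample type)
    user: str
    city: str
    hour: int                # local hour of day, 0-23
    network_reputation: str  # "good" or "bad", assumed to come from a reputation feed
    device_patched: bool     # device posture: OS and browser up to date

# Step 1, data: a long-duration history of benign access for the user (constructed).
BASELINE = [
    AccessEvent("alice", "Boston", 9, "good", True),
    AccessEvent("alice", "Boston", 14, "good", True),
    AccessEvent("alice", "Cambridge", 10, "good", True),
]

def signals(history, event):
    """Step 2, signals: compare the new event against the user's own pattern."""
    seen_cities = {e.city for e in history}
    seen_hours = {e.hour for e in history}
    return {
        "new_location": event.city not in seen_cities,
        "unusual_hour": all(abs(event.hour - h) > 3 for h in seen_hours),
        "bad_network": event.network_reputation == "bad",
        "unpatched_device": not event.device_patched,
    }

# Weights and thresholds are illustrative assumptions; the talk gives none.
WEIGHTS = {"new_location": 3, "unusual_hour": 2, "bad_network": 3, "unpatched_device": 2}

def trust_level(sig):
    """Trust on a 0..10 scale: every raised signal lowers it by its weight."""
    risk = sum(WEIGHTS[name] for name, raised in sig.items() if raised)
    return max(0, 10 - risk)

def soft_action(trust):
    """Step 3, trust soft actions: reduce risk without blocking the user."""
    if trust >= 9:
        return "allow"
    if trust >= 5:
        return "require_mfa"
    if trust >= 3:
        return "require_mfa+restrict_sensitive_apps"
    return "require_mfa+restrict_sensitive_apps+limit_downloads"

def evaluate(history, event):
    sig = signals(history, event)        # raise signals from the data
    trust = trust_level(sig)             # combine them into a trust level
    return sig, trust, soft_action(trust)  # map the level to an action
```

A location change alone only raises the trust bar to MFA; it takes a combination of signals (new city, unusual hour and a bad-reputation network) before application access and downloads are limited, and nothing in the pipeline blocks the user outright.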