
about how to get smarter about threat intelligence. A little bit about me: I'm a CEO and founder of a company, but this isn't a product pitch, and don't hold my title against me. My background is as a computer scientist. I've been doing very technical things for many years, and I've just lucked myself into being able to build a company around my latest idea. I've done compliance, I've done pen testing, and I did a lot of engineering, a lot of security engineering, building systems that allow people to monitor and control security investments. But today I want to talk to you more about what I really enjoy, which is this merger of data analytics, threat intelligence, crowdsourcing, and sharing. We've lumped all these things into one big topic, and it's all about data and making better decisions with data. That's what my talk is about today.

I don't know if you realized, but back in 2011 Charmin created the world's largest roll of toilet paper, at 9 feet around (not 8 feet 9 inches or something, right around that), and they got the Guinness Book of World Records title for largest toilet paper roll. This is how I feel about big data analytics: it may be big, but just like this roll of toilet paper, how usable is big data? So my talk today is going to be a mixture of big data with a bunch of other things sprinkled in; they're all my pet projects.

So what is big data? Who in this room thinks they can define big data in a sentence? All right, good, because I would have asked you all to leave. Big data: how big is big? What is useful? Are big and useful the same thing? What problem are you trying to solve with big data? These are all the questions I generally ask when I go into discussions and someone throws out "well, your product must do big data analytics" or "my problem is a big data problem." I'm a computer scientist, remember, and I try to toe the line when moving into a world where I say "we sell big data," so I'm going to talk to you more about that.

Another thing to think about is what becomes useful. Just like the little tiny roll of toilet paper here is useful, I want to frame the conversation today to really focus on how to look at data in a useful way, and useful in my scenario is going to be about your organizations. I know that some of you are likely either part of massive companies that have lots of resources to go do big data analytics, or you're on the vendor side and you say your data makes your product better. Just like I don't care where toilet paper comes from, I don't necessarily care how you make your product better; I just want to be a consumer of it. So being able to toe the line on what big data means to you is the purpose of my talk.

I don't know if you knew, but there is actually a toilet paper encyclopedia on the internet. Who knew? This is somewhere you can go to find staggering statistics like how many people are wadders versus rollers, and how many people put the roll on one way versus the other. These are statistics that I bet you never even thought about as you were spending probably nearly a decade in your bathroom. So let's move past the cool factor of now knowing these statistics and being able to go back and tell your families about them, and let's think about the world through Charmin's eyes. Charmin today sells toilet paper. They do it around the world, they have massive operations, they're part of Procter & Gamble, which has massive product sets that intersect with toilet paper, and they really, really care about toilet paper, probably as much as you and I do. So when they look at toilet paper, they want to know things like how many rolls of toilet paper, on average, their customer is going to use. They're going to want to understand the best go-to-market: what store, in what proximity to your house, has the most likely chance of providing you the product that they sell. These are the kinds of situations that require data analytics. Now, whether this is big data or medium-sized data, I don't really care. It's all about providing a useful solution to a known problem, which is: I want to sell my product, I want to bring it to market, I want to get it into the hands of my customers, and do it quickly.
So Amazon, Walmart, and likely any of your businesses, if you forget about security, are using data to make decisions today. Security should be no different. So what does it mean to leverage data to make decisions? Rick Holland, who's a Forrester analyst, talks about the term threat intelligence. I'm going to use another buzzword that all vendors are talking about today, but I'm going to qualify it by saying that threat intelligence is something your organization can use to make decisions, and I'm going to leave it there, because I don't think there is one definition. But there are some tenets that might allow you to say whether some data or intelligence is good enough for your organization to make decisions on: the accuracy of the data that you received, how integrated it is with your business, the relevancy to your business. As you look at the data you have and start producing something you can use to make decisions, the term threat intelligence becomes obvious at the point where you've moved beyond data, which is all the parts of the puzzle, to something you can actually use to make a decision. Data is not the answer; it's the solution to the problem that matters, and we need to talk about that.

But rather than talk all day about how we can analyze big data and know trends and be predictive, I want to take it back several notches. I want to talk about what data analytics looks like within your organization, because without understanding what's happening in your organization there's no point in moving beyond that. The first thing that happens when you start wanting to analyze data isn't going out and buying a Hadoop cluster, deploying it in the cloud, crowdsourcing a bunch of data, and bringing in all your feeds. It should be just taking the incidents that you have today, your security response data for potentially many years, looking at that and making sense of it, and then being able to take that to the next level, which then does require you to make additional decisions on enrichment of that data.

Today, state of the art in most companies is email: email for communicating data, email for storing indicators of compromise and the data the organization is running its security operations on. Maybe they've been advanced enough to move to a spreadsheet-based approach. In what world, throughout your businesses, is a spreadsheet good enough to do anything? It may be a tool that your financial people use to do financial modeling, but it definitely should not be the tool of choice for a security practitioner. And I can tell you, because I have more problems with email: I can't even search my email for email, let alone start looking for an incident report that happened six years ago. Outlook doesn't do search very well, and if that's state of the art, we're in big trouble, folks.

More recently, I would say in the last 12 months, people have started looking at how to build their own data analytics capability so they can make better decisions on the data they have, bring in more data from elsewhere, and use that aggregate to empower their security operations and their incident responders. This is not a trivial task. On the requirements side you had things like "I want to suck up every piece of data known to man and make sense of it," and that's a great goal, but, one computer scientist to a whole bunch of technical people, it's impossible. You have to develop an ontology; you need to come up with a model to which you can associate data. This is complicated stuff that people take for granted, because vendors talk about data analytics as something you buy. Even the most advanced data analytics platforms do not provide data analytics out of the box. You need to configure them, and it takes resources, time, and expertise, because you are the people who understand your mission. Data analytics companies understand how to look at data, but they don't understand how to look at data in the way you need them to.

So when you start thinking about building this for your own organization, I make the analogy that this is kind of like building a nuclear reactor in the basement of your house. It's pretty complicated stuff, and if your job is to build nuclear reactors, then by all means you should build one. But if you're an incident responder who now sees benefit in looking at data, your first inkling shouldn't be to take your lunch hour and start building a data analytics platform, because it's a complicated space. It's even more complicated when you have users. Users ruin everything. It's really easy to deploy Hadoop and be a really smart guy who knows how to get to the data. It's really, really hard to be the smart guy who built it and has a whole bunch of customers in your organization who all need to get to the data, because they don't have the same intellect or the same capabilities you do, and aren't able to write the script that knows how to merge and associate the data, make sense of it, and bring that to bear in a useful way. So it's
hard. So the industry, historically, ever since the advent of the need for solving hard problems, has come up with solutions to those problems. I'm kind of a simple thinker, and the way I think about this is that if every solution to data analysis were solved with a big data analytics platform and a whole bunch of work, we'd be in big trouble today. Instead, you've seen throughout every part of your business some kind of platform that makes that data analysis easier: you have ERP for manufacturing, you have PeopleSoft for HR, you have CRM for sales. These are all platforms that didn't need to solve the problem of data analytics to solve world hunger, but rather data analytics, or knowledge management, to solve their specific mission, their specific set of requirements, which were sales, HR, and manufacturing. I envision that security is no different, and we're going to end up in an environment where there's an out-of-the-box capability that mostly makes sense of cyber threat use cases, but then you extend it to support your own requirements.

So recently, I would say in the last six months, there's a new term that's been coined: threat intelligence platform. This is something that Gartner, Forrester, and customers have started talking about. It's very much an emerging space, and so my presentation is going to talk about why a threat intelligence platform is needed, but also what one might be. This is still evolving, folks, so you in the room are going to look at this and say "well, I think it should do this or that," and you're likely right, because we don't know exactly what it will need to do yet. We just know there's a fundamental need that is looking to be met by a specific set of technologies.

So what is a threat intelligence platform? Pretty much universally across the industry, it's the idea of being able to aggregate data, whether that data comes from your IR team, comes from your threat intel vendor, or comes from a community that you participate in. It doesn't matter: a threat intelligence platform would be defined as something that aggregates information. And on the other end of the spectrum (I'm going to skip over the hard part, the analyze part), it's something that takes that new information and moves it into something that can do something with it. This is something that today is done by hand: when you hand a Snort signature off to your ops guy, or you give someone a YARA sig, or you hand the CISO a report that you created by hand in Word, then PDF'd and emailed. That is the act side of this spectrum.

As I mentioned, the hard part is analyze, and the reason that's hard is that there are various people's perspectives involved. Some people think that threat intelligence is just for the threat intelligence people in the organization. Well, most organizations don't have threat intelligence people. They have people who need a better understanding of the space in which they operate so they can make better decisions, and they're not threat intelligence people: they're the IR team; it's the CISO who needs to spend money on A or B and doesn't know which is higher priority because all of his incidents have been captured over email, so he needs to be able to quickly say which incident type is going to be more important to him and, if he invests in that, reduce his risk. So there are various people at the table who all need to analyze this data in different ways, and it needs to be provided to them in a way that they don't have to become data scientists, because who can afford to hire data scientists? They have to be able to do their jobs and in the process learn more about the problem they're trying to solve.

So let's talk a little more about aggregate. With threat intelligence platforms, you're going to find when you Google the term that there are a lot of different perspectives on what a threat intelligence platform is, and like I said, there's no right answer at this point. It's going to be the marketplace that, through maturation, will come back to you all, or to me, and say "this is what it actually means." But on the aggregate side, it's clear that a threat intelligence platform needs to be able to integrate data, and not just the data you have in your network, maybe the data coming off your sensors, but also the data from the ecosystem of data providers, because they know everything. The rule of thumb is that you can't just buy one or use one, because they only know what they know, so you need to use them all. The challenge is that you can't just do that without incurring a massive data analytics issue. If you take all the feeds you're buying today and shove them into ArcSight, I think you're going to have more incidents, and more incidents in an already can't-keep-up world is not a good thing. So when we look at fusing more data, enriching what we already know with more data, we need to do it in a data-analytic sort of way.

The most important thing, the one thing I really want to express here, is that the best form of data is the data from your peers. It's not the
vendor that sells you the million-dollar feed. It's not a single vendor at all. It's a way of looking at the problem where you take the best from everyone. "Raised by a village" is the analogy. So I really would urge you, if you're not already, to participate with your colleagues, internally within your organization and externally with communities that are sharing threat intelligence. We find that the best way to defend your organization is to look at what's happening to your peers, and this is becoming a much more palatable idea recently, with grassroots efforts coming up and with the legal capabilities within organizations more easily allowing this kind of sharing. So, communities being able to work together. This is what I love about this space: crowdsourcing meets data analytics is kind of what we're talking about here.

But people aren't the answer either. You need to be able to automatically enrich your data based on what everyone knows about it. Data services are what the people who create threat intel and sell it use; this is their dirty little secret. Or it's the really good researchers who hide their tradecraft and say "well, I found this through my own resources." Data services are the things you can leverage to make sense of the data you're looking at. It's a helping hand in the analytic process, where you can have an incident, you can have a particular piece of malware, and that piece of malware can be analyzed based on whatever has ever been connected to it. So data services are another category of data here. It's not threat intelligence, it's not something that's finished for you, but it gives you the ability to build up a picture of the problem with ingredients from a variety of sources.

And then there's the standby. There's no silver bullet here, but there are lots of vendor feeds: there are free ones, there are paid ones, some cost a little, some cost a lot. You have your smorgasbord of options here. There is no silver bullet; they all have strengths, they all have weaknesses, and in aggregate they all create a single problem for you, which is more data. So again: start with the data you have, then add the data from others, and make sense of that to make what you have shine brighter and make more sense.

There was a Ponemon report that came out probably six months ago that talked about threat sharing, and I wanted to focus on this for a minute. I think that the sharing side of things is potentially going to enable a lot of benefit within your operations, because it reduces the cost practically to zero. But there are challenges. One is: never believe someone who says "we're creating a working group of threat researchers and we're going to use email as our communication." It's just going to create more work for you. You have to log in to email every day, you're going to take those indicators that are shared, you're going to have to put them somewhere, you're going to have to tell somebody about them, and it's likely going to be a forward. I already get enough email; I don't need more threat research being forwarded to me from the 56 email lists that you're on. So think about the platform or the mechanism that these sharing circles will use to disseminate information, so that you don't add more work for yourself. Another important factor of sharing is that you need to look at the data that comes into your organization the same way you look at the rest of your data, whether it comes from another feed or from internal. You're going to have a process by which you support that data being enriched, made relevant, and disseminated within your organization. Some of that will be automated and some of that can be manual, but you need to support that process universally, no matter where the data comes from.

I like the superhero picture here, because I really do think that communities are going to make things change; it's going to be a game changer in the security industry. We're well beyond the ability for each of us to independently defend our organizations from the more sophisticated attacks we may see, and so the only way to defend is to band together to ultimately provide a crowdsourced effect, so that we all understand what's happening to each other's organizations and can make decisions as a group to get one step ahead of the threat.

Another one of my, I would say, negative comments
about the security industry right now, from a technologist's perspective, is this: who here has heard the term machine-readable threat intelligence, or STIX? Don't tell the STIX folks this, but I'm going to put them in their place right now, and I want you all to take what I teach you and disseminate it. STIX is not done, no matter what you hear. STIX is probably 50% of what we need, as an organization, or as a vendor, or as a developer, and I wear all those hats: I'm the CEO of a company and I write code. I can't write code with STIX today unless I'm going to create a self-licking ice cream cone. STIX is moving in the right direction, so in proximity to being what we need I would call it about 50%, maybe 70%, depending on your use case. The reality of STIX is that you've created an XML language with which you can create a standard, but the standard hasn't been created yet. We've got some language that we can now speak, but we don't know what we're actually going to say; we don't know what we're talking about. So the next phase of STIX is beyond today, which I would call a marketing term: "I support STIX, you support STIX, pray we all support STIX." But can I send you my STIX document and you send me yours and it means something? Absolutely not. The only way that means anything is if you create a product or an application that looks at data so generically that it's meaningless. So we need to move beyond that to STIX for a specific product set or a specific use case. That's when we're going to have a true standard which allows me, putting my development hat on, to build something without having to talk to anyone, because developers don't like to talk to people. The only way to build something today with STIX is if I sit down with your developer and we create a vocabulary, which in STIX terms we call a profile, and then that profile is something we build to. But we have to do that, and we have to do it as a community, before we're going to have the answer.

I also want to disconnect XML vocabularies and languages from APIs. I don't know enough about TAXII at this point to speak intelligently about it; it's just too new. But what I do know is a lot about APIs, and whether TAXII is the answer to an interoperable API or not, the thing I wanted to recommend is: it doesn't matter. Today Twitter doesn't use a standard for their API; they still have extensive market opportunities because they have a very powerful API and a very powerful data set that can be used by all the people who want to incorporate data. So shoving an API down people's throats is not necessarily going to help move data around in a way that is going to be helpful. So that's my rant. I think we're moving in the right direction, but I wanted everyone to realize that we're not there yet.

Next I want to talk about analyze. Analyze is the core of how we're going to look at data and how we're going to make sense of it, and this is
the most important part of a threat intelligence platform, because without analyze all you have is a bunch of data sitting in a database being consumed by a bunch of sensors on your network, which are then going to have events, which are going to come back in and create more noise. So we need to be able to analyze what we have so that we can look for the right things at the right time and make sense of the massive amount of chaos that's likely happening in many of your organizations. The first step in a threat intelligence platform being able to analyze anything is to stop thinking that a data analytics platform is the answer. You have to make a decision to say "I'm going to build around a specific set of use cases, and I'm going to understand that kind of data." If your goal is to understand toilet paper analytics, or data about toilet paper, maybe you need a different product set than the security guy who wants to understand incidents and forensic data and malware. These are very specific things that you can build a platform or a system around that understands those things really, really well, but maybe doesn't help you analyze your customer service data.

The Diamond Model is the thing I'm going to talk about, but this is replaceable across your organization with whatever type of data set you believe is the thing that glues everything together. The methodology on which you would build a threat intelligence platform: this is where you'd plug that in. Multiple sources, as I mentioned (lots of data coming in), knowledge management, communities: these are all the tenets of what makes a good threat intelligence platform, because they're the things that allow your organization to glue together the different business processes. What matters here, though, is what those types of business processes are. They can range widely. Most organizations have some kind of signature management process: they're creating YARA, they're creating Snort, they're doing it on a daily basis, and most of them have created some kind of system by which they exchange that information across their organization. If they get a new threat intel report from someone, or one of their colleagues talks about something, they go back into their email, do a search, and say "ah, that's part of signature number whatever." The reality is that falls apart very quickly when you have more data. When you start funneling more inputs into your aggregate phase, you need to be able to keep up with the processing of those inputs, or else you're going to end up just backing up your manufacturing process. Visibility: your IR team needs to be able to report what their findings are so that the rest of the organization can see that, so that the SOC can distribute watch lists out to your sensors, to your IPS, your IDS, your blocking, and say "these things need to be blocked right now because there's an incident unfolding, say, today." All of that orchestration, with people and with products, is being done by hand, and nowhere else in the business is that okay, and it shouldn't be okay here either.

So the next four slides walk you through four different... oh, sorry, I had moved on to the third
part of my presentation. The second part is where I'm going to walk you through the Diamond Model. Again, this is just one methodology on which a threat intelligence platform could be built. It's the one our product was built on, but it's not necessarily the only one. I think it's the best one, but there are going to be other options as well.

So what is the Diamond Model? Many of you may have read about this or may use it in practice today, but the Diamond Model is an analytic methodology for making relationships across data. It allows you to look at a data set and look at the linkages between data across events, across adversaries, and across other things you may want to analyze further. In the Salesforce analogy, this is in essence how we start from a known: we say, you know what, opportunities, contacts, leads, these are fundamental entities within the sales concept, so we don't need to create something that supports any concept. We can start by looking at this as our skeleton. Today it is used by hand or in products to start that skeleton. As I mentioned, hundreds of analysts use this, and it was foundational in the creation of STIX, so it's not something that hasn't been validated by the community. And it's based on set and graph theory concepts that have been in use for over 10 years. So this is a foundational capability that I'm going to walk you through.

All right, so what is the diamond? The diamond, coincidentally, looks just like a diamond, a baseball diamond. It's got two different axes. The horizontal axis is all about the capability and the infrastructure of an event; this would be the technical axis of the diamond. Then there's the vertical axis, which is the adversary and the victim, and this would be the geopolitical side of the diamond. If you look across, adversary might include things like the phishing email address the adversary used to target your organization, it might include the email address they used for infrastructure creation, and it could be the TTPs the adversary leveraged to launch this particular event. Layering on top of that, you add things like the malware they used, the exploits they used, and any hacker tools they might have leveraged. So we're building a data set right now, and whether you're building it because you got data from your best buddy over at company X or because you're working an incident, it's the build-up process that is critical in making the data that you have make sense.

On the infrastructure side, this would be in essence the web infrastructure the adversary used to target the victim, so it would include IPs, hostnames, and potentially WHOIS data about the infrastructure. Victim would be the lady in the HR department who loves to click on the phishing email. You know, if you see over the course of a year that four incidents have resulted from her, you probably want to do some remedial training, or maybe just take away her email, something along those lines. Network assets of the victim, too; there's all kinds of information on the victim side that can help you make better decisions. For example, what they were working on at the time is a piece of information I always ask for, because ultimately you find really cool pieces of information, like they were involved in a project in the Middle East that maybe had something to do with a merger and acquisition where China was one of the organizations looking at acquiring the company. So there are always cool stories in the concept behind who the victims are and, on the adversary side, who the adversaries are and what their strategic interests may be in those victims.

There are also meta-features. Meta-features are various pieces of enrichment data that are layered on top of a diamond event. These might include directionality; the kill chain phase is one we see quite a bit. One of my co-founders likes to say that the kill chain and the Diamond Model are like peanut butter and jelly: they go together very well, and everybody likes them. There are various pieces of information that might be added to an event. It's also important to recognize that the Diamond Model is not a data structure. It's not STIX. It doesn't impose an ontology on you for how you store context about incidents or context about threat intelligence. It's actually built on the concept of providing a framework for relationships, so whether you use STIX or something you built yourself, you can extend the Diamond Model to support it, as long as it fits within this common framework and supports the associations and the relationships across your data set. Unknowns and uncertainty are welcome in any model like this: you start from wherever you want and you put pieces of information into the buckets where they belong. It's the analytic engine underneath the process that helps you articulate the value of what you're looking at and the relatability of what you're doing to other things. This is where a lot of the power of the
diamond comes from. So let me walk you through a quick scenario of how the diamond might be leveraged. Pivoting is something that all analysts love to talk about. It's basically the idea of looking at one piece of data, making decisions about the linkages to other pieces of data, and being able to walk that process so that at the end of the day you know something you didn't know, because of the process by which you've analyzed the data. So let me walk you through an example of what the Diamond Model would look like for that.

You start with a piece of malware. This comes in off an incident, possibly. You send it off to your malware analysts, or maybe you analyze it yourself, and you come up with a command-and-control of "info. office latest". This looks interesting. So now you're still in that firefighting mode of "I've got to stop 'info. office latest', it's command-and-control; what does this mean, was the host infected?" You're fighting fires, you're reactionary. Well, if you look across the diamond, you could potentially take that "info. office latest" and resolve it to the IP address. You could then start proactively looking for everything else that happened within your organization that might have resolved to that same IP address. You could also take the hostname and pull the WHOIS record through the data services I mentioned. You could then look for relationships between the email address used in the WHOIS record, which you know is bad because it's linked to this piece of malware, and every other hostname that adversary ever created or signed up for. That would allow you to proactively go back in time and look for all the other infrastructure that adversary has ever created, to see if you have any other issues. So we've definitely moved from the left to the right of the diamond. We stopped fighting the fire and started looking for things that we don't know are actually going to be a problem, but we're starting to broaden our horizons and become more predictive: if they came at us over here, there's a good chance they're going to come at us over there, and we should be ready for that to happen.

Now, taking this one step further, you have the idea of activity groups and chains of events. One diamond event signifies a particular event within a specific incident, and multiple diamond events make up a whole incident, but potentially one incident is part of another incident. So when you look at diamonds, this is where the real power of having a meta-model, or some kind of data structure underneath how you look at data analytics, comes in. You can start to predict things. For example, incident one has a relationship at delivery and at actions on objectives, and that's all we know about maybe today within those two incidents. We also know that for incident one we saw the exploitation phase, and it was on a particular host, but on incident two we haven't picked up the exploitation phase yet. So there are things you can do to start to fill in the gaps across incidents when you see a relationship to a previous incident. You can also start to build activity groups, which take multiple incidents and start to predict that they are in fact the same adversary or the same tradecraft, beyond one incident, because (going back to the graph theory concept) you start to align events on top of each other and the graphs start looking similar enough to make decisions upon. So I already said this; I'll say one more
time the the power of looking at data in this layered approach is that you can look at the meta model of how all of the points and the diamond overlay with each other and their relationship to each other so you can start to make sense out of the uh the confusion of the data so finally the the ACT side I just want to walk you through a couple real world examples um so on uh the first one's defense contractor uh this is a three-person team an IT guy and two other it guys U two of which uh are Security Guys in their free time um they use a thread intelligence platform to um to store and manage all of their bro
signatures so they're creating bro they're putting it into um the threat intelligence platform it's them being consumed directly into their bro cluster and uh and hunted for um they also do a lot of community outreach they're they're friends with their partners and they're participating in Sharing circles so that they can share what they saw um to get their their partner ahead of the threat and they're getting in return some value from that when their partner sees something that they don't see and that is all made um integrated back into the threat intelligence platform sensor uh capabilities so that you can take your firewalls your Sims and you can bring that Community data right into them so that there's a an actionable
integration there and then finally um everybody loves visualization these guys don't have enough time to research through Vis visualization uh but they definitely are uh interested in showing the boss the um the the layout of the the attack that happened um who touched what within their organization what the victim's uh capabilities were to defend themselves all of that visualization they use Mal Tigo for so uh second is a government um installation so they they are uh looking at that analytic process of creating their own data uh so first and foremost they're leveraging data services to take and uh grow up a a flower and let the flower seed and fall the ground and more seeds to pop up so this is again what
your thread Intel vendors are doing today they just don't tell how they're doing it um you should be looking at how to do this across your incidents across your data set so that you can make that relationship you can make your data into something that's more powerful and um and finally these guys also are uh very big Advocates of sharing they're sharing a lot of thread int tell with their Partners um there's multiple case studies that have been done uh where they've managed to find out about an attacker or an attack uh in in advance of it actually happening based on what their Partners were telling them was happening um next one's a Fortune 500
these guys are um oil and natural gas company um growing team from four to 10 people uh using email and spreadsheets to do all their incident response to do all of their data aggregation um they're moving to a thread intelligence platform mostly because um they don't see that that's scalable they need to work in in a single system that is authoritative so if one person gets fired or leaves the company you know what they've done for the last two three years when they were working there and all that data that they touched you've got a paper trail of what they did to it and that's also an an example of killchain uh for those that like
killchain so this customer leverages killchain um to keep track of all their Diamond events as part of a Kill chain phase and then they can overlay Diamond events as an activity group and portray them in a killchain based approach so that they can leverage the data in the way that they need to to make decisions so the last one uh Fortune 100 company I met with them back um about a year and a half ago now a big big biotech firm um they were uh three people when I first talked to them that securing a billion dollar company uh formidable Challenge and they all worked in the same room but they weren't on the same page so they were all uh heavily
overwhelmed with Arc site throwing events and their fire eye and and everything that they had was all uh on overload telling them they needed to do things and they didn't know what to work on first uh with the threat intelligence platform they've been able to hire more people they now have follow the sun capability uh globally and they are able to take the data uh that one analyst works on at the end of their business day and task the another analyst to start working on it at the beginning of theirs so just something as simple as removing email as the way that we communicate has helped this organization to better leverage the data that they're
pulling in from their own incidents so again you know I don't want uh to to not say that data is not powerful and if I had a a cloud with all security data um I wouldn't be happy I'm a technologist um I'd find something to do with it but let's not just create data um to find something to do with it let's actually start by um looking at the problem to which we're trying to solve and I think that um most organizations need to solve their internal data problem uh before they start looking at at Big Data so this is usable for those of you that were in the beginning of the presentation and saw the huge roll of
toilet paper and my analogy to Big Data is about as useful as a um as a huge roll of toilet paper um you know this is what we need today we need to understand uh what we can do what's the stateof the art and being able to get ahead of the next incident and um the state of the art uh and uh the ability leverage data um go hand inand but we need to as a community come together and understand that it's not a silver bullet we need to understand first and foremost what we're trying to accomplish and when we understand that then we know what the form factor of the solution might look like so thank you are there any
questions have probably just have time for one
You talked about sharing data with peers. Have you run into any folks who have started to implement data sharing with upstream, downstream supply chain providers, because their targeting profiles are a little bit different?
Yeah. So data sharing right now is moving so quickly that I don't think anyone can even keep pace, but just a couple inklings. So our product ThreatConnect is a free threat intel sharing platform used around the world. We give away communities, so we've got researcher communities, we've got industries like the finance community, we have every form and size you can think of, and universally what I would answer that question as: people are
very enamored with threat sharing right now. The thing that's still missing, though, is the ground truth, the champions that actually are going to share things. So everybody loves the idea of creating a sharing community, but unless you have that champion, the leader internally that understands the value of the data they have and understands what is sensitive and they shouldn't share it and understands what should be shared, you don't get the type of usage that you need out of a community. So the insurance industry, very hot on sharing right now; definitely supply chain within companies, where they're starting to contractually obligate their vendors to be part of a sharing community so that
they can bubble up any kind of events back up to them.
So it's like, you know, running your SOC where you have inputs coming from your vendors and you're making decisions about your risk based on those vendors' exposure, not just your own?
That's right. So it's a really hot idea right now, but I would not say it's reality that anything is really happening. We get a lot of requests from companies to say we want to do that, but I haven't seen a whole lot of people that have implemented it. Thank you. Thanks everyone. The next talk will be at 11:
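The pivot the speaker walks through in the diamond model section (malware to C2 host name, host name to IP and WHOIS email, then every other host name the same registrant created and every internal host that touched that infrastructure) is, underneath, a walk over a relationship graph. The following is an added example, not code from the talk or from any product it mentions; the relationships are constructed sample data standing in for the malware analysis, passive DNS and WHOIS lookups, and the indicator names are hypothetical.

```python
"""Diamond-model style pivoting over an in-memory relationship graph.

Added example: constructed sample edges stand in for what malware analysis,
passive DNS and WHOIS lookups would return. Each edge is
(subject, relation, object); a pivot walks the edges from one indicator
and records the chain of relations that led to every linked indicator.
"""
from collections import deque

# Constructed, hypothetical indicators (RFC 5737 / .test names, not real ones).
EDGES = [
    ("sample-A.exe", "beacons_to", "c2.example.test"),           # from malware analysis
    ("c2.example.test", "resolves_to", "203.0.113.10"),          # passive DNS
    ("cdn.example.test", "resolves_to", "203.0.113.10"),         # same IP, other name
    ("c2.example.test", "registrant_email", "badguy@example.test"),     # WHOIS
    ("update.example.test", "registrant_email", "badguy@example.test"), # same registrant
    ("update.example.test", "resolves_to", "198.51.100.7"),
    ("host-42", "connected_to", "cdn.example.test"),             # internal victim host
]

def build_graph(edges):
    """Adjacency map with an inverse edge per relation, so a pivot can walk either way."""
    graph = {}
    for subj, rel, obj in edges:
        graph.setdefault(subj, []).append((rel, obj))
        graph.setdefault(obj, []).append(("inverse_" + rel, subj))
    return graph

def pivot(graph, start, max_hops=4):
    """Breadth-first pivot from `start`: {indicator: [(from, relation, to), ...]}.

    The path for each reached indicator explains *why* it is linked, which is
    what an analyst needs to justify hunting on it. max_hops bounds the walk so
    a shared hosting IP does not drag in the whole internet.
    """
    reached = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if len(reached[node]) >= max_hops:
            continue
        for rel, nxt in graph.get(node, []):
            if nxt not in reached:
                reached[nxt] = reached[node] + [(node, rel, nxt)]
                queue.append(nxt)
    return reached

def victims_exposed(graph, start):
    """Internal hosts (names starting with 'host-') reachable from the pivot start."""
    return sorted(n for n in pivot(graph, start) if n.startswith("host-"))

if __name__ == "__main__":
    g = build_graph(EDGES)
    for indicator, path in pivot(g, "c2.example.test").items():
        print(indicator, "<-", " / ".join(r for _, r, _ in path) or "start")
    print("internal hosts to check:", victims_exposed(g, "c2.example.test"))
```

Starting from the C2 host name, the walk surfaces the second registrant domain and its IP before either has ever been seen in an incident, which is the "left to right of the diamond" move the talk describes.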