2015年5月_星源创投-网络安全威胁情报体系及生态圈

网络安全威胁情报体系及生态圈星源创投网络安全威胁情报的概念3当前的网络安全防护体系已落后攻击技术发展4缩短攻击者的“自由攻击时间”成为应急响应的关键AttackBeginsSystemIntrusionAttackerSurveillanceCover-upCompleteAccessProbeLeapFrogAttacksCompleteTargetAnalysisTIMEAttackSet-upDiscovery/PersistenceMaintainfootholdCover-upStartsAttackForecastPhysicalSecurityContainment&EradicationSystemReactionDamageIdentificationRecoveryDefenderDiscoveryMonitoring&ControlsImpactAnalysisResponseThreatAnalysisAttackIdentifiedIncidentReportingNeedtocollapsefreetimeATTACKERFREETIMETIMESource:NERCHILFReport,June2010()5对网络安全防护体系提出了更高的要求海量安全事件中真正有价值的攻击事件的发现识别传统安全产品难以发现的APT定点攻击解决组织间及组织内部对攻击事件的快速协同提供安全设备和解决方案中跨产品、跨厂家的协同6网络安全威胁情报技术成为新热点SecurityIntelligenceSecurityThreatIntelligenceCyberSecurityThreatIntelligence智能？情报还是信息？IntelligenceAwareIntelligenceDrivenContext-AwareAdaptiveSecurityNextGeneration7战略vs.战术战略战术人的对抗利用人的智能以人为核心的防护体系机器的对抗利用设备的功能以情报为手段的防护体系Intelligence8•根据Gartner预测，威胁信息共享服务市场需求强劲，在全球市场将保持60%以上的年均收入增长率。•预计将从2013年的2.5亿美金，增长到2018年的15亿美金。•其带劢的NG设备升级及设备管理服务市场金额更加巨大。网络安全威胁情报市场预测呈爆发式增长US$250.00US$1,500.00US$0US$200US$400US$600US$800US$1,000US$1,200US$1,400US$1,600市场百万全球威胁情报市场201320189•Consortiums-情报组合形式，类似市场，提供多种源可选–OSINT中情局公开资源情报计划Opensourceintelligence–CheckPointSoftwareTechnologies'ThreatCloudIntelliStoreintegratingfeedsfromCrowdStrike,IID,iSIGHTPartners,NetClean,PhishLabs,SenseCy,ThreatGRID–Cyveillance•ThreatIntelligenceAlliances-（厂家间的）威胁情报联盟形式–CyberThreatAlliance:Fortinet,PaloAlto,McAfeeandSymantec–MicrosoftInterflow:MembersoftheMicrosoftActiveProtectionsProgram(MAPP)–CSISSecurityGroup,Fox-ITandGroup-IB–NorseandHP•CircleofTrustExchangePlatforms-（组织间）互信交换平台形式–ActiveTrustPlatform:IID–ThreatCentral:HP•IntelligenceExchangeServicesPlatforms-威胁交换服务平台形式(多源汇聚)–AlienVault,ThreatConnect,ThreatStreamandVorstack网络安全威胁情报交换服务10•OSINT•ISACs/US-CERT•SANS•CVEs,CWEs,OSVDB(Vulns)•DellSecureWorks•iSightPartners•NorseIPViking/Darklist•Cyveillance•Fox-IT/Group-IB/IID•OpenDNS•MAPP企业外部的安全威胁情报源（含开源及商业）•IBMQRadar•PaloAltoWildfire•FireEye/Mandiant•RSANetWitnessLive/VerisigniDefense•SymantecDeepsight•McAfeeThreatIntelligence•AlienVaultOTX11企业内部的安全情报（提供安全情境分析）•Directoryuserinformation(personale-mail,access,userprivilege,start/enddate)•Proxyinformation(content)•DLP&businessunitrisk(tradesecrets/IPsensitivedocs)•ITCasehistory/tickettracking•Malwaredetection/AValerts•Sensitivebusinessroles•Applicationusage&consumptionevents(in-house)•Databaseusage/accessmonitoring(privileged)•Entitlements/accessoutliers(in-house)•Userbehaviorassociationbasedongeography,frequency,uniqueness,andprivilege12安全威胁情报应用示例之Checkpoint13安全威胁情报应用示例之RSANetWitnessLiveLivegathersthebestadvancedthreatintelligenceandcontentintheglobalsecuritycommunityLiveManagerprovidesconfigurablemanagerwithadashboardAggregates&consolidatesonlythemostpertinentinformationTransparentintegrationwithcustomer’sliveandrecordednetworktraffic14安全威胁情报应用示例之RSANetWitnessLive•RSAFraudactionDomains•RSAFraudactionIP•NWAPTAttachments•NWAPTIP•NWAPTDomains•NWSuspiciousIPIntel•NWCriminalVPNEntryDomains•NWCriminalVPNEntryIP•NWCriminalVPNExitIP•NWCriminalVPNExitDomains•NWCriminalSOCKSnodes•NWCriminalSOCKSUserIP’s•NWInsiderThreatDomains•NWInsiderThreatIP•APTFilenames•PalevoTrackerIP•PalevoTrackerDomains•QakBotC2Domains•CriticalIntelligenceDomains-SCADA•CriticalIntelligenceIP’s-SCADA•DynamicDNSDomains•TORExitNodes•TORNodes•eFaxsites(dataleakage)•iDefenseThreatIndicators•ISECExposureBlacklistDomains15安全威胁情报应用示例之IBMQRadarSIPContextandCorrelationDriveDeepestInsightExtensiveDataSourcesDeepIntelligenceExceptionallyAccurateandActionableInsight+=SuspectedIncidentsEventCorrelationActivityBaselining&AnomalyDetection•Logs•Flows•IPReputation•GeoLocation•UserActivity•DatabaseActivity•ApplicationActivity•NetworkActivityOffenseIdentification•Credibility•Severity•RelevanceDatabaseActivityServers&MainframesUsers&IdentitiesVulnerabilityInfoConfigurationInfoSecurityDevicesNetwork&VirtualActivityApplicationActivity16安全威胁情报应用示例之IBMQRadarSIP•Turnkeylogmanagement•SMEtoEnterprise•UpgradeabletoenterpriseSIEM•Integratedlog,threat,risk&compliancemgmt.•Sophisticatedeventanalytics•Assetprofilingandflowanalytics•Offensemanagementandworkflow•Predictivethreatmodeling&simulation•Scalableconfigurationmonitoringandaudit•AdvancedthreatvisualizationandimpactanalysisSIEMLogManagementRisk&ConfigurationManagementNetworkActivity&AnomalyDetectionNetworkandApplicationVisibility•Networkanalytics•Behavioralanomalydetection•FullyintegratedwithSIEM•Layer7applicationmonitoring•Contentcapturefordeepinsight•PhysicalandvirtualenvironmentsFullyIntegratedSecurityIntelligence17安全威胁情报应用示例之McAfeeThreatIntelligence网络安全威胁情报体系的建设19网络安全威胁情报的平台•预计至2018，50%的一线组织和MSSPs将会使用以MRTI为基础的TIP平台（目前丌到5%）Threatintelligenceplatforms（TIPS）20•STIX-StructuredThreatInformationeXpression•TAXII-TrustedAutomatedeXchangeofIndicatorInformation•CybOX-CyberObservableeXpression•MAEC-MalwareAttributeEnumerationandCharacterization•CAPEC-CommonAttackPatternEnumerationandClassification•OpenIOC-OpensourcedschemafromMandiant•IODEF-IncidentObjectDescrip