FROM ATTACKS TO ACTION - BUILDING A USABLE THREAT MODEL TO DRIVE DEFENSIVE CHOICES

Black Hat USA 2014

Presented by: Tony Sager
Date: Thursday August 07, 2014
Time: 12:20 - 12:45
Location: South Seas IJ

By any historical standard, it would be fair to call today the "Golden Age Of Threat." As defenders, never before in our history have we known so much about bad guys, vulnerabilities, attacks, incidents, tradecraft, exploitation, etc. And it has become its own fast-rising industry of threat feeds, alerts, intelligence reports, standards, and tools.

But the sharing of threat intelligence is not a miracle cure. In fact, threat sharing is just the means to an end - we need a way to translate this information into specific and scalable defensive actions we can each take to prevent or manage these attacks in the first place.

The non-profit Council on CyberSecurity has taken a community approach to this problem, working with numerous companies and individuals who analyze attacks and adversaries for a living, and then we translate that knowledge into defensive actions that are captured in the Critical Security Controls.

We'll describe how this has evolved from informal brainstorming among trusted friends, to a community data call, to mapping from a single authoritative source (the Verizon Data Breach Report in 2013) to the Controls, to inclusion of numerous authoritative threat and incident sources, to building a consistent and efficient community workflow. We also discuss how such an approach naturally synchronizes with various Risk Management Frameworks, including the Executive Order Cybersecurity Framework from NIST.

This approach gives you value from information you don't have time to read, experts you'll never meet, insight you can't develop alone, and most importantly a translation to action that you must take in order to survive.

As long as the bad guys are beating up on us, we might as well learn something from it.

Tony Sager

Tony Sager is the Chief Technologist and a founding member of the Council on CyberSecurity - an independent, international, non-profit organization whose mission is to identify, validate, and sustain best practices in cybersecurity by people, in the application of technology, and in the use of policy. He leads the development of the Critical Security Controls, a world-wide volunteer consensus activity to find and support technical practices that stop the vast majority of attacks seen today. Tony also serves as the Director of the SANS Innovation Center, a subsidiary of The SANS Institute. Tony retired from the National Security Agency in June 2012 after 34 years as an Information Assurance professional; his last job was Chief Operating Officer of the Information Assurance Directorate. Before that he created and led the Vulnerability Analysis and Operations Group (VAO), which was responsible for some of NSA's most important advancements in cyber defense. Earlier at NSA, he ran the System and Network Attack Center (SNAC), and he started his career in the Communications Security (COMSEC) Intern Program, and worked as a cryptographer and a software vulnerability analyst.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats