Leveraging Threat Intelligence for Cyber Security in Education

Lee Waskevich, CCIE 7764, CISSP
Sr Director - Architecture
August 2016

ePlus. Where Technology Means More.™ © 2015 ePlus inc. Confidential and Proprietary.



Security as Organizational Risk

+ Security is just another operational risk similar to:
  + Continuity risk
  + Consumer risk
  + Supply chain risk
  + Compliance risk
  + Legal risk… etc

Until now we’ve had no way to link business risks to actual threats


Business & Organizational Risk is Why Threat Intelligence is so Important

“Gartner estimates this market will reach almost $1.5 billion by 2018, from more than $250 million in 2013”
Ruggero Contu, Rob McMillan. Competitive Landscape: Threat Intelligence Services, Worldwide, 2015. Published: 14 October 2014

Strategic Planning Assumption: “By 2018, 60% of large enterprises globally will utilize commercial threat intelligence services to help inform their security strategies.”
Rob McMillan & Khushbu Pratap. Market Guide for Security Threat Intelligence Services. Published: 14 October 2014

“Many vendors can provide raw information, but there are only a comparative few that provide true intelligence capabilities.”
Rob McMillan & Kelly Kavanagh. Technology Overview for Security Threat Intelligence Service Providers. Published: 16 October 2013


Commercial Threat Intelligence is changing Security Programs


Defining Threat Intelligence

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
Gartner, 16 May 2013, G00249251


Intelligence is Nothing New


Commercial Threat Intelligence Types

• Machine Real Time Intelligence (MRTI) fed through APIs
  • Webroot
  • ThreatGrid
  • Centripetal Networks

• Analytical / Contextual (people driven)
  • iSight (Now FireEye)
  • CrowdStrike

Nearly 100 vendors in this space today


How Threats are Realized: “The Break Down”


Threat Intelligence Visualized


Sensitive Data: Defining the Risk To Educational Institutions


Sensitive Data Identification

• Organizational leadership discussions
  • Administrators
  • Business Managers
  • Board Members

• State Compliance
• Data Ownership
• Operational Impact

Think big buckets, not detailed data classification.
Could be Operational Systems, PII, intellectual property…


Sensitive Data Prioritization

+ Risk to Life and Safety
  + Physical Security Systems
  + Video, Alarms, Controls all Network based

+ Risk of Personal Information theft
  + PII
  + Credentials and Health Data

+ Operational Impact
  + Online Testing & Learning Systems
  + Unavailability of Educational Systems and Resources


Utilizing Threat Intelligence


Identifying your attacker


Implementing an Intelligence Led Security Program

1. Understand your threat reality

2. Create intelligence collection requirements

3. Implement a proactive threat intelligence capability to monitor the relevant threat environment to your business

4. Integrate threat indicators delivered from intelligence provider(s) into your security technology, operations, workflow, and communications.

5. Correlate incident and threat indicators to the associated threat context to inform impact value and prioritization.

6. Train like you fight - Implement a custom training program that emulates the adversaries that pose the greatest risk to your business and train as a team.

Slide content courtesy of iSight Partners
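Steps 4 and 5 in miniature, as an added example that is not part of the original slides: constructed provider indicators carrying threat context are matched against constructed incident events, and each hit is ranked using the deck's three sensitive-data buckets. The names, weights, indicator values, assets and events are all illustrative assumptions.

```python
# Added illustration: every value, weight and name below is constructed.
from collections import namedtuple

# Numeric weights (assumed) following the deck's order:
# life and safety > personal information > operational impact.
BUCKET_WEIGHT = {"life_safety": 3, "personal_info": 2, "operational": 1}

# Step 4: provider indicators with context (0-100 confidence, sector targeting).
INDICATORS = {
    "198.51.100.23": {"actor": "actor-A", "confidence": 90, "targets_education": True},
    "bad.example.net": {"actor": "actor-B", "confidence": 60, "targets_education": False},
}

# Assets mapped to "big buckets", not a detailed data classification.
ASSET_BUCKET = {
    "door-controller-01": "life_safety",
    "sis-db-02": "personal_info",
    "lms-web-03": "operational",
}

Finding = namedtuple("Finding", "asset observable actor score")

def correlate(events):
    """Step 5: keep events whose observable matches an indicator, then score
    each as confidence x asset bucket weight x sector relevance."""
    findings = []
    for ev in events:
        ctx = INDICATORS.get(ev["observable"])
        if ctx is None:
            continue  # no intelligence match: the event stays in the noise
        # Assumption: assets missing from the inventory count as operational.
        bucket = ASSET_BUCKET.get(ev["asset"], "operational")
        relevance = 1.5 if ctx["targets_education"] else 1.0
        score = ctx["confidence"] / 100 * BUCKET_WEIGHT[bucket] * relevance
        findings.append(Finding(ev["asset"], ev["observable"], ctx["actor"], round(score, 2)))
    return sorted(findings, key=lambda f: f.score, reverse=True)

# Constructed sample of incident events (asset and the destination it contacted).
EVENTS = [
    {"asset": "lms-web-03", "observable": "198.51.100.23"},
    {"asset": "door-controller-01", "observable": "bad.example.net"},
    {"asset": "sis-db-02", "observable": "198.51.100.23"},
    {"asset": "lms-web-03", "observable": "cdn.example.org"},
]

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f.score:>5}  {f.asset:<20} {f.observable:<16} {f.actor}")
```

The same indicator scores differently depending on which asset touched it, which is the point of tying threat context to the sensitive-data buckets before triage.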


Language & Workflow


Shrink the Problem and Improve Prioritization

Customer Side: People, process, and technology help them determine possible risks.

Cyber Threat Intelligence: Intelligence helps them determine which events pose the greatest risk to their unique organization.

[Figure labels: Threat Sources; Attack Surface; Verified Threat Indicators; Pre-Processed Analysis; Raw Observations; Incident Indicators; Correlated Events; Attack Alerts]

Noise to Signal (10,000 Events/Day**)

**Source: Damballa’s Q1 2014 State of Infections Report


Benefits to Threat Intelligence

• Focused security spending on actual threats to your organization
  • Versus the current perceived threat model

• Verifying the reactive and improving the predictive overall threat response

• Improved risk threat mitigation metrics (is your security program effective?)


Lee Waskevich
Sr Director - Architecture
CCIE 7764, CISSP
ePlus Technology, inc.
130 Futura Drive
Pottstown, [email protected]