All about Threat Central
Ted Ross & Nadav Cohen
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
This is a rolling (up to three year) Roadmap and is subject to change without notice.
Forward-looking statements
This document contains forward-looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett-Packard's predictions and / or expectations as of the date of this document and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other
HP confidential information
This Roadmap contains HP Confidential Information.
Agenda
Threat Central journey
Why HP Threat Central?
Offering vision
What is Threat Central?
Use cases
Threat Central journey
• Building a high-fidelity threat intelligence sharing community for our customers!
• Automate and correlate crowd-sourced threat intelligence feeds
Please join the Protect724 ArcSight product announcement forum for Threat Central product launch updates.
Join the Threat Central community to advance the cause of cyber threat defense for your company!
Innovation Project: 2013
• Project out of the HP Innovation Initiative
• Interview and
Alpha: 2013
• Multiple iterations of alpha testing with customers
• Announced and demoed at Protect2013
Beta: Today
• Beta testing with HP internal customers
• ArcSight customers beta testing
• Threat intelligence partners beta testing
Target GA: Soon!
• Building community with ArcSight customers, ESP customers, partners, security researchers and the open source threat intelligence community
Why HP Threat Central?
Crowd-sourced actionable threat intelligence
Industry is still learning how to collaborate effectively
• Companies spend time combating the same threat
• The adversary collaborates in an effective ecosystem
Government alone can't fix the problem
• Can't hire resources fast enough
• Limited visibility: needs intelligence/data from industry
Feedback regarding existing sharing models:
• Limited participation: members are not comfortable sharing
• Data is not actionable: it lacks context
• Overly manual: not timely
Threat Central enables
• Automated bi-directional sharing
• Ability to analyze the data
• Actionable derived results
• An existing community of advanced security customers
• Product-agnostic sharing
Vision
HP ESP leads the creation of an open threat intelligence sharing community!
[Diagram: the Threat Central community, made up of threat intelligence partners, HP Security Research and ESP customers]
Automated action influenced by context
[Diagram: TC Portal pipeline: Collect → Normalize → Analyze/correlate → Distribute/ACT; member data is compared and correlated across the community before action is taken]
Use case: Automated actions
Current approach
[Diagram: a single company's IPS sees invalid logins from source 1.1.1.1 and, on its own, correlates them into a brute-force login detection]
New approach
[Diagram: Companies A, B and C each see invalid logins from source 1.1.1.1 at their IPS and report them to Threat Central. The slide shows per-company scores of 1, 1 and 3 and a combined community score of 9. Company D, running HP TippingPoint, applies the rule "If score > 5, push IP to IPS" and blocks the source before it reaches them]
Use case: Proactive block lists – recon
Current approach
[Diagram: reconnaissance from sources in 1.1.1.X is seen by each company separately; each individual source scores only 1 on its own]
With Threat Central
[Diagram: the same 1.1.1.X sightings are pooled in Threat Central, so the recon sources are identified across members and can be pushed to a block list proactively]
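The portal pipeline (collect, normalize, analyze/correlate, distribute/act) and the two use cases above can be worked through in code. The block below is an added example written for this page, not Threat Central's own code or API: the report line format, the per-event weights, the one-count-per-member rule and the collapse of scanning sources into a /24 are all assumptions made here; only the blocking rule ("If score > 5, push IP to IPS") comes from the slide. The sample report lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Sighting(NamedTuple):
    member: str   # reporting community member
    src: str      # source IP as reported
    event: str    # normalized event type


# Constructed sample member reports (not real Threat Central data). The last
# line carries an invalid source address to exercise the normalize step.
RAW_REPORTS = """\
2014-06-10T10:00:01Z member="Company A" src=1.1.1.1 event=invalid_login
2014-06-10T10:00:02Z member="Company A" src=1.1.1.1 event=invalid_login
2014-06-10T10:05:00Z member="Company B" src=1.1.1.1 event=invalid_login
2014-06-10T10:07:00Z member="Company C" src=1.1.1.1 event=invalid_login
2014-06-10T10:07:30Z member="Company C" src=1.1.1.1 event=brute_force_login
2014-06-10T11:00:00Z member="Company A" src=1.1.1.7 event=port_scan
2014-06-10T11:02:00Z member="Company B" src=1.1.1.9 event=port_scan
2014-06-10T11:03:00Z member="Company C" src=1.1.1.23 event=port_scan
2014-06-10T11:30:00Z member="Company B" src=203.0.113.5 event=invalid_login
2014-06-10T11:31:00Z member="Company B" src=not-an-ip event=invalid_login
"""

# Assumed per-event weights; the deck states only the threshold.
EVENT_WEIGHT = {"invalid_login": 1, "brute_force_login": 3, "port_scan": 1}
BLOCK_THRESHOLD = 5   # slide rule: "If score > 5, push IP to IPS"

# Assumed report line format (timestamp, member, source, event).
LINE_RE = re.compile(r'^(\S+) member="([^"]+)" src=(\S+) event=(\S+)$')


def normalize(raw: str) -> List[Sighting]:
    """Normalize step: parse raw report lines, dropping malformed ones."""
    sightings = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, member, src, event = m.groups()
        try:
            ipaddress.ip_address(src)      # reject garbage before it is scored
        except ValueError:
            continue
        sightings.append(Sighting(member, src, event))
    return sightings


def score_sources(sightings: List[Sighting]) -> Tuple[Dict[str, int], Dict[str, List[str]]]:
    """Analyze/correlate step: community score per source IP.

    Each (member, src, event) triple counts once, so a single member replaying
    the same sighting cannot push an IP over the threshold by itself.
    """
    scores: Dict[str, int] = defaultdict(int)
    reporters: Dict[str, Set[str]] = defaultdict(set)
    seen = set()
    for s in sightings:
        if s in seen:
            continue
        seen.add(s)
        scores[s.src] += EVENT_WEIGHT.get(s.event, 0)
        reporters[s.src].add(s.member)
    return dict(scores), {ip: sorted(r) for ip, r in reporters.items()}


def blocked_ips(sightings: List[Sighting], threshold: int = BLOCK_THRESHOLD) -> List[str]:
    """Distribute/act step for 'Automated actions': IPs whose score exceeds the threshold."""
    scores, _ = score_sources(sightings)
    return sorted(ip for ip, score in scores.items() if score > threshold)


def recon_netblocks(sightings: List[Sighting], min_reporters: int = 3) -> List[str]:
    """'Proactive block lists - recon': collapse scanners such as 1.1.1.X into
    their /24 once at least min_reporters members have seen scans from it.
    Individually each scanner scores only 1 and would never be blocked alone."""
    by_net: Dict[str, Set[str]] = defaultdict(set)
    for s in sightings:
        if s.event != "port_scan":
            continue
        net = ipaddress.ip_network(f"{s.src}/24", strict=False)
        by_net[str(net)].add(s.member)
    return sorted(net for net, members in by_net.items() if len(members) >= min_reporters)


def push_list(raw: str) -> Dict[str, List[str]]:
    """Full pipeline: what would be pushed to a member's IPS."""
    sightings = normalize(raw)
    return {"ips": blocked_ips(sightings), "netblocks": recon_netblocks(sightings)}


if __name__ == "__main__":
    print(push_list(RAW_REPORTS))   # → {'ips': ['1.1.1.1'], 'netblocks': ['1.1.1.0/24']}
```

Two design choices in this example matter when the output feeds an IPS automatically: the one-count-per-member rule and the minimum-reporter requirement for netblocks both stop a single noisy or malicious member from inflating a community score on its own, and the normalize step discards unparseable addresses rather than letting them reach the block list. Whether Threat Central applies the same rules is not stated on these slides.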
Use case: Leveraging the community
[Diagram: Company A reports a new event (a zero day), Company B a malicious IP address and Company C a malware variant; Threat Central distributes the resulting BAD IP, MALWARE and ZERO DAY indicators to every member]
Screenshot tour
In the following example we will see how TC can be used to
• Query about an incident
• Distribute indicator information to communities
• Collaborate with security experts
• Get derived intelligence directly into SIEM
• Mitigate risks
Create a case
CaptnProton runs into suspicious behavior with LGCScanner.exe
Distribute indicators
CaptnProton submits the case. Indicators are now extracted and sent to community members
Distribute indicators (2)
ESM customers benefit from direct integration and targeted intelligence
Collaborate with experts
An HP Security Researcher enhances the indicators with contextual information
Get results
By the end of the process, CaptnProton's case is filled out with relevant and contextual information
Mitigate
Easily quarantine bad IPs/domains using ESM and TippingPoint SMS
For more information
Attend these sessions
• TB3169, Correlating advanced threat information feeds
Visit these demos
• Threat Central Demo – Booth 307
After the event
• Web: www.hp.com/go/threatcentral
• Blog: hp.com/go/hpsrblog
• Whitepaper: http://hpsw.co/z4L7ZbX
Your feedback is important to us.