Determining the Fit and Impact of CTI Indicators on your Monitoring Pipeline (TIQ-Test 2.0), presented at the FIRST Conference, Kuala Lumpur, 2018

by Alex Pinto

Summary: Implementing an appropriate data processing pipeline to make good use of your indicators of compromise is a problem that has been successfully addressed over the last few years. However, even with all the push for automation and orchestration, a fundamental question remains: WHAT data should I be ingesting in my detection pipelines? There is no lack of data feeds available, shared or not, paid or not. But how do I keep my CTI/IR team from spinning their wheels on a pile of CTI mud?

This talk will discuss statistical analysis you can do with the CTI indicators you collect and your own network telemetry to define:

COVERAGE: Is your current mix of CTI feeds providing a varied view of the current threats you should actually be concerned with?

FIT: How well does the CTI data apply to your own traffic? CTI vendors always talk about vertical-specific threats, but is that measurable and verifiable?

IMPACT: How much were your true positive detections assisted by matches and link analysis derived from those CTI feeds?

Those concepts will be introduced and explained with minimal math background needed, and pseudo-code will be provided to assist organizations in performing those experiments in their own environments. We hope those tools will help attendees better evaluate the quality of the CTI feeds they ingest from open sources, paid providers and sharing communities.
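As an added example (not the talk's pseudo-code and not the TIQ-Test tool itself), the block below shows one concrete reading of the three questions above as metrics you can compute from a set of indicator feeds, your own telemetry and your incident records. The feed contents, telemetry counts and incident records are constructed for the demo, and the metric definitions (uniqueness and pairwise Jaccard overlap for COVERAGE, hit ratio against observed traffic for FIT, share of confirmed incidents that a CTI match raised for IMPACT) are this editor's assumptions about how to make the questions measurable:

```python
"""Feed-quality metrics for COVERAGE, FIT and IMPACT.

Added example, not the talk's pseudo-code. All feeds, telemetry and incident
records below are constructed for the demonstration; the metric definitions
are one reasonable reading of the three questions, not a standard.
"""
from itertools import combinations

# Constructed sample feeds (documentation-range IPs and .example names): feed -> indicators.
FEEDS = {
    "feed_a": {"203.0.113.10", "203.0.113.11", "198.51.100.5", "evil.example", "c2.example"},
    "feed_b": {"203.0.113.10", "203.0.113.11", "198.51.100.7", "dropper.example"},
    "feed_c": {"192.0.2.99", "192.0.2.100", "beacon.example", "c2.example"},
}

# Constructed network telemetry: destination observed -> number of flows your sensors saw.
# A feed full of indicators your hosts never talk to cannot produce a match, whatever its size.
TELEMETRY = {
    "203.0.113.10": 12,
    "198.51.100.5": 3,
    "c2.example": 40,
    "beacon.example": 1,
    "10.0.0.1": 500,
    "www.example.org": 900,
}

# Constructed incident records: confirmed true positives, the indicators involved, and
# whether a CTI match (rather than some other control) is what raised the alert.
INCIDENTS = [
    {"id": "INC-1", "indicators": {"c2.example"}, "detected_by_cti": True},
    {"id": "INC-2", "indicators": {"203.0.113.10"}, "detected_by_cti": True},
    {"id": "INC-3", "indicators": {"10.0.0.1"}, "detected_by_cti": False},
]


def coverage(feeds):
    """COVERAGE: per-feed share of indicators no other feed carries (uniqueness) and
    pairwise Jaccard overlap; high overlap means you are paying twice for one view."""
    uniqueness = {}
    for name, inds in feeds.items():
        others = set().union(*(v for k, v in feeds.items() if k != name))
        uniqueness[name] = len(inds - others) / len(inds) if inds else 0.0
    overlap = {}
    for a, b in combinations(feeds, 2):
        union = feeds[a] | feeds[b]
        overlap[(a, b)] = len(feeds[a] & feeds[b]) / len(union) if union else 0.0
    return uniqueness, overlap


def fit(feeds, telemetry):
    """FIT: fraction of each feed's indicators ever seen in your own telemetry, and how
    many flows those hits account for. Low hit ratios mean the feed describes
    someone else's traffic."""
    seen = set(telemetry)
    result = {}
    for name, inds in feeds.items():
        hits = inds & seen
        result[name] = {
            "hit_ratio": len(hits) / len(inds) if inds else 0.0,
            "flows": sum(telemetry[i] for i in hits),
        }
    return result


def impact(feeds, incidents):
    """IMPACT: share of confirmed true positives that a CTI match raised, and per feed
    the number of incidents that involved at least one of its indicators.
    An empty incident list yields zeros rather than a division error."""
    per_feed = {
        name: sum(1 for inc in incidents if inc["indicators"] & inds)
        for name, inds in feeds.items()
    }
    if not incidents:
        return {"cti_assisted_ratio": 0.0, "incidents_per_feed": per_feed}
    assisted = sum(1 for inc in incidents if inc["detected_by_cti"])
    return {"cti_assisted_ratio": assisted / len(incidents), "incidents_per_feed": per_feed}


if __name__ == "__main__":
    uniq, ov = coverage(FEEDS)
    print("COVERAGE uniqueness:", uniq)
    print("COVERAGE pairwise overlap:", ov)
    print("FIT:", fit(FEEDS, TELEMETRY))
    print("IMPACT:", impact(FEEDS, INCIDENTS))
```

In this constructed data, feed_c has the most unique indicators but only two of them were ever contacted, feed_b is largely a subset of feed_a with a single hit, and two of the three confirmed incidents were raised by a CTI match; the same three functions run unchanged over your real feeds, a flow or DNS log aggregated by destination, and your ticketing export.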