Threat Intelligence: STIX and Stones Will Break Your Foes
Fred Wilmot, Director, Global Security Practice
Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Strategy
Electric Mayhem
@fewdisc
Research
Product
Minister of Justice, a.k.a. Superman
Agenda
"
"
"
"
"
"
You've all heard this many times before (and you probably live it), but:
OSINT
- Dell SecureWorks
- Verisign iDefense
- Symantec DeepSight
- McAfee Threat Intelligence
- SANS
- CVEs, CWEs, OSVDB (vulns)
- iSight Partners
- ThreatStream
- OpenDNS
"
"
"
"
"
"
"
"
"
"
8
"
"
"
"
"
"
"
"
"
(Figure: only the label "Least Complete" survived extraction.)
TAXII: a transport mechanism for cyber threat information represented as STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.
An extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker's methodology, or other evidence of compromise.
MILE
VERIS
Predominant in the vendor and researcher world; lots of useful data available on the public internet.
Raw IOC
What is SPLICE?
SPLICE is a free Splunk App that enables you to easily consume IOCs (STIX, CybOX, OpenIOC) and use them to quickly evaluate your own environment for potential security issues.

SPLICE installs like any other Splunk App and only requires an instance of MongoDB on the search head Splice is installed on.

Get Splice RIGHT NOW by following @SplunkSec at https://twitter.com/SplunkSec
Splunk has chosen to initially reduce the IOC surface area to atomic indicators, for usability and to allow more flexibility in IOC analytics.

Splunk has also partnered with FS-ISAC (who have chosen the same approach) to integrate with their Avalanche product for IOC federation and collaboration.
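The two points above, TAXII carrying indicators serialized as STIX and SPLICE reducing them to atomic indicators, can be shown end to end in code. The following Python is an added example, not SPLICE's own code or anything Splunk ships: it parses a STIX 1.1 package (the namespace URIs are the real STIX/CybOX ones, but the package itself and the log lines are constructed for this example), drops the Observable_Composition boolean logic so that every IPv4 address, domain and file hash becomes an independent atomic indicator, and sweeps a few constructed log lines for them. All function and variable names are this example's own.

```python
"""Flatten STIX 1.x indicators to atomic IOCs and sweep log lines for them."""
# Added example, not SPLICE code. SAMPLE_STIX/SAMPLE_LOGS are constructed; only the namespace URIs are real.
import re
import xml.etree.ElementTree as ET

NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}


def q(prefix, tag):  # Clark-notation tag, e.g. {http://cybox.mitre.org/cybox-2}Properties
    return "{%s}%s" % (NS[prefix], tag)


# Constructed package: one atomic IPv4 indicator plus one composite (AND) indicator: dropper MD5 AND its C2 domain.
SAMPLE_STIX = """<stix:STIX_Package version="1.1.1" id="example:Package-1"
 xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
 xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
 xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Title>C2 server</indicator:Title>
   <indicator:Observable id="example:Observable-1"><cybox:Object id="example:Object-1">
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value condition="Equals">198.51.100.23</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Title>Dropper beaconing to C2 domain</indicator:Title>
   <indicator:Observable id="example:Observable-2"><cybox:Observable_Composition operator="AND">
    <cybox:Observable id="example:Observable-3"><cybox:Object id="example:Object-3">
     <cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes><cyboxCommon:Hash>
      <cyboxCommon:Type>MD5</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
     </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties>
    </cybox:Object></cybox:Observable>
    <cybox:Observable id="example:Observable-4"><cybox:Object id="example:Object-4">
     <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
      <DomainNameObj:Value>bad.example.net</DomainNameObj:Value>
     </cybox:Properties></cybox:Object></cybox:Observable>
   </cybox:Observable_Composition></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""


def atomic_indicators(stix_xml):
    """Flatten every CybOX object to (kind, value) pairs, dropping AND/OR composition logic."""
    iocs = set()
    for props in ET.fromstring(stix_xml).iter(q("cybox", "Properties")):
        for el in props.iter():
            if el.tag == q("AddressObj", "Address_Value"):
                iocs.add(("ip", el.text.strip()))
            elif el.tag == q("DomainNameObj", "Value"):
                iocs.add(("domain", el.text.strip().lower()))
            elif el.tag == q("cyboxCommon", "Hash"):
                kind = el.findtext("cyboxCommon:Type", namespaces=NS)
                value = el.findtext("cyboxCommon:Simple_Hash_Value", namespaces=NS)
                if kind and value:
                    iocs.add((kind.strip().lower(), value.strip().lower()))
    return iocs


def composition_count(stix_xml):
    """How many Observable_Composition nodes (AND/OR logic) the flattening discards."""
    return sum(1 for _ in ET.fromstring(stix_xml).iter(q("cybox", "Observable_Composition")))


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HEXRUN = re.compile(r"\b[a-f0-9]{32,64}\b", re.I)
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def extract_candidates(line):
    """Every token in a log line that could be an atomic indicator, normalised like the IOCs."""
    cands = {("ip", m) for m in IPV4.findall(line)}
    cands |= {("domain", m.lower()) for m in DOMAIN.findall(line)}
    cands |= {(HASH_KIND[len(m)], m.lower()) for m in HEXRUN.findall(line) if len(m) in HASH_KIND}
    return cands


def match_logs(lines, iocs):
    """[(line_index, sorted hits)] for each line that contains at least one IOC."""
    scored = ((i, sorted(extract_candidates(line) & iocs)) for i, line in enumerate(lines))
    return [(i, hits) for i, hits in scored if hits]


# Constructed log lines; the composite's MD5 and domain appear on *separate* lines.
SAMPLE_LOGS = [
    "2015-03-04T10:15:01Z proxy src=10.0.0.12 dst=198.51.100.23 host=cdn.example.org action=allow",
    "2015-03-04T10:15:07Z dns client=10.0.0.12 query=bad.example.net type=A",
    "2015-03-04T10:16:44Z edr host=ws-17 file=dropper.exe md5=0123456789abcdef0123456789abcdef",
    "2015-03-04T10:17:00Z proxy src=10.0.0.9 dst=192.0.2.10 host=www.example.com action=allow",
]

if __name__ == "__main__":
    iocs = atomic_indicators(SAMPLE_STIX)
    print(len(iocs), "atomic IOCs;", composition_count(SAMPLE_STIX), "composition flattened:", match_logs(SAMPLE_LOGS, iocs))
```

Note what the flattening costs. The constructed composite indicator says the MD5 AND the domain must appear together, yet after flattening the DNS line and the EDR line each fire on their own. That is the trade the slide describes: atomic indicators are trivially searchable across any log source, and the richer boolean or behavioural logic has to be rebuilt as analytics on top of the raw hits rather than carried in the indicator itself.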
SPLICE Architecture
Demo Time!
SPLICE Challenges
"
"
"
31
SPLICE Future
Next Steps:
Summary
"
"
"
"
"
"
Questions?
THANK YOU