﻿WEBVTT

NOTE This file was exported by MacCaption version 7.0.06 to comply with the WebVTT specification dated March 27, 2017.

00:00:06.215 --> 00:00:08.592 align:center line:-1 position:50% size:43%
Anyone who's worked in a SOC [Security Operations Center]

00:00:08.592 --> 00:00:12.137 align:center line:-1 position:50% size:43%
is going to be familiar
with the concept of alert fatigue.

00:00:12.137 --> 00:00:17.434 align:center line:-1 position:50% size:35%
You've got dozens, often,
of different security tools--

00:00:17.434 --> 00:00:21.647 align:center line:-1 position:50% size:48%
Endpoint and firewall
and WAF [web application firewall] and all of this other stuff--

00:00:21.647 --> 00:00:27.527 align:center line:-1 position:50% size:49%
and they're nonstop generating logs,
generating alerts.

00:00:27.527 --> 00:00:33.450 align:center line:-1 position:50% size:55%
The vast majority of those
you don't have to worry about very much,

00:00:33.450 --> 00:00:38.038 align:center line:-1 position:50% size:49%
although you don't know which ones
are sort of real and which ones aren't.

00:00:38.038 --> 00:00:41.375 align:center line:-1 position:50% size:49%
Anytime something's on the internet,

00:00:41.375 --> 00:00:46.630 align:center line:-1 position:50% size:51%
typically I see maybe a ping a second
or a connection attempt every second

00:00:46.630 --> 00:00:47.714 align:center line:-1 position:50% size:26%
against the system.

00:00:47.714 --> 00:00:48.882 align:center line:-1 position:50% size:21%
It's just probes.

00:00:48.882 --> 00:00:52.177 align:center line:-1 position:50% size:42%
You're just the next IP in line,
someone's looking for a way in,

00:00:52.177 --> 00:00:53.929 align:center line:-1 position:50% size:44%
looking for a susceptible system.

00:00:53.929 --> 00:00:57.599 align:center line:-1 position:50% size:36%
Plus there's a lot of other
background stuff going on.

00:00:57.599 --> 00:01:03.563 align:center line:-1 position:50% size:66%
One of the hardest things for security teams to do
is to filter out the noise,

00:01:03.563 --> 00:01:08.568 align:center line:-1 position:50% size:43%
to figure out, "Ok, I can safely ignore
this amount of stuff

00:01:08.568 --> 00:01:11.989 align:center line:-1 position:50% size:60%
and then let me focus on these other things."

00:01:11.989 --> 00:01:16.994 align:center line:-1 position:50% size:61%
What a threat intelligence gateway does
is it takes threat intelligence, hence the name,

00:01:16.994 --> 00:01:22.457 align:center line:-1 position:50% size:38%
and applies it to
an internet gateway location

00:01:22.457 --> 00:01:30.424 align:center line:-1 position:50% size:63%
to automatically remove things that are flagged
as threats or illegitimate.

00:01:30.424 --> 00:01:34.261 align:center line:-1 position:50% size:48%
They typically need to do it in a way
that's very fast and very automated.

00:01:34.261 --> 00:01:37.014 align:center line:-1 position:50% size:38%
You're not trying to duplicate
the role of a firewall.

00:01:37.014 --> 00:01:40.225 align:center line:-1 position:50% size:35%
You are trying to make
that firewall more efficient

00:01:40.225 --> 00:01:45.063 align:center line:-1 position:50% size:43%
and reduce the number of alerts
that that firewall is generating.

00:01:45.063 --> 00:01:48.650 align:center line:-1 position:50% size:57%
For example, a threat intelligence gateway
like ThreatARMOR,

00:01:48.650 --> 00:01:51.028 align:center line:-1 position:50% size:53%
which is a product that Keysight makes,

00:01:51.028 --> 00:01:55.824 align:center line:-1 position:50% size:53%
may have a database of tens of millions
of known bad IPs.

00:01:55.824 --> 00:01:59.036 align:center line:-1 position:50% size:51%
Known bad means we know right now
it's a botnet controller

00:01:59.036 --> 00:02:03.832 align:center line:-1 position:50% size:52%
or this is a phishing site, or this is a site
that we've seen probing the internet

00:02:03.832 --> 00:02:06.585 align:center line:-1 position:50% size:35%
for vulnerable IoT devices

00:02:06.585 --> 00:02:09.713 align:center line:-1 position:50% size:42%
to see if it can manipulate them
and plant malicious firmware

00:02:09.713 --> 00:02:12.924 align:center line:-1 position:50% size:52%
or corrupt them into
launching an attack or something else.

00:02:12.924 --> 00:02:19.848 align:center line:-1 position:50% size:60%
By automatically filtering out the connections
from those sites that we know are bad,

00:02:19.848 --> 00:02:22.684 align:center line:-1 position:50% size:59%
or from let's say countries where you simply
don't do business

00:02:22.684 --> 00:02:26.355 align:center line:-1 position:50% size:61%
so there's no reason to have them connecting
into your network,

00:02:26.355 --> 00:02:33.487 align:center line:-1 position:50% size:57%
you can often eliminate up to 80%
of the illegitimate or malicious connections

00:02:33.487 --> 00:02:35.906 align:center line:-1 position:50% size:46%
that would generate security alerts

00:02:35.906 --> 00:02:38.909 align:center line:-1 position:50% size:40%
and potentially pass breaches
into your network.

00:02:38.909 --> 00:02:43.330 align:center line:-1 position:50% size:48%
That lets your security team
look at a much smaller set of events

00:02:43.330 --> 00:02:45.582 align:center line:-1 position:50% size:46%
so that they can be more effective.

00:02:45.582 --> 00:02:49.461 align:center line:-1 position:50% size:43%
If you think of security as finding
a needle in the haystack,

00:02:49.461 --> 00:02:54.633 align:center line:-1 position:50% size:55%
this is about making the haystack smaller
so that it's easier to find.

00:02:54.633 --> 00:03:00.347 align:center line:-1 position:50% size:58%
A good threat intelligence gateway
should be basically continuously up to date.

00:03:00.347 --> 00:03:03.975 align:center line:-1 position:50% size:45%
In an ideal world,
your threat intelligence defenses,

00:03:03.975 --> 00:03:07.437 align:center line:-1 position:50% size:64%
as manifest in say a threat intelligence gateway,

00:03:07.437 --> 00:03:09.564 align:center line:-1 position:50% size:41%
would change every time
the threat landscape changes.

00:03:09.564 --> 00:03:13.610 align:center line:-1 position:50% size:64%
Keysight's ThreatARMOR product, for example,
updates itself every five minutes.

00:03:13.610 --> 00:03:15.779 align:center line:-1 position:50% size:39%
That's pretty good resolution.

00:03:15.779 --> 00:03:18.240 align:center line:-1 position:50% size:43%
So when there is some new threat,
some new attack,

00:03:18.240 --> 00:03:20.951 align:center line:-1 position:50% size:39%
some new botnet controller,
something like that out there,

00:03:20.951 --> 00:03:29.835 align:center line:-1 position:50% size:59%
very, very quickly, your device auto-updates
to stop attacks that correspond to that site.

00:03:29.835 --> 00:03:33.380 align:center line:-1 position:50% size:57%
That's very important; the whole goal
of advanced threat intelligence

00:03:33.380 --> 00:03:36.049 align:center line:-1 position:50% size:44%
is staying ahead of the bad guys,

00:03:36.049 --> 00:03:41.054 align:center line:-1 position:50% size:56%
understanding what they're going to do
before they have a chance to do it to you.

00:03:41.054 --> 00:03:44.015 align:center line:-1 position:50% size:59%
Certainly a good threat intelligence gateway

00:03:44.015 --> 00:03:47.185 align:center line:-1 position:50% size:58%
is going to help you stay ahead of the curve
in that way.

00:03:47.185 --> 00:03:49.646 align:center line:-1 position:50% size:54%
If you think about the automotive setting,

00:03:49.646 --> 00:03:55.986 align:center line:-1 position:50% size:60%
again where you're an automaker, you're operating
a network that's talking to connected cars,

00:03:55.986 --> 00:04:02.075 align:center line:-1 position:50% size:66%
we've talked already about the attack surface and
the exposure and the risk profile that you have.

00:04:02.075 --> 00:04:07.914 align:center line:-1 position:50% size:65%
So it's really, really important for the threat
intelligence that you're applying to your defenses

00:04:07.914 --> 00:04:09.374 align:center line:-1 position:50% size:22%
to be up to date.

00:04:09.374 --> 00:04:14.671 align:center line:-1 position:50% size:70%
You want to know what the bad guys are going to do
before they do it to your network.

00:04:14.671 --> 00:04:19.468 align:center line:-1 position:50% size:68%
Having something like a threat intelligence
gateway that's helping you stay ahead of the curve,

00:04:19.468 --> 00:04:25.640 align:center line:-1 position:50% size:70%
is going to really help you keep your network
and your cars and your consumers safe from attack.

