Confidence in Security Intelligence

  • Wednesday, 23 Sep 2020 3:30PM EDT (23 Sep 2020 19:30 UTC)
  • Speaker: John Wetzel

Within security intelligence, confidence frequently focuses on the conviction of suspected IOCs. Unfortunately, both open and commercial threat intelligence feeds suffer from false positives and a lack of context. An open threat feed may flag an IP address as malicious, but there is no ground truth in IOC conviction, only evidence that supports or refutes it. In this session, we'll show how to reach a level of "full trust", where analysts narrow their focus from an omniscient, catch-all approach to an intelligence-driven process that identifies the criteria necessary for conviction, automates checks for high-fidelity evidence, and aggregates lower-fidelity evidence for human analysis.
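The process the abstract describes, sketched as an added Python example (this is illustrative code written for this page, not material from the talk or the speaker): each feed hit becomes a piece of evidence tagged as high- or low-fidelity and as supporting or refuting conviction. High-fidelity checks are decisive and automated; low-fidelity evidence is summed into a score that only decides whether a human looks at the indicator. The source names, weights, threshold and sample hits are all constructed assumptions, and the IPs are RFC 5737 documentation addresses.

```python
from dataclasses import dataclass, field
from enum import Enum


class Fidelity(Enum):
    HIGH = "high"   # strong enough to convict or clear an IOC on its own
    LOW = "low"     # needs corroboration; aggregated and routed to an analyst


@dataclass(frozen=True)
class Evidence:
    source: str
    fidelity: Fidelity
    supports: bool      # True: supports conviction; False: refutes it
    weight: float       # used only when aggregating LOW-fidelity evidence
    note: str = ""


@dataclass
class Verdict:
    indicator: str
    decision: str       # "convicted", "review", or "dismissed"
    score: float        # signed sum of low-fidelity weights
    reasons: list[str] = field(default_factory=list)


# Hypothetical tuning value (assumption, not from the talk): aggregated
# low-fidelity score an IOC must reach before it is worth an analyst's time.
REVIEW_THRESHOLD = 1.0


def assess(indicator: str, evidence: list[Evidence]) -> Verdict:
    """Automate high-fidelity checks, aggregate low-fidelity ones."""
    high_for = [e for e in evidence if e.fidelity is Fidelity.HIGH and e.supports]
    high_against = [e for e in evidence if e.fidelity is Fidelity.HIGH and not e.supports]
    low = [e for e in evidence if e.fidelity is Fidelity.LOW]

    # Low-fidelity evidence is a signed score: supporting sources add, refuting
    # sources subtract, so a single feed listing never convicts by itself.
    score = round(sum(e.weight if e.supports else -e.weight for e in low), 3)
    reasons = [f"{e.source}: {'+' if e.supports else '-'}{e.weight} ({e.note})" for e in low]

    # High-fidelity evidence is decisive and is evaluated first.
    if high_for and high_against:
        # Conflicting high-fidelity evidence is exactly what a human must resolve.
        reasons += [f"conflict: {e.source} ({e.note})" for e in high_for + high_against]
        return Verdict(indicator, "review", score, reasons)
    if high_for:
        reasons += [f"{e.source}: convicted ({e.note})" for e in high_for]
        return Verdict(indicator, "convicted", score, reasons)
    if high_against:
        reasons += [f"{e.source}: cleared ({e.note})" for e in high_against]
        return Verdict(indicator, "dismissed", score, reasons)

    # No high-fidelity evidence: the aggregate alone decides whether a human looks.
    decision = "review" if score >= REVIEW_THRESHOLD else "dismissed"
    return Verdict(indicator, decision, score, reasons)


# Constructed sample hits for four indicators (not real feed data).
SAMPLE: dict[str, list[Evidence]] = {
    "192.0.2.10": [
        Evidence("open-feed-a", Fidelity.LOW, True, 0.5, "listed as scanner"),
        Evidence("sandbox", Fidelity.HIGH, True, 1.0, "C2 beacon from detonated sample"),
    ],
    "192.0.2.20": [
        Evidence("open-feed-a", Fidelity.LOW, True, 0.5, "listed as malicious"),
        Evidence("open-feed-b", Fidelity.LOW, True, 0.5, "listed as malicious"),
        Evidence("passive-dns", Fidelity.LOW, True, 0.3, "co-hosts known phishing domain"),
    ],
    "192.0.2.30": [
        Evidence("open-feed-a", Fidelity.LOW, True, 0.5, "listed as malicious"),
        Evidence("asn-lookup", Fidelity.LOW, False, 0.4, "shared hosting / CDN edge"),
    ],
    "192.0.2.40": [
        Evidence("sandbox", Fidelity.HIGH, True, 1.0, "C2 beacon observed"),
        Evidence("asset-inventory", Fidelity.HIGH, False, 1.0, "owned corporate VPN egress"),
    ],
}


def triage(feed: dict[str, list[Evidence]]) -> dict[str, Verdict]:
    """Run every indicator through assess() and return the verdicts by IOC."""
    return {ioc: assess(ioc, evs) for ioc, evs in feed.items()}


if __name__ == "__main__":
    for v in triage(SAMPLE).values():
        print(f"{v.indicator:<12} {v.decision:<10} score={v.score:+.2f}")
        for r in v.reasons:
            print(f"    {r}")
```

With the sample above, the sandbox-confirmed IP is convicted automatically, the IP seen only on two open feeds plus passive DNS reaches the review queue, the IP on one feed that also looks like a CDN edge is dismissed, and the IP where a sandbox hit collides with a corporate asset record is sent to an analyst because the high-fidelity evidence conflicts. The point of the threshold is not that 1.0 is the right number but that low-fidelity sources only ever earn a human look, never a conviction.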