|By Adam Vincent||
|March 6, 2013 12:45 PM EST||
The RSA conference this year was abuzz with talk of threat intelligence and its usage in detecting and protecting against more advanced threats. There was re-branding of existing products and the entrance of new products, all of which claimed to support some type of “intelligence” capability. As I walked around it struck me that usage of the term was not consistent. We need to have a detailed understanding of what it means to use intelligence to secure our enterprise from cyber attacks, and maintain business operations in the face of sophisticated threats.
Defining Threat Intelligence
In April of 2011, Cyber Squared defined Threat Intelligence as “an emerging information security discipline that seeks to recognize and understand sophisticated cyber adversaries, specifically why and how they threaten data, networks, and business processes. With enhanced knowledge of the threat develop better protective measures against them.” Not many companies would use the word “emerging” as it relates to their primary business, but we did, because at the time most clients were not yet worried about sophisticated threats, nor did they know how they would use threat intelligence to protect themselves from them. Almost two years later and Threat Intelligence has now become a market within the broader security space. For you skeptics that think it is yet another marketing term, don’t take my word for it. SANS has sponsored a Summit on this single topic.
The Cyber Threat Intelligence Summit will be held in March. I’ll be presenting a lightning round presentation on the topic of crowdsourcing threat intelligence, and Rich Barger, Cyber Squared’s Chief Intelligence Officer, will be participating on a panel. This is such an important topic for the industry that SANS is putting on this event, and in doing so have started the process for an industry wide definition of Threat Intelligence.
Why is it needed
The Advanced Persistent Threat (APT) facing many modern networked organizations has rendered intrusion detection systems, anti-virus and traditional incident response approaches insufficient. The APT represents well-resourced and trained adversary’s who use advanced tools and techniques designed to circumvent most conventional computer network defense mechanisms. Their multi-year intrusion campaigns target highly sensitive and valuable data for competitive edge.
What is it
Network defense techniques that leverage knowledge about these adversaries – known as cyber threat intelligence – can enable defenders to establish a state of information superiority which decreases the adversary’s likelihood of success with each subsequent intrusion attempt. Threat intelligence can be a force multiplier and provide security managers accurate, timely and detailed information to continuously monitor new and evolving attacks. Earlier detection can minimize losses or disruption within the network, and lessen the cost of cleanup efforts. With Threat Intelligence you can provide a more effective defensive posture then would be otherwise be possible.
A Threat Intelligence Ecosystem can be broken down into the following basic functional areas: information collection and analysis, decision support, and mitigations. All three must work in concert in order to keep pace with the threat. So to make Threat Intelligence possible, we must connect the efforts of our decision makers with security personal, and provide them with a robust ability to leverage more comprehensive knowledge of their particular cyber threats. Taking the concept of a Threat Intelligence one step further. We must unite the efforts of the community around the threat, and crowdsource our need for threat intelligence. The Threat Intelligence Ecosystem is so much more knowledgeable and powerful than a single individual or organization.
How crowdsourcing can help
We know that responding quickly to cyber threats is of critical importance, and the only way to really change the game is to understand how the adversary works and predict where they might go next. We realize that we can’t win this battle by fighting alone. While progress is being made to create and use Threat Intelligence within organizations, unfortunately today this is only possible with the more mature and resourced organizations. It takes a significant investment to collect, create, enrich, and leverage Threat Intelligence, leaving less resourced businesses from protecting themselves in the same manner. The adversary doesn’t discriminate between those organizations with and without resources. The adversary is targeting those who have sensitive and valuable data.
What if we applied the crowdsourcing model? Applying a crowdsourcing approach to Threat Intelligence would involve being able to assemble an impromptu, virtual army of trusted cyber defenders to more quickly and comprehensively understand the threat and predict where they will go next. It would require the ability to create dynamic relationships with trusted sharing partners who have common threat interests, and being able to register and receive notifications when threats change. By transitioning today’s more static “sharing” model to a more dynamic “crowdsourcing” approach for Threat Intelligence, we could actually improve response times and predict attacks. Furthermore, it is possible that an established, successful crowdsourcing Threat Intelligence solution could serve as a deterrent for cyber adversaries. Benefits of crowdsourcing include:
- Less time commitment to understand the threat
- Lower costs to obtain a larger understanding of the threat
- Obtain insights that would not be otherwise obvious
- Connect with other stake holders who are also experiencing the same problem
- Ability to track / measure the threat, effectively explaining and articulating the problem to decision makers
Based on established current day environmental factors, we should have at our disposal the necessary ingredients to create a successful crowdsourcing environment for threat intelligence. For instance, the enormous popularity of social media has turned strangers into virtual friends. Facebook’s “like” feature virtually binds people into a community via a common interest. There is a growing awareness and acceptance of using crowdsourcing to solve problems. We can bind these concepts into a crowdsourcing, internet-based solution for Threat Intelligence that includes rankings, statistics, and metrics to facilitate “co-ompetition”.
Unfortunately, there is going to be a great deal of confusion around Threat Intelligence for the foreseeable future. Just remember that Threat Intelligence is not something you buy, it’s something you create. You can streamline the process of building Threat Intelligence using security analysis products that support data feeds and crowdsourcing . Please come out on March 22nd and see what I have to say about Crowdsourcing Threat Intelligence – the BIG (data) idea behind ThreatConnect.com.
- The Odd Couple: Marrying Agile and Waterfall
- Fanning the Flames of Agile
- Internet of @ThingsExpo Silicon Valley Call for Papers Now Open
- April and May 2014 Server and StorageIO Update newsletter
- MangoApps to Exhibit at Cloud Expo New York
- WSO2 Introduces Industry’s First Enterprise Identity Bus With the Launch of WSO2 Identity Server 5.0
- Practical WebRTC: From API to Solution
- Last Chance to Register for LTE World Summit
- The Butterfly Effect Within IT
- The Business Challenges Impacting Digital Transformation
- Stay Current on the Internet of Things
- Setting the Bar for Agile Architecture
- How to Get the Best From Virtual Employees
- Global Financial Firms Can Effectively Address Technology Risk Guidelines
- .CLUB Domain Name Extension Now Available for General Registration
- MapR Technologies Announces Upcoming June Conferences
- More Mainstream Businesses Depend on Open Source
- AMAG, HP, ImageWare Systems, March Networks and StrikeForce Discuss Security Solutions in SecuritySolutionsWatch.com Interviews
- F5 to Present at Upcoming Technology and Investor Conferences
- The Odd Couple: Marrying Agile and Waterfall
- Flexera Software’s InstallShield 2014 Release Introduces New Support of Cloud and Virtualised Installations, High-DPI Displays and Touch Devices, and Agile Development
- FlexNet Manager Suite Wins CODiE Award for Best Asset Management Solution - 4th CODiE Award for Flexera Software
- Fanning the Flames of Agile
- WSO2 Guest Speakers at WSO2Con Europe 2014 Will Examine Technology Developments and Best Practices Enabling the Connected Business
- The Top 150 Players in Cloud Computing
- Who Are The All-Time Heroes of i-Technology?
- Where Are RIA Technologies Headed in 2008?
- Success, Arrogance, Rise and Fall
- AJAX World RIA Conference & Expo Kicks Off in New York City
- The Top 250 Players in the Cloud Computing Ecosystem
- Personal Branding Checklist
- i-Technology Viewpoint: Attack of the Blogs
- Exclusive Q&A with Jeff Haynie, Co-Founder & CEO, Appcelerator
- Cloud People: A Who's Who of Cloud Computing
- Ulitzer Names the World's 30 Most Influential Cloud Computing Bloggers
- Web 2.0 News and Wrapping Up "Real-World AJAX" Seminar