In the rapidly expanding world of threat intelligence, avalanches of static lists combine with cascades of streaming data to be molded by evermore sophisticated analytics engines the output of which are finally presented in a dazzling array of eye-candy graphs and interactive displays.
For many of those charged with securing their corporate systems and online presence, the pressure continues to grow for them to figure out some way to incorporate this glitzy wealth of intelligence into tangible and actionable knowledge.
The prospect of transmuting streaming data into intelligence and from there into knowledge is something the alchemists of lore would seek to tackle after turning lead into gold.
The information security industry is placing great hope in threat intelligence being the solution that finally closes the gap between attacker and victim.
When the RSA Conference USA kicks off at the end of February in San Francisco, it’s guaranteed that the vocabulary of the vendors lined from wall-to-wall will include oft-repeated terms such as “actionable intelligence,” “threat analytics,” “machine learning,” “intelligence cloud,” and even “immune system” as they describe the data they push – or pull – to their products.
If you happen to speak with someone in sales at one of these vendor booths, they’ll likely throw in the term “unique” for good measure.
When I look around at the rapidly increasing number and variety of commercial threat feeds, the promises being made over their “value” and the way many vendors and enterprises alike describe how they anticipate using them, it appears that a large proportion of the industry may be on a trajectory to solve the wrong problem.
This rapidly bloating threat feed and analytics industry, for all its variety, feels a little too consumed with novelty. Being the cynical sort of person I am, I’d liken the industry to a newly opened frozen yogurt franchise. The prospect of being able to fill your bowl with any number of two dozen fabulous-sounding frozen yogurt flavors sets many hearts aflutter.
Then, if that wasn’t enough, as you get closer to the cash register you can take your pick of dozens upon dozens of different colored and flavored sprinkles, frozen and freeze-dried tidbits, and mouthwatering pourable syrups. And whipped cream of course!
As desserts go, custom-tuned sugar-loaded bowls of frozen yogurt are fun and delight the kids. But, as every adult knows – and every kid wishes wasn’t so – you can’t survive by just eating dessert.
Practically all of the boutique threat feeds, blacklists and streaming intelligence options on the market anticipate being wedded, merged and correlated with other data products. While there is certainly a strong appeal for an organization to craft its own unique frozen yogurt sundae, it’s easy to be distracted by the novelty and the perceived value of the data streams that combine to make it, and to lose sight of the business goals.
Combating today’s broad spectrum of advancing threats is not all about planning for dessert. Organizations need a robust strategy that continually monitors their security investments and ensures the core intellectual property and their value proposition are thoroughly covered first.
As much as firewalls, IDS, ADS, and DLP may be boring and increasingly prone to evasion or limited by the diversification of the endpoint, they’re still the stodgy “meat and three vegetables” recommendation of the security world.
While such an assortment of core technologies may feel a little dated, careful selection of data feeds and specialized or supplemental technologies that augment them and fill in specific gaps can reap substantial returns.
Great advances have been made in the last half-decade in our ability to analyze and dissect ever larger volumes of data, and new visualization techniques have made it easier for that intelligence to be consumed. But the gap between intelligence and knowledge continues to exist, and knowing that chocolate sprinkles don’t make a good garnish for steak is important.
Günter Ollmann is CSO of the cloud and AI security division at Microsoft and an advisor for Vector AI. Previously, he held the position of CSO at Vectra, where he assisted in building the next generation of threat detection technologies capable of illuminating persistent threats, lateral movement, IoT integrity compromise, and attacks that bypassed the front door. Günter was also a founder and principal at Ablative Security as well as an advisor for C3 Security and Yaxa. He received a B.S. in applied physics and mathematics and an M.S. in atmospheric physics at the University of Auckland.