Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
10:45 AM
Bradon Rogers
Bradon Rogers
Partner Perspectives

Endpoints, Gateways, and Networks: Teamwork Is Better Than Lone Rangers

Security vendors have a common goal when it comes to protecting their customers from danger. What's missing is a common language and protocols for how and what to share.

In police work, multiple witnesses, pieces of evidence, and investigating officers are better than a lone detective and a smoking gun. They bring different perspectives to the problem, comparing and analyzing elements and pursuing leads until the crime is solved.

Unfortunately, cybersecurity today seems more like a bunch of individual crime fighters or private investigators. Beat cops are checking for malware at the endpoints. Security guards are checking the comings and goings at each entrance and exit. Detectives are interrogating suspicious characters in the sandbox. Secret agents are gathering intelligence on potential threats. Thankfully, society’s law enforcement officials don’t work in silos; they actively share facts and ideas. However, in the cyberworld, a lack of orchestration is unfortunately the norm.

We have seen the silo effects of policing in the real world, and these groups are trying harder to work together. They have the benefit of common goals, shared language, and evolving protocols on how and what to share. We need the same thing in cybersecurity.

For example, when a suspicious email arrives, the firewall security guard can see the source IP and MAC addresses, but the endpoint cop only sees it as coming from the safe harbor of the internal mail server. If the email has a known malicious link, the email gateway can block it, but it should also be equipped to share that info with other controls such as the Web gateway to protect anyone from following that link, should they get it from another source.

I am certain that security vendors have a common goal when it comes to protecting their customers from danger. What’s missing is a common language and protocols for how and what to share. Intel Security has a remedy for this in the form of a real-time security Data Exchange Layer. DXL is built to deliver an architecture with a common communications framework that can connect to existing and future systems from Intel Security and, most importantly, to other systems in the ecosystem. DXL can be centralized or decentralized, as appropriate to the individual security functions and the network structure.

How DXL Works

With DXL, the combined system of security technologies is equipped to continually share intelligence for optimal protection. In our email example, when suspicious or malicious activity is detected, awareness of which endpoints have clicked the malicious email links helps identify those impacted hosts. This information allows the environment to automatically quarantine those hosts and perform in-depth inspection to identify the relevant components of the infection and any further potential impact. With this understanding, the environment rapidly corrects the impacted infrastructure by performing such actions as killing malicious processes, cleaning registry entries, removing malicious files, and killing connectivity to command-and-control infrastructure. This process contains the initially visible aspects of the event. Next, analysts can leverage various indicators found in these exercises to look for other affected systems that could result from lateral movement and persistence.

To facilitate this analysis, the environment queries the historic analytics repository for any other event artifacts. Any findings can be scoped and remediated, preferably using policies and scripts. Finally, with these new learnings, the environment continuously hunts going forward, looking for variants or related impacts. Pertinent newly found intelligence is ultimately shared with the rest of the organizational controls via DXL. This form of automated intelligence sharing and active defense rarely exists in most organizations, yet most will agree it is necessary in today’s cyberfight.

As our industry has evolved, some security vendors have developed proprietary systems that connect their own parts together. However the challenge is that these systems may not have all of the components you need, or worse yet, they deliver a false sense of security with great reports and tons of information, yet very little actual integration into the security fabric of the organization for delivering an active defense framework. These barriers can no longer be permitted to stand if we are to combat modern attack complexity with the velocity and accuracy needed to win the battle.

In law enforcement, catching and stopping criminals does not happen effectively in isolation, by one individual, one precinct, or one organization. Instead, disparate law enforcement organizations and entities work closely together to effectively thwart the most advanced of criminal activities. In the world of cybersecurity, we must rapidly evolve from the bankrupt isolated approaches of the past if we are to deliver on the active defense measures that are necessary against today’s adversaries.

Bradon Rogers is the Senior Vice President of Product and Solution Marketing at Intel Security, and is a 14 year veteran in the security space. In this role, Bradon is responsible for worldwide go-to-market of the Intel Security product portfolio. In his prior role at Intel ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory w...
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on t...
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute w...
PUBLISHED: 2021-06-21
The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some...
PUBLISHED: 2021-06-21
The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue