Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/25/2012
11:45 AM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Security Intelligence = Table Stakes

Smart security practitioners know they can no longer rely on their vendors to provide the intelligence they need to deal with today's attacks

Evidently you can't be a player in the security market without some kind of security "intelligence," which is a fancy term for research. Two or three threat reports hit my inbox every week, many coming from vendors I've never heard of. If I wanted to read all of the reports issued each week, I wouldn't have time for anything else. Clearly the hype around intelligence is reaching a fever pitch, but isn't this more repackaged marketing hyperbole? Hasn't every security vendor had a research capability forever? Why is this any different?

To be clear, at surface level, it's not any different. Security research has been a mainstay since the AV vendors fielded teams of interns sitting in closets somewhere building signatures for the samples they got from the Wild List. A different but similar set of security researchers emerged when IDS devices needed to be fed with current signatures. But ultimately these first generation of researchers were all about keeping the signature databases up to date.

Obviously signatures aren't the way to detect much of anything nowadays. But that aspect of research (analyzing bad crap) hasn't changed that much, though the scale clearly has. Now a research team needs fancy big data engines, racks and racks of spindles, and hundreds of millions of sensors out there to stay on top of the bad stuff. That's a bit tongue in cheek, since the data analysis tools used by today's researchers are necessarily bigger because they have to deal with A LOT more data. This data needs to be normalized and correlated to see the patterns. So from that perspective security research continues to evolve.

The real difference between security research and security intelligence is the intel aspect. This was a concept I first learned over a decade ago when the research team at TruSecure had folks that actually penetrated hacker networks. They even trained a dude to speak Russian, so he could figure out what they were going to attack next. Guys like Brian Krebs now do this every day, but amazingly enough that was pretty novel back then. Of course, spy craft is maybe the third oldest profession, so the concept isn't new, but this practice hasn't always been commonplace in computer security.

Now every vendor has folks that troll around carder forums. They try to buy malware and subscribe to the DDoSaaS (yes, you can buy a denial of service attack as a service) offerings to track the tactics. They crowd-source attacks and try to shorten the window between when interesting malware shows up and when it's detected. They write up long reports to prove how smart they are. And they don't share anything interesting: That stuff they keep for themselves (and presumably their customers). Don't get me started on the "value" of intelligence as a reason to hoard it.

This is all good and well for the vendors, and it's even better for PR flacks and beat reporters who have an endless stream of uninteresting findings to drive page views. But targeted organizations out there need to take it one step further. The leading edge (dare I say "lean forward") practitioners are building their own security intel functions. Sure, they buy data from the vendors. But they take that data and apply it to their environment. These folks study their adversaries. They profile them and they learn their tactics. These folks realize they are in a battle. Maybe it's against a nation state, organized crime, or maybe even their competitors. And they are taking proactive steps to try to figure out what's coming. They no longer rely on the age old security tactic of reacting to what's already happened.

In fact, I believe we'll see a much bigger demand for security intelligence data moving forward which ultimately will change the perceived value of security products/services. Right now, the intelligence makes the product/service better. It's not something organizations buy as a stand-alone. Over time, as we see the increasing commoditization of inspection and policy enforcement, the value of vendors bring will be more about the knowledge they provide and less about their hardware or software agents.

A possibly unfortunate side effect will be furthering the gap between the security haves and have-nots. Putting more organizations below Wendy's security poverty line. But that's life. The rich get richer and the rest have their IP sold to the highest bidder.

So you have a choice. Do you continue to invest in stuff that doesn't work, or do you think a bit about the inflection Rich Mogull describes?

As always, the choice is not yours, it remains with your executives. Now is the time to start helping them understand why an internal security intelligence capability is table stakes in today's environment.

Mike Rothman is president of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.