SecurityWeek

Management & Strategy

Threat Intelligence is Not Intellectual Property

That the breadth and depth of threat intelligence is a primary differentiating factor for security vendors is a widely held assumption in the security industry, and one that we collectively need to disprove and change our perspective on.

When vendors and individuals attempt to keep threat intelligence private, they limit the ability of the entire group to identify and mitigate new threats as they are developed and launched against organizations. The days when IPS signatures and host-based anti-malware products were enough to secure your network are long gone. Sophisticated adversaries are constantly deploying new methods of evading detection. Whether this is in the form of new exploits, rapidly changing malware, or new attack vectors, it is clear that successful data breaches continue to escalate.

The velocity of attacks, both in volume and method, also continues to increase, meaning the quicker your security solutions gain access to relevant intelligence, the safer you become. Specifically, your solutions must be able to turn indicator sets on campaigns and adversary groups into new prevention mechanisms to stop attacks. This is an important distinction: because malware is so easily changed, simply adding new signatures that look for a specific file is not nearly enough. In contrast, Indicators of Compromise (IOCs), such as the IP address for an attacker’s command-and-control communication infrastructure, are common across entire campaigns or attack groups.

Threat Information Sharing

When looking at the common language of threat intelligence, security vendors often fall into the “big numbers” trap, where they tout how they have “billions” or even “trillions” of events. That is often the easy way out, and doesn’t actually provide insight into how relevant or valuable these events are. They certainly sound impressive when projected on a big screen during a conference, but many are likely commodity indicators on the common attacks everyone already knows about. While breadth of intelligence is important, even the largest sensor network in the world is limited by its very nature. It only has insight into the events it can directly observe, from members of the collective.

To illustrate this point, let’s play the math out:

• Medium-sized security vendors have 30,000 customers each. Let’s assume for the sake of simplicity that there are twenty of these in the world. This means there is the potential for these twenty vendors to be receiving intelligence from 600,000 users on the threats they are observing.

• Large security vendors have 100,000 customers each, and let us assume there are five of them. In total, these large vendors could be receiving data from 500,000 customers.

In this scenario, there are 1.1 million potential customers who could be contributing intelligence to help protect other organizations. The problem is that no security vendor is seeing more than 11 percent of the total intelligence being created! In the real world, there are of course even more organizations providing security solutions, meaning these numbers are orders of magnitude larger.


As a security leader, what if your vendor told you they could only stop 10% of all possible attacks? Would you be satisfied with that response? This is essentially what the industry’s response has been up until this point. Now consider the value security vendors could provide to the security community if they shared threat intelligence in a free and open manner. The attackers do not care which product you have protecting your network, and your security posture should not be limited by this. This is not to say every vendor will be equal in terms of innovation and ways to implement this common intelligence to prevent attacks, but we should judge them on those metrics, versus the size of their database.

In order to change this belief, we must push for change. The next time you are talking with your vendor of choice, ask them the following questions:

• Are they sharing threat intelligence with their peers?

• Can they create new protections from shared intelligence?

• Are they members of industry-level threat intelligence sharing groups?

• How are they working with government entities to share data between public and private?

There are some organizations attempting to pioneer this new way forward, including the Cyber Threat Alliance, founded by Fortinet, Intel Security, Palo Alto Networks, and Symantec, and at an industry peer level with the ISACs. In addition to helping push vendors to change, consider how you can join these types of organizations and share intelligence with your peers.
