SecurityWeek

Management & Strategy

Threat Intelligence is Not Intellectual Property

That the breadth and depth of threat intelligence is a primary differentiating factor for security vendors is a widely held assumption in the security industry, and one we collectively need to disprove and change our perspective on.

When vendors and individuals attempt to keep threat intelligence private, they limit the ability of the entire group to identify and mitigate new threats as they are developed and launched against organizations. The days when IPS signatures and host-based anti-malware products were enough to secure your network are long gone. Sophisticated adversaries are constantly deploying new methods of evading detection. Whether this is in the form of new exploits, rapidly changing malware, or new attack vectors, it is clear that successful data breaches continue to escalate.

The velocity of attacks, both in volume and method, also continues to increase, meaning the quicker your security solutions gain access to relevant intelligence, the safer you become. Specifically, your solutions must be able to turn indicator sets on campaigns and adversary groups into new prevention mechanisms to stop attacks. This is an important distinction: malware is so easily changed that simply adding new signatures that look for a specific file is not nearly enough. In contrast, Indicators of Compromise (IOCs), such as the IP address for an attacker’s command-and-control communication infrastructure, are common across entire campaigns or attack groups.
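To make the distinction above concrete, here is an added example (not from the column or any vendor product) that runs a per-file hash signature and a campaign-level C2 indicator set over constructed endpoint telemetry; the hosts, hashes, addresses and campaign name are all invented, and the addresses come from the RFC 5737 documentation range.

```python
# Added example (not from the article): why a campaign-level IOC such as a
# C2 address catches more than a per-file signature. All data is constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

@dataclass(frozen=True)
class Event:
    host: str       # endpoint that ran the sample (constructed name)
    sha256: str     # hash of the executable (constructed placeholder)
    dst_ip: str     # destination of the outbound connection

# Constructed: a per-file signature learned from the first sample analysed.
FILE_SIGNATURES: Set[str] = {"a" * 64}

# Constructed: indicator set for a fictional campaign, keyed by campaign name.
# 203.0.113.0/24 is an RFC 5737 documentation range, so nothing real is named.
CAMPAIGN_IOCS: Dict[str, Set[str]] = {"CAMPAIGN-X": {"203.0.113.10", "203.0.113.11"}}

# Constructed telemetry: three variants of one family, all beaconing to the
# same campaign infrastructure, plus one unrelated benign connection.
EVENTS: List[Event] = [
    Event("host1", "a" * 64, "203.0.113.10"),   # the sample we have a hash for
    Event("host2", "b" * 64, "203.0.113.10"),   # repacked variant, new hash
    Event("host3", "c" * 64, "203.0.113.11"),   # rebuilt variant, second C2
    Event("host4", "d" * 64, "198.51.100.7"),   # benign traffic
]

def detect_by_hash(events: Iterable[Event], sigs: Set[str]) -> List[str]:
    """Signature matching: only hosts running an exact known file are flagged."""
    return [e.host for e in events if e.sha256 in sigs]

def detect_by_campaign(events: Iterable[Event], iocs: Dict[str, Set[str]]) -> Dict[str, str]:
    """IOC matching: map each flagged host to the campaign its C2 address belongs to."""
    hits: Dict[str, str] = {}
    for e in events:
        for campaign, addrs in iocs.items():
            if e.dst_ip in addrs:
                hits[e.host] = campaign
    return hits

def block_rules(iocs: Dict[str, Set[str]]) -> List[str]:
    """Turn the indicator set into prevention: one illustrative ACL-style deny per C2 address."""
    return sorted(f"deny ip any host {addr}" for addrs in iocs.values() for addr in addrs)

if __name__ == "__main__":
    print("hash hits:", detect_by_hash(EVENTS, FILE_SIGNATURES))
    print("campaign hits:", detect_by_campaign(EVENTS, CAMPAIGN_IOCS))
    print("\n".join(block_rules(CAMPAIGN_IOCS)))
```

The hash signature flags only the one host running the exact file, while the campaign indicators flag all three variants and yield block rules that hold until the adversary changes infrastructure rather than just recompiles.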

Threat Information Sharing

When looking at the common language of threat intelligence, security vendors often fall into the “big numbers” trap, where they tout how they have “billions” or even “trillions” of events. That is often the easy way out, and doesn’t actually provide insight into how relevant or valuable these events are. They certainly sound impressive when projected on a big screen during a conference, but many are likely commodity indicators on the common attacks everyone already knows about. While breadth of intelligence is important, even the largest sensor network in the world is limited by its very nature. It only has insight into the events it can directly observe, from members of the collective.

To illustrate this point, let’s play the math out:

• Medium-sized security vendors have 30,000 customers each. Let’s assume for the sake of simplicity that there are twenty of these in the world. This means there is the potential for these twenty vendors to be receiving intelligence from 600,000 users on the threats they are observing.

• Large security vendors have 100,000 customers each, and let us assume there are five of them. In total, these large vendors could be receiving data from 500,000 customers.

In this scenario, there are 1.1 million potential customers who could be contributing intelligence to help protect other organizations. The problem is that no security vendor is seeing more than 11 percent of the total intelligence being created! In the real world, there are of course even more organizations providing security solutions, meaning these numbers are orders of magnitude larger.

As a security leader, what if your vendor told you they could only stop 10% of all possible attacks? Would you be satisfied with that response? This is essentially what the industry’s response has been up until this point. Now consider the value security vendors could provide to the security community if they shared threat intelligence in a free and open manner. The attackers do not care which product you have protecting your network, and your security posture should not be limited by this. This is not to say every vendor will be equal in terms of innovation and ways to implement this common intelligence to prevent attacks, but we should judge them on those metrics, versus the size of their database.

To change this belief, we must push for change. The next time you are talking with your vendor of choice, ask them the following questions:

• Are they sharing threat intelligence with their peers?

• Can they create new protections from shared intelligence?

• Are they members of industry-level threat intelligence sharing groups?

• How are they working with government entities to share data between public and private?

There are some organizations attempting to pioneer this new way forward, including the Cyber Threat Alliance, founded by Fortinet, Intel Security, Palo Alto Networks, and Symantec, and at an industry peer level the ISACs. In addition to helping push vendors to change, consider how you can join these types of organizations and share intelligence with your peers.
