Perimeter
9/25/2012
11:45 AM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Security Intelligence = Table Stakes

Smart security practitioners know they can no longer rely on their vendors to provide the intelligence they need to deal with today's attacks

Evidently you can't be a player in the security market without some kind of security "intelligence," which is a fancy term for research. Two or three threat reports hit my inbox every week, many coming from vendors I've never heard of. If I wanted to read all of the reports issued each week, I wouldn't have time for anything else. Clearly the hype around intelligence is reaching a fever pitch, but isn't this more repackaged marketing hyperbole? Hasn't every security vendor had a research capability forever? Why is this any different?

To be clear, at surface level, it's not any different. Security research has been a mainstay since the AV vendors fielded teams of interns sitting in closets somewhere building signatures for the samples they got from the Wild List. A different but similar set of security researchers emerged when IDS devices needed to be fed with current signatures. But ultimately these first generation of researchers were all about keeping the signature databases up to date.

Obviously signatures aren't the way to detect much of anything nowadays. But that aspect of research (analyzing bad crap) hasn't changed that much, though the scale clearly has. Now a research team needs fancy big data engines, racks and racks of spindles, and hundreds of millions of sensors out there to stay on top of the bad stuff. That's a bit tongue in cheek, since the data analysis tools used by today's researchers are necessarily bigger because they have to deal with A LOT more data. This data needs to be normalized and correlated to see the patterns. So from that perspective security research continues to evolve.

The real difference between security research and security intelligence is the intel aspect. This was a concept I first learned over a decade ago when the research team at TruSecure had folks that actually penetrated hacker networks. They even trained a dude to speak Russian, so he could figure out what they were going to attack next. Guys like Brian Krebs now do this every day, but amazingly enough that was pretty novel back then. Of course, spy craft is maybe the third oldest profession, so the concept isn't new, but this practice hasn't always been commonplace in computer security.

Now every vendor has folks that troll around carder forums. They try to buy malware and subscribe to the DDoSaaS (yes, you can buy a denial of service attack as a service) offerings to track the tactics. They crowd-source attacks and try to shorten the window between when interesting malware shows up and when it's detected. They write up long reports to prove how smart they are. And they don't share anything interesting: That stuff they keep for themselves (and presumably their customers). Don't get me started on the "value" of intelligence as a reason to hoard it.

This is all good and well for the vendors, and it's even better for PR flacks and beat reporters who have an endless stream of uninteresting findings to drive page views. But targeted organizations out there need to take it one step further. The leading edge (dare I say "lean forward") practitioners are building their own security intel functions. Sure, they buy data from the vendors. But they take that data and apply it to their environment. These folks study their adversaries. They profile them and they learn their tactics. These folks realize they are in a battle. Maybe it's against a nation state, organized crime, or maybe even their competitors. And they are taking proactive steps to try to figure out what's coming. They no longer rely on the age old security tactic of reacting to what's already happened.

In fact, I believe we'll see a much bigger demand for security intelligence data moving forward which ultimately will change the perceived value of security products/services. Right now, the intelligence makes the product/service better. It's not something organizations buy as a stand-alone. Over time, as we see the increasing commoditization of inspection and policy enforcement, the value of vendors bring will be more about the knowledge they provide and less about their hardware or software agents.

A possibly unfortunate side effect will be furthering the gap between the security haves and have-nots. Putting more organizations below Wendy's security poverty line. But that's life. The rich get richer and the rest have their IP sold to the highest bidder.

So you have a choice. Do you continue to invest in stuff that doesn't work, or do you think a bit about the inflection Rich Mogull describes?

As always, the choice is not yours, it remains with your executives. Now is the time to start helping them understand why an internal security intelligence capability is table stakes in today's environment.

Mike Rothman is president of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I decided to treat the kiddos to a TV dinner tonight.
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Title Partners Role in Perimeter Security
Title Partners Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.