Perimeter
9/25/2012
11:45 AM
Mike Rothman
Mike Rothman
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Security Intelligence = Table Stakes

Smart security practitioners know they can no longer rely on their vendors to provide the intelligence they need to deal with today's attacks

Evidently you can't be a player in the security market without some kind of security "intelligence," which is a fancy term for research. Two or three threat reports hit my inbox every week, many coming from vendors I've never heard of. If I wanted to read all of the reports issued each week, I wouldn't have time for anything else. Clearly the hype around intelligence is reaching a fever pitch, but isn't this more repackaged marketing hyperbole? Hasn't every security vendor had a research capability forever? Why is this any different?

To be clear, at surface level, it's not any different. Security research has been a mainstay since the AV vendors fielded teams of interns sitting in closets somewhere building signatures for the samples they got from the Wild List. A different but similar set of security researchers emerged when IDS devices needed to be fed with current signatures. But ultimately these first generation of researchers were all about keeping the signature databases up to date.

Obviously signatures aren't the way to detect much of anything nowadays. But that aspect of research (analyzing bad crap) hasn't changed that much, though the scale clearly has. Now a research team needs fancy big data engines, racks and racks of spindles, and hundreds of millions of sensors out there to stay on top of the bad stuff. That's a bit tongue in cheek, since the data analysis tools used by today's researchers are necessarily bigger because they have to deal with A LOT more data. This data needs to be normalized and correlated to see the patterns. So from that perspective security research continues to evolve.

The real difference between security research and security intelligence is the intel aspect. This was a concept I first learned over a decade ago when the research team at TruSecure had folks that actually penetrated hacker networks. They even trained a dude to speak Russian, so he could figure out what they were going to attack next. Guys like Brian Krebs now do this every day, but amazingly enough that was pretty novel back then. Of course, spy craft is maybe the third oldest profession, so the concept isn't new, but this practice hasn't always been commonplace in computer security.

Now every vendor has folks that troll around carder forums. They try to buy malware and subscribe to the DDoSaaS (yes, you can buy a denial of service attack as a service) offerings to track the tactics. They crowd-source attacks and try to shorten the window between when interesting malware shows up and when it's detected. They write up long reports to prove how smart they are. And they don't share anything interesting: That stuff they keep for themselves (and presumably their customers). Don't get me started on the "value" of intelligence as a reason to hoard it.

This is all good and well for the vendors, and it's even better for PR flacks and beat reporters who have an endless stream of uninteresting findings to drive page views. But targeted organizations out there need to take it one step further. The leading edge (dare I say "lean forward") practitioners are building their own security intel functions. Sure, they buy data from the vendors. But they take that data and apply it to their environment. These folks study their adversaries. They profile them and they learn their tactics. These folks realize they are in a battle. Maybe it's against a nation state, organized crime, or maybe even their competitors. And they are taking proactive steps to try to figure out what's coming. They no longer rely on the age old security tactic of reacting to what's already happened.

In fact, I believe we'll see a much bigger demand for security intelligence data moving forward which ultimately will change the perceived value of security products/services. Right now, the intelligence makes the product/service better. It's not something organizations buy as a stand-alone. Over time, as we see the increasing commoditization of inspection and policy enforcement, the value of vendors bring will be more about the knowledge they provide and less about their hardware or software agents.

A possibly unfortunate side effect will be furthering the gap between the security haves and have-nots. Putting more organizations below Wendy's security poverty line. But that's life. The rich get richer and the rest have their IP sold to the highest bidder.

So you have a choice. Do you continue to invest in stuff that doesn't work, or do you think a bit about the inflection Rich Mogull describes?

As always, the choice is not yours, it remains with your executives. Now is the time to start helping them understand why an internal security intelligence capability is table stakes in today's environment.

Mike Rothman is president of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.