6/2/2015 12:00 AM

Threat Intelligence Platforms: The Next 'Must-Have' For Harried Security Operations Teams

New category of technology promises to aggregate all threat intelligence feeds and help security teams find the attacks that could cause the most damage

At the headquarters of a major bank in New York, a team of IT security specialists is poring over reams of data. They’ve just received word that there’s a new online banking exploit in the wild, and they’re working against the clock to figure out what the attack looks like – and whether it has breached their defenses. At this moment, though, their enemy isn’t a hacker. It’s the dozens of disparate, uncoordinated data feeds that might contain information about the new threat – but can only be scanned manually.

Every day, security operations center (SOC) staffs in all types of industries and geographies are faced with scenarios similar to this one. They’ve subscribed to many different threat intelligence feeds that promise insight on the latest attacks -- but now they’ve got so much data that identifying and correlating information about a single attack is like finding a needle in a haystack. And if they don’t find the key threat data they need, they could leave their organizations open to a damaging attack.

Several startup technology vendors – including one, ThreatQuotient, just emerging from stealth today – have launched recently to help enterprises aggregate and correlate incoming threat data from many different sources and speed the process of digging out the relevant indicators of compromise. These "threat intelligence platforms" promise to provide a single funnel for channeling and analyzing the growing firehose of threat data emanating from dozens of disparate threat intelligence services and open-source organizations that provide notifications of newly-emerging exploits and vulnerabilities.

Another startup, TruSTAR, promises to advance the security information sharing process by providing the means to anonymously report and share threat and breach data across enterprises -- and eventually, entire industries.

"Security analysts are being inundated with threat information," notes Wayne Chiang, CEO and co-founder of ThreatQuotient, which announced its official launch June 2. "It’s reached the point where that glut of data is preventing them from doing the one thing that all of these feeds were supposed to do in the first place, which is to identify the threats that are relevant to their organizations and respond."

Threat intelligence platforms -- a new category of software and services coming from emerging players such as ThreatConnect, ThreatQuotient, and ThreatStream – promise to aggregate and help correlate threat data emanating from the growing base of threat intelligence service providers, such as CrowdStrike and iSight Partners. The platform vendors, all less than three years old, offer a single portal for analyzing data not only from commercial providers, but from open-source threat data providers such as US-CERT.

"Threat intelligence is one of the fastest ways of getting real information about new attacks and detecting the indicators of advanced, sophisticated attacks," says Wade Baker, vice president of strategy and risk analytics at ThreatConnect. Baker formerly was a founding author of Verizon Business’ Data Breach Investigations Report (DBIR), one of the industry’s best-known sources of information about IT security compromises. "Threat intelligence works – the problem is just that there’s so much information that it’s difficult to organize and confusing to the people who have to develop a response."

The problem, experts say, is that there are so many sources of threat information – and threat data is not filed in a common format. Mitre Corp. has helped the situation by developing the specifications known as Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII), but threat reports can still be found in many different formats, ranging from simple text to PDF documents and Excel spreadsheets.

"STIX and TAXII help, but we still find a lot of threat data that is in lots of different formats, and a lot of it contains information that shouldn’t be in the stream," says Colby DeRodeff, chief strategy officer at ThreatStream.

Most large enterprises use security information and event management (SIEM) systems to aggregate and analyze their internal security log and event data. But SIEM data requires a good deal of filtering, DeRodeff notes, and simply pouring threat data into a SIEM system can create an overabundance of false positives that cause alarm bells to ring unnecessarily -- and may cause security operations teams to expend time unproductively.

SIEM systems may also not support the various tools that security data analysts use to evaluate threat data, Baker says. "SIEM works well for collecting event data, but it’s not a great toolbench for data analysts," he states.

Threat intelligence platforms provide a lighter, more versatile system for importing threat data from many different sources, correlating that data, and then exporting it to systems such as SIEM or trouble ticketing systems that can trigger the IT staff to take steps toward remediation. A threat intelligence platform significantly reduces the time spent by data analysts to aggregate and rationalize the threat data they receive, the technology vendors say. And it may also help enterprises to identify the threat sources and data that are the most useful and accurate for their own environment, potentially reducing the costs associated with unnecessary commercial threat feeds.

"Ultimately, we can give you a sense for how much value there is in a feed," says Chiang. "But for the near term, the biggest benefit is the time it saves the people who do the analysis. We’re giving them a way to operationalize all of the data they are getting, putting them in a better position to act on it."

Over the longer term, threat intelligence platforms have the potential to become more strategic in scope, some technology vendors say. For example, several of the early platforms have the ability to rank threats according to their severity, the reputation of the data source, and/or the relevance of the threat to a specific organization. By collecting such data, the threat intelligence platform could eventually become a good tool for benchmarking enterprise cyber risk – a metric that is essential to the business but elusive in its measurement.
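The ingest, normalize, correlate and rank workflow the article attributes to these platforms, as an added example (not the code of ThreatQuotient, ThreatConnect, ThreatStream or any other vendor named here). It assumes two constructed feeds in different formats (a CSV export and a minimal STIX-style JSON document), analyst-assigned source reputation weights, and a "watched" set standing in for values already seen in the organisation's own logs; all of those are assumptions, not data from the page.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample feeds using documentation-reserved values, not real indicators.
FEED_CSV = """indicator,type,severity
203.0.113.7,ipv4,high
malicious.example,domain,medium
"""
FEED_JSON = json.dumps({"objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "pattern": "[domain-name:value = 'other.example']"},
]})

SOURCE_REPUTATION = {"feed_csv": 0.6, "feed_json": 0.9}  # assumed analyst-assigned weights
SEVERITY = {"high": 3, "medium": 2, "low": 1}

def parse_csv(text, source):
    """Normalize a CSV feed into a common indicator record."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"value": row["indicator"], "type": row["type"],
               "severity": SEVERITY[row["severity"]], "source": source}

def parse_stix_like(text, source):
    """Normalize a simplified STIX bundle (single-comparison patterns only)."""
    for obj in json.loads(text)["objects"]:
        if obj.get("type") != "indicator":
            continue
        lhs, _, rhs = obj["pattern"].strip("[]").partition(" = ")
        kind = {"ipv4-addr": "ipv4", "domain-name": "domain"}.get(lhs.split(":")[0], lhs)
        yield {"value": rhs.strip("'"), "type": kind, "severity": 2, "source": source}

def correlate(feeds, watched):
    """Merge by (type, value); rank by severity x best reputation, corroboration, relevance."""
    merged = defaultdict(lambda: {"sources": set(), "severity": 0})
    for parser, text, source in feeds:
        for ind in parser(text, source):
            entry = merged[(ind["type"], ind["value"])]
            entry["sources"].add(source)
            entry["severity"] = max(entry["severity"], ind["severity"])
    ranked = []
    for (kind, value), entry in merged.items():
        score = entry["severity"] * max(SOURCE_REPUTATION[s] for s in entry["sources"])
        score += 1.0 * (len(entry["sources"]) - 1)   # seen in more than one feed
        score += 2.0 if value in watched else 0.0     # relevance to our own environment
        ranked.append({"type": kind, "value": value,
                       "sources": sorted(entry["sources"]), "score": round(score, 2)})
    return sorted(ranked, key=lambda r: -r["score"])

FEEDS = [(parse_csv, FEED_CSV, "feed_csv"), (parse_stix_like, FEED_JSON, "feed_json")]
WATCHED = {"203.0.113.7"}  # constructed: values observed in the organisation's own logs
```

The ranked output is what a platform would hand to a SIEM or ticketing system; the indicator corroborated by both feeds and seen locally rises to the top, while single-source, unseen entries fall below it.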

"You could see it following a path similar to GRC [governance, risk, and compliance], only for threats," Baker says. "You’re using the platform to determine which threats are most important to your organization, who’s targeting you, where the risk is coming from. This is something that a lot of security people – and a lot of top executives – have been asking for."

And once the enterprise team can quickly identify its own compromises, threats, and risks, there is greater opportunity for information sharing among private enterprises and across entire industries, notes Paul Kurtz, co-founder and CEO of TruSTAR, a startup company that has developed a patented technology for the anonymous sharing of security compromise and threat data. TruSTAR’s goal is to build a community of members that quickly report new attacks and threats, sharing them with other organizations in a safe environment.

"The government-oriented initiatives for information sharing have frustrated a lot of private companies, because the information is not always shared quickly and government agencies own the keys and can identify the companies that are reporting," Kurtz observes. "What we wanted to do is create a place where you can anonymously report a problem or threat and be rewarded immediately by getting feedback on whether that threat has been seen in other places, and with what impact."

While threat intelligence platforms could help companies make sense of threat data at the enterprise level, TruSTAR will harvest data from many enterprises and data sources and make all of that data available to its members, Kurtz says. And it can be used today, without waiting for legislation or the slow movement of government-sponsored information sharing initiatives.

"If companies are exchanging data, they are finding out about new threats faster and taking action more quickly. That way, everybody’s job gets easier," Kurtz says. "It’s a classic case of a rising tide raising all boats."

One of the challenges that enterprises face as they look at new technology for aggregating and analyzing threat data is figuring out which tools to use. ThreatQuotient, which was founded by experienced security operations professionals, focuses heavily on operationalizing threat information. ThreatConnect, which was founded by former intelligence analysts, focuses on providing the best tools and capabilities for data analysis in the near term – and risk analysis in the longer term. ThreatStream, which was founded by former executives at SIEM vendors, provides strong integration between external threat intelligence feeds and internal SIEM systems; the company already has developed 12 different interconnects with systems that the enterprise may already have onsite.

"We’re all coming at it from different angles, but the fact that you see several vendors attacking the same problem helps to demonstrate the need and validate this whole category of products," Baker says. "I think you’ll see a lot more happening in this space."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
RedTigerLabs, 6/6/2015 | 9:25:49 AM
Threat Modeling without Compliance goals or Remediation is only "Art"
Visualization of threat information is a great first step. Toolsets need to build this information into resilience objectives that align with standards and policy objectives. This toolset, built into redtigerlabs dot com, was designed specifically for SCADA and Critical Infrastructure, where this information is needed most.
Cory-C, 6/4/2015 | 11:22:02 AM
Standards for federating threat intelligence information

As suggested in this article, federation across the many sources, platforms and tools for threat information is essential to understand and respond to the sophisticated threats we face today. We need to understand all threats and all hazards across all sources, particularly where cyber and physical come together. While startups can help, emerging standards are the key. There is an ongoing standards effort in the Object Management Group (OMG) to define a federating model such that tools that implement this standard will be able to federate, analyze and exchange information in a variety of formats and technologies. CSOs and threat intelligence vendors may want to engage in this standard to make sure it meets the needs of the community. More information can be found on threatrisk dot org.
