At the headquarters of a major bank in New York, a team of IT security specialists is poring over reams of data. They’ve just received word that there’s a new online banking exploit in the wild, and they’re working against the clock to figure out what the attack looks like – and whether it has breached their defenses. At this moment, though, their enemy isn’t a hacker. It’s the dozens of disparate, uncoordinated data feeds that might contain information about the new threat – but can only be scanned manually.
Every day, security operations center (SOC) staffs in all types of industries and geographies are faced with scenarios similar to this one. They’ve subscribed to many different threat intelligence feeds that promise insight on the latest attacks -- but now they’ve got so much data that identifying and correlating information about a single attack is like finding a needle in a haystack. And if they don’t find the key threat data they need, they could leave their organizations open to a damaging attack.
Several startup technology vendors – including one, ThreatQuotient, just emerging from stealth today – have launched recently to help enterprises aggregate and correlate incoming threat data from many different sources and speed the process of digging out the relevant indicators of compromise. These "threat intelligence platforms" promise to provide a single funnel for channeling and analyzing the growing firehose of threat data emanating from dozens of disparate threat intelligence services and open-source organizations that provide notifications of newly emerging exploits and vulnerabilities.
Another startup, TruSTAR, promises to advance the security information sharing process by providing the means to anonymously report and share threat and breach data across enterprises -- and eventually, entire industries.
"Security analysts are being inundated with threat information," notes Wayne Chiang, CEO and co-founder of ThreatQuotient, which announced its official launch June 2. "It’s reached the point where that glut of data is preventing them from doing the one thing that all of these feeds were supposed to do in the first place, which is to identify the threats that are relevant to their organizations and respond."
Threat intelligence platforms -- a new category of software and services coming from emerging players such as ThreatConnect, ThreatQuotient, and ThreatStream – promise to aggregate and help correlate threat data emanating from the growing base of threat intelligence service providers, such as CrowdStrike and iSight Partners. The platform vendors, all less than three years old, offer a single portal for analyzing data not only from commercial providers, but from open-source threat data providers such as US-CERT.
"Threat intelligence is one of the fastest ways of getting real information about new attacks and detecting the indicators of advanced, sophisticated attacks," says Wade Baker, vice president of strategy and risk analytics at ThreatConnect. Baker formerly was a founding author of Verizon Business’ Data Breach Investigations Report (DBIR), one of the industry’s best-known sources of information about IT security compromises. "Threat intelligence works – the problem is just that there’s so much information that it’s difficult to organize and confusing to the people who have to develop a response."
The problem, experts say, is that there are so many sources of threat information – and threat data is not filed in a common format. Mitre Corp. has helped the situation by developing the specifications known as Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII), but threat reports can still be found in many different formats, ranging from simple text to PDF documents and Excel spreadsheets.
"STIX and TAXII help, but we still find a lot of threat data that is in lots of different formats, and a lot of it contains information that shouldn’t be in the stream," says Colby DeRodeff, chief strategy officer at ThreatStream.
Most large enterprises use security information and event management (SIEM) systems to aggregate and analyze their internal security log and event data. But SIEM data requires a good deal of filtering, DeRodeff notes, and simply pouring threat data into a SIEM system can create an overabundance of false positives that cause alarm bells to ring unnecessarily -- and may cause security operations teams to expend time unproductively.
SIEM systems may also not support the various tools that security data analysts use to evaluate threat data, Baker says. "SIEM works well for collecting event data, but it’s not a great toolbench for data analysts," he states.
Threat intelligence platforms provide a lighter, more versatile system for importing threat data from many different sources, correlating that data, and then exporting it to systems such as SIEM or trouble ticketing systems that can trigger the IT staff to take steps toward remediation. A threat intelligence platform significantly reduces the time spent by data analysts to aggregate and rationalize the threat data they receive, the technology vendors say. And it may also help enterprises to identify the threat sources and data that are the most useful and accurate for their own environment, potentially reducing the costs associated with unnecessary commercial threat feeds.
"Ultimately, we can give you a sense for how much value there is in a feed," says Chiang. "But for the near term, the biggest benefit is the time it saves the people who do the analysis. We’re giving them a way to operationalize all of the data they are getting, putting them in a better position to act on it."
Over the longer term, threat intelligence platforms have the potential to become more strategic in scope, some technology vendors say. For example, several of the early platforms have the ability to rank threats according to their severity, the reputation of the data source, and/or the relevance of the threat to a specific organization. By collecting such data, the threat intelligence platform could eventually become a good tool for benchmarking enterprise cyber risk – a metric that is essential to the business but elusive in its measurement.
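The pipeline the vendors describe in the preceding paragraphs (ingest feeds that arrive in different formats, normalize them to one indicator vocabulary, correlate the same indicator across sources, then rank by source reputation and corroboration) is illustrated below as an added example. It is not code from ThreatQuotient, ThreatConnect, ThreatStream or any other company named in this article. The three feed blobs, the source names, the reputation weights and the STIX-style JSON field names are all constructed for illustration; the scoring rule (noisy-OR of source weights) is one reasonable choice, not a vendor's method.

```python
"""Normalize indicators from heterogeneous feeds, correlate them, and rank them.

Added example, not a vendor's code. Feed contents, source names and
reputation weights are constructed for illustration.
"""
import csv
import io
import json
import re
from collections import defaultdict, namedtuple

# One observation of an indicator by one feed.
Observation = namedtuple("Observation", "ioc_type value source")

# Constructed sample feeds in three of the shapes the article mentions:
# a free-text bulletin, a CSV export of a spreadsheet, and a JSON bundle
# loosely modelled on STIX indicator patterns (field names are assumptions).
TEXT_FEED = """# constructed free-text bulletin
Observed C2 at 203.0.113.10 and 203.0.113.11, payload hash
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""
CSV_FEED = """indicator,type
203.0.113.10,ipv4
Malware.Example,domain
"""
JSON_FEED = json.dumps({"objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "pattern": "[domain-name:value = 'malware.example']"},
    {"type": "relationship"},  # non-indicator object, skipped
]})

# Constructed per-source reputation weights in [0, 1].
SOURCE_WEIGHT = {"bulletin": 0.4, "csv_feed": 0.6, "stix_feed": 0.9}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b")
STIX_PATTERN_RE = re.compile(r"\[([\w-]+):value = '([^']+)'\]")


def normalize_type(ioc_type):
    """Map the type vocabularies of the different feeds onto one."""
    return {"ipv4-addr": "ipv4", "domain-name": "domain", "ip": "ipv4"}.get(ioc_type, ioc_type)


def parse_text(blob, source):
    """Pull IPv4 addresses and SHA-256 hashes out of unstructured text."""
    obs = [Observation("ipv4", m, source) for m in IPV4_RE.findall(blob)]
    obs += [Observation("sha256", m, source) for m in SHA256_RE.findall(blob)]
    return obs


def parse_csv(blob, source):
    """Read an 'indicator,type' CSV; values are case-folded so they correlate."""
    return [Observation(normalize_type(row["type"]), row["indicator"].strip().lower(), source)
            for row in csv.DictReader(io.StringIO(blob))]


def parse_stix_like(blob, source):
    """Read indicators whose pattern is a single '[type:value = '...']' comparison."""
    obs = []
    for obj in json.loads(blob).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = STIX_PATTERN_RE.match(obj.get("pattern", ""))
        if m:
            obs.append(Observation(normalize_type(m.group(1)), m.group(2).lower(), source))
    return obs


def correlate(observations):
    """Group observations of the same (type, value) and record which sources saw it."""
    by_ioc = defaultdict(set)
    for o in observations:
        by_ioc[(o.ioc_type, o.value)].add(o.source)
    return by_ioc


def score(sources):
    """Noisy-OR of source weights: an indicator corroborated by several sources
    outranks one reported by any single source, even a well-regarded one."""
    miss = 1.0
    for s in sources:
        miss *= 1.0 - SOURCE_WEIGHT.get(s, 0.0)
    return round(1.0 - miss, 3)


def rank_indicators(feeds):
    """feeds: list of (parser, blob, source). Returns indicators sorted by score, then value."""
    observations = []
    for parser, blob, source in feeds:
        observations.extend(parser(blob, source))
    ranked = [{"type": t, "value": v, "sources": sorted(srcs), "score": score(srcs)}
              for (t, v), srcs in correlate(observations).items()]
    ranked.sort(key=lambda r: (-r["score"], r["value"]))
    return ranked


FEEDS = [(parse_text, TEXT_FEED, "bulletin"),
         (parse_csv, CSV_FEED, "csv_feed"),
         (parse_stix_like, JSON_FEED, "stix_feed")]

if __name__ == "__main__":
    for row in rank_indicators(FEEDS):
        print(f"{row['score']:.3f}  {row['type']:7} {row['value']:66} {','.join(row['sources'])}")
```

The output of `rank_indicators` is the kind of normalized, scored list that would then be exported to a SIEM or ticketing system; the per-source weights are also where a platform can learn, over time, which feeds produce corroborated indicators and which produce noise.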
"You could see it following a path similar to GRC [governance, risk, and compliance], only for threats," Baker says. "You’re using the platform to determine which threats are most important to your organization, who’s targeting you, where the risk is coming from. This is something that a lot of security people – and a lot of top executives – have been asking for."
And once the enterprise team can quickly identify its own compromises, threats, and risks, there is greater opportunity for information sharing among private enterprises and across entire industries, notes Paul Kurtz, co-founder and CEO of TruSTAR, a startup company that has developed a patented technology for the anonymous sharing of security compromise and threat data. TruSTAR’s goal is to build a community of members that quickly report new attacks and threats, sharing them with other organizations in a safe environment.
"The government-oriented initiatives for information sharing have frustrated a lot of private companies, because the information is not always shared quickly and government agencies own the keys and can identify the companies that are reporting," Kurtz observes. "What we wanted to do is create a place where you can anonymously report a problem or threat and be rewarded immediately by getting feedback on whether that threat has been seen in other places, and with what impact."
While threat intelligence platforms could help companies make sense of threat data at the enterprise level, TruSTAR will harvest data from many enterprises and data sources and make all of that data available to its members, Kurtz says. And it can be used today, without waiting for legislation or the slow movement of government-sponsored information sharing initiatives.
"If companies are exchanging data, they are finding out about new threats faster and taking action more quickly. That way, everybody’s job gets easier," Kurtz says. "It’s a classic case of a rising tide raising all boats."
One of the challenges that enterprises face as they look at new technology for aggregating and analyzing threat data is figuring out which tools to use. ThreatQuotient, which was founded by experienced security operations professionals, focuses heavily on operationalizing threat information. ThreatConnect, which was founded by former intelligence analysts, focuses on providing the best tools and capabilities for data analysis in the near term – and risk analysis in the longer term. ThreatStream, which was founded by former executives at SIEM vendors, provides strong integration between external threat intelligence feeds and internal SIEM systems; the company already has developed 12 different interconnects with systems that the enterprise may already have onsite.
"We’re all coming at it from different angles, but the fact that you see several vendors attacking the same problem helps to demonstrate the need and validate this whole category of products," Baker says. "I think you’ll see a lot more happening in this space."