Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

12/3/2019
10:00 AM
Paul Kurtz
Paul Kurtz
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Leveraging the Cloud for Cyber Intelligence

How fusing output datasets and sharing information can create a real-time understanding of suspicious activity across your enterprise.

In a recent New York Times opinion piece, National Security Agency General Counsel Glenn Gerstell described how traditional national security systems, developed after World War II, dependably gave early warning of foreign military developments, such as firing missiles and the movement of tanks, aircraft, ships, and submarines. Fusing telemetry data with advanced surveillance technology gave us a level of confidence that we were safe and could manage contingencies. However, Gerstell makes a compelling argument that that is no longer the case. The technology revolution has "upended" our national security infrastructure and institutions, according to Gerstell.

Gerstell is not alone in his thinking. Joseph Hill, the acting director of National Intelligence, also believes cyberspace is our biggest vulnerability. Outside of government and the military, a recent survey of America’s businesses of all sizes, conducted by Travelers Companies, found that cybersecurity was respondents' No. 1 concern.

As an enterprise leader, it is worth recalling why our post-World War II strategy was successful: We integrated what we knew about foreign military developments in real time. Unfortunately, today we are too focused on finding a better mousetrap and not integrating what we know.

Time to Stop Playing Security Whack-a-Mole
I recently spoke with a CISO about how he won approval to procure 15 tools to bolster security operations but heard little about fusing output datasets to create a real-time understanding of suspicious activity across the enterprise.

The CISO's focus was on more analysts, who are hard to find and burn out quickly from a daily whack-a-mole game of responding to redundant incidents without correlating them with what they've seen in the past. Companies that can afford one of everything acknowledge this strategy generates too much noise. The combination of too many tools, redundant threat feeds, and analyst burnout leads companies to spend more and become less secure. This strategy at-scale becomes even more inefficient and costly when whole sectors and industries choose to "tool up" rather than take a disciplined approach of managing and fusing cyber intelligence. We must reset our strategy on how best to secure ourselves rather than search for a better mousetrap (or buy more of them). We must fuse the tools that we already have.

How to Leverage What You Have
Start by taking a page from how security teams handle traditional security threats to weave together a system of ecosystems in the cloud. There are typically three stages.

Stage 1. Companies leveraging the cloud fuse alerts from their own systems with their external intelligence providers. This requires companies to easily integrate the output from their existing tech stack (SIEM, EDR, case management, orchestration) with input from internal intel sources without disrupting analyst workflow.

Stage 2. Layer in security-related activity beyond security operations to fraud and abuse. Each leads to security problems within the enterprise and for companies down-range. For example, account takeovers (ATOs) can not only be used for malicious activity inside a company but can also lead to adversaries misusing an account to attack others.

Stage 3. Reach out to other companies to exchange information about your common security and fraud challenges. This is where the cloud holds significant advantages as companies choose partners based on a variety of needs, ranging from securing supply chains to battling specific threats within and between sectors. The cloud allows both the public and private sector to work with each other. Rather than just sharing information, companies can define use cases and have the means to quickly and seamlessly exchange and analyze data. The cloud also enables companies to derive insights and trends within their own company as well as how they compare with others.

A New Model: LA CyberLab
Hundreds of companies are already changing course to a cloud-based model to fuse their internal data with external threat information. They ingest and enrich cyber intel from a variety of tools ranging from security event management systems to endpoint detection and case management systems to third-party intelligence. A successful platform combines several capabilities: ingesting and normalizing structured and unstructured data, permissions and access management, fusing and enriching data, and redacting sensitive and proprietary information. A platform must also be extensible so that companies can fuse data between separate security-related operations such as security operations centers, fraud, and internal investigations within companies and between companies.

In September, Los Angeles Mayor Eric Garcetti launched the LA CyberLab, a TruStar customer, to fuse data from the public and private sector, local municipalities, and consumers. The exchange of suspicious event data will speed investigations, identify trends, and ultimately improve security. It has backing from the mayor, the Department of Homeland Security, IBM, innovative technology platforms, as well as some of Los Angeles' biggest business leaders.

LA's model can be replicated, creating new ecosystems of fused data involving suspicious events. Leaders recognized that threat actors commodify and replicate attacks across sectors and local, state, and federal government. Sector-based sharing models like ISACs and ISAOs will remain important, but LA's model is different. The potential power of fusion is immense when we start to think about security in terms of interconnected systems instead of siloing data between tools and sectors. We must converge our cyber intelligence systems in order to achieve full visibility of the attack landscape. We should look to LA as a model of where we must go.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "In the Market for a MSSP? Ask These Questions First"

Paul Kurtz is the CEO and cofounder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the managing partner ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
joshuaprice153
50%
50%
joshuaprice153,
User Rank: Apprentice
12/11/2019 | 1:54:13 AM
Leveraging the Cloud for Cyber Intelligence
For someone new like me, you've introduced the topic fairly effective that I can easily grasp your points. I look forward to more practical entries like this. thanks. pressure washing Port Orange
 
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9720
PUBLISHED: 2020-01-24
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
CVE-2015-1525
PUBLISHED: 2020-01-24
audio/AudioPolicyManagerBase.cpp in Android before 5.1 allows attackers to cause a denial of service (audio_policy application outage) via a crafted application that provides a NULL device address.
CVE-2015-1530
PUBLISHED: 2020-01-24
media/libmedia/IAudioPolicyService.cpp in Android before 5.1 allows attackers to execute arbitrary code with media_server privileges or cause a denial of service (integer overflow) via a crafted application that provides an invalid array size.
CVE-2015-2688
PUBLISHED: 2020-01-24
buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle unexpected arrival times of buffers with invalid layouts, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets.
CVE-2015-2689
PUBLISHED: 2020-01-24
Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle pending-connection resolve states during periods of high DNS load, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets.