It is no secret that timely and accurate information is at the heart of any successful attack campaign. As we build up our defenses in the escalating conflict against cyberattacks, getting timely and accurate information to and from various defense agents, gateways, firewalls, sensors, and managers has become a critical part of the counter-attack.
Traditionally in IT systems, data is collected in logs, in scheduled batches, or as the result of an ad hoc pull or push action. If two products aren’t integrated, they won’t share data, and correlating data across them is often a manual and tedious process. In the cyberwar, shared data is critical, since a single piece of information from one data source, with no context, is seldom enough to confidently convict an offender.
Other IT applications have solved this problem by creating a message bus, a high-speed interconnect that lets components share information in real time. Intel’s Data Exchange Layer (DXL) brings this model to security. It provides an open way for security products to publish and subscribe to relevant information in real time. Why does speed matter? The good guys need all the help they can get. The latest Verizon Data Breach Investigations Report says that “75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours). Over 40% hit the second organization in less than an hour.”
In its first year, DXL was woven throughout the Intel Security portfolio as we evolved our product lines. Now in year two, our technology partners are integrating this messaging fabric based on a new software development kit (SDK) and releasing products and services that attach to DXL.
Titus, for example, has introduced its Classification Suite 4, which leverages DXL to extend data classification and information protection to detect insider threats and other inappropriate use of sensitive or confidential material. Where many of the initial DXL use cases have focused on threat-intelligence sharing, Titus is using DXL to publish data classification decisions in real time to take more appropriate security action based on the sensitivity level of the data as it happens.
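To make the two ideas above concrete (convicting an indicator only once more than one source provides context, and acting on a classification decision the moment it is published), here is an added example built on a small in-process publish/subscribe bus. It is illustrative code written for this article, not the DXL SDK, the Titus product, or any Intel Security component; the topic names, the "quorum of sources within a time window" rule, and the sample events are all constructed assumptions.

```python
"""Toy topic-based pub/sub bus with two subscribers: a threat correlator and a
classification enforcer. Constructed example; not the DXL SDK or any vendor code."""
from collections import defaultdict
from dataclasses import dataclass, field
import fnmatch
import time


@dataclass
class Message:
    topic: str          # hierarchical topic, e.g. "/threat/ips/alert" (assumed naming)
    payload: dict
    source: str         # which product published it
    ts: float = field(default_factory=time.time)


class MessageBus:
    """Deliver each published message to every callback whose pattern matches its topic."""

    def __init__(self):
        self._subs = defaultdict(list)  # pattern -> [callbacks]

    def subscribe(self, pattern, callback):
        self._subs[pattern].append(callback)

    def publish(self, msg):
        delivered = 0
        for pattern, callbacks in self._subs.items():
            if fnmatch.fnmatchcase(msg.topic, pattern):  # '*' also spans '/'
                for cb in callbacks:
                    cb(msg)
                    delivered += 1
        return delivered


class Correlator:
    """Convict an indicator only when at least `quorum` distinct sources report it
    within `window` seconds of each other; one source alone is never enough."""

    def __init__(self, quorum=2, window=3600):
        self.quorum, self.window = quorum, window
        self._sightings = defaultdict(dict)  # indicator -> {source: last ts}
        self.convicted = {}                  # indicator -> sorted list of sources

    def on_event(self, msg):
        indicator = msg.payload.get("indicator")
        if not indicator:
            return
        seen = self._sightings[indicator]
        seen[msg.source] = msg.ts
        for src, ts in list(seen.items()):   # forget sightings outside the window
            if msg.ts - ts > self.window:
                del seen[src]
        if len(seen) >= self.quorum and indicator not in self.convicted:
            self.convicted[indicator] = sorted(seen)


class ClassificationEnforcer:
    """Act on a classification decision as soon as it is published."""

    BLOCKED_LEVELS = {"confidential", "restricted"}  # assumed policy

    def __init__(self):
        self.actions = []  # (document, action) in the order decided

    def on_classification(self, msg):
        level = msg.payload["level"].lower()
        action = "block_transfer" if level in self.BLOCKED_LEVELS else "allow"
        self.actions.append((msg.payload["document"], action))
        return action


def run_demo():
    """Wire the subscribers to the bus and replay constructed sample events."""
    bus = MessageBus()
    correlator = Correlator(quorum=2, window=3600)
    enforcer = ClassificationEnforcer()
    bus.subscribe("/threat/*", correlator.on_event)
    bus.subscribe("/data/classification", enforcer.on_classification)

    # Two sources agree on one address within the window: convicted.
    bus.publish(Message("/threat/ips/alert", {"indicator": "203.0.113.7"}, "ips", ts=1000))
    bus.publish(Message("/threat/endpoint/connection", {"indicator": "203.0.113.7"}, "endpoint", ts=1200))
    # A second address is seen by two sources, but two hours apart: no conviction.
    bus.publish(Message("/threat/ips/alert", {"indicator": "198.51.100.9"}, "ips", ts=1300))
    bus.publish(Message("/threat/proxy/block", {"indicator": "198.51.100.9"}, "proxy", ts=1300 + 7200))
    # Classification decisions drive an immediate data-protection action.
    bus.publish(Message("/data/classification", {"document": "q3-forecast.xlsx", "level": "Confidential"}, "classifier"))
    bus.publish(Message("/data/classification", {"document": "lunch-menu.txt", "level": "Public"}, "classifier"))
    return correlator.convicted, enforcer.actions


if __name__ == "__main__":
    convicted, actions = run_demo()
    print("convicted:", convicted)
    print("actions:", actions)
```

The point of the correlator is the thesis of the article: the IPS alert and the endpoint connection event are each individually weak, but delivered over the same bus within minutes of each other they become a conviction, whereas the same two sources two hours apart stay below the bar. A real deployment would replace the in-memory bus with a broker and would tune quorum and window per indicator type.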
Instantaneous data exchange is the critical enabler of adaptive and resilient information security that enterprises require in today’s cyberwar. Obtaining and sharing information from multiple products across all parts of the network helps build the context needed to identify anomalous behavior as it happens.