Enterprises Should Bring Some Security Research In-House

Rapid7 researcher pleads case for enterprises to dedicate resources to analyze in-the-wild malware data to prioritize vulnerability mitigation
When it comes to prioritizing vulnerabilities, some security experts believe organizations put too much emphasis on the technical impact rankings from the security research community rather than focusing mitigation efforts on the attacks that are already actively targeting businesses similar to theirs. Next week, a security researcher with Rapid7 will present a talk at the UNITED Security Summit explaining how organizations should stop relying wholly on security companies for research into malware and instead build a malware analysis function in-house, one that can take general crimeware statistics and tailor them to the business's specific risk priorities.


"People still tend to prioritize the way that they react against vulnerabilities based on the old-fashioned rankings of technical impacts of a specific vulnerability, instead of realizing which vulnerabilities are actually being used in the wild and which are relevant to them because it goes after a specific asset or element of their company," says Claudio Guarnieri, security researcher for Rapid7.

An event focusing primarily on how to move security forward through better collaboration and innovation, UNITED Security Summit will feature a keynote by Dan Heath, the author of Switch, along with a slate of researchers like Guarnieri. For his part, Guarnieri will put forward the premise that enterprises would be much more effective at dealing with the flood of vulnerabilities announced each year if they were better able to analyze how these flaws are really being exploited by the bad guys and match that up with whether or not those attack trends are affecting the specific industry or infrastructure type relevant to the organization in question.

This means collecting publicly available data and combining that with data collected from the organization's own logs, SIEM feeds and collected malware to better track what's going on in the wild and inside the company itself to create a threat model far more customized to handle targeted attacks.

"So you should actually be deploying some internal infrastructure to collect threat intelligence (based on what's) being used in the wild and using the data itself for proactively blocking off malicious domains, malicious IPs and anything like that," he says. "Then combine those types of separate intelligence together with different technologies you already have in place for better-designed security."

Guarnieri plans on highlighting a tool he helped write called Cuckoo Sandbox that can help organizations with a piece of this intelligence: malware analysis. The open source tool automatically picks apart malware samples to offer statistics that give the user a view into how it works, the resources that it targets and the vulnerabilities it uses to wreak havoc. Utilizing a tool like that in-house against the type of malware most used within an organization's industry could show IT that some groups of vulnerabilities it focuses on mitigating quickly may not actually be used in the wild as often as another group of vulnerabilities getting the short shrift.
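The prioritization the two preceding paragraphs describe, combining sandbox-derived exploitation evidence with the organization's own asset inventory rather than ranking by published severity alone, can be expressed as a small scoring routine. The following is an added illustration, not code from the article, from Rapid7 or from the Cuckoo Sandbox project. All identifiers (VULN-0001 and so on), host counts and sandbox summaries are constructed placeholders, and the "exploited" lists assume the sandbox's native reports have already been reduced to the flaws each sample was observed exploiting; that simplified shape is an assumption, not Cuckoo's actual report format.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str   # placeholder identifier, not a real CVE number
    product: str   # software the flaw lives in
    cvss: float    # published technical severity, 0-10


# Constructed advisory feed: flaws the organization is deciding how to prioritize.
ADVISORIES = [
    Vulnerability("VULN-0001", "pdf-reader", 9.8),
    Vulnerability("VULN-0002", "office-suite", 7.5),
    Vulnerability("VULN-0003", "browser", 6.1),
    Vulnerability("VULN-0004", "database-server", 9.1),
    Vulnerability("VULN-0005", "legacy-mail-client", 8.8),
]

# Constructed asset inventory: hosts running each product (no legacy-mail-client deployed).
ASSET_COUNTS = {"pdf-reader": 40, "office-suite": 900, "browser": 1200, "database-server": 3}

# Constructed summaries of sandbox runs, one per analyzed sample, reduced to the
# flaws each sample exploited (a simplified shape assumed here, not a real report format).
SANDBOX_REPORTS = [
    {"sample": "sample-a", "exploited": ["VULN-0002"]},
    {"sample": "sample-b", "exploited": ["VULN-0002", "VULN-0003"]},
    {"sample": "sample-c", "exploited": ["VULN-0003", "VULN-0005"]},
    {"sample": "sample-d", "exploited": ["VULN-0002", "VULN-0002"]},  # duplicate entry
    {"sample": "sample-e", "exploited": []},  # no exploitation observed
]


def exploitation_counts(reports):
    """Number of analyzed samples seen exploiting each flaw (one count per sample)."""
    counts = Counter()
    for report in reports:
        counts.update(set(report["exploited"]))  # de-duplicate within a sample
    return counts


def prioritize(advisories, reports, asset_counts):
    """Rank flaws by local relevance rather than by published severity alone.

    Tier 0: exploited by analyzed malware AND present on the organization's assets,
            ordered by samples_exploiting * hosts_exposed, then CVSS.
    Tier 1: present on assets but not seen exploited; CVSS is the fallback order.
    Tier 2: not deployed here at all, whatever the severity or exploitation rate.
    Returns a list of dicts, highest priority first.
    """
    counts = exploitation_counts(reports)
    rows = []
    for vuln in advisories:
        hosts = asset_counts.get(vuln.product, 0)
        seen = counts.get(vuln.vuln_id, 0)
        if hosts == 0:
            tier = 2
        elif seen > 0:
            tier = 0
        else:
            tier = 1
        rows.append({
            "vuln_id": vuln.vuln_id,
            "tier": tier,
            "samples_exploiting": seen,
            "hosts_exposed": hosts,
            "cvss": vuln.cvss,
        })
    # Lower tier first; within a tier, larger exposure-weighted exploitation, then CVSS.
    rows.sort(key=lambda r: (r["tier"],
                             -(r["samples_exploiting"] * r["hosts_exposed"]),
                             -r["cvss"]))
    return rows


def ranking(advisories=ADVISORIES, reports=SANDBOX_REPORTS, asset_counts=ASSET_COUNTS):
    """Convenience wrapper returning just the ordered identifiers."""
    return [row["vuln_id"] for row in prioritize(advisories, reports, asset_counts)]


if __name__ == "__main__":
    for row in prioritize(ADVISORIES, SANDBOX_REPORTS, ASSET_COUNTS):
        print(row)
```

With the constructed data, the two highest-rated advisories by CVSS (VULN-0001 at 9.8 and VULN-0004 at 9.1) drop to the middle of the list because no analyzed sample exploits them, while the moderate-severity office-suite and browser flaws that the samples do exploit, on the most widely deployed software, move to the top; the mail-client flaw falls to the bottom despite being both severe and exploited, because nothing in the inventory runs it. Swapping in real sandbox output and a real asset inventory is the in-house work the article argues for.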

"Then you have a pretty good perspective on how the threat space looks and you're able to prioritize the security flaws you have in your infrastructure not by the severity of the vulnerability or of the malware itself but by the relevance of that specific type of thing to your infrastructure," he says. "So you can actually understand why one thing should be more important than another from a real world perspective, not just because some researcher told you so."
