Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/25/2012
11:45 AM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Security Intelligence = Table Stakes

Smart security practitioners know they can no longer rely on their vendors to provide the intelligence they need to deal with today's attacks

Evidently you can't be a player in the security market without some kind of security "intelligence," which is a fancy term for research. Two or three threat reports hit my inbox every week, many coming from vendors I've never heard of. If I wanted to read all of the reports issued each week, I wouldn't have time for anything else. Clearly the hype around intelligence is reaching a fever pitch, but isn't this more repackaged marketing hyperbole? Hasn't every security vendor had a research capability forever? Why is this any different?

To be clear, at surface level, it's not any different. Security research has been a mainstay since the AV vendors fielded teams of interns sitting in closets somewhere building signatures for the samples they got from the Wild List. A different but similar set of security researchers emerged when IDS devices needed to be fed with current signatures. But ultimately these first generation of researchers were all about keeping the signature databases up to date.

Obviously signatures aren't the way to detect much of anything nowadays. But that aspect of research (analyzing bad crap) hasn't changed that much, though the scale clearly has. Now a research team needs fancy big data engines, racks and racks of spindles, and hundreds of millions of sensors out there to stay on top of the bad stuff. That's a bit tongue in cheek, since the data analysis tools used by today's researchers are necessarily bigger because they have to deal with A LOT more data. This data needs to be normalized and correlated to see the patterns. So from that perspective security research continues to evolve.

The real difference between security research and security intelligence is the intel aspect. This was a concept I first learned over a decade ago when the research team at TruSecure had folks that actually penetrated hacker networks. They even trained a dude to speak Russian, so he could figure out what they were going to attack next. Guys like Brian Krebs now do this every day, but amazingly enough that was pretty novel back then. Of course, spy craft is maybe the third oldest profession, so the concept isn't new, but this practice hasn't always been commonplace in computer security.

Now every vendor has folks that troll around carder forums. They try to buy malware and subscribe to the DDoSaaS (yes, you can buy a denial of service attack as a service) offerings to track the tactics. They crowd-source attacks and try to shorten the window between when interesting malware shows up and when it's detected. They write up long reports to prove how smart they are. And they don't share anything interesting: That stuff they keep for themselves (and presumably their customers). Don't get me started on the "value" of intelligence as a reason to hoard it.

This is all good and well for the vendors, and it's even better for PR flacks and beat reporters who have an endless stream of uninteresting findings to drive page views. But targeted organizations out there need to take it one step further. The leading edge (dare I say "lean forward") practitioners are building their own security intel functions. Sure, they buy data from the vendors. But they take that data and apply it to their environment. These folks study their adversaries. They profile them and they learn their tactics. These folks realize they are in a battle. Maybe it's against a nation state, organized crime, or maybe even their competitors. And they are taking proactive steps to try to figure out what's coming. They no longer rely on the age old security tactic of reacting to what's already happened.

In fact, I believe we'll see a much bigger demand for security intelligence data moving forward which ultimately will change the perceived value of security products/services. Right now, the intelligence makes the product/service better. It's not something organizations buy as a stand-alone. Over time, as we see the increasing commoditization of inspection and policy enforcement, the value of vendors bring will be more about the knowledge they provide and less about their hardware or software agents.

A possibly unfortunate side effect will be furthering the gap between the security haves and have-nots. Putting more organizations below Wendy's security poverty line. But that's life. The rich get richer and the rest have their IP sold to the highest bidder.

So you have a choice. Do you continue to invest in stuff that doesn't work, or do you think a bit about the inflection Rich Mogull describes?

As always, the choice is not yours, it remains with your executives. Now is the time to start helping them understand why an internal security intelligence capability is table stakes in today's environment.

Mike Rothman is president of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8904
PUBLISHED: 2020-08-12
An arbitrary memory overwrite vulnerability in the trusted memory of Asylo exists in versions prior to 0.6.0. As the ecall_restore function fails to validate the range of the output_len pointer, an attacker can manipulate the tmp_output_len value and write to an arbitrary location in the trusted (en...
CVE-2020-8905
PUBLISHED: 2020-08-12
A buffer length validation vulnerability in Asylo versions prior to 0.6.0 allows an attacker to read data they should not have access to. The 'enc_untrusted_recvfrom' function generates a return value which is deserialized by 'MessageReader', and copied into three different 'extents'. The length of ...
CVE-2020-12106
PUBLISHED: 2020-08-12
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows unauthenticated users to send HTTP POST request to several critical Administrative functions such as, changing credentials of the Administrator account or connect the product to a rogue access point.
CVE-2020-12107
PUBLISHED: 2020-08-12
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows command injection via a text field, which allow full control over this module's Operating System.
CVE-2020-7374
PUBLISHED: 2020-08-12
Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the user ...