Threat Intelligence: Sink or Swim?The coming flood of threat-intelligence data from the Internet of Things and new classes of endpoints has organizations seriously evaluating their strategies.
Some customers that I speak with are uncertain about the nature, value, and best usage of threat intelligence. The term can mean global threat intelligence (very general), industry threat intelligence (more relevant to you), or local threat intelligence (what your own users, infrastructure, and systems experience). Harnessing any, let alone all, of these intelligence sources creates a big data challenge, now addressable with the combination of innovative threat intelligence platforms and security information and event management (SIEM) systems. Most companies are just getting their strategies in place for threat intelligence and its impact on traditional endpoints. When you factor in the Internet of Things (IoT), we’ll either drown in the data or find a way to swim.
According to new Forrester research, “One in 10 US online adults has already used a fitness tracker,” and “Today, 68% of global technology and business decision-makers say that wearables are a priority for their firm, with 51% calling it a moderate, high, or critical priority” (Five Urgent Truths About The Future Of Wearables That Every Leader Should Know, December 2014).
The IoT includes connected consumer devices such as personal wearables for monitoring health and fitness, thermostats, smoke detectors, and home video monitors. Business systems, including heating and air conditioning systems, lighting, interior and exterior signage, and transportation sensors, are joining point-of-sale terminals and manufacturing controllers on the IoT. In addition, corporations are dreaming up innovative uses for devices such as smartwatches and silent sensors, whether as services to sell to their customers or as a way to make their own employees more productive, effective, or safe.
All of these devices process, transmit, and store data, from innocuous to highly personal. They also have vulnerabilities, making them not only potential attack targets, but also potential entry points to connected systems. As the newest members of the network, these devices will experience targeted attacks aimed at their vulnerabilities for entry to the enterprise.
With devices proliferating and the most mundane becoming network-connected, the number of potential back doors is almost immeasurable. We have already seen networks compromised via their HVAC systems, surveillance cameras, or smart meters. Why not through a water pump, light bulb, or door lock?
Vendors are actively working to protect the IoT, with chip-level security, firewalls, gateways, secure boot functions, authentication and access controls, and constraints on application execution. Intelligence from this front line will be critical to reducing time to detection and containment.
The challenge is making sense of this intelligence given the size and expanding scale of the data set. Visualize the number of devices on an electrical grid, manufacturing site, or city neighborhood: There are many more zeros on that number than in your typical enterprise network. Each device, firewall, and gateway will publish information on local behavior. Security messaging buses can quickly carry this info to affected and interested systems, making it available to the appropriate security operations center and incident-response team.
As networks shift from a majority of human-interface devices (PCs and smartphones) to a majority of machine-to-machine devices, networked systems become more and more industry specific. Threat intelligence and defenses are one aspect of this path, gathering event and context data for vertical industries.
This new flood of data adds to security’s existing big data problem, when security analysts are already being overwhelmed with events and alerts, trying to leverage high performance analytics like Hadoop to find meaning in the masses of information. Log management-oriented SIEM is already giving way to advanced systems that are proficient at filtering, processing, and evaluating this data, picking out anomalous events for further investigation. The IoT will accelerate this transition and put an even heavier burden on appropriate automation – this year’s “must-have” gift for security operations teams.
Vertical threat intelligence, such as what we are seeing with FS-ISAC and from governmental initiatives, will be normalized and correlated with local (my company) and global (the world) threat intelligence to help systems and their people decide what to do.
Vendors will provide device and vertical-industry level threat intelligence, just as they do today for existing endpoints. Your IoT can be protected, but protection will come by thinking about security as an integral part of the infrastructure, not as an afterthought.
Once anomalous behavior is detected and identified as a potential indicator of attack or indicator of compromise, it will be important to share it quickly within a trusted community. With the speed of execution and adaptation of current attacks, keeping a threat private will no longer be acceptable, nor will waiting for security alerts from centralized security teams. It will just take too long to rely on humans to notice and respond to urgent alerts. Instead, community-level information sharing and analysis centers will automatically gather and redistribute threat information to members. The goal remains the same: Security practice needs to move from farming all of the data reactively to hunting with it proactively. Shared threat intelligence, linked by a threat-intelligence exchange, combines global, national, local, vertical, and targeted threats into a customized, holistic view for each organization.
Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ... View Full Bio