Dark Reading is part of the Informa Tech Division of Informa PLC


Partner Perspectives
1/6/2015 12:10 PM
Michael Sentonas

Threat Intelligence: Sink or Swim?

The coming flood of threat-intelligence data from the Internet of Things and new classes of endpoints has organizations seriously evaluating their strategies.

Some customers that I speak with are uncertain about the nature, value, and best usage of threat intelligence. The term can mean global threat intelligence (very general), industry threat intelligence (more relevant to you), or local threat intelligence (what your own users, infrastructure, and systems experience). Harnessing any, let alone all, of these intelligence sources creates a big data challenge, now addressable with the combination of innovative threat intelligence platforms and security information and event management (SIEM) systems. Most companies are just getting their strategies in place for threat intelligence and its impact on traditional endpoints. When you factor in the Internet of Things (IoT), we’ll either drown in the data or find a way to swim. 

According to new Forrester research, “One in 10 US online adults has already used a fitness tracker,” and “Today, 68% of global technology and business decision-makers say that wearables are a priority for their firm, with 51% calling it a moderate, high, or critical priority” (Five Urgent Truths About The Future Of Wearables That Every Leader Should Know, December 2014).

The IoT includes connected consumer devices such as personal wearables for monitoring health and fitness, thermostats, smoke detectors, and home video monitors. Business systems, including heating and air conditioning systems, lighting, interior and exterior signage, and transportation sensors, are joining point-of-sale terminals and manufacturing controllers on the IoT. In addition, corporations are dreaming up innovative uses for devices such as smartwatches and silent sensors, whether as services to sell to their customers or as a way to make their own employees more productive, effective, or safe.

All of these devices process, transmit, and store data, from innocuous to highly personal. They also have vulnerabilities, making them not only potential attack targets, but also potential entry points to connected systems. As the newest members of the network, these devices will experience targeted attacks aimed at their vulnerabilities for entry to the enterprise.

With devices proliferating and the most mundane becoming network-connected, the number of potential back doors is almost immeasurable. We have already seen networks compromised via their HVAC systems, surveillance cameras, or smart meters. Why not through a water pump, light bulb, or door lock?

Vendors are actively working to protect the IoT, with chip-level security, firewalls, gateways, secure boot functions, authentication and access controls, and constraints on application execution. Intelligence from this front line will be critical to reducing time to detection and containment.

The challenge is making sense of this intelligence given the size and expanding scale of the data set. Visualize the number of devices on an electrical grid, manufacturing site, or city neighborhood: There are many more zeros on that number than in your typical enterprise network. Each device, firewall, and gateway will publish information on local behavior. Security messaging buses can quickly carry this info to affected and interested systems, making it available to the appropriate security operations center and incident-response team.

Then what?

As networks shift from a majority of human-interface devices (PCs and smartphones) to a majority of machine-to-machine devices, networked systems become more and more industry specific. Threat intelligence and defenses are one aspect of this path, gathering event and context data for vertical industries.

This new flood of data adds to security’s existing big data problem, at a time when security analysts are already overwhelmed with events and alerts and are trying to use high-performance analytics platforms such as Hadoop to find meaning in the masses of information. Log-management-oriented SIEM is already giving way to advanced systems that are proficient at filtering, processing, and evaluating this data and picking out anomalous events for further investigation. The IoT will accelerate this transition and put an even heavier burden on appropriate automation – this year’s “must-have” gift for security operations teams.
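The filtering step described above, where a device or gateway publishes local-behaviour readings on a messaging bus and only anomalous events reach the SOC, is the kind of automation the paragraph calls for (and the statistical-process-control approach 1eustace suggests in the comments below). The following is an added example, not code from the article or from Intel Security: a gateway-side SPC filter that learns a per-device baseline and forwards only out-of-control readings. Device names, metric names, the JSON field layout and every reading are constructed for illustration.

```python
"""Added example, not code from the article or from Intel Security: an
SPC-style anomaly filter that a gateway could run over the local-behaviour
readings that devices publish on a security messaging bus, so that only
out-of-control readings are forwarded to the SOC/SIEM. Device names, metric
names and readings below are constructed for illustration."""
import json
import math
from dataclasses import dataclass


@dataclass
class RunningStats:
    """Welford running mean / variance for one (device, metric) baseline."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # running sum of squared deviations from the mean

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stdev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


# Constructed bus traffic: one JSON record per reading, in arrival order.
# The field names are assumptions, not any vendor's schema.
BUS_MESSAGES = [
    '{"device": "hvac-7", "metric": "outbound_bytes", "value": 1200}',
    '{"device": "door-lock-3", "metric": "unlocks_per_hour", "value": 0}',
    '{"device": "smoke-det-2", "metric": "heartbeat", "value": 1}',
    '{"device": "hvac-7", "metric": "outbound_bytes", "value": 1180}',
    '{"device": "door-lock-3", "metric": "unlocks_per_hour", "value": 1}',
    '{"device": "smoke-det-2", "metric": "heartbeat", "value": 1}',
    '{"device": "hvac-7", "metric": "outbound_bytes", "value": 1250}',
    '{"device": "door-lock-3", "metric": "unlocks_per_hour", "value": 0}',
    '{"device": "smoke-det-2", "metric": "heartbeat", "value": 1}',
    '{"device": "hvac-7", "metric": "outbound_bytes", "value": 1210}',
    '{"device": "door-lock-3", "metric": "unlocks_per_hour", "value": 1}',
    '{"device": "smoke-det-2", "metric": "heartbeat", "value": 1}',
    '{"device": "hvac-7", "metric": "outbound_bytes", "value": 1190}',
    '{"device": "door-lock-3", "metric": "unlocks_per_hour", "value": 0}',
    '{"device": "smoke-det-2", "metric": "heartbeat", "value": 1}',
    # baselines learned; ordinary readings follow and are absorbed silently
    '{"device": "hvac-7", "metric": "outbound_bytes", "value": 1220}',
    '{"device": "smoke-det-2", "metric": "heartbeat", "value": 1}',
    # three readings a human should look at
    '{"device": "hvac-7", "metric": "outbound_bytes", "value": 58000}',
    '{"device": "door-lock-3", "metric": "unlocks_per_hour", "value": 14}',
    '{"device": "smoke-det-2", "metric": "heartbeat", "value": 0}',
]


def filter_anomalies(messages, warmup=5, threshold=3.0):
    """Return the readings outside mean +/- threshold*sigma of the baseline
    for their (device, metric), each tagged with the source that flagged it.

    The first `warmup` readings per key only train the baseline. Readings
    flagged as anomalous are NOT folded into the baseline, as in SPC, so a
    burst cannot quietly re-centre the control limits."""
    baselines = {}
    anomalies = []
    for raw in messages:
        evt = json.loads(raw)
        key = (evt["device"], evt["metric"])
        stats = baselines.setdefault(key, RunningStats())
        x = float(evt["value"])
        if stats.n < warmup:
            stats.update(x)  # still learning what "normal" looks like
            continue
        sigma = stats.stdev()
        if sigma == 0.0:
            # constant baseline (e.g. a heartbeat): any change is out of control
            z = 0.0 if x == stats.mean else math.inf
        else:
            z = abs(x - stats.mean) / sigma
        if z > threshold:
            anomalies.append({"device": evt["device"], "metric": evt["metric"],
                              "value": x, "z": round(z, 1),
                              "source": "gateway-spc"})
            continue
        stats.update(x)
    return anomalies


if __name__ == "__main__":
    for a in filter_anomalies(BUS_MESSAGES):
        print(a)
```

The zero-variance branch matters in practice: heartbeats and status flags are constant for weeks, so a naive z-score divides by zero exactly when the first deviation is most interesting. Flagged readings are kept out of the baseline so that a sustained exfiltration burst does not train itself into "normal".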

Vertical threat intelligence, such as what we are seeing with FS-ISAC and from governmental initiatives, will be normalized and correlated with local (my company) and global (the world) threat intelligence to help systems and their people decide what to do.

Vendors will provide device and vertical-industry level threat intelligence, just as they do today for existing endpoints. Your IoT can be protected, but protection will come by thinking about security as an integral part of the infrastructure, not as an afterthought.

Once anomalous behavior is detected and identified as a potential indicator of attack or indicator of compromise, it will be important to share it quickly within a trusted community. With the speed of execution and adaptation of current attacks, keeping a threat private will no longer be acceptable, nor will waiting for security alerts from centralized security teams. It will just take too long to rely on humans to notice and respond to urgent alerts. Instead, community-level information sharing and analysis centers will automatically gather and redistribute threat information to members. The goal remains the same: Security practice needs to move from farming all of the data reactively to hunting with it proactively. Shared threat intelligence, linked by a threat-intelligence exchange, combines global, national, local, vertical, and targeted threats into a customized, holistic view for each organization. 
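The holistic view described above combines global, vertical and local intelligence into one customized picture for each organization; the first comment below adds that tagging every indicator by source makes it possible to see which feeds actually provide value, and a later comment raises the privacy cost of sharing. The following is an added example, not code from the article or from Intel Security, that does all three: it merges source-tagged feeds, scores each feed against local sightings, and strips local context before an indicator is redistributed. Feed names, indicators, confidence values and sightings are constructed; addresses and domains come from the RFC 5737 / RFC 2606 documentation ranges.

```python
"""Added example, not code from the article or from Intel Security: merging
global, vertical and local indicator feeds into one source-tagged view, scoring
each feed by how many of its indicators were actually sighted locally, and
stripping local context before an indicator is redistributed to a sharing
community. Feed names, indicators and sightings are constructed; addresses
and domains use RFC 5737 / RFC 2606 documentation ranges."""
from collections import defaultdict

# Constructed feeds: (indicator_type, value, confidence 0-100, local context).
# Context is private detail that must not leave the organisation.
FEEDS = {
    "global": [
        ("ipv4", "203.0.113.10", 60, None),
        ("domain", "malware.example", 70, None),
        ("sha256", "<constructed-placeholder-sha256>", 90, None),
    ],
    "vertical-isac": [
        ("ipv4", "203.0.113.10", 85, None),
        ("domain", "phish.example", 80, None),
    ],
    "local": [
        ("ipv4", "198.51.100.7", 50,
         {"seen_on": "badge-reader-12", "site": "fab-2"}),
    ],
}

# Constructed local telemetry: indicator values our own sensors observed.
SIGHTINGS = {("ipv4", "203.0.113.10"), ("ipv4", "198.51.100.7")}

# The only fields that leave the organisation when an indicator is shared.
SHAREABLE_FIELDS = ("type", "value", "confidence")


def merge_indicators(feeds):
    """Collapse all feeds into one dict keyed by (type, value); each entry
    remembers every feed that carried it and the highest confidence seen."""
    merged = {}
    for feed, records in feeds.items():
        for itype, value, confidence, context in records:
            rec = merged.setdefault((itype, value), {
                "type": itype, "value": value, "confidence": 0,
                "sources": [], "context": None})
            rec["sources"].append(feed)
            rec["confidence"] = max(rec["confidence"], confidence)
            if context:
                rec["context"] = context
    return merged


def prioritised(merged):
    """Indicators corroborated by several feeds first, then by confidence."""
    return sorted(merged.values(),
                  key=lambda r: (-len(r["sources"]), -r["confidence"]))


def feed_value(merged, sightings):
    """Per feed: (indicators that matched a local sighting, indicators supplied).
    A feed whose matched count stays at zero quarter after quarter is a
    candidate for not renewing."""
    matched, total = defaultdict(int), defaultdict(int)
    for key, rec in merged.items():
        for feed in rec["sources"]:
            total[feed] += 1
            if key in sightings:
                matched[feed] += 1
    return {feed: (matched[feed], total[feed]) for feed in total}


def to_shareable(rec):
    """Minimal record for redistribution: the indicator itself, never the
    device, site or list of feeds that produced it."""
    return {k: rec[k] for k in SHAREABLE_FIELDS}


if __name__ == "__main__":
    view = merge_indicators(FEEDS)
    for rec in prioritised(view):
        print(rec["type"], rec["value"], rec["sources"], rec["confidence"])
    print(feed_value(view, SIGHTINGS))
    print(to_shareable(view[("ipv4", "198.51.100.7")]))
```

Keeping `sources` on every merged record is what makes the feed-value report possible later; dropping that tag at ingest, which many pipelines do to save space, is exactly what makes the renewal question unanswerable. The `to_shareable` projection is deliberately an allow-list rather than a deny-list, so a new context field added to local records cannot leak by default.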


Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ...
Comments
MichaelSentonas, User Rank: Apprentice
1/14/2015 | 8:24:51 PM
Device and industry threat intelligence

With all of the device and industry threat intelligence, I would love to tag all the information by source to make it easier to see what information is providing value. If I am not getting any value from certain feeds then maybe stop using them; that might be a nice "feature", especially to work out what you pay for in the upcoming year.

MichaelSentonas, User Rank: Apprentice
1/12/2015 | 4:02:01 PM
Re: What about privacy?
Protecting privacy is critical and needs to be carefully respected with any sharing. Sharing intelligence should never weaken or compromise privacy, but there is meaningful information that can be provided to help identify indicators of attack and compromise. There certainly have been a lot of proof-of-concept hacks on consumer-based IoT devices, but it's in the business where there will likely be real threats that we will see in 2015. Last year we saw an attack that used the HVAC system; this year it is plausible that we will see attacks that exploit IoT devices in the enterprise and then move laterally once inside. We should be capturing information from these devices and using the event information to better protect ourselves.
MichaelSentonas, User Rank: Apprentice
1/12/2015 | 12:09:05 PM
Re: Forwarding of all raw Data to Event Managers
You bring up a really good point. Most SIEM solutions today struggle as it is, so forwarding all the event information from so many additional devices will become a massive issue if you cannot correlate it quickly, and an even bigger problem if you cannot remove noise. That said, I want to know if someone unlocked a door, say in a semiconductor fabrication plant, when they were meant to be on holidays. To your point, big data can be a big problem in the security world when you are trying to find a very specific, targeted issue, but this is also when we need to move past the traditional SIEM products, which are fast becoming irrelevant, and adopt more analytics and contextualization.
RyanSepe, User Rank: Ninja
1/8/2015 | 9:31:34 AM
Re: Forwarding of all raw Data to Event Managers
That makes sense. I too am interested to see how the IoT will fare in terms of privacy, and also the difference in how enterprises will handle enterprise-issued devices versus personal devices, as the security safeguards will differ from device to device.
1eustace, User Rank: Strategist
1/7/2015 | 8:40:28 PM
Re: Forwarding of all raw Data to Event Managers
True, the volume of data would be enormous, but one could envision a solution involving distributed real-time processing by some, if not most, of the IoT nodes, which themselves happen to be computing devices. This would be similar to statistical process control (SPC) used in manufacturing, whereby humans would only be alerted on anomalies for closer examination. Create a hierarchical distributed processing architecture among processor-capable nodes and gateways and you may end up not needing a supercomputer after all. Improve algorithms with experience and you might just stand the chance to eliminate false alarms. It is actually a clever scheme, and probably an inevitable approach as IoT node count grows, but I worry about privacy as posted in another comment.
1eustace, User Rank: Strategist
1/7/2015 | 8:27:26 PM
What about privacy?
I love the idea of "community-level information sharing and analysis centers", but what about privacy? Forward event managers a winter day log in Canada that includes a sudden drop in energy consumption by the furnace, missing pet door activity, garage door access, a call to the vet, another garage door access, and the event managers will deduce with high probability of success that you came home to a sick dog. You inadvertently just gave away pertinent detail in the form of metadata. Point is, metadata is data and can reveal a lot more than actual data. When you start sharing IoT logs, where do you draw the line on privacy? Thoughts?
RyanSepe, User Rank: Ninja
1/7/2015 | 3:32:14 PM
Forwarding of all raw Data to Event Managers
Would you recommend with the IoT that all logs from these devices get forwarded to event managers? My worry is that with emerging technologies these new log streams won't be able to be processed efficiently until we fully comprehend their exploits. I feel in that case logs may just become noise. Thoughts?