Addressing Threat Blindness

September 21, 2017 | Dan Barahona

In just four years since launching Anomali we’ve seen Threat Intelligence become a standard element of enterprise security programs. Last week we published a Ponemon Institute report on “The Value of Threat Intelligence” (our 2nd year sponsoring this research) – in it we found:

80%

of enterprises now leverage threat intelligence in their security programs

84%

indicated threat intelligence is “essential to a strong security posture”

Despite this rapid adoption we still see organizations struggling to take full advantage of threat intelligence. Fully 68% of Ponemon respondents said threat intelligence is too voluminous and complex. This speaks to the real promise of threat intelligence – what matters isn't the list of threats itself, but which of those threats are active in my environment. This requires finding the cross section between my threat feeds and my network activity.

New Versus Old Threats

Most organizations subscribe to numerous threat feeds, whether from open source, premium/3rd party, ISACs, government sharing, etc. Security teams will typically collect and accumulate millions of IOCs (indicators of compromise) from their various threat sources. Every day new threats are added to the list. As it turns out, we need to handle newly discovered threats differently than previously known threats. Here’s why:

Previously known threats: All previously known threats need to be monitored daily to make sure we haven't become a target. It's like routine health checks - we need to verify that nothing bad happened today from any of these threats.

Newly discovered threats: Newly discovered threats discovered threats are a different beast altogether. These threats became known today, but they didn't become bad today. They may have been active for weeks, months or years. Attackers do their best to stay under the radar. When new threats are discovered it’s not enough to be on the lookout for them going forward. Perhaps more importantly, we need to go back in time to see we’ve already been targeted by these actors.

Organizations Flying Blind

The challenge for security teams is how to realistically monitor for known threats and assess exposure to new threats on a daily basis.

Consider the previously known threats. Sounds easy enough to simply alert against any matches against my threat list. Here’s the issue – if you’re a moderate sized enterprise you’re likely generating 1 billion or more log events per day. If you’ve got a (relatively small) threat list of, say, 1 million indicators then you need to compare 1 billion events against 1 million threats. That’s 1,000 TRILLION comparisons per day!

Now consider newly discovered threats. Here you might get 10, 100, 1000 new threats on a given day. The challenge here isn’t the daily monitoring – it’s going back to assess prior exposure. Given how long attacks often take (200 days or more), it’s important to be able to back at least 1 year to get a clear picture of possible prior exposure. Let’s do the math: 1 billion events/day, 365 days, 100 new threats/day = 36.5 trillion comparisons.

The Ponemon survey asked respondents how much historical data they maintain online (e.g., in a SIEM). 72% keep 3 months or less. Plus, running a query over that amount of data would take hours or even days. The end result is organizations are pretty much flying blind with respect to the vast majority of these known threats. Our solution for this is Real Time Forensics.

Real Time Forensics

Anomali innovated the concept of Real Time Forensics (RTF) to address this fundamental threat visibility issue. RTF is the core technology that powers Anomali Enterprise. RTF is an extraordinarily powerful engine that can perform searches over massive amounts of data instantly. In just a few seconds RTF can literally:

  • Identify all matches for millions of IOCs across billions of events
  • Search years of historical data and return all matches

RTF does this WITHOUT duplicating log storage. It integrates with existing log repositories/sources such as SIEMs, syslog, Netflow/sFlow and AWS S3.

We developed RTF with three key objectives in mind:

VisibilityVisibility: providing complete visibility into all threats, all network activity, for all time
ClarityClarity: integrating threat context from ThreatStream to provide a complete picture of the threat and how to respond
AutomationAutomation: automatically evaluating new and existing threats; alerting security teams to real, active threats in their networks

These objectives aren’t new, but RTF’s capabilities give them a whole new meaning. The second an organization gets a hold of indicators from the latest network breach they can identify whether or not they were affected. Unmanageable data sets are no longer an obstacle to full threat visibility.

As it turns out, the future of security isn’t the ability to look forward, but the ability to look back.

Dan Barahona
About the Author

Dan Barahona

Dan is the Chief Marketing Officer at Anomali and leads the marketing and business development activities, bringing together his technical and background and business savvy. His career spans many sectors of security and many different roles.

Get the latest threat intelligence news in your email.