We’ve all heard of the No-Fly List. Managed by the FBI’s Terrorist Screening Center, the list bans people on it from boarding commercial aircraft within, into, or out of the United States. The No-Fly List is only one tactic that the U.S. uses in its fight against terrorism, but since its inception there haven’t been any plane-based attacks within U.S. borders. Although the list is certainly not perfect — it has been criticized for profiling and false positives, among other things — its effectiveness makes this type of intelligence-based defense worthy of consideration by all organizations that are regularly targeted by cyberthreats.
The Transportation Security Administration’s machines, checkpoints, and rules are analogous to many of the security devices that enterprises use, which include network monitoring tools, firewalls, and endpoint management systems. Just like air travel, enterprise networks play host to millions of “passengers” each day, in the form of information packets. Companies enforce rules to reduce the odds of being compromised. These measures work some of the time, but it is often hard to distinguish between risky traffic and good traffic, especially when risky traffic follows the rules. To address these shortcomings, enterprises require additional intelligence regarding the reputation, history, and context of the traffic on their networks.
A cyber No-Fly List can use deeper context and existing intelligence about digital traffic. With an up-to-date threat list, enterprises can stay informed about the many factors that reveal the true nature of network traffic, including whether it’s associated with a known threat, who and what might be behind it, and whether it has been reported as a threat to others.
Because all companies have unique characteristics and threat landscapes, there is no definitive or “master” cyber No-Fly List. Every company should develop its own threat list using the research that is most relevant to its industry, geography, business and other factors. Fortunately, there is an entire industry of cyber intelligence research providers that companies can draw on, which includes proven feeds and analysis from organizations like CrowdStrike, FlashPoint, Digital Shadows, and Intel 471. Additionally, there are threat intelligence platforms to help simplify, make sense of, and integrate the intelligence into existing infrastructures and processes.
Based on what threat intelligence platform providers have seen, just four years ago researchers were tracking around 100,000 cyber threat indicators. Today the threat indicators number in the hundreds of millions. A large enterprise easily records over 1 billion network and system events per day. To gain visibility into all active cyber threats in the network, an organization would have to look at all of those events and evaluate them against hundreds of millions of threat indicators. Doing this effectively requires having powerful tools to identify the malicious traffic hidden in vast quantities of legitimate traffic.
Threat intelligence platforms are a key to effectively identifying threats and malicious traffic. Finding these threats, however, is not an easy feat – CSOs and other decision makers are faced with a crowded intelligence space and a shortage of qualified cybersecurity staff. They must ensure that the platform they choose to manage their list is providing quality data that is highly relevant to both the industry and organization. Because of these challenges, technologies that automate collection, optimization and integration of threat intelligence play a critical role in helping companies build their cyber No-Fly lists.
Newly discovered cyber threats are an important part of the list. Every day, researchers identify thousands of new malicious indicators. Organizations can’t just start looking for threats; they must also identify whether their networks have already been infected. This means looking back over months or even years of traffic to identify breaches. This would be similar to adding a new terrorist cell to the No-Fly List and then identifying whether its members have already entered the country and when and where they have flown at any time in the past. Unlike humans, cyber actors can quickly and easily change their “fingerprints”; sophisticated actors monitor public threat lists, which show them when they’ve been detected. This is why it is critical to analyze network traffic history when evaluating new threats.
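The look-back described above, together with the earlier point about evaluating large event volumes against large indicator sets, can be sketched as follows. This is an added example, not code from the original article or any vendor: the event layout, host names, placeholder hashes and the `retro_match` function are assumptions, and the sample data is constructed (IP addresses come from documentation ranges).

```python
from datetime import datetime

# Constructed history: (timestamp, internal host, destination IP, file hash).
HISTORY = [
    ("2017-03-02T08:14:00", "ws-014", "198.51.100.23", None),
    ("2017-04-19T22:41:00", "ws-077", "203.0.113.9", None),
    ("2017-05-11T13:05:00", "srv-db2", "192.0.2.44", "hash-placeholder-aaa"),
    ("2017-06-27T09:30:00", "ws-014", "198.51.100.23", None),
    ("2017-06-28T10:02:00", "ws-102", "198.51.100.23", None),
]

# Constructed indicators just added to the list, with their publication time.
NEW_INDICATORS = [
    {"type": "ip", "value": "198.51.100.23", "published": "2017-06-27T15:00:00"},
    {"type": "hash", "value": "hash-placeholder-aaa", "published": "2017-06-27T15:00:00"},
    {"type": "ip", "value": "203.0.113.77", "published": "2017-06-27T15:00:00"},
]


def retro_match(history, indicators):
    """Scan stored events for newly listed indicators; one finding per indicator hit."""
    # Index the indicators once so each event costs a couple of dict lookups,
    # instead of comparing every event against every indicator.
    index = {(i["type"], i["value"]): datetime.fromisoformat(i["published"])
             for i in indicators}
    findings = {}
    for ts, host, dst_ip, file_hash in history:
        seen = datetime.fromisoformat(ts)
        for key in (("ip", dst_ip), ("hash", file_hash)):
            published = index.get(key)
            if published is None:
                continue
            f = findings.setdefault(key, {
                "indicator": key[1], "first_seen": seen, "last_seen": seen,
                "hosts": set(), "hits": 0, "hits_before_listing": 0})
            f["first_seen"] = min(f["first_seen"], seen)
            f["last_seen"] = max(f["last_seen"], seen)
            f["hosts"].add(host)
            f["hits"] += 1
            # Activity that predates the listing is what a forward-only
            # blocklist check would never have flagged.
            f["hits_before_listing"] += int(seen < published)
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for f in retro_match(HISTORY, NEW_INDICATORS):
        print(f["indicator"], f["first_seen"].isoformat(), sorted(f["hosts"]),
              f"{f['hits_before_listing']}/{f['hits']} hits predate listing")
```

The `first_seen` value and host set give incident responders the starting point and scope for each match, and the count of hits before listing shows how much of the activity occurred before the indicator was known.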
Despite these challenges, cyber No-Fly lists work. Our recent study of 1,000 cybersecurity experts found that over 80% use threat intelligence – aggregated data on threats and the actors behind them – in their daily security operations. They typically integrate this intelligence with internal monitoring and network equipment. Recent events like the WannaCry and Petya attacks demonstrate the need for rapid intelligence. Within hours of the Petya outbreak, threat intelligence providers began sending out specific, actionable threat indicators — the fingerprints of the attacker — so that organizations could put in place safeguards such as firewall blocking rules and network monitoring alerts.
The cyber No-Fly List approach works because it leverages one of the most effective tools in warfare – intelligence. By knowing in advance who existing and potential foes are, enterprises can take proactive steps to stop them from passing through their gates.
* This blog has been adapted from an original article, posted on Harvard Business Review.
Hugh has an illustrious 30-year career in the enterprise software industry. Hugh co-founded ArcSight in May 2000 and served as CTO as well as Executive Vice President of Research and Development. He led product development and product research at ArcSight, and expanded these responsibilities to lead all engineering and R&D efforts for HP Enterprise Security, the organization ArcSight became part of post-acquisition. After HP, Hugh was an advisor and entrepreneur at investment firm, Kleiner Perkins Caufield & Byers (KPCB). Hugh has also been honored with the Northern California Ernst & Young LLP Entrepreneur of The Year award in 2010.