Getting intel into the right hands – early and fast – is part of a new approach in adversary detection
When one walks the floor of a major security trade show such as RSA 2022, it’s hardly a shock to find the concept of “intelligence” – or intel, for short – emerging as a consistent theme and getting so much attention. But the topic is even more pressing at this year’s confab given the pickup in the intensity and sophistication of attacks.
It’s also why some of the heavy hitters in the security world gathered at RSA to participate in a panel discussion centered around “Using Critical Threat Intelligence Strategically.” The discussion focused on the growing collaboration between the private and public sectors and on how different applications of intelligence are helping enterprises mitigate potential issues before they become incidents.
The panelists extended kudos – rightfully – to the public and private bodies who helped bring about the formation of the Joint Cyber Defense Collaborative last year. This collaboration between federal agencies and the private sector, led by the Cybersecurity and Infrastructure Security Agency (CISA), marks an important advance in making the nation’s cyber defenses more robust through closer planning, preparation, and information sharing.
Information sharing is part of Anomali’s DNA, particularly in our industry-centric communities where security professionals from around the world can engage safely, without fear of compromise. While this concept is still being developed and vetted with internal and external stakeholders, we are committed to a “rising tide” view of safety and security.
During the panel discussion, an NSA panelist lauded the combination of experts and “in the trenches” knowledge to generate context around the data. The pairing of insight and human intel surely is all to the good. For example, the CISA panelist marked the JCDC’s response to Log4j as a significant milestone in private-public collaboration. In addition to creating a public-facing website so organizations could see if any of the software/hardware they run was susceptible to Log4j, the panelist noted that behind the scenes, they were also tracking adversaries who were looking to exploit Log4j, and examining what sectors were targeted.
At Anomali, we see adversaries working in concert on a daily basis to further their ends, and we believe it’s impossible to truly secure companies and the people that rely on them without doing the same.
Moving from Reactive to Proactive
When we consider adversary detection and response, which we believe will fulfill the ultimate promise of XDR, it becomes clear that relevant intelligence is key to the security of every company and every individual. Why? Because critical threat intelligence should do more than inform and remediate. To secure the future, the promise of big data in cybersecurity cannot stop at understanding. It must extend all the way to the identification of adversaries and the prevention of attacks. And it must be relevant to those using it, when they need it.
How do we get there?
Intelligence is only as good as the data that informs it, and that data has long been constrained by siloed systems and by the traditional separation between the public and private sectors when it comes to sharing information. Yet the results of collaborations like that of the JCDC, as discussed during the RSA panel session, show that more detailed preparation and prevention are possible.
We’ve said many times in this blog that we at Anomali believe in shifting the cybersecurity emphasis from the attack to the attacker. Savvy security professionals understand this. And so, as they make investments in intelligence, they are looking to become more strategic in their detection approach—and thus, more proactive.
All the data being gathered — we refer to it as “telemetry,” or the X in XDR — when combined with intelligence, translates into knowledge that keeps organizations secure. Data gets put to tactical, operational, and strategic use — and that’s assuming you can collect, analyze, and then know what to do with that trove of information.
Different security vendors take different approaches toward becoming more strategic in detection. Ours is based on a differentiated XDR solution that focuses on adversary patterns instead of victim behavior. The bigger idea here is to move beyond reactive incident response and bolster an organization’s security posture before an attack arrives.
Deploying Critical Threat Intel to Make a Difference
The other critical piece of this is collaboration between entities like Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs). Intelligence sharing is foundational to Anomali, and we have been following a model similar to the one discussed in this week’s RSA panel. It’s based on the notion that shared intelligence and integrated data across systems and entities are required for a more secure future.
This approach hinges on using a secure and automated threat-sharing platform to streamline the sharing and integration of intelligence across different security ecosystems. The result: more intelligent operations with a broader insight into potential threats — and the ability to immediately detect them.
Think about it: How many recent breaches have been limited to a single entity? Adversaries rely on the likelihood that if they attack multiple entities from multiple angles, they’re bound to find an opening. If we can share information and intelligence across traditional boundaries, we’ll be better off. We might even find a new imperative for the industry.
What might this look like?
It means having the ability to target an attacker’s tactics, techniques, and procedures to home in on an attack’s origins, even determining when it’s likely to arrive. With a global repository of intelligence gathered from over one hundred million attack sensors, our teams have a unique weapon they can deploy to stop attackers before they strike. This is how intelligence can change the constellation of forces in adversary detection and allow organizations to become proactive.
For additional information, check out the following resources: