July 29, 2014
Hugh Njemanze

There Has to Be a Better Way

Like SIEM 14 years ago, threat intelligence is an exciting new market in the realm of security. It has gotten so much attention in the past year that it would be easy to think that threat intelligence is a mature market, but no; we are still in the early days of defining threat intelligence products, and of determining whether and how to share intelligence within and outside of a given organization.

Much of the public discussion around threat intelligence has focused on the debate taking place within enterprises, government agencies, and industries regarding the sharing of threat intelligence. There are some notable efforts pointing in the right direction, such as the Information Sharing & Analysis Centers, or ISACs, that provide a trusted threat-sharing environment among organizations within specific industries – such as finance, retail, oil and gas, and the auto industries. However, the kind of threat sharing that transpires within an ISAC is largely based on human-readable or anecdotal information shared among peers; not the high-volume, high-speed threat data that an organization’s security products are flagging literally every second of every day.

As the growth in the number of ISACs indicates, it’s clear many enterprise security executives and practitioners support the notion that threat information sharing can have a dramatic impact on how an organization protects and defends itself. It just makes sense that if Company A can provide early warning to Company B about a new threat or bad actor based on direct observation, then Company B can put protective measures in place that enable it to avoid falling victim to that threat, or to recover more quickly if the threat still succeeds in gaining a foothold. But sharing this information requires that Company A reveal a vulnerability that could potentially have a material impact on its reputation. There needs to be a trust relationship between organizations – something the ISACs try to foster by keeping a wall around their industry participants – in order for real threat sharing to take place.

Ironically, this kind of informal or collegiate information sharing and collaboration between organizations can look very similar to “insider threat” activity to an organization’s perimeter defenses. If a human is emailing or sharing files of corporate data with another organization in the same industry segment, that could be an insider leaking corporate data to a competitor. And so the protections in place to deter and detect this behavior also make it culturally challenging for many organizations to even contemplate this kind of sharing.

There has to be a way to enable organizations to collaborate while still respecting the policies and protocols that were established to protect them. This is why I’m excited to be at ThreatStream. The team assembled here has years of prior experience building, operating and evolving the security controls that are in wide use within enterprises and government agencies. They understand the importance of automatically feeding these controls with the threat intelligence that’s essential to making them truly effective at protection and detection. And they understand the challenges related to threat sharing, the next and most critical step to making threat intelligence something that will change the dynamic between bad actors and enterprise security teams, giving the good guys the advantage for once.

Our approach: intelligent threat aggregation, which means providing a curated intelligence stream with deep context, actionable advice and priority ranking of threats; automated enterprise integration, which means integrating the millions of threat indicators that we aggregate from around the Internet directly into an organization’s existing security infrastructure at the machine level, thereby continuously upgrading the ‘smarts’ of an organization’s defenses; and trusted collaboration and analysis, which means enabling our customers to share threat intelligence findings either publicly or privately in order to better identify and defend against today’s most malicious cyber attacks. It’s this last piece – trusted collaboration – that’s especially exciting to me.

SIEM provided the visibility enterprises needed to find and remediate threats more effectively. Now it will be my goal to ensure that ThreatStream provides the added intelligence and collaboration capabilities required to keep our customers ahead of the ever-changing malicious threats that jeopardize not only their businesses, but economies – and even our personal safety – every day.

A recent Ponemon report, titled Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, found that 71 percent of its 701 IT and IT security practitioner respondents say “there has to be a better way to exchange threat intelligence than what exists today… current approaches are slow, insecure and unreliable.”

ThreatStream is devoted to addressing this challenge.

* * * * *

Sign up to use ThreatStream’s OPTIC™ Cloud for free, and learn more about our OPTIC Platform.
