Microsoft to launch real-time threat intelligence feed

Microsoft feed would provide information on botnets, IP addresses and more

Microsoft is looking to share its wealth of security information with the world through a new real-time threat intelligence feed, the company recently announced at the International Conference on Cyber Security in New York.

The project, which is still under development, aims to stream Microsoft's security information on high-profile and dangerous threats to organizations ranging from business partners and private corporations to domestic and foreign governments. Eventually, based on the success of beta testing, Microsoft will consider opening the threat intelligence feed to the public, officials said.

STRIKING BACK: Microsoft kills off a botnet

Paul Henry, security and forensic analyst at Lumension, says although the threat intelligence feed may not be able to prevent threats before they arise, it may be effective in reducing the impact of attacks before they become global problems, like the Rustock or Waledac botnets.

"I don't see a decrease in threats, but I do see this limiting the possible damage from a given threat as the community will be able to respond faster," Henry says.

T.J. Campana, senior program manager in Microsoft's Digital Crimes Unit, said at the event that the feed will function as a Hadoop-based cluster integrated with Windows Server, streaming information from a database that currently contains data on the Kelihos botnet Microsoft first disclosed in September. Given the company's other contributions to high-profile malware strains, including Rustock and Waledac, the threat intelligence feed could play an important role in global malware protection efforts.

Microsoft will still have to answer to privacy skeptics, especially considering the threat intelligence feed will distribute IP addresses of systems that are found to be part of large botnets. But according to Henry, there are ways of sharing information on security threats without invading privacy. Specifically, Henry cited the practices at the SANS Internet Storm Center, which he says Microsoft's threat intelligence feed will resemble, but from a different perspective.

"The information can easily be sanitized to address any privacy concerns," Henry says. "This is nothing new and SANS has addressed the issue in their feed, so I don't see this as being a [privacy] issue at all."

Campana stressed that no personally identifiable information will be published on the threat intelligence feed.

In either case, Henry sees any effort at sharing information as a proactive contribution to worldwide anti-malware efforts. Cybercriminals have been successful to this point as a result of their ability to distribute data quickly. According to Henry, those looking to soften the blow of global botnet attacks can learn from that.

RELATED: Should you share data breach information?

"We are still too secretive about security issues. The bad guys quickly and widely disseminate information, and defenders must do the same," Henry says. "The age-old argument about protecting users from copy-cat attacks because the information exposed a weakness does not hold water. The bad guys are already sharing information on new attack vectors in real-time."

In its efforts to take down Kelihos, for example, Microsoft claims it was able to step in before the botnet got too large.

"Although, Kelihos was considered a relatively small botnet (our investigations to date indicate that approximately 41,000 computers worldwide are infected with Kelihos, and that Kelihos was capable of sending 3.8 billion spam emails per day) and we do not expect its disruption to have the breadth of impact on the internet that our prior takedowns did, we took this action before the botnet had an opportunity to grow further and because we believe accountability is important," the company wrote in a blog post shortly after taking down Kelihos. 

Colin Neagle covers Microsoft security and network management for Network World. Keep up with his blog: Rated Critical, follow him on Twitter: @ntwrkwrldneagle. Colin's email is cneagle@nww.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies