Over the last few months, I’ve talked to a number of CISOs and security analytics professionals about threat intelligence, as I’m about to dig into this topic with some primary research.
One of the things I’ve learned is that large enterprises are consuming lots of open source and commercial threat intelligence feeds. In some cases, these feeds are discrete services from vendors like iSight Partners, Norse, or Vorstack. Alternatively, they also purchase threat intelligence along with products from security vendors like Blue Coat, Check Point, Cisco, FireEye, Fortinet, IBM, McAfee, Palo Alto Networks, Symantec, Trend Micro, Webroot and a cast of a thousand others.
Wow, that’s a lot of threat intelligence, but this brings up a fundamental question: when it comes to cyber threat intelligence, does volume equate to better quality or simply massive redundancy?
Some of the most progressive CISOs I know are asking this question and pushing their infosec staff and threat intelligence vendors for answers. This exercise isn’t just a technical/financial assessment, either. A few leading CISOs want to abstract threat intelligence from products, build an infrastructure for threat intelligence consumption, processing, distribution, and analytics, and even automate remediation actions based on real-time threat intelligence feeds.
This type of threat intelligence strategy is pretty visionary, and I believe that this industry will actually move in this direction over the next few years. Nevertheless, cyber threat intelligence is an absurdly confusing space right now. Based on the anecdotal evidence I’ve gathered through many conversations, CISOs have common cyber threat intelligence concerns around:
- Quality. Which threat intelligence is best? Who knows? There is no objective way to answer this question and as far as I know, no one has done any testing. Now, security professionals are cynical by nature, so most analyst/forensic people I speak with believe that at least 90% of all threat intelligence is redundant from feed-to-feed. If this is even remotely true, most organizations are paying several vendors for the same data. Cyber threat intelligence vendors tend to base the quality of their offering with quantitative statistics (i.e. number of nodes, amount of data collected, number of events detected, etc.) rather than any discernable quality metrics (i.e. uniqueness, homegrown threat intelligence analytics, industry expertise, geographic expertise, etc.). No wonder why the demand side is confused and pessimistic.
- Data sharing amongst vendors. First of all, smart security professionals recognize that this isn’t a new phenomenon as AV vendors have been sharing data for years. The assumption here is that vendor data sharing results in higher threat intelligence quality, but, as previously mentioned, no one has defined metrics for threat intelligence quality in the first place. This appears like a proverbial “cart-before-the-horse” scenario.
- Public/private data sharing. In spite of continued pushback from civil libertarians, some members of Congress remain gaga over the Cyber Information Sharing Act (CISA) for public/private threat intelligence sharing. Regrettably, the value of this legislation is tenuous at best. There’s the general threat intelligence quality issue (again) along with widespread skepticism about the government’s ability to provide efficient and effective help. And it’s not like we have a dearth of threat intelligence. On the contrary, we already have too much and we really don’t know what we have, what the Feds have, or what we need.
- Threat intelligence standards. There is a lot of work being done here, resulting in very promising standards like STIX, TAXII, OpenIOC, YARA, etc. Unfortunately, it will take a few more years to sort out this technology as security professionals develop skills and best practices in this area while security analytics systems add threat intelligence standards functionality. In the meantime, cyber threat intelligence standards are way ahead of the market’s ability to utilize them in any meaningful way.
For the time being, the cyber threat intelligence market will sound like a Billy Idol song, pushing users to consume “more, more, more.” This model is unsustainable, however, and it is rapidly approaching a point of massive redundancy, inefficiency, and chaos.
I believe that there may be a sizeable opportunity for someone to sort through industry embellishment and help enterprises create a pragmatic and measurable cyber threat intelligence strategy. CISOs are simply waiting for some leader to step up.