This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
According to the Global State of Information Security Survey 2015, the compound annual growth rate (CAGR) of detected security incidents has increased 66% year-over-year since 2009. The Ponemon Institute says the average time to resolve one security incident went from 32 days in 2013 to 45 days in 2014. No wonder security analysts feel like they are drinking from a fire hose!
If attacks are coming in fast and furious, so is the threat intelligence about them. Enterprise organizations typically subscribe to a range of services that provide threat information. This intel about known indicators of compromise (IOCs) might come from free open sources, commercial companies, government agencies like the FBI, and industry-specific information sharing and analysis centers (ISACs). A large enterprise might get tens or hundreds of thousands of indicators every day, and the security team has to figure out what is relevant and what requires further investigation. It's the equivalent of having to find a needle in a haystack every single day.
The deluge of threat information is overwhelming most organizations to the point where important IOCs end up on the floor. Even Target Corp. is said to have had signals from FireEye that something was amiss, but no one followed up on those clues. Unfortunately, this is becoming more common as threats and attacks increase and available qualified security personnel are in short supply.
BrightPoint Security is trying to address these pain points with a threat intelligence platform that adds relevance and context to the steady stream of external IOCs and pinpoints threats that deserve the security analyst's attention. BrightPoint claims it can help organizations answer three critical questions in minutes, not days:
- Are we under attack right now?
- Are we the only ones being attacked?
- What should we do about this attack?
BrightPoint's Sentinel platform is a software based appliance installed within your perimeter. The appliance ingests threat feeds from all types of external sources and then parses and normalizes the data. BrightPoint then compares this information about generic IOCs to the customer's own infrastructure to determine relevancy. It does this by querying databases, log stores, SIEMs, and so on, to identify current and historic activity. This process is said to whittle down tens of thousands of IOCs to a few dozen for the security team to look at.
For example, BrightPoint might have an IP address for a known command and control (C&C) server. Sentinel will query the infrastructure devices, machine to machine, to determine if any of the organization's devices have reached out to that C&C server. If not, BrightPoint files that IOC away for additional queries over the next month or so. Maybe there has been no C&C contact yet, but an infection could still happen in the future, so BrightPoint continues to check for relevance as time goes on.
On the other hand, if BrightPoint confirms that a device has contacted the C&C server, the vendor attempts to build as much context as possible around that incident. BrightPoint adds enrichment information, such as who the threat actors are and whether other organizations have seen this threat, and assigns a risk score based on the prioritization of the threat and the predominance of it in the environment.
All of this is done automatically in a matter of minutes with machine to machine interaction. Coming out of the small end of the funnel will be the handful of serious threats that a security analyst should go investigate.
BrightPoint adds a interesting element to threat analysis that it calls "Trusted Circles." This is a defined group that has agreed to share threat information. ISACs for various industries are examples of trusted circles. A company might set up its own circle with subsidiary companies or supply chain partners.
The idea is that an organization can go to its circle to find out if others are experiencing the same attack. Attackers know that companies in the same industry or that have some other relationship often use the same type of applications and infrastructure. An attacker that finds a vulnerability to exploit can create cookie-cutter attacks on similar victims. A good example of this is the recent spate of retail attacks in which the same malware was used to infect one merchant after another.
If multiple members of a circle are experiencing the same attack, they can share approaches to overcome it, and other members know to watch closely for the IOCs in their organizations. This is, after all, the reason why industry ISACs came into being. There is value in sharing security information that outweighs any competitive differentiation by having a better security posture than one's peers.
BrightPoint has been working closely with the National Healthcare Information Sharing and Analysis Center (NH-ISAC). Every organization that is a member of NH-ISAC can get a free "lite" version of BrightPoint Sentinel that enables the healthcare company to query its internal systems to look for the IOCs and provide feedback to the group at large.
BrightPoint claims it is all about getting to actionable threat intelligence quickly—in minutes instead of hours, days, months or even never. This work is done with a simple virtual machine that is all software-based and on-premise. The data feed service is a subscription, and companies can be in complete control of their security-related data, even when it is shared with a trusted circle. The whole idea is to enable security analysts with the best available contextual information so they can do their jobs.