FireEye’s iSIGHT threat intelligence exposes security blind spots

FireEye combines machine learning with human analytics to better understand the tools, tactics and procedures used by threat actors


What separates a great Major League Baseball hitter like David Ortiz from a run-of-the-mill player? Great eyesight and intelligence. Ortiz sees more than others and uses all of the rich information he sees to make an intelligent, actionable decision about whether to swing at a pitch. While lots of players claim to do this, only a few have the right combination of the two to separate themselves from the field.

The same thing can be said for IT security. It takes visibility across the entire attack spectrum, plus analytics and real-world insight, to produce actionable threat intelligence. Many vendors claim to have threat intelligence, but what they actually do is look for anomalies in the network and flag something that might be a breach. This can be valuable, but it addresses only part of the security continuum.


Cyber criminals are better funded, smarter and better organized than ever before. They use advanced techniques to hide inside company networks, sometimes for months before being exposed. In baseball, players will study each other for months to get an advantage. If you know your opponent, you have a better chance of beating him. In the security industry, identifying and stopping hackers requires an understanding of how they think, how they work and what kind of information is being targeted. Legacy solutions rely exclusively on signature-based intelligence feeds, which are reactive in nature and can neither anticipate attacks nor guide responses.

FireEye stays ahead of attackers 

FireEye takes a different approach to staying ahead of the bad guys. Its iSIGHT Threat Intelligence solution combines the core FireEye attack telemetry and context with adversary information and the best-of-breed, victim- and machine-based intelligence that came with the acquisition of Mandiant.

As I mentioned, there is no shortage of security vendors that claim to have threat intelligence. FireEye’s solution is unique because it gets its information from the adversary’s own development ecosystem and has a network of people who provide visibility ranging from first responders to the most sophisticated cyber threats, uncovering new motivations so that attacks that have never been seen before can be identified.

The company has a team of over 160 dedicated security researchers and experts around the globe who can apply decades of experience to take data that might look like nothing to the untrained eye and turn it into actionable intelligence. Machine learning has certainly become a bigger part of advanced security protection, but FireEye combines it with human analysis to get a better understanding of the tools, tactics and procedures used by threat actors.

Role-based intelligence offerings

To make the data digestible by different audiences, FireEye recently introduced a new consumption model that delivers the threat intelligence to different functions or roles within the security organization. Customers have access to the same rich, global coverage of threats, but they have the flexibility to choose the right level of intelligence integration and support.

At launch time, the product had five role-based offerings: Tactical, Operational and Fusion Intelligence, each of which cumulatively contains more information than the one before it, as well as Executive and Vulnerability Intelligence. Below are details of each:

  • iSIGHT Tactical Intelligence: Think of this as an entry-level solution that enhances basic alerting. It is an indicator-rich data feed that can be integrated into non-FireEye tools. It would most likely be used by organizations that have relatively low security maturity and are looking for tactical information.

  • iSIGHT Operational Intelligence: This is a more advanced solution that provides actionable context for detections and alerts so that security teams can prioritize their responses. A target customer would be a security operations center team member at a company with medium security operations maturity.

  • iSIGHT Fusion Intelligence: FireEye has targeted this at highly strategic and sophisticated security buyers and provides them with a combination of analytic reporting and technical intelligence. Security teams that want to get inside the heads of threat actors to understand how they operate and the tools they use would gain great value from Fusion, as it gives highly mature security organizations the ability to “fight fire with fire” and become more proactive.

  • iSIGHT Executive Intelligence: This view is for the non-technical security executive who wants better information to make more informed risk decisions. FireEye has done a nice job cutting through the technical details and providing the executives with the real-time, big-picture information they require.

  • iSIGHT Vulnerability Intelligence: The company created this view for individuals who are involved in areas such as governance, compliance or vulnerability assessments. These individuals need to make decisions quickly and do not have time to filter through massive amounts of data. To help them, FireEye provides data that contains threat levels, the state of exploitation and patches that are available to mitigate any exposures. 

I started this post by saying elite baseball players such as David Ortiz separate themselves from the masses through the use of intelligence and great visibility. In the fast-moving world of cybersecurity, businesses need to decide whether they want to be elite in their ability to protect their data or be one of the many companies that put themselves and their customers at risk every day. 

FireEye’s iSIGHT combines great intelligence, real-world experience and telemetry to provide rich, contextual information to individuals in the different roles on the security team. This can help them build proactive defenses, understand which alerts to respond to and ultimately improve incident response.
