After years of shunning automation and information sharing efforts, the security industry is now embracing them. Every vendor conference I attended this fall talked about the need to automate some security functions in order to increase security teams' efficiency and ability to quickly detect and respond to incidents. The vendors also focused on the need to break down the silos and share information across the security and IT organizations, between vendors, and throughout the security community.
Why the change? The pace of attacks along with the continued stress of resource-constrained organizations are forcing security leaders to find new solutions.
Cybersecurity requires a specialized skillset and a lot of manual work. We depend on the knowledge of our security analysts to recognize and stop threats. To do their work, they need information. Some of that information can be found internally in device logs, network metadata or scan results. Analysts may also look outside the organization at threat intelligence feeds, security blogs, social media sites, threat reports and other resources for information.
This takes a lot of time.
Security analysts are expensive resources. In many organizations, they are overwhelmed with work. Alerts are triaged, so that only the most serious get worked. Many alerts don’t get worked at all. That means that some security incidents are never investigated, leaving gaps in threat detection.
This is not new information for security pros. They get reminded of this every time they read an industry news article, attend a security conference or listen to a vendor presentation. We know there are not enough trained security professionals available to fill the open positions.
Since the start of the Industrial Revolution, we have strived to find technical answers to our labor problems. Much manual labor was replaced with machines, making production faster and more efficient.
Advances in artificial intelligence and robotics are now making it possible for humans and machines to work side-by-side. This is happening now on factory floors all over the world. Now, it’s coming to a new production facility, the security operations center (SOC).
Today, IBM announced a new initiative to use their cognitive computing technology, Watson, for cybersecurity. Watson for Cyber Security promises to give security analysts a new resource for detecting, investigating and responding to security threats.
A lifelong Atlanta Braves fan, Forrester Senior Analyst Joseph Blankenship longs for the mid-1990's with respect to his baseball team, but we promise that he looks to the future as he advises his clients on current and emerging security technologies. He covers security infrastructure and operations, including security information management (SIM), security analytics, and network security, and his research currently focuses on security monitoring, threat detection, operations, and management. Joseph has presented at industry events, been quoted in the media, and has written on a variety of security topics.
Joseph's over 10 years of security experience includes marketing leadership and product marketing roles at Solutionary (NTT), McAfee (Intel Security), Vigilar, and IBM (ISS), where he focused on managed security services, consulting services, email security, compliance and network security. As a marketing leader, Joseph helped to align client needs with marketing strategy, messaging, and go-to-market activities while educating users about security strategy. His background also includes extensive experience in the IT, telecommunications, and consulting industries with Nextel, IBM, Philips Electronics, and KPMG.
Listen to Joseph's conversation with VP, Research Director Stephanie Balaouras to hear about Joseph's biggest surprises since starting as a Forrester analyst, his most frequent client inquiries, and the topics he's excited to research in the coming year:
One of the S&R team’s newest additions, Principal Analyst Jeff Pollard comes to Forrester after many years at major security services firms. His research guides client initiatives related to managed security services, security outsourcing, and security economics, and integrating security services into operational workflows, incident response processes, threat intelligence applications, and business requirements. Jeff is already racking up briefings and client inquiries, so get on his schedule while you still can! (As a side note, while incident response is generally not funny, Jeff is. He would be at least a strong 3 seed in a hypothetical Forrester Analyst Laugh-Off tournament. Vegas has approved that seeding.)
Prior to joining Forrester, Jeff served as a global architect at Verizon, Dell SecureWorks, and Mandiant, working with the world's largest organizations in financial services, telecommunications, media, and defense. In those roles he helped clients fuse managed security and professional services engagements in security monitoring, security management, red teams, penetration testing, OSINT, forensics, and application security.
In my last threat intelligence blog I discussed my new research on threat intelligence providers. I included a graphic which carved four functional threat intelligence areas: 1) Providers 2) Platforms 3) Enrichment 4) Integration. In December, I will start the next piece of research in the series focusing on Threat Intelligence Platforms (TIPs). This will likely be two reports one focusing on people, process and use cases and the other focusing on the vendor landscape. My presentation at the 2016 SANS Cyber Threat Intelligence Summit will include some perspective on the state of threat intelligence platforms.
I will be looking into the following functional areas. I'm also going to look beyond TIPs to see how traditional analytics platforms like SIEMs are including these capabilities. I also will look into how SIEMs and TIPs should function in the same environment. I will also address the "roll your own platform" phenomenon that is common in technology firms and large financial institutions. Depending on the size and maturity an organization, multiple solutions could be involved in addressing the use cases, I will also break that functionality out.
Analysis (Important: How does TIP improve tradecraft?)
I just published my latest research on threat intelligence: Vendor Landscape: S&R Pros Turn To Cyberthreat Intelligence Providers For Help. This report builds upon The State Of The Cyberthreat Intelligence Market research from June. In the new research, I divide the threat intelligence space into four functional areas: 1) Providers 2) Platforms 3) Enrichment 4) Integration. This research is designed to help readers navigate the crowded threat intelligence provider landscape and maximize limited investment resources. In this report, we looked at 20 vendors providing a range of tactical, operational, and strategic threat intelligence.
When developing threat intelligence capabilities, one of the most important requirements is to collect and develop your own internal intelligence. Nothing will be as relevant to you as intelligence gathered from your own environment, your own intrusions. Before you invest six figures (or more) in 3rd party threat intelligence, make sure you are investing in your internal capabilities. Relevancy is one of the most important characteristics of actionable intelligence; check out "Actionable Intelligence, Meet Terry Tate, Office Linebacker" for more details on the traits of actionable intelligence.
In the report, I use the traditional intelligence cycle as a framework to evaluate threat intelligence providers. The intelligence cycle consists of five phases:
If the RSA Conference was any indicator, threat intelligence has finally joined the ranks of cloud and advanced persistent threat as ambiguous/overused terms that mean many different things to many different people. If you were given a dollar, pound or euro every time you heard "threat intelligence," there is no doubt you could fund your security budget for decades to come. Your biggest challenge would be determining how to invest some of that money into threat intelligence capabilities.
To help Forrester clients navigate the threat intelligence market I have several pieces of research underway. The first report, "The State Of The Cyberthreat Intelligence Market" has just published. In it I discuss the frenzied venture capital and vendor investment in the threat intelligence space. I also provide guidance on how security and risk professionals should navigate the marketing hype to make the best investment of their limited resources. I am currently writing the second report "Market Overview: Threat Intelligence Providers." Here is a snippet from the latest research that illustrates just how much vendor focus we have seen. Since October of 2014:
There have been three acquisitions and eight fundraising rounds.
iSight Partners (Critical Intelligence) and Lookingglass (Cloudshield) have each raised funds and made an acquisition.
Of the acquisitions, only one company publicly disclosed the acquisition amount: $40 million (Proofpoint.)
The eight fundraising rounds raised a total of $102.5 million dollars.
We have even seen law enforcement documents on threat actors. In August, Mr. Su Bin, a Chinese national, was indicted for the theft of Boeing’s trade secrets. The criminal complaint regarding Su Bin’s activities became public in June and offers a fascinating perspective into espionage as a service.
The sharing of threat intelligence is a hot topic these days. When I do conference speeches, I typically ask how many organizations see value in sharing, and most in the room will raise their hand. Next, I ask how many organizations are actually sharing threat intelligence, and roughly 25% to 30% in the room raises their hand. When our 2014 Security Survey data comes in, I will have some empirical data to quote, but anecdotally, there seems to be more interest than action when it comes to sharing. I wrote about some of the challenges around sharing in “Four Best Practices To Maximize The Value Of Using And Sharing Threat Intelligence.” Trust is at the epicenter of sharing and just like in "Meet the Parents," you have to be in the circle of trust. You can enable sharing, but automating trust does take time.
We recently published part 1 of a new series designed to help organizations build resiliency against targeted attacks. In the spirit of Maslow, we designed our Targeted-Attack Hierarchy Of Needs. One factor that significantly drove the tone and direction of this research was Forrester client inquiries and consulting. Many organizations were looking for a malware sandbox to check off their targeted attack/advanced persistent threat/advanced threat protection/insert buzzword needs. Malware analysis has a role in enterprise defense, but focusing exclusively on it is a myopic approach to addressing the problem.
Part 1 of the research is designed to help organizations broaden their perspective and lay the foundation for a resilient security program. Part 2 (currently writing at a non George R.R. Martin pace) will move beyond the basics and address strategies for detecting and responding to advanced adversaries. Here is a preview of the research and the six needs we identified: