In my last threat intelligence blog I discussed my new research on threat intelligence providers. I included a graphic which carved four functional threat intelligence areas: 1) Providers 2) Platforms 3) Enrichment 4) Integration. In December, I will start the next piece of research in the series focusing on Threat Intelligence Platforms (TIPs). This will likely be two reports one focusing on people, process and use cases and the other focusing on the vendor landscape. My presentation at the 2016 SANS Cyber Threat Intelligence Summit will include some perspective on the state of threat intelligence platforms.
I will be looking into the following functional areas. I'm also going to look beyond TIPs to see how traditional analytics platforms like SIEMs are including these capabilities. I also will look into how SIEMs and TIPs should function in the same environment. I will also address the "roll your own platform" phenomenon that is common in technology firms and large financial institutions. Depending on the size and maturity an organization, multiple solutions could be involved in addressing the use cases, I will also break that functionality out.
Analysis (Important: How does TIP improve tradecraft?)
I just published my latest research on threat intelligence: Vendor Landscape: S&R Pros Turn To Cyberthreat Intelligence Providers For Help. This report builds upon The State Of The Cyberthreat Intelligence Market research from June. In the new research, I divide the threat intelligence space into four functional areas: 1) Providers 2) Platforms 3) Enrichment 4) Integration. This research is designed to help readers navigate the crowded threat intelligence provider landscape and maximize limited investment resources. In this report, we looked at 20 vendors providing a range of tactical, operational, and strategic threat intelligence.
When developing threat intelligence capabilities, one of the most important requirements is to collect and develop your own internal intelligence. Nothing will be as relevant to you as intelligence gathered from your own environment, your own intrusions. Before you invest six figures (or more) in 3rd party threat intelligence, make sure you are investing in your internal capabilities. Relevancy is one of the most important characteristics of actionable intelligence; check out "Actionable Intelligence, Meet Terry Tate, Office Linebacker" for more details on the traits of actionable intelligence.
In the report, I use the traditional intelligence cycle as a framework to evaluate threat intelligence providers. The intelligence cycle consists of five phases:
Newly minted Vice President and Principal Analyst, Rick Holland, is one of the most senior analysts on our research team. But for those of you who haven’t had the opportunity to get to know him, Rick started his career as an intelligence analyst in the U.S. Army, and he went on to hold a variety of security engineer, administrator, and strategy positions outside of the military before arriving at Forrester. His research focuses on incident response, threat intelligence, vulnerability management, email and web content security, and virtualization security. Rick regularly speaks at security events including the RSA conference and SANS summits and is frequently quoted in the media. He also guest lectures at his alma mater, the University of Texas at Dallas.
Rick holds a B.S. in business administration with an MIS concentration (cum laude) from the University of Texas at Dallas. Rick is a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA), and a GIAC Certified Incident Handler (GCIH).
If the RSA Conference was any indicator, threat intelligence has finally joined the ranks of cloud and advanced persistent threat as ambiguous/overused terms that mean many different things to many different people. If you were given a dollar, pound or euro every time you heard "threat intelligence," there is no doubt you could fund your security budget for decades to come. Your biggest challenge would be determining how to invest some of that money into threat intelligence capabilities.
To help Forrester clients navigate the threat intelligence market I have several pieces of research underway. The first report, "The State Of The Cyberthreat Intelligence Market" has just published. In it I discuss the frenzied venture capital and vendor investment in the threat intelligence space. I also provide guidance on how security and risk professionals should navigate the marketing hype to make the best investment of their limited resources. I am currently writing the second report "Market Overview: Threat Intelligence Providers." Here is a snippet from the latest research that illustrates just how much vendor focus we have seen. Since October of 2014:
There have been three acquisitions and eight fundraising rounds.
iSight Partners (Critical Intelligence) and Lookingglass (Cloudshield) have each raised funds and made an acquisition.
Of the acquisitions, only one company publicly disclosed the acquisition amount: $40 million (Proofpoint.)
The eight fundraising rounds raised a total of $102.5 million dollars.
We have even seen law enforcement documents on threat actors. In August, Mr. Su Bin, a Chinese national, was indicted for the theft of Boeing’s trade secrets. The criminal complaint regarding Su Bin’s activities became public in June and offers a fascinating perspective into espionage as a service.
The sharing of threat intelligence is a hot topic these days. When I do conference speeches, I typically ask how many organizations see value in sharing, and most in the room will raise their hand. Next, I ask how many organizations are actually sharing threat intelligence, and roughly 25% to 30% in the room raises their hand. When our 2014 Security Survey data comes in, I will have some empirical data to quote, but anecdotally, there seems to be more interest than action when it comes to sharing. I wrote about some of the challenges around sharing in “Four Best Practices To Maximize The Value Of Using And Sharing Threat Intelligence.” Trust is at the epicenter of sharing and just like in "Meet the Parents," you have to be in the circle of trust. You can enable sharing, but automating trust does take time.
We recently published part 1 of a new series designed to help organizations build resiliency against targeted attacks. In the spirit of Maslow, we designed our Targeted-Attack Hierarchy Of Needs. One factor that significantly drove the tone and direction of this research was Forrester client inquiries and consulting. Many organizations were looking for a malware sandbox to check off their targeted attack/advanced persistent threat/advanced threat protection/insert buzzword needs. Malware analysis has a role in enterprise defense, but focusing exclusively on it is a myopic approach to addressing the problem.
Part 1 of the research is designed to help organizations broaden their perspective and lay the foundation for a resilient security program. Part 2 (currently writing at a non George R.R. Martin pace) will move beyond the basics and address strategies for detecting and responding to advanced adversaries. Here is a preview of the research and the six needs we identified:
We are now less than two weeks away from our annual sojourn to the RSA security conference. RSAC is a great time for learning, meeting and making friends. (Please hold cynical remarks; RSAC is what you make of it.) As the date grows near and my excitement grows, I am preparing my mind and patience for the ubiquitous silver bullet marketing that is predestined to appear.
One of these silver bullets will be the term "actionable intelligence." You will be surrounded by actionable intelligence. You will bask in the glory of actionable intelligence. In fact, the Moscone expo floor will have so much actionable intelligence per capita you will leave the conference feeling like the threat landscape challenge has been solved. Achievement unlocked, check that off the list. Woot!
Well not so fast. I frequently talk to vendors that espouse the greatness of their actionable intelligence. Whenever I hear the term actionable intelligence I want to introduce them to Terry Tate, Office Linebacker. Terry Tate first appeared in a 2003 Reebok Super Bowl commercial.
The hype surrounding threat intelligence has continued to build since I wrote the blog "My Threat Intel Can Beat Up Your Threat Intel” in mid-2012. S&R pros are responding to both the hope and promise of threat intelligence. According to our Forrsights survey data, 75% of security decision-makers report that establishing or improving threat intelligence capabilities is a top priority for their organization.
One of the most significant challenges in leveraging threat intelligence is operationalizing it. Today, there are two broad categories of organizations that leverage threat intelligence. I’ll use an analogy to describe them. The US television show “Sons of Anarchy” follows the lives of an outlaw motorcycle club. The Sons of Anarchy refer to themselves as “1%ers”: They have the power, resources, and means to accomplish anything they desire. This is in contrast with the 99% who are merely motorcycle enthusiasts without these capabilities. Some of these early adopters include financial services, technology, and manufacturing companies.
On Monday the Wall Street Journal ran a story on hacking back titled, “Support Grows to Let Cybertheft Victims Hack Back.” The article describes a growing desire to permit the private sector to retaliate against attackers. Being proactive is one thing, but the notion of enterprises retaliating against attackers is ludicrous. I honestly cannot understand why this topic is still in the public discourse. I thought debating this was so 2012. Legality is an issue, but so is the ability of companies to successfully conduct these types of operations without blowback.
The article explains, “… companies that experience cybertheft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information." I hate to be the bearer of bad news, but for most organizations, once the data has left your environment the chances of you retrieving it are very slim. Your data has left the building and it isn’t going to “re-spawn.” If you couldn’t prevent exfiltration of this data in the first place, what would make you think that you could prevent the subsequent exploitation of it?