The various breaches and attacks of 2014 have led to more interest in “whodunnit”.
This in turn has led to more interest and development in the concept of threat intelligence. Last year Proofpoint completed the acquisition of NetCitadel to add threat intelligence to its portfolio, while I recently met another new firm offering such services, iSIGHT Partners.
Rather than offering products, it offers threat intelligence that its global team of analysts collects and delivers into existing products. The company claimed that this can offer “full context and intent of the most damaging threats, allowing security organisations to respond faster, defend proactively, and invest smarter”.
Talking to CEO John Watters, I heard that the first age of security was about deploying a lot of sensing technology in your environment and aligning it with whatever else you have there, while version 2.0 is about getting insight into the threat environment you are operating in, deploying proactive defences against threats as they show up, and seeing all of the alerts coming through.
He said: “So if you had 100 alerts coming in today but only time to deal with one, which one matters to me the most? It is about connecting the alerting to the threat context. You see malware and it is connected to this campaign and run by this group trying to achieve this objective, now you know which matters.”
“We add the threat intelligence with methods that they use and understand what they are targeting so that way you can proactively identify what is a threat to your environment that will help you protect your environment.”
He said that iSIGHT links all three areas and delivers the machine-readable puzzles to services, and can work with anything that a machine can read and integrate into your technology infrastructure.
“What is different now is people talk about the groups, the adversaries, as ten years ago it was about the attack method,” he said. “So going back 10-15 years ago, all those viruses were code-based and then it became about infrastructure and business networks. Now it is linking back to APT1 and targeting, so the ecosystem started with ‘security on the edge’: how do you do security from outside of your environment to manage risk to your environment?”
He said that it is a case of who rather than what, as businesses need to understand attribution to the level of motivation and capability, and who you are up against, so you know whether it is a risk to your organisation. “We deliver the threat context and method and actor behind it, and we say it is someone severe, you focus on that one,” he said.
A common point of reference is the Target attack, and Watters said that if a business that doesn’t run a point-of-sale system got an alert on POS malware, then it doesn’t matter to that business. “A Government user of ours said they get about a billion alerts a day, they said using the API they can reduce it to 1,000 a day,” he said.
“They have a big team so can handle ten a day, and I ask which ten, and they said using alerts and our intelligence matches and going through the top ten risks to the organisation, that is what they work on that day.”
Watters said that the common “happy place” is in linking threat alerts to indicators. In a world of connected devices and the Internet of Things there are so many infection points that there is no way to protect everything, so you have to shift to protecting against threats to your environment, which makes it important to identify what is a threat to you.
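The triage logic Watters describes above (enrich an alert with actor and campaign context, drop threats aimed at technology you do not run, rank what is left by actor severity) as an added illustration; this is not iSIGHT’s code, and the feed, actor names, severity scale and alert data are constructed placeholders:

```python
"""Alert triage by threat context: enrich alerts with actor/campaign
intelligence, discard threats that cannot apply to the environment, and
rank the remainder by actor severity. All data is constructed for the
example; the feed format and 1..5 severity scale are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Intel:
    actor: str          # group behind the indicator
    campaign: str       # campaign the indicator belongs to
    severity: int       # 1 (nuisance) .. 5 (severe), assumed scale
    targets: frozenset  # technologies / asset classes the campaign targets


# Constructed intelligence feed keyed by indicator (placeholder values).
INTEL_FEED = {
    "md5:PLACEHOLDER-POS-RAM-SCRAPER": Intel("ACTOR-A", "retail-pos", 5, frozenset({"pos"})),
    "domain:c2.example.invalid": Intel("ACTOR-B", "finance-phish", 4, frozenset({"windows", "email"})),
    "ip:203.0.113.9": Intel("ACTOR-C", "web-scan", 1, frozenset({"web"})),
}


def triage(alerts, environment, top_n=3):
    """alerts: list of {"id": str, "indicator": str}; environment: set of
    technologies the organisation actually runs. Returns the top_n alerts
    with context attached; unmatched alerts and threats to absent technology
    are dropped from the ranked list (they still deserve routine review)."""
    ranked = []
    for alert in alerts:
        intel = INTEL_FEED.get(alert["indicator"])
        if intel is None:
            continue  # no context: cannot say who is behind it or why
        if not intel.targets & environment:
            continue  # e.g. POS malware at a business with no point-of-sale
        ranked.append({**alert, "actor": intel.actor,
                       "campaign": intel.campaign, "severity": intel.severity})
    ranked.sort(key=lambda a: (-a["severity"], a["id"]))
    return ranked[:top_n]


ALERTS = [  # constructed sample alerts
    {"id": "a1", "indicator": "md5:PLACEHOLDER-POS-RAM-SCRAPER"},
    {"id": "a2", "indicator": "domain:c2.example.invalid"},
    {"id": "a3", "indicator": "ip:203.0.113.9"},
    {"id": "a4", "indicator": "ip:198.51.100.7"},  # no intelligence match
]

if __name__ == "__main__":
    for a in triage(ALERTS, {"windows", "email", "web"}):
        print(a["id"], a["actor"], a["campaign"], a["severity"])
```

With no POS estate the POS alert never reaches the top list, while the same alert ranks first for an organisation that does run POS.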
I asked him whether he saw a time when iSIGHT Partners would move into the product space with its intelligence built in. He said its current position is technology agnostic, coupled with other vendors’ technologies and services; if it made the decision to build its own technology stack, that would depend on the state of the market.
He explained that intelligence gathering is not about monitoring customers’ traffic, but with a new API, it is beginning to have the ability to take feeds from them where alerts are pushed and intelligence delivered back.
“Community-driven protection is about immunising after it has happened, we are the opposite – we work in the supply chain as the adversary creates the ability and creates tools and stands up infrastructure before it has been implemented, and that is where 60-80 per cent of indicators come from, as it has not been used yet,” he said.
“The other guys are chasing yesterday’s problem while we are trying to get ahead of tomorrow’s threat.” Watters said that in reality it sees around 200 threat actors, as no-one is tracking one billion bad guys, but there is a recognition that people cannot keep doing the same thing over and over and expect results. “Technology alone has failed people and they realise they need more and most want to know what is going on,” he said.
The company recently appointed Rob Pollard (formerly at Endace Europe and Arbor Networks) as general manager for EMEA, driving expansion across the region. The company’s CEO talks sense: why focus on every threat when only one is applicable to you? Perhaps greater threat intelligence is a key trend for 2015, and if so this company is moving into the European market at the correct time.
John Watters, CEO of iSIGHT Partners, was talking to Dan Raywood