Social Media, Context and the New Face of Threat Intelligence

Conventional network defense tools such as intrusion detection systems and anti-virus focus on the vulnerability component of risk, with incident response falling squarely in the “reactive” camp—protective steps are taken only after an incident has taken place. But new advances in threat intelligence and correlation are looking to support a more rapid response and predictive defense.

According to the 2014 IBM Cyber Index, organizations globally deal with an average of 91 million potential security events every year, creating vast volumes of data that need to be stored and analyzed. Larger enterprises typically have anywhere from 90 million to 2 billion security incidents per day. Ideally, companies need a way to uncover those advanced persistent threats that may typically remain undetected in their networks over long periods of time, stealthily pilfering critical data.

“You can’t just hire [human] analysts for that [volume] of data—you’d need a small city,” said Caleb Barlow, vice president of IBM Security Q1 Labs, in an interview at RSA 2015. “So enterprises are caught in the tactical problem, and the question becomes, how do I get to the strategic stuff? If you have a system that can get that number down to maybe 200 actuals that forensics can go investigate, that is a huge value-add.”

To accomplish that, a correlation engine that combines threat intelligence, per-user data behavior and anomaly detection (for instance, a PC that suddenly starts communicating with a server in Russia) can move security to a more responsive footing, so that companies can, for example, quickly quarantine a potentially compromised user by sealing off the routers.
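The correlation described above, as an added illustration that is not code from the article or from IBM: a per-user baseline of destination countries is learned from a constructed connection log, later connections to a never-seen country are flagged, a hit on a (constructed) threat feed raises the severity, and high-severity hosts become quarantine candidates. The log format, feed and timestamps are assumptions.

```python
from collections import defaultdict

# Constructed outbound-connection log (timestamp, user, host, dest IP, dest country).
# IPs are documentation ranges, not real indicators.
SAMPLE_LOG = """\
2015-04-20T08:01:10Z alice ws-alice 93.184.216.34 US
2015-04-20T08:05:42Z alice ws-alice 93.184.216.34 US
2015-04-20T08:07:03Z bob   ws-bob   203.0.113.9   DE
2015-04-20T08:09:55Z alice ws-alice 198.51.100.7  US
2015-04-21T02:14:08Z alice ws-alice 192.0.2.77    RU
2015-04-21T02:14:30Z bob   ws-bob   203.0.113.9   DE
"""

# Constructed threat feed: destination IP -> label (placeholder, not a real IoC).
THREAT_FEED = {"192.0.2.77": "known C2 (constructed)"}

def parse_log(text):
    fields = ("ts", "user", "host", "dst_ip", "country")
    return [dict(zip(fields, line.split())) for line in text.strip().splitlines()]

def correlate(records, threat_feed, baseline_until):
    """Records before `baseline_until` (ISO timestamps compare lexically) teach each
    user's normal destination countries; later records are scored against that
    baseline and the threat feed. Returns a list of alert dicts."""
    seen = defaultdict(set)   # user -> countries observed during baseline
    alerts = []
    for r in records:
        if r["ts"] < baseline_until:
            seen[r["user"]].add(r["country"])
            continue
        reasons = []
        if r["country"] not in seen[r["user"]]:
            reasons.append(f"first connection by {r['user']} to {r['country']}")
        if r["dst_ip"] in threat_feed:
            reasons.append(f"destination matches threat feed: {threat_feed[r['dst_ip']]}")
        if reasons:
            # Anomaly plus threat-intel hit is the "actual" worth a forensic look.
            alerts.append({"ts": r["ts"], "user": r["user"], "host": r["host"],
                           "dst_ip": r["dst_ip"], "reasons": reasons,
                           "severity": "high" if len(reasons) == 2 else "medium"})
    return alerts

def hosts_to_quarantine(alerts):
    """Hosts whose alerts reached high severity: candidates for network isolation."""
    return sorted({a["host"] for a in alerts if a["severity"] == "high"})

if __name__ == "__main__":
    found = correlate(parse_log(SAMPLE_LOG), THREAT_FEED, "2015-04-21")
    for a in found:
        print(a["severity"], a["ts"], a["host"], "->", a["dst_ip"], "; ".join(a["reasons"]))
    print("quarantine:", hosts_to_quarantine(found))
```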

Kevin Epstein, vice president of advanced security and governance at Proofpoint, noted that traditional defenses don’t provide context.

“Most of the defenses we see are reactive, and can tell you the equivalent of, ‘someone threw a brick through the window,’” he said in an interview. “You may know what kind of brick it is, but do you know if it was thrown by a vandal, or if it’s the work of a gang trying to distract you in order to steal the keys and come back later to rob you blind? You have to be able to correlate data.”

IBM is working on the issue; it announced earlier this month that it has brought its QRadar platform for threat intelligence to the cloud, available in a software-as-a-service (SaaS) model, with optional IBM Security Managed Services. The idea is to help organizations determine whether security-related events are simple anomalies or potential threats. Enterprises can use the platform to correlate security event data with threat information from 500+ supported data sources for devices, systems and applications. The platform also ships with 1,500 pre-defined reports for use cases such as compliance, vulnerability management and security incident response.

Crucially, the integration of QRadar with IBM’s just-launched cloud-based X-Force Exchange gives security teams access to historical and real-time threat intelligence. In order to provide predictive analytics, actionable, open threat intelligence is a necessary piece of the puzzle.

IBM is monitoring as many as 70 million endpoints at any given time—and has now thrown open the doors to more than two decades worth of cyber-threat intelligence gleaned from that monitoring.

The IBM X-Force Exchange offers open access to common indicators like IP addresses, domain names, URLs, registry settings, email addresses, HTTP user agents, file hashes and file names. Each indicator carries supporting depth, such as historical context, and analysts can pivot between indicators to understand how they relate to each other and gain insight into attacker tactics and techniques. To make it easier to use, the interface is modeled on social media.


“You can think of the X-Force Exchange as a Pinterest for security analysts, allowing them to build collections of data and engage with others,” the company said. “Currently, security analysts often use Word documents or spreadsheets to do this type of work. IBM is bringing them a digital platform for better organizing intelligence.”

For example, providing additional context on an indicator that has been brought to a user’s attention, whether by a security tool or by another user, helps that user decide how to act on the information. Extending this from insight to action naturally leads to programmatic access and application programming interface (API) integration, which helps organizations make better and quicker decisions.
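The indicator pivoting and historical context described in the two paragraphs above, as an added example that is not the X-Force Exchange's own code or API: constructed sightings tie together IPs, domains, file hashes and user agents; the graph answers "what else was seen with this indicator", how long it has been seen, and what is reachable within a given number of pivots. All values are placeholders.

```python
from collections import defaultdict, deque

# Constructed sightings: one observation each, linking several indicator kinds.
# IPs, domains and hashes are placeholders, not real IoCs.
SIGHTINGS = [
    {"date": "2015-03-01", "ip": "192.0.2.10", "domain": "update.example.test",
     "sha256": "aa11" * 16, "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"date": "2015-03-09", "ip": "192.0.2.10", "domain": "cdn.example.test",
     "sha256": "bb22" * 16, "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"date": "2015-04-02", "ip": "198.51.100.5", "domain": "cdn.example.test",
     "sha256": "bb22" * 16, "user_agent": "curl/7.40"},
]

class IndicatorGraph:
    """Nodes are (kind, value) indicators; an edge means both appeared in one sighting."""
    def __init__(self):
        self.edges = defaultdict(set)
        self.seen = defaultdict(list)   # node -> dates on which it was observed

    def add_sighting(self, s):
        nodes = [(k, v) for k, v in s.items() if k != "date"]
        for n in nodes:
            self.seen[n].append(s["date"])
            self.edges[n].update(m for m in nodes if m != n)

    def history(self, kind, value):
        """Historical context for one indicator, or None if never seen."""
        dates = sorted(self.seen.get((kind, value), []))
        if not dates:
            return None
        return {"first_seen": dates[0], "last_seen": dates[-1], "sightings": len(dates)}

    def pivot(self, kind, value, want=None):
        """Directly co-observed indicators, optionally restricted to one kind."""
        return sorted(v for k, v in self.edges[(kind, value)] if want in (None, k))

    def expand(self, kind, value, max_hops=2):
        """Breadth-first expansion: every indicator reachable within max_hops pivots,
        mapped to its pivot distance (the start node itself is excluded)."""
        start, dist, queue = (kind, value), {(kind, value): 0}, deque([(kind, value)])
        while queue:
            n = queue.popleft()
            if dist[n] < max_hops:
                for m in self.edges[n]:
                    if m not in dist:
                        dist[m] = dist[n] + 1
                        queue.append(m)
        return {n: d for n, d in dist.items() if n != start}

def build_graph(sightings=SIGHTINGS):
    g = IndicatorGraph()
    for s in sightings:
        g.add_sighting(s)
    return g
```

A two-hop expansion from the first hash reaches the second hash through the shared IP and user agent, while the third sighting's IP stays three pivots away.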

AlienVault is another company that has looked to social media to advance threat intelligence. It has announced the beta release of Open Threat Exchange (OTX) 2.0, a social media platform for the security community to share threat intelligence for collaborative cyber-defense.

OTX is a crowd-sourced threat intelligence-sharing system, with members so far contributing 1 million threat indicators per day. This second iteration represents a big shift from the traditional contribution-based model for sharing threat intelligence, and the company said that it hopes that building OTX 2.0 on a foundation of a social networking architecture will allow the OTX community—which has 26,000 participants—to actively discuss, explore, validate and share the latest threat data, trends, techniques and research.

With the beta release of OTX 2.0, users can import and export indicators of compromise for security tools via an open API, as well as collaborate with researchers and other members of the security community. Users can also create or subscribe to an existing “Pulse,” an analysis of a particular threat that provides a summary of the impact, as well as get a view into the software targeted and related indicators of compromise used to detect threats.

“When we first released Open Threat Exchange, our goal was to deliver an open threat intelligence-sharing network that put effective security measures within the reach of all organizations,” said Barmak Meftah, president and CEO of AlienVault. “As others in the industry have developed threat intelligence offerings that support that vision, our goal for OTX 2.0 is to move the needle on how threat intelligence data is shared, making it more collaborative and engaging in order to build a stronger security community working in unison to stop cyber-attacks.”




Edited by Dominick Sorrentino

TechZone360 Contributor
