Conventional network defense tools such as intrusion detection systems and anti-virus focus on the vulnerability component of risk, with incident response falling squarely in the “reactive” camp—protective steps are taken only after an incident has taken place. But new advances in threat intelligence and correlation are looking to support a more rapid response and predictive defense.
According to the 2014 IBM Cyber Index, organizations globally deal with an average of 91 million potential security events every year, creating vast volumes of data that need to be stored and analyzed. Larger enterprises typically have anywhere from 90 million to 2 billion security incidents per day. Ideally, companies need a way to uncover those advanced persistent threats that may typically remain undetected in their networks over long periods of time, stealthily pilfering critical data.
“You can’t just hire [human] analysts for that [volume] of data—you’d need a small city,” said Caleb Barlow, vice president of IBM Security Q1 Labs, in an interview at RSA 2015. “So enterprises are caught in the tactical problem, and the question becomes, how do I get to the strategic stuff? If you have a system that can get that number down to maybe 200 actuals that forensics can go investigate, that is a huge value-add.”
To accomplish that, a correlation engine that combines threat intelligence, per-user data behavior and anomaly detection—flagging, for instance, a PC that suddenly starts communicating with a server in Russia—can help move security to a more responsive footing, so that companies can quickly quarantine a potentially compromised user by sealing off the routers.
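The following is an added example, not IBM or QRadar code, of the correlation idea just described: threat-intelligence matches, a per-user behavioral baseline and a volume anomaly are scored together so that a stream of raw connection events collapses into a short list of "actuals" for an analyst to review. The indicator list, baselines and log events are all constructed.

```python
from collections import defaultdict

# Constructed threat intelligence: destination IPs with a reported reputation.
THREAT_INTEL = {"203.0.113.9": "known command-and-control server"}

# Constructed per-user baseline: countries each user's machine normally talks to.
BASELINE = {"alice": {"US", "DE"}, "bob": {"US"}}

# Constructed outbound-connection log: (user, dst_ip, dst_country, bytes_out).
EVENTS = [
    ("alice", "198.51.100.2", "US", 4_000),
    ("alice", "203.0.113.9", "RU", 120_000),
    ("bob", "198.51.100.5", "US", 900),
    ("bob", "192.0.2.44", "RU", 55_000),
    ("bob", "192.0.2.44", "RU", 61_000),
]


def score_event(user, dst_ip, dst_country, bytes_out):
    """Return (score, reasons) for one event. Each signal adds evidence;
    it is the combination that turns a raw event into an 'actual'."""
    score, reasons = 0, []
    if dst_ip in THREAT_INTEL:                        # threat-intel match
        score += 50
        reasons.append(f"destination listed as {THREAT_INTEL[dst_ip]}")
    if dst_country not in BASELINE.get(user, set()):  # behavioral anomaly
        score += 30
        reasons.append(f"{user} has no history of traffic to {dst_country}")
    if bytes_out > 50_000:                            # unusually large upload
        score += 20
        reasons.append(f"{bytes_out} bytes sent outbound")
    return score, reasons


def correlate(events, threshold=40):
    """Collapse many events into a prioritised list of actuals, one per
    (user, destination) pair, which is what a forensics team would review."""
    actuals = defaultdict(lambda: {"score": 0, "reasons": set(), "hits": 0})
    for user, dst_ip, country, nbytes in events:
        score, reasons = score_event(user, dst_ip, country, nbytes)
        if score < threshold:
            continue  # below threshold: stays in the bulk data, not escalated
        entry = actuals[(user, dst_ip)]
        entry["score"] = max(entry["score"], score)
        entry["reasons"].update(reasons)
        entry["hits"] += 1
    return sorted(actuals.items(), key=lambda kv: -kv[1]["score"])
```

Running `correlate(EVENTS)` turns five events into two actuals, with the threat-intel match ranked first and the repeated anomalous connection from bob grouped into one entry.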
Kevin Epstein, vice president of advanced security and governance at Proofpoint, noted that traditional defenses don’t provide context.
“Most of the defenses we see are reactive, and can tell you the equivalent of, ‘someone threw a brick through the window,’” he said in an interview. “You may know what kind of brick it is, but do you know if it was thrown by a vandal, or if it’s the work of a gang trying to distract you in order to steal the keys and come back later to rob you blind? You have to be able to correlate data.”
IBM is working on the issue; it announced earlier this month that it has brought its QRadar platform for threat intelligence to the cloud, available in a software-as-a-service (SaaS) model, with optional IBM Security Managed Services. The idea is to help organizations determine if security-related events are simple anomalies or potential threats. Enterprises can use the platform to correlate security event data with threat information from 500+ supported data sources for devices, systems and applications. The platform also ships with 1,500 pre-defined reports for use cases such as compliance, vulnerability management and security incident response.
Crucially, the integration of QRadar with IBM’s just-launched cloud-based X-Force Exchange gives security teams access to historical and real-time threat intelligence. In order to provide predictive analytics, actionable, open threat intelligence is a necessary piece of the puzzle.
IBM is monitoring as many as 70 million endpoints at any given time—and has now thrown open the doors to more than two decades’ worth of cyber-threat intelligence gleaned from that monitoring.
The IBM X-Force Exchange offers open access to common indicators like IP addresses, domain names, URLs, registry settings, email addresses, HTTP user agents, file hashes and file names. Each indicator carries supporting depth, such as its historical context, and analysts can pivot between indicators to understand how they relate to one another and so gain insight into attacker tactics and techniques. To make it easier to use, the interface is modeled on social media.
“You can think of the X-Force Exchange as a Pinterest for security analysts, allowing them to build collections of data and engage with others,” the company said. “Currently, security analysts often use Word documents or spreadsheets to do this type of work. IBM is bringing them a digital platform for better organizing intelligence.”
For example, providing additional context on an indicator that has been brought to a user’s attention, whether by a security tool or by another user, helps the user decide how to act on that information. Extending this from context to action naturally leads to programmatic access and application programming interface (API) integration, which helps organizations make better and quicker decisions.
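As an added example (not X-Force Exchange code), here is a small in-memory indicator store that supports the pivoting and context lookup described above: each indicator has a type from the list on the page and a short context note, relations are stored as an undirected graph, and a pivot returns related indicators together with the chain that connects them. All indicator values, relations and context strings are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed indicators: value -> (type, context note).
INDICATORS = {
    "203.0.113.9": ("ip", "first seen 2015-03-01, reported by two sources"),
    "bad-example.test": ("domain", "resolved to 203.0.113.9"),
    "http://bad-example.test/dl": ("url", "download location for a dropper"),
    "constructed-hash-0001": ("hash", "placeholder file hash of the dropper"),
    "Mozilla/4.0 (compatible; constructed-agent)": ("user_agent", "used by the dropper"),
}

# Relations are undirected so an analyst can pivot in either direction
# (ip -> domain -> url -> hash, or from a hash back to the infrastructure).
RELATIONS = defaultdict(set)


def relate(a, b):
    RELATIONS[a].add(b)
    RELATIONS[b].add(a)


relate("203.0.113.9", "bad-example.test")
relate("bad-example.test", "http://bad-example.test/dl")
relate("http://bad-example.test/dl", "constructed-hash-0001")
relate("constructed-hash-0001", "Mozilla/4.0 (compatible; constructed-agent)")


def pivot(start, max_hops=2, want_type=None):
    """Breadth-first pivot from one indicator. Returns related indicators
    within max_hops, optionally filtered by type, each with its context and
    the chain of indicators that explains how it relates to the start."""
    seen, found = {start}, []
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # do not expand beyond the requested pivot depth
        for nxt in sorted(RELATIONS[node]):
            if nxt in seen:
                continue
            seen.add(nxt)
            itype, context = INDICATORS[nxt]
            if want_type is None or itype == want_type:
                found.append({"value": nxt, "type": itype,
                              "context": context, "chain": path + [nxt]})
            queue.append((nxt, path + [nxt]))
    return found
```

`pivot("203.0.113.9")` returns the domain and the URL two hops out; `pivot("203.0.113.9", max_hops=3, want_type="hash")` walks the same chain but returns only the file hash, with the full ip-domain-url-hash chain attached.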
AlienVault is another company that has looked to social media to advance threat intelligence. It has announced the beta release of Open Threat Exchange (OTX) 2.0, a social media platform for the security community to share threat intelligence for collaborative cyber-defense.
OTX is a crowd-sourced threat intelligence-sharing system, with members so far contributing 1 million threat indicators per day. This second iteration represents a big shift from the traditional contribution-based model for sharing threat intelligence, and the company said that it hopes that building OTX 2.0 on a foundation of a social networking architecture will allow the OTX community—which has 26,000 participants—to actively discuss, explore, validate and share the latest threat data, trends, techniques and research.
With the beta release of OTX 2.0, users can import and export indicators of compromise for security tools via an open API, as well as collaborate with researchers and other members of the security community. Users can also create or subscribe to an existing “Pulse,” an analysis of a particular threat that provides a summary of the impact, as well as get a view into the software targeted and related indicators of compromise used to detect threats.
“When we first released Open Threat Exchange, our goal was to deliver an open threat intelligence-sharing network that put effective security measures within the reach of all organizations,” said Barmak Meftah, president and CEO of AlienVault. “As others in the industry have developed threat intelligence offerings that support that vision, our goal for OTX 2.0 is to move the needle on how threat intelligence data is shared, making it more collaborative and engaging in order to build a stronger security community working in unison to stop cyber-attacks.”