I predict that 2015 will go down in history as the year of the Threat Intelligence Platform (TIP). We’ve seen the security ecosystem evolve from all-in-one systems to point solutions to a bi-directionally integrated fabric knitting these silos together. This year that will extend into community-based, big security data digesting TIP systems. TIP is in its infancy. Just a year ago, Gartner analyst Anton Chuvakin lamented that he couldn’t characterise the new category without breaching non-disclosure agreements. But he credited Facebook with breaking the TIP ice, characterising the new genre of point solutions as comprising three high-level parts: threat feeds, big data analytics and real-time response.
One area where TIP breaks new ground is its focus on community data sharing, and the concomitant requirement to ensure that threat indicators are standardised and exchangeable between various tools and systems. Many advanced persistent threat (APT) vendors can report information about indicators of compromise (IOC) but that data isn’t easily used outside of the product generating the information. Sure, you can send everything to a SIEM and hope your rules work as expected, but with the increasing number of advanced persistent threats mutating at an alarming rate and evolving attack methods, it’s a never-ending cat and mouse game. The TIP vendors are working to deepen the utility of threat data interchange.
But TIP is not in the best position to knit together all data exchange across disparate point solutions and enable real-time response. If we take a look at the tools commonly deployed in the security ecosystem, we find firewalls, next-gen antivirus, spam filters, data loss prevention (DLP) solutions, network access control (NAC) systems, disk encryption, etc. All of these systems perform specific functions that could be augmented if they could learn from other tools or share what they know with other tools. Continuous monitoring and mitigation systems are already positioned to enable all of these security components to talk to one another, expand where they can gather and exchange information and automate the response to threats, one of the key challenges facing IT security.
The community-based approach of TIP can add enormously to an integrated security ecosystem. This form of information sharing can be effectively illustrated with a financial services use case. Many large banks contend with the same risks and threats, and will typically deploy similar tools to reduce that risk and thwart the threats and strengthen their security posture. While the risk and threat is similar in nature, a specific attack can be different but have common indicators. If Bank A gets attacked the methods, signatures and meta-data about that attack can easily be shared with Bank B to help stave off similar future attacks, and Bank B can then reciprocate to other banks in the future.
Applying big data analytics to massive volumes of collected data to ferret out the threats is another area of innovation for TIP. It has been difficult to draw conclusions based on the information attackers leave, as many systems that could potentially use this data cannot effectively handle the vast amounts generated. We’ve seen many threat intelligence vendors emerge in 2014, all trying to figure out how to collect high volumes of data from different sources, fuse it, cut through the white noise, draw effective conclusions and then plug that insight into the systems that matter to large enterprises.
In 2015, we will likely see enterprises begin vetting these vendors. Though the technology and approaches to data exchange are not novel, the overall “secret sauce” that differentiates one vendor from another will be the defining factor for which solution will be adopted versus those that will fail. In the end an essential ingredient of the secret TIP sauce will make these lists manageable and relevant, add crowd-sourced data to the mix and ultimately make the TIP a valuable source of reliable threat indicator data.
As with other technology of the year products, the viability of any innovative TIP system or service will be dependent on a common language and broad set of integrations. I expect to see the deployment of TIP used in conjunction with an internal security platform that can already integrate disparate security solutions, make intelligent decisions, automate and accelerate responses and apply that intelligence in the form of “what to block,” and how to block it, and automatically carry it out.
A real example: Imagine sending all of your proxy, APT, firewall and intrusion prevention system (IPS) logs through a bi-directional security fabric to a threat intelligence platform that mixes in their existing crowd sourced data, adds the secret sauce, boils mountains of inputs down to real risks and generates a feed of threat agents that is sent back to the security fabric which automatically blocks threats in real-time throughout the network at different levels of the infrastructure.
It’s no secret that the attacks we are seeing are becoming increasingly sophisticated, and while TIP is no panacea, it will hopefully allow enterprises to minimise the impact the malicious user has on corporate networks. While no one has a crystal ball to peer in and see what 2015’s landscape will look like, one thing is for sure: hackers are becoming more sophisticated and in order to stave off data breaches, we need to be aggregating and sharing information. As the sportscasters say, the best offence is a great defence. And TIP is the latest page of the playbook.