Saturday, April 14, 2012

Weekly status: Fusion Report five: "Subian" identified, named by Red Sky

Red Sky analysts posted Fusion Report 12-005 to the portal this week. FR12-005 details analysis of a previously unknown (by AV vendors) variant of Poison Ivy. Red Sky analysts have dubbed this version “Suibian”. The malware and TTPs associated with its use have been completely analyzed and posted to the membership for their inclusion in their own defense in depth. This is a great find!

Beyond that, here's a status for the end of the week:

  • Yesterday we added a new member to the mix. This company is a Global 200 (a $45 billion global financial). Their team is going to bring great value to the rest of the membership.
  • This week we helped an external information sharing and analysis center understand a targeted attack by providing triage reporting and analysis.
  • We held our first Threat Day. I won't rehash the day, as I blogged it previously, but it was a small, very smart group. It was a GREAT day... and the happy hour at the Ritz beforehand was fun too!
  • We've partnered with a new data source company, giving Red Sky two of the three pillar analytic capabilities that I've wished to integrate. I'm meeting with two companies next week for the third.
I keep getting questions about "What's the difference between Red Sky and an ISAC?" One of them is bullet four. I believe that it's better to have smart people feeding us the right information rather than a feed of a lot of information. Think of Red Sky as a crowd sourced CIRT (without fly-away incident response teams), with both organic analysts and peer reviewed, trusted crowd sourcing inside the membership. Soon I hope to have automated 'tipping and queuing' offering warning services when a company shows up with unexpected peering, turns up in a blog entry somewhere, or data mining shows patterns of impending trouble. It's paying off. This week I was asked to present to DHS and one other analytic/sharing organization to help them with their own information sharing capabilities. I've been doing that a lot lately. I'm glad to help. I hope it does.

More next week.
Cheers!
Jeff