When I retold the story at the Gartner conference last week, I spoke of the parallels between what the Intel Officer told me, and what I hear from many, many infosec guys.
Let's try it this way. Last week I heard from a guy that he'd been approached by one of the new (newer than us) threat intelligence shops. Apparently they claimed that they had over 28 million indicators, and the numbers are growing daily. So let me ask you... the company has been in business for about a year.
Do you really think they've analyzed 28 million indicators?
In less than a year in business?
I'm throwing a yellow card!
We use open source data like many other threat intelligence shops. But we can't verify the sources or validate the analysis. Don't get me wrong, there are a few that we do consider high confidence, but... only a few. In those cases, we either know the source well, or we work with the analysts. In most cases, we consider open source intelligence low confidence and use it only for situational awareness, or to pivot off of high confidence data derived from things we know.
In fact, of the last 700,000 open source indicators we've collected, we cleaned out nearly 550,000 duplicates! Add to that, some of these companies are using it as authoritative. One of the big data vendors we demo'd creates indices. And when we saw the data that they were using on the screen during the demo, we realized that they had the same typos in the indicators that we had! They'd collected it from the same open source that we did! The difference is, we consider it low confidence information and collect it only for situational awareness. This other company calls it high confidence and uses it like a report card.
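The collect, normalize, de-duplicate and confidence-tag step described above, as an added example that is not the author's tooling: the feed names, indicator values and per-source confidence mapping are all constructed, and the duplicates and the out-of-range "IP" mimic what happens when several lists copy the same upstream data, typos included.

```python
"""Normalize and de-duplicate open-source indicator feeds, tagging each
indicator with the confidence of the best source that reported it."""
from collections import defaultdict
import ipaddress
import re

# Constructed sample feed: (source, raw indicator). Sources and values are
# hypothetical. Three lists carry the same host and the same IP in different
# spellings, and two lists share an impossible IPv4 address (octet 300).
CONSTRUCTED_FEED = [
    ("osint-list-a", "Evil-Example[.]com"),
    ("osint-list-b", "evil-example.com."),
    ("osint-list-c", "hxxp://evil-example.com/"),   # same host, defanged URL
    ("osint-list-a", "198.51.100.7"),
    ("osint-list-b", "198[.]51[.]100[.]7"),          # defanged copy
    ("osint-list-c", "198.51.100.7 "),               # trailing whitespace
    ("osint-list-a", "198.51.100.300"),              # typo: not a valid IPv4
    ("osint-list-b", "198.51.100.300"),              # ...copied verbatim
    ("partner-ir-team", "c2.example.net"),
]

# Confidence is assigned per source, not per indicator: anonymous open-source
# lists are situational awareness only; a partner's own IR findings rank high.
SOURCE_CONFIDENCE = defaultdict(lambda: "low", {"partner-ir-team": "high"})
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


def normalize(raw):
    """Return (kind, canonical_value), or None if the indicator is malformed."""
    s = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    s = re.sub(r"^https?://", "", s).split("/")[0].rstrip(".")
    labels = s.split(".")
    if all(label.isdigit() for label in labels):
        # All-numeric labels: treat as IPv4 and accept only what parses.
        try:
            return ("ipv4", str(ipaddress.IPv4Address(s)))
        except ipaddress.AddressValueError:
            return None  # out-of-range octet: a typo, not an indicator
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", s):
        return ("domain", s)
    return None


def dedupe(feed):
    """Collapse duplicates, keep the highest confidence seen per indicator,
    and count what was dropped along the way."""
    seen = {}
    stats = {"raw": 0, "malformed": 0, "duplicates": 0}
    for source, raw in feed:
        stats["raw"] += 1
        norm = normalize(raw)
        if norm is None:
            stats["malformed"] += 1
            continue
        conf = SOURCE_CONFIDENCE[source]
        if norm in seen:
            stats["duplicates"] += 1
            entry = seen[norm]
            entry["sources"].add(source)
            if CONFIDENCE_RANK[conf] > CONFIDENCE_RANK[entry["confidence"]]:
                entry["confidence"] = conf
        else:
            seen[norm] = {"kind": norm[0], "value": norm[1],
                          "confidence": conf, "sources": {source}}
    return list(seen.values()), stats


def duplicate_ratio(stats):
    """Share of well-formed entries that were duplicates of something already seen."""
    well_formed = stats["raw"] - stats["malformed"]
    return stats["duplicates"] / well_formed if well_formed else 0.0


if __name__ == "__main__":
    indicators, stats = dedupe(CONSTRUCTED_FEED)
    print(stats, "duplicate ratio: %.2f" % duplicate_ratio(stats))
    for ind in indicators:
        print(ind["kind"], ind["value"], ind["confidence"], sorted(ind["sources"]))
```

Only the partner-reported indicator comes out high confidence; the three-source agreement on evil-example.com adds nothing to its confidence, because the lists copied each other rather than independently observing it.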
Threat Intelligence vendors are becoming ubiquitous. You can't swing a dead cat without hitting one, and the Gartner exhibition floor was no different. And sadly, the marketing message is seemingly becoming much louder than the actual message: posters everywhere, every banner, every speaker... they all know and sell cyber threat intelligence. Sadly, many still don't know the actual value, or what it means. Which is more important: to have 28,000,000 indicators of compromise that have been harvested from virtually deployed honeypots (this is the anti-virus model!)? Or would you rather have ten solid IPS rules that'll stop and drop outbound remote control channels in companies similar to yours? How many of those 28,000,000 indicators are you willing to roll up into your UTM, firewall, IPS and/or SIEM? Damn. I wouldn't want your job!
The better question isn't "how many indicators do you have?" It should be something more like this...
- "My company manufactures widgets. How do other widget companies protect themselves?"
- "What IOCs are most effective?"
- "Who is trying to do this to us, and what do they want?"
- ...and finally (my favorite)... "If you have so much data, how much do you already know about my company?"
These are the questions you should be asking of your threat intelligence vendor. Not "how many indicators do you have?"
Before I go, I'm going to quote another friend... he's currently the CTO at one of the aerospace companies. He was the head of Incident Response and Forensics when we worked together:
There are three things that every company needs to protect themselves from... in this order:
- Protect yourself from those things targeting your own company first.
- Protect yourself from those things targeting your industry second.
- Protect yourself from as much other as possible last.
We do. You just have to ask. Drop me a note and I'll show you.
It's 7:40 and the grass is getting taller by the second. Time to fire up the Kubota!
So until next time,
Have a great weekend!