Saturday, June 28, 2014

Red Sky Weekly: Quality over quantity!

I had an Intelligence Officer in the lab in Manchester a couple of weeks ago. He told me a story. Apparently, during his last rotation in-country, one of his big-data feeds didn't give him the granularity needed to accurately choose targets. So he spent most nights doing the analysis himself --deciphering the output, connecting the dots, and picking targets manually.

When I retold the story at the Gartner conference last week, I spoke of the parallels between what the Intel Officer told me, and what I hear from many, many infosec guys.

Let's try it this way. Last week I heard from a guy that he'd been approached by one of the new (newer than us) threat intelligence shops. Apparently they claimed that they had over 28 million indicators, and the number is growing daily. So let me ask you... the company has been in business for about a year.

Do you really think they've analyzed 28 million indicators?  

In less than a year in business? 

I'm throwing a yellow card!

We use open source data like many other threat intelligence shops. But we can't verify the sources or validate the analysis. Don't get me wrong, there are a few that we do consider high confidence, but... only a few. In those cases, we either know the source well, or work with the analysts. In most cases, we consider open source intelligence low confidence and use it only for situational awareness, or to pivot off of high confidence data derived from things we know.

In fact, of the last 700,000 open source indicators we've collected, we cleaned out nearly 550,000 duplicates! Add to that, some of these companies are using that same data as authoritative. One of the big data vendors we demo'd creates indices. And when we saw the data they were using on the screen during the demo, we realized that they had the same typos in the indicators that we had! They'd collected it from the same open source that we did! The difference is, we consider it low confidence information and collect it only for situational awareness. This other company calls it high confidence and uses it like a report card.

Threat Intelligence vendors are becoming ubiquitous. You can't swing a dead cat without hitting one, and the Gartner exhibition floor was no different. And sadly, the marketing message is seemingly becoming much louder than the actual message --posters everywhere, every banner, every speaker... they all know and sell cyber threat intelligence. Sadly, many still don't know the actual value, or what it means. Which is more important: to have 28,000,000 indicators of compromise that have been harvested from virtually deployed honeypots (this is the anti-virus model!)? Or would you rather have ten solid IPS rules that'll stop and drop outbound remote control channels in companies similar to yours? How many of those 28,000,000 indicators are you willing to roll up into your UTM, firewall, IPS and/or SIEM? Damn. I wouldn't want your job!

The better question isn't "how many indicators do you have?" It should be something like this...


  • "My company manufactures widgets. How do other widget companies protect themselves?"
  • "What IOCs are most effective?"
  • "Who is trying to do this to us, and what do they want?"
  • ...and finally (my favorite)... "If you have so much data, how much do you already know about my company?"


These are the questions you should be asking of your threat intelligence vendor. Not "how many indicators do you have?" 

Before I go, I'm going to quote another friend. He's currently the CTO at one of the aerospace companies. He was the head of Incident Response and Forensics when we worked together:

There are three things that every company needs to protect themselves from, in this order:
  1. Protect yourself from those things targeting your own company first.
  2. Protect yourself from those things targeting your industry second.
  3. Protect yourself from as much of everything else as possible last.

So when that next big data company stops in to boast about all of the indicators they've collected on their high speed, low drag collection system, ask them: what the hell am I supposed to do with 28,000,000 indicators? Who's going to stay up all night and boil those down to the top ten golden rules that I can implement tomorrow morning?

We do. You just have to ask. Drop me a note and I'll show you.
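Here's an added example (my own illustration, not Red Sky Alliance's tooling or anything from the author's analysts) of what the two points above look like when written down: the de-duplication of open source indicators that collapses copies differing only in defanging, case or a trailing dot, the confidence tag that keeps open source data "low" unless a known source vouches for it, and the CTO's three-tier ordering (own company, then industry, then everything else) applied when ranking what to push to a sensor first. The feed names, confidence values, scopes and indicators in it are constructed for the example.

```python
"""Normalize, de-duplicate and rank threat indicators from several feeds.

Added example; not code from Red Sky Alliance or the post's author.
Feed names, indicators, scopes and confidence values are constructed.
"""
import re
from collections import Counter

# Confidence assigned per feed (assumption for the example): open source
# feeds stay low confidence; only sources we know or work with are high.
FEED_CONFIDENCE = {
    "internal-ir": "high",        # derived from our own incident response
    "partner-analysts": "high",   # analysts we work with directly
    "osint-list-a": "low",
    "osint-list-b": "low",
}

# Ordering quoted from the CTO: targeting us > our industry > everything else.
SCOPE_RANK = {"own-company": 0, "industry": 1, "other": 2}

# Common defanging conventions seen in published indicator lists.
DEFANG = [
    (re.compile(r"^hxxps?://", re.I), lambda m: m.group(0).lower().replace("xx", "tt")),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), lambda m: "."),
    (re.compile(r"\[at\]|\(at\)", re.I), lambda m: "@"),
]

def normalize(raw):
    """Canonical form of an indicator so that copies differing only in
    defanging, case, surrounding whitespace or a trailing dot collapse."""
    s = raw.strip()
    for pat, repl in DEFANG:
        s = pat.sub(repl, s)
    return s.lower().rstrip(".")

def classify(value):
    """Rough indicator type; anything unrecognised is dropped as unparseable."""
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
        return "ipv4"
    if re.fullmatch(r"[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64}", value):
        return "hash"
    if value.startswith(("http://", "https://")):
        return "url"
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value):
        return "domain"
    return "unknown"

def merge(records):
    """records: iterable of (feed, raw_indicator, scope).
    Returns (merged, stats): merged maps normalized indicator ->
    {"type", "confidence", "scope", "sources"}; stats counts inputs,
    duplicates removed and unparseable rows dropped."""
    merged, stats = {}, Counter()
    for feed, raw, scope in records:
        stats["input"] += 1
        value = normalize(raw)
        kind = classify(value)
        if kind == "unknown":
            stats["unparseable"] += 1
            continue
        entry = merged.get(value)
        if entry is None:
            merged[value] = {"type": kind,
                             "confidence": FEED_CONFIDENCE.get(feed, "low"),
                             "scope": scope, "sources": {feed}}
            continue
        stats["duplicates"] += 1
        entry["sources"].add(feed)
        # A high-confidence source upgrades the record; a low one never downgrades it.
        if FEED_CONFIDENCE.get(feed, "low") == "high":
            entry["confidence"] = "high"
        # The narrowest scope wins: something seen targeting us outranks "industry".
        if SCOPE_RANK[scope] < SCOPE_RANK[entry["scope"]]:
            entry["scope"] = scope
    return merged, stats

def ranked(merged):
    """Own-company first, then industry, then other; high confidence before low."""
    conf_rank = {"high": 0, "low": 1}
    return sorted(merged.items(),
                  key=lambda kv: (SCOPE_RANK[kv[1]["scope"]],
                                  conf_rank[kv[1]["confidence"]], kv[0]))

# Constructed sample rows: (feed, indicator as published, scope).
SAMPLE = [
    ("osint-list-a", "hxxp://evil-example[.]test/gate.php", "other"),
    ("osint-list-b", "http://evil-example.test/gate.php", "other"),
    ("osint-list-a", "BAD-EXAMPLE.TEST.", "other"),
    ("osint-list-b", "bad-example.test", "other"),
    ("osint-list-a", "bad-exmaple.test", "other"),   # typo copied feed to feed
    ("osint-list-b", "bad-exmaple.test", "other"),
    ("partner-analysts", "198.51.100.23", "industry"),
    ("internal-ir", "198.51.100.23", "own-company"),
    ("internal-ir", "c2.widgets-example.test", "own-company"),
    ("osint-list-a", "not an indicator", "other"),
]

if __name__ == "__main__":
    merged, stats = merge(SAMPLE)
    print(dict(stats))
    for value, e in ranked(merged):
        print(f"{e['scope']:12} {e['confidence']:5} {e['type']:7} {value}  <- {sorted(e['sources'])}")
```

Run on the ten constructed rows it keeps five indicators, drops four duplicates and one unparseable row, and puts the IP seen in our own incident response at the top. Note what it does not do: the misspelled domain that two open source lists copied from each other survives as its own low-confidence record, which is exactly why a source count from a merged open source feed should not be read as independent corroboration.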

BT BT

Gartner was awesome as usual. While I don't always agree with the analysts (in fact, often I don't), the audience is largely CISOs and the vendors are generally really high quality. This was my fourth year, and it did not disappoint. Except for the sales guy who was miffed that I wouldn't spend my junior analyst's salary to sponsor a booth next year, it was really great seeing some of the new companies, the growth of old companies, marriages of great companies, and having so many incredible conversations with CISOs, all there looking for the same thing --the way forward; an edge on increasing threats; help in dealing with some of the hardest issues CISOs have faced to date.

On the analytic side, the team is busy or on vacation. It seemed like the right time: the week before the 4th of July. Even with two guys out this week, we published a couple of reports on the upcoming 'Week of Terror', wrapped up some internal R&D, initiated an exciting new partnership (more on that later!), and made a bunch of new friends!

It's 7:40 and the grass is getting taller by the second. Time to fire up the Kubota!

So until next time,
Have a great weekend!
Jeff