Saturday, October 10, 2015


IOCs are easy.  Any number of folks can feed you IOCs all day long.  You can't swing a dead cat without hitting a vendor who aggregates hundreds of thousands of them from open sources every day and calls themselves an intelligence shop.  I'm not saying they don't do some of their own work, but literally, within minutes, crank up an EC2 instance, write a few pieces of code, and voilà --IOCs in a container. Add a search engine, a way to push them out, and all of a sudden you've got yourself a security feed.

Everybody needs them right?

IOCs are a mandatory piece of the information security landscape. UTMs and IPSs are the largest segment of the security business right now. And what do you feed them? IOCs.

So what's my point?

IOCs are great. You can buy tons of them from any number of sources on any given day. Here's the rub --how many can your UTM or IPS handle? A million? 10 million? 500 million?  When IOCs change, sometimes minute by minute, can you pump these things into your systems in a never-ending stream of real-time feeds? Would you even want to? It's becoming just silly. It's like the little Dutch boy who keeps sticking his finger in the dike hoping to make the water stop coming through.. he doesn't have enough fingers!  And worse, as an intel provider, some customers like to measure the effectiveness of their provider(s) on IOC volume! And while that works great for some companies, remember, they too must spend time to ensure that the IOCs they pump into their systems are, in fact, the ones most likely to result in a dropped bad inbound or outbound connection.

How does an organization make sense of it all? With context. And here's the thing.. anyone who knows me has heard me say this hundreds of times --What's old is new again. What the heck does that mean? It means this... every risk management process, as far back as I can remember, measures risk based on information brought in that tells the practitioner what the risk is, why that risk is important and where it should be prioritized in the stack. The most important risk gets mitigated, minimized, or transferred first. It's that simple. The next important happens next, and so on.

How do we know which IOCs get pushed to our security tools first? By understanding which of those IOCs are attached to the wolf closest to your sled. And how do you know that? By reading context, by receiving a heads-up when something important happens, and by having someone else in your neighborhood watch (Red Sky Alliance or others) tell you what's happening.

So here's the bottom line folks... companies who have their oh sh*t moment --that moment when they realize they've got a problem; start out as voracious consumers of IOCs... they'll eat anything; and then they find out that they need help qualifying them. The false positives are overwhelming. As they become a bit more mature, they learn to qualify them before they get pumped into their systems. At some point, they get really good at qualifying them and they learn to grow their own --they become intelligence producers; a bit higher on the maturity scale. 
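As an added example that is not from the original post and not Wapack Labs or Red Sky Alliance code, here is a small Python sketch of the qualification step described above: merge duplicate IOCs across feeds, score each one by context (provider confidence, freshness, whether it is tagged as targeted at your sector, whether a trusted neighbor vouched for it), and push only as many of the top-ranked ones as a capacity-limited UTM or IPS can hold. The feed entries, tag names, source names and weights are all constructed for illustration; a real deployment would tune them against its own false-positive history.

```python
"""Rank a flood of IOCs by context and fit them to a device's capacity.

Added illustrative example, not the blog author's or Wapack Labs' code.
All feed entries, source names, tag names and weights are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline (constructed).
NOW = datetime(2015, 10, 10, tzinfo=timezone.utc)


@dataclass
class IOC:
    value: str            # the indicator itself (IP, domain, hash)
    ioc_type: str         # "ip", "domain" or "sha256"
    confidence: int       # provider confidence, 0-100
    last_seen: datetime   # when the provider last saw it active
    sources: set = field(default_factory=set)  # feeds that reported it
    tags: set = field(default_factory=set)     # context, e.g. "targeted", "sector:finance"


def dedupe(iocs):
    """Merge the same indicator reported by several feeds: keep the highest
    confidence, the newest sighting, and the union of sources and tags."""
    merged = {}
    for ioc in iocs:
        key = (ioc.ioc_type, ioc.value.strip().lower())
        if key in merged:
            m = merged[key]
            m.confidence = max(m.confidence, ioc.confidence)
            m.last_seen = max(m.last_seen, ioc.last_seen)
            m.sources |= ioc.sources
            m.tags |= ioc.tags
        else:
            merged[key] = IOC(key[1], ioc.ioc_type, ioc.confidence,
                              ioc.last_seen, set(ioc.sources), set(ioc.tags))
    return list(merged.values())


def score_ioc(ioc, now, my_sectors, trusted_sources, max_age_days=30):
    """Context score: higher means push first. Stale indicators score 0.
    Weights are illustrative assumptions, not a published formula."""
    age_days = (now - ioc.last_seen).days
    if age_days > max_age_days:
        return 0.0
    score = ioc.confidence / 100.0
    freshness = 1.0 - age_days / max_age_days          # 1.0 today .. 0.0 at max age
    score *= 0.5 + 0.5 * freshness                      # decay, but never below half
    if "targeted" in ioc.tags:                          # the wolf closest to the sled
        score *= 2.0
    if any(f"sector:{s}" in ioc.tags for s in my_sectors):
        score *= 1.5
    if ioc.sources & trusted_sources:                   # someone in the neighborhood watch vouched
        score *= 1.25
    return round(score, 4)


def select_for_device(iocs, capacity, now, my_sectors, trusted_sources, min_score=0.2):
    """Return (pushed, held_back, dropped): what fits in the device, what
    qualified but did not fit, and what failed qualification outright."""
    ranked = sorted(
        ((score_ioc(i, now, my_sectors, trusted_sources), i) for i in dedupe(iocs)),
        key=lambda t: (-t[0], t[1].value),
    )
    qualified = [(s, i) for s, i in ranked if s >= min_score]
    pushed = [i.value for _, i in qualified[:capacity]]
    held_back = [i.value for _, i in qualified[capacity:]]
    dropped = [i.value for s, i in ranked if s < min_score]
    return pushed, held_back, dropped


def sample_feed(now=NOW):
    """Constructed sample: four indicators from three feeds, one duplicated."""
    return [
        IOC("203.0.113.7", "ip", 90, now - timedelta(days=1), {"feed-x"},
            {"targeted", "sector:finance"}),
        IOC("bad.example", "domain", 40, now - timedelta(days=20), {"osint-aggregator"}),
        IOC("203.0.113.7", "ip", 70, now, {"neighborhood-watch"}, {"targeted"}),
        IOC("a" * 64, "sha256", 95, now - timedelta(days=60), {"feed-x"}),
        IOC("c2.example", "domain", 60, now - timedelta(days=5), {"neighborhood-watch"},
            {"sector:energy"}),
    ]


def rank_feed():
    """Scores for the sample feed, highest first, as (score, value) pairs."""
    ranked = [(score_ioc(i, NOW, {"finance"}, {"neighborhood-watch"}), i.value)
              for i in dedupe(sample_feed())]
    return sorted(ranked, key=lambda t: (-t[0], t[1]))


def demo(capacity=2):
    """Fit the sample feed into a device that only has room for `capacity` rules."""
    return select_for_device(sample_feed(), capacity, NOW, {"finance"}, {"neighborhood-watch"})


if __name__ == "__main__":
    for score, value in rank_feed():
        print(f"{score:7.4f}  {value}")
    pushed, held, dropped = demo()
    print("push:", pushed, "| hold:", held, "| drop:", dropped)
```

With a device that holds two rules, the targeted finance indicator that two feeds agree on goes first, the fresh neighbor-sourced C2 domain second, the low-confidence three-week-old domain is held for later, and the 60-day-old hash is dropped as stale however high its original confidence was. The point is the ordering, not the weights: any scoring you adopt should be checked against what your tools actually dropped.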

So where do you get context? Where's the easy button?

Red Sky Alliance and Wapack Labs

Skip some of those steps and learn lessons from others who've had their oh sh*t moment before you. Wapack Labs produces intelligence, context, IOCs, Snort, and YARA rules --every piece of work is tied to a primary-sourced piece of analysis, and grown from there.  Red Sky Alliance is the place where you get answers from others --privately.

Need more? Use an MSSP? Ask us. We've partnered with a couple of great MSSPs. They handle the 24x7 monitoring, the 15-minute SLAs, triage --all of the wonderful things you'd expect from them. At the same time, we get to watch the glass, monitoring for targeted threats to your company, performing what we call 'second level analysis', and feeding that second level analysis back to the MSSP to allow them to provide you with an individualized security offering.  MSSPs are not intelligence organizations, but when they partner with Wapack Labs, you get the best of both worlds.  Your MSSP not a partner? Tell them to reach out. We'll hook 'em up.

Gotta jet.. Early day. Kids are hiking today with school.

So until next time,
Have a great Columbus Day weekend!
I'll be back in the saddle on Tuesday!
