Saturday, October 10, 2015


IOCs are easy. Any number of folks can feed you IOCs all day long. You can't swing a dead cat without hitting a vendor who aggregates hundreds of thousands of them from open sources every day and calls themselves an intelligence shop. I'm not saying they don't do some of their own work, but literally, within minutes, crank up an EC2 instance, write a few pieces of code, and voilà --IOCs in a container. Add a search engine, a way to push them out, and all of a sudden you've got yourself a security feed.

Everybody needs them right?

IOCs are a mandatory piece of the information security landscape. UTMs and IPSs are the largest segment of the security business right now. And what do you feed them? IOCs.

So what's my point?

IOCs are great. You can buy tons of them from any number of sources on any given day. Here's the rub --how many can your UTM or IPS handle? A million? 10 million? 500 million? When IOCs change, sometimes minute by minute, can you pump these things into your systems in a never-ending stream of real-time feeds? Would you even want to? It's becoming just silly. It's like the little Dutch boy who keeps sticking his finger in the dike hoping to make the water stop coming through... he doesn't have enough fingers! And worse, as an intel provider, some customers like to measure the effectiveness of their provider(s) on IOC volume! And while that works great for some companies, remember, they too must spend time to ensure that the IOCs they pump into their systems are, in fact, the ones most likely to result in a dropped bad inbound or outbound connection.

How does an organization make sense of it all? With context. And here's the thing... anyone who knows me has heard me say this hundreds of times --What's old is new again. What the heck does that mean? It means this... every risk management process, as far back as I can remember, measures risk based on information brought in that tells the practitioner what the risk is, why that risk is important, and where it should be prioritized in the stack. The most important risk gets mitigated, minimized, or transferred first. It's that simple. The next most important happens next, and so on.

How do we know which IOCs get pushed to our security tools first? By understanding which of those IOCs are attached to the wolf closest to your sled. And how do you know that? By reading context, by receiving a heads-up when something important happens, and by having someone else in your neighborhood watch (Red Sky Alliance or others) tell you what's happening.
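The prioritization the last few paragraphs describe (drop what is stale, weight what is tied to your sector and what your neighborhood watch has reported, then push only as many indicators as the UTM or IPS can actually hold) can be written down as a small ranking step. The following is an added example, not code from this post or from Wapack Labs or Red Sky Alliance; the scoring weights, the `OrgProfile` fields, the peer-group name and the sample indicators (documentation-range addresses and a `.test` domain) are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IOC:
    """One indicator as a feed would hand it to you."""
    value: str
    kind: str            # "ip", "domain", "sha256"
    confidence: int      # 0-100, as reported by the feed
    last_seen: datetime  # last time the feed saw it active
    sources: frozenset   # feeds or sharing peers that reported it
    tags: frozenset      # sectors or campaigns the analysis tied it to
    context: str = ""    # the analyst note, if the feed supplied one


@dataclass(frozen=True)
class OrgProfile:
    """What 'the wolf closest to your sled' means for this organization."""
    sector: str
    peer_group: str                         # hypothetical sharing-community name
    max_age: timedelta = timedelta(days=30)  # older than this is treated as stale


def score_ioc(ioc: IOC, profile: OrgProfile, now: datetime) -> float:
    """Rank score: 0.0 for stale indicators, higher means push it first.

    Assumed weighting (not the post's): feed confidence, decayed linearly
    with age, boosted when the indicator is tied to our sector, when a
    sharing peer reported it, when it carries context, and when several
    independent sources corroborate it.
    """
    age = max(now - ioc.last_seen, timedelta(0))
    if age > profile.max_age:
        return 0.0
    freshness = 1.0 - age / profile.max_age
    relevance = 1.0
    if profile.sector in ioc.tags:
        relevance += 1.0          # aimed at our sector
    if profile.peer_group in ioc.sources:
        relevance += 1.0          # the neighborhood watch flagged it
    if ioc.context:
        relevance += 0.25         # there is a primary-sourced note to read
    corroboration = 0.5 + 0.5 * (min(len(ioc.sources), 3) / 3)
    return ioc.confidence * freshness * relevance * corroboration


def build_push_list(iocs, profile: OrgProfile, now: datetime, capacity: int):
    """Split indicators into (pushed, deferred, dropped) lists of values.

    'pushed' is the top `capacity` live indicators for a device that can
    hold that many; 'deferred' are live but did not fit; 'dropped' are stale.
    """
    live = [(score_ioc(i, profile, now), i) for i in iocs]
    dropped = [i.value for s, i in live if s == 0.0]
    ranked = sorted((pair for pair in live if pair[0] > 0.0),
                    key=lambda pair: pair[0], reverse=True)
    pushed = [i.value for _, i in ranked[:capacity]]
    deferred = [i.value for _, i in ranked[capacity:]]
    return pushed, deferred, dropped


# Constructed sample data (not real indicators): documentation address
# ranges and a reserved .test domain, dated around the post's publication.
NOW = datetime(2015, 10, 10, tzinfo=timezone.utc)
PROFILE = OrgProfile(sector="financial", peer_group="peer-group-A")
SAMPLE_IOCS = [
    IOC("203.0.113.10", "ip", 90, NOW - timedelta(days=1),
        frozenset({"feed-a", "peer-group-A"}), frozenset({"financial"}),
        context="C2 reported by a peer during a campaign against banks"),
    IOC("198.51.100.7", "ip", 95, NOW - timedelta(days=45),
        frozenset({"feed-a"}), frozenset({"retail"})),           # stale
    IOC("bad-host.test", "domain", 60, NOW - timedelta(days=10),
        frozenset({"feed-b"}), frozenset({"retail"})),
    IOC("aa" * 32, "sha256", 80, NOW - timedelta(days=2),
        frozenset({"feed-a", "feed-b", "feed-c"}), frozenset({"financial"})),
    IOC("192.0.2.44", "ip", 99, NOW - timedelta(days=29),
        frozenset({"feed-c"}), frozenset()),                     # nearly expired
]

if __name__ == "__main__":
    pushed, deferred, dropped = build_push_list(SAMPLE_IOCS, PROFILE, NOW, capacity=2)
    print("push now :", pushed)
    print("deferred :", deferred)
    print("dropped  :", dropped)
```

Run as a script it prints the two indicators that fit a device with room for two entries, the live ones that did not fit, and the stale one that was dropped. The point of the example is the shape of the decision, not the particular weights: a high-confidence indicator that is 45 days old or has nothing to do with your sector loses to a moderately rated one that a peer just reported against your industry, which is exactly what counting IOC volume hides.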

So here's the bottom line folks... companies who have their oh sh*t moment (that moment when they realize they've got a problem) start out as voracious consumers of IOCs... they'll eat anything; and then they find out that they need help qualifying them. The false positives are overwhelming. As they become a bit more mature, they learn to qualify them before they get pumped into their systems. At some point, they get really good at qualifying them and they learn to grow their own --they become intelligence producers, a bit higher on the maturity scale.

So where do you get context? Where's the easy button?

Red Sky Alliance and Wapack Labs

Skip some of those steps and learn lessons from others who've had their oh sh*t moment before you. Wapack Labs produces intelligence, context, IOCs, Snort and YARA rules --every piece of work is tied to a primary-sourced piece of analysis, and grown from there. Red Sky Alliance is the place where you get answers from others --privately.

Need more? Use an MSSP? Ask us. We've partnered with a couple of great MSSPs. They handle the 24x7 monitoring, the 15-minute SLAs, triage --all of the wonderful things you'd expect from them. At the same time, we get to watch the glass, monitoring for targeted threats to your company, performing what we call 'second level analysis', and feeding that second level analysis back to the MSSP to allow them to provide you with an individualized security offering. MSSPs are not intelligence organizations, but when they partner with Wapack Labs, you get the best of both worlds. Your MSSP not a partner? Tell them to reach out. We'll hook 'em up.

Gotta jet... Early day. Kids are hiking today with school.

So until next time,
Have a great Columbus Day weekend!
I'll be back in the saddle on Tuesday!

Tuesday, October 06, 2015

Back in the Saddle Again

I am back from four days of upland game hunting and brook trout fly fishing in Western Colorado. We shot plenty of game birds that we plan to cook and serve to our friends. We carefully released all of the Brookies for other anglers' enjoyment. I watched wild turkeys eat crab apples from the tree top and mule deer does and fawns visit the pond for water. No one talked business or politics. The weather was beautiful and the company was great. The most amazing thing about the experience was that there were no TVs, newspapers, Internet or cell service for the entire trip.
Upon my return to my desk this morning, I spent a couple of hours catching up on emails and returning calls. And now it is as if I had not left at all. I scanned my news groups and saw that one of the companies I had an outstanding proposal for services with suffered a major breach. It took law enforcement to inform the company of their loss of nearly 5 million customer records. I am a soft-sell guy and I hope that our company's value proposition can help close a sale without me becoming a pest. Since this is a financial company, I can imagine the lawyers are circling, just like foxes circling a wounded game bird that can no longer fly.
I contacted the company today and asked if it would be a good time for us to provide a threat briefing about what we know about that type of intrusion and, hopefully, a review of our outstanding proposal. I was told that the information security team was too busy to consider an hour-long GoToMeeting session. I was also told that the company had plenty of information security feeds and my proposal was no longer a priority. I paused and replied, "Maybe they are not receiving the right subscription feed?" I have not heard back from my reply; I may never hear back…
I speak with Information Security Officers from government departments/agencies, organizations and companies every week. Most of the time, another salesman has already sold a contract and I have the opportunity to contact them at a later date. Well, that is sales. As a decision maker, are you receiving what you want? Do you really understand what you need to combat today's cyber criminals? We track the cyber criminals, their tools and their associations. Since we have been in cyber intelligence and information security sharing for over four years, we may already have a line on your nightmare. I am happy to schedule a session where you can ask these questions of some of my team members. They are not salespeople, only a small group of dedicated professionals who will look out for your best interests.

Please feel free to contact me at or call me on my cell phone at 314-422-8185, it is turned on.