Why am I talking about boxing? Because so, I'm afraid, like Duran, are many of our network defenders are feeling beaten down.
I talked with two companies this week who both seemed to have been flat out exhausted. In both cases, the sheer volume of data simply overwhelmed them. In both cases, they've resolved to the fact that intelligence (more intelligence) simply isn't going to help their situation --and in both cases, they've given in to the fact that they are being successfully breached on a regular basis. And more? They're being compromised multiple times per day. Even more, the idea that the sheer flood of data has turned these otherwise really smart guys into folks who've thrown in the towel is turning into a story that I'm hearing more and more.
So what's the next step? More big data? More feeds? No. The companies are suffering from information overload with no real means of prioritizing their efforts. And with new supply chain regulations in effect, and insider threat regulations coming into reality quickly, the simple fact is this... CSOs and CISOs need better information, not more information.
Years ago I blogged about the work required to manage the supply of data from bugtraq. I realize I'm dating myself, and I'm sure I'm not the only one who remembers trying to figure out how to watch every single emerging bug that came out on from the listserv, and I'm certain I'm not the only one who combed through other sources --like USENET messaging and the FIRST emails on a daily basis, but even with that small dataset, on a daily basis, the idea was simply this... bugtraq sometimes cranked out 400+ pieces of vulnerability data daily. An SOC guy would spend about an hour every day simply scanning ever piece of information. Add to that the idea that if a quarter of those were actionable, that SOC, network manager, or heck, even a swarm of techies couldn't keep with the needs of even a small network.
Now think about the amount of data being called 'intelligence' that comes in today.
With dozens of aggregators out there cranking millions of pieces of data, let's face it, there's no way in hell that even the most efficient security team could keep up. One team told me that they collect over a million pieces of new information weekly --and I think that number is probably a little on the light side. Automation helps, but rarely prioritizes actions to be taken by the responsible CISO.
So what's the answer? Better information, not just more information.
Current practice looks like this... buy a vendor get a feed. Every vendor has backend intelligence (if they don't, don't buy it). There are some excellent choices out there. Cisco, Palo Alto, FireEye, Crowdstrike --all great choices. The process (optimized process) looks like this --collect intelligence, compare the intelligence to exposed systems, pathways, etc., and then patch those systems or close the pathways. As more intel comes in, more fixes need to be installed. When you're receiving a million pieces of intelligence per week, the question becomes this... what to fix first?
Sometimes you just know --that system is really important, or the owner of that system is really gonna be pissed if I don't get if fixed. You know from an internal perspective why the most important system may be the most important system, but what about from an external perspective?
The smarter question that intelligence should attempt to answer is not what's that vendor seeing? Rather, what is coming after you?
To answer this question, most companies establish an internal intelligence team. You need someone a bit more specialized in their view. Someone who can focus on prioritizing efforts for you. You need analysis that can take that massive list of data that comes from the aggregation of other's lists or the intel that comes from those truly outstanding vendors, and turn it into a work process that you can actually manage.
This is where Wapack Labs comes in. While many receive general subscription information, Wapack Labs has processes in place to allow companies to understand what's coming after them. We've contracted with organizations to be, or assist internal intelligence teams to ensure that the tsunami of intelligence information is focused on your needs, not the rest of the world.
You've heard this from me before... In a bar fight? Fight the guy in front of you first. Then fight his friends. Don't, worry about all of the other bar fights going on in the world. Someone else is going to take care of them... until they come to your bar.
And when you need help? Compare notes? Red Sky(R) Alliance is the place you ask for help. Jump in, get questions answered from folks who've done it before.
It's been another fantastic week --although a bit slower. Two guys on travel in Vegas --I hope you enjoyed meeting my partner, co-founder, and CFO, Jim McKee. Jim doesn't get out much, but when he does, he shakes hands with anyone who'll take it --and then tells our story. I stayed back, working in the BWI/DC area for a few days. It was actually a nice break from travel. Back to NH next week.
And the team? We've been publishing explanations and mitigations for the rash of SSL activities that have been running around. We also published a report on Netsky (a customer request), an updated version of iRAT, and published Targeteer(R) (DOX) reports on three African guys that we believe to be planting code in networks. If you've ever been victimized by key loggers, you'll want to read that Targeteer(R) report.
Want to know more? Check out the new website or give us a call 844-4-WAPACK.
I'm waiting for the snow in MD --and fly fishing in VA tomorrow when it warms up!
So until next time,
Have a great weekend!