Saturday, August 20, 2016

By the numbers


What's the graphic? VirusTotal detections over a 24-hour period, ranked by the number of times each engine detected a submission.

Why should you care?

I read the Wall Street Journal every morning. Most mornings (depending on time) I also read USA Today and a bunch of security news. USA Today isn't as much on my required reading as the WSJ, primarily because much of USA Today's news comes from the Associated Press, and many of the other papers available use the same news services. The WSJ also uses some of them, but also provides their own reporting. There is a small overlap in reporting, but I've got to read two papers, plus my security reading, to feel like I have enough information.

The same holds true with cyber intelligence.

We're partnered with Anomali, and we like them --for the most part, but one thing struck me yesterday as we were looking at their marketplace. We were dropped in the middle of the app marketplace pack, our logo sat very close to one antivirus vendor that we'd recently tested our indicators against, and I thought it odd.

Why? Because when tested, they detected only 14% of our indicators of compromise! You read that right... 14%!

You see, we've been testing our finished intel against some of the AV and endpoint companies, and here's what we found. Their words, not ours:
  • We tested 3000 lines with a global AV vendor over two weeks during the holidays last year. They detected only 18% of our feed.
  • In June, we tested a sample of data that was almost two years old with another company --a California-based AV and endpoint company. In this two-year-old sample, they detected only 7% of what we'd provided them.
  • And when they didn't believe our stuff was real, we pulled fresh information, straight off the wire, and tried it again. They detected 14%.
In previous tests, we were compared to two network security companies using our network-based indicators (Snort rules, IPs, etc.) with the same results.

Why? Many 'intelligence' companies buy data from aggregation companies --who dump a bunch of data together in a blob in EC2 and resell it over and over and over --and many of the companies that you buy from today use the same data. Most of it comes directly from open sources on the internet --rarely tailored for the actual customer who's buying in. Many of the lower-detection products shown in the graphic SHARE the same indicator information. It's a cheap way to make a product --great for revenues, bad for the buyer. You might as well go buy your security tools at Bob's Discount Furniture. You'll have better luck with a hardwood door on your datacenter than you would by relying on those old reused indicators!

We're a bit different. We have an information sharing group who, for the most part, can do the analysis on their own. They just want our raw data. But for others, we take their security requirements, go find sources of information that would give us the answers, collect the data, answer the questions in the form of intelligence (futures thinking) or analysis (post-incident), and feed it back in a useful way --human readable, delimited, JSON, STIX/TAXII. It's called the intelligence cycle, and it's targeted by the company.

In all three tests, the companies were given information that we directly observed or pulled from our own collections/analysis. The results were provided by them, to us, in a decision process to figure out if they should OEM our indicators in their reputation lists. In both cases, the companies didn't purchase our stuff because they had such a low detection rate! HELLO?!

If you're receiving our Cyber Indications and Warning Reporting in the Red Sky portal, you'll never see the companies at the bottom of the list show up in the top five. And now you know why... they aggregate data instead of hunting for it smartly and analyzing it before sending it out... and I don't mean data science. I mean good old-fashioned QA.

The upside? You can be protected from the other 84% that they didn't see. If you don't want to buy it from us (starts at $40/month), there are several companies that use our intel to protect their customers. Wapack Labs is built into Solutionary, AT&T's MSSP, Arbor, FlowTraq, E&Y, and Morphick. We're also available for purchase through Anomali, ThreatQuotient and ThreatConnect.

Look, friends don't let friends buy junk. Give us a shout. Let me show you how we're different.

Want to get a feel for what we write about? Have a look at the Wapack Labs blog. Every technical report shown in the blog has indicators that were derived by us for a customer. We share them out so others may benefit.

OK folks. I've got a Sleep Number bed to return. My back is killing me.
It's not going to take itself apart!
Have a great weekend!
Jeff