Most Recent Blogs

The Problem with Collecting, Processing, and Analyzing More Security Data

Posted: September 21, 2017   /   By: Jon Oltsik   /   Tags: Cybersecurity, SIEM, TAXII, STIX, Splunk, SOAPA, CIM

Security teams collect a heck of a lot of data today. ESG research indicates that 38% of organizations collect, process, and analyze more than 10 terabytes of data as part of security operations each month. What types of data? The research indicates that the biggest data sources include firewall logs, log data from other types of security devices, log data from networking devices, data generated by AV tools, user activity logs, application logs, etc.


Toward Strategic and Proactive Threat Intelligence Programs

Posted: March 27, 2017   /   By: Jon Oltsik   /   Tags: Cybersecurity, threat intelligence, TAXII, STIX, cyber threat intelligence, ISAC

In 2015, ESG did an in-depth research project on cyber threat intelligence usage at enterprise organizations (i.e., more than 1,000 employees). The goal of this project was to determine how large firms were using threat intelligence, what challenges they faced, how they were addressing these challenges, and what their strategies were moving forward.

  • The research revealed that many threat intelligence programs were relatively immature – 40% of threat intelligence programs had been in place less than 2 years at that time. Cybersecurity professionals were also asked to identify the top objectives for their organization’s threat intelligence program. The top results were as follows:

Undercurrent RSA Conference Theme: Security Technology Integration

Posted: April 17, 2015   /   By: Jon Oltsik   /   Tags: Network Security, TAXII, STIX, FIDO, vulnerability management

Just a few days until the start of the RSA Conference and I expect an even bigger event than last year – more presentations, vendors, cocktail parties, etc. The conference will likely focus on security technologies like endpoint security, cloud security, threat intelligence, IAM, and others which I described in a recent blog.


Federal Cybersecurity Duplicity

Posted: February 19, 2015   /   By: Jon Oltsik   /   Tags: Cybersecurity, Kaspersky Lab, TAXII, STIX, president obama, cyberwar

As part of a whistle-stop tour of Northern California, President Obama held a White House Summit on Cybersecurity and Consumer Protection at Stanford University last Friday. Much to the delight of the Silicon Valley crowd, the President signed an executive order (right there on stage at Stanford) to promote data sharing about digital threats. The summit also highlighted industry leaders like Apple CEO Tim Cook, and large critical infrastructure organizations like Bank of America and Pacific Gas & Electric Co.


Anticipating Black Hat

Posted: August 01, 2014   /   By: Jon Oltsik   /   Tags: IBM, Check Point, Palo Alto Networks, Fortinet, Cisco, Data Management & Analytics, Information and Risk Management, Juniper, HP, McAfee, Enterprise Software, Security and Privacy, Crowdstrike, Lockheed Martin, Black Hat, trend micro, RiskIQ, 21CT, Leidos, Norse, CybOX, BitSight, Symantec, RSA, TAXII, ISC8, Blue Coat, STIX, Webroot

RSA 2014 seems like ancient history and the 2015 event isn’t until next April. No worries, however, the industry is set to gather in the Las Vegas heat next week for cocktails, sushi bars, and oh yeah – Black Hat.

Now Black Hat is an interesting blend of constituents consisting of government gumshoes, Sand Hill Rd. Merlot-drinking VCs, cybersecurity business wonks, “beautiful mind” academics, and tattooed hackers – my kind of crowd! As such, we aren’t likely to hear much about NIST frameworks, GRC, or CISO strategies. Alternatively, I am looking forward to deep discussions on:

  • Advanced malware tactics. Some of my favorite cybersecurity researchers will be in town to describe what they are seeing “in the wild.” These discussions are extremely informative and scary at the same time. This is where industry analysts like me learn about the latest evasion techniques, man-in-the-browser attacks, and whether mobile malware will really impact enterprise organizations.
  • The anatomy of various security breaches. Breaches at organizations like the New York Times, Nordstrom, Target, and the Wall Street Journal receive lots of media attention, but the actual details of attacks like these are far too technical for business publications or media outlets like CNN and Fox News. These “kill chain” details are exactly what we industry insiders crave as they provide play-by-play commentary about the cybersecurity cat-and-mouse game we live in.
  • Threat intelligence. All of the leading infosec vendors (e.g., Blue Coat, Cisco, Check Point, HP, IBM, Juniper, McAfee, RSA, Symantec, Trend Micro, Webroot, etc.) have been offering threat intelligence for years, yet threat intelligence will be one of the major highlights at Black Hat. Why? Because not all security and/or threat intelligence is created equally. Newer players like BitSight, Crowdstrike, iSight Partners, Norse, RiskIQ, and Vorstack are slicing and dicing threat intelligence and customizing it for specific industries and use cases. Other vendors like Fortinet and Palo Alto Networks are actively sharing threat intelligence and encouraging other security insiders to join. Finally, there is a global hue and cry for intelligence sharing that includes industry standards (e.g., CybOX, STIX, TAXII, etc.) and even pending legislation. All of these things should create an interesting discourse.
  • Big data security analytics. This is an area I follow closely that is changing on a daily basis. It’s also an interesting community of vendors. Some (e.g., 21CT, ISC8, Leidos, Lockheed-Martin, Norse, Palantir, Raytheon, etc.) come from the post-9/11 “total information access” world, while others (Click Security, HP, IBM, Lancope, LogRhythm, RSA, etc.) are firmly rooted in the infosec industry. I look forward to a lively discussion about geeky topics like algorithms, machine learning, and visual analytics.

Large Organizations Need Open Security Intelligence Standards and Technologies

Posted: November 21, 2013   /   By: Jon Oltsik   /   Tags: Cisco, Information and Risk Management, Security and Privacy, Security, SIEM, trend micro, Norse, Symantec, TAXII, Blue Coat, STIX, security intelligence, CISO, Anti-malware

A few years ago, Trend Micro announced that it would enhance its on-site AV products with cloud-based intelligence it called the “Smart Protection Network” (SPN). I’m not sure if Trend was the first, but it certainly wasn’t the last vendor to embrace this type of architecture. In fact, just about everyone now has a toe in the cloud-based security intelligence pool. For example, Blue Coat promotes its WebPulse security intelligence, Cisco champions its Security Intelligence Operations (SIO), and Symantec trumpets DeepSight. Security intelligence sharing initiatives (like CISPA) are also a big part of the Federal government’s cybersecurity initiatives.

What does cloud-based security intelligence entail? In many cases, it takes advantage of the proverbial “network effect” (sometimes referred to as Metcalfe’s law and attributed to Ethernet inventor Bob Metcalfe). According to Wikipedia: Metcalfe's law states that the value of a telecommunications network is proportional to the square of the number of connected users of the system (n²). Each instance of the vendor’s product acts as a sensor for security intelligence (e.g., malware detection, rogue URL detection, rogue application detection, etc.). The vendor then implements a cloud repository to publish, analyze, and distribute this information to all other customer nodes around the network.

