The Problem with Collecting, Processing, and Analyzing More Security Data

Security teams collect a heck of a lot of data today. ESG research indicates that 38% of organizations collect, process, and analyze more than 10 terabytes of data as part of security operations each month. What types of data? The research indicates that the biggest data sources include firewall logs, log data from other types of security devices, log data from networking devices, data generated by AV tools, user activity logs, application logs, etc.


Toward Strategic and Proactive Threat Intelligence Programs

In 2015, ESG did an in-depth research project on cyber threat intelligence usage at enterprise organizations (i.e., more than 1,000 employees). The goal of this project was to determine how large firms were using threat intelligence, what challenges they faced, how they were addressing these challenges, and what their strategies were moving forward.

The research revealed that many threat intelligence programs were relatively immature – 40% of threat intelligence programs had been in place less than 2 years at that time. Cybersecurity professionals were also asked to identify the top objectives for their organization’s threat intelligence program. The top results were as follows:

Undercurrent RSA Conference Theme: Security Technology Integration

Just a few days until the start of the RSA Conference and I expect an even bigger event than last year – more presentations, vendors, cocktail parties, etc. The conference will likely focus on security technologies like endpoint security, cloud security, threat intelligence, IAM, and others which I described in a recent blog.


Federal Cybersecurity Duplicity

As part of a whistle-stop tour of Northern California, President Obama held a White House Summit on Cybersecurity and Consumer Protection at Stanford University last Friday. Much to the delight of the Silicon Valley crowd, the President signed an executive order (right there on stage at Stanford) to promote data sharing about digital threats. The summit also highlighted industry leaders like Apple CEO Tim Cook, and large critical infrastructure organizations like Bank of America and Pacific Gas & Electric Co.


Anticipating Black Hat

RSA 2014 seems like ancient history and the 2015 event isn’t until next April. No worries, however: the industry is set to gather in the Las Vegas heat next week for cocktails, sushi bars, and oh yeah – Black Hat.

Now Black Hat is an interesting blend of constituents consisting of government gumshoes, Sand Hill Rd. Merlot-drinking VCs, cybersecurity business wonks, “beautiful mind” academics, and tattooed hackers – my kind of crowd! As such, we aren’t likely to hear much about NIST frameworks, GRC, or CISO strategies. Alternatively, I am looking forward to deep discussions on:

  • Advanced malware tactics. Some of my favorite cybersecurity researchers will be in town to describe what they are seeing “in the wild.” These discussions are extremely informative and scary at the same time. This is where industry analysts like me learn about the latest evasion techniques, man-in-the-browser attacks, and whether mobile malware will really impact enterprise organizations.
  • The anatomy of various security breaches. Breaches at organizations like the New York Times, Nordstrom, Target, and the Wall Street Journal receive lots of media attention, but the actual details of attacks like these are far too technical for business publications or media outlets like CNN and Fox News. These “kill chain” details are exactly what we industry insiders crave as they provide play-by-play commentary about the cybersecurity cat-and-mouse game we live in.
  • Threat intelligence. All of the leading infosec vendors (i.e., Blue Coat, Cisco, Check Point, HP, IBM, Juniper, McAfee, RSA, Symantec, Trend Micro, Webroot, etc.) have been offering threat intelligence for years, yet threat intelligence will be one of the major highlights at Black Hat. Why? Because not all security and/or threat intelligence is created equally. Newer players like BitSight, Crowdstrike, iSight Partners, Norse, RiskIQ, and Vorstack are slicing and dicing threat intelligence and customizing it for specific industries and use cases. Other vendors like Fortinet and Palo Alto Networks are actively sharing threat intelligence and encouraging other security insiders to join. Finally, there is a global hue and cry for intelligence sharing that includes industry standards (i.e. CybOX, STIX, TAXII, etc.) and even pending legislation. All of these things should create an interesting discourse.
  • Big data security analytics. This is an area I follow closely that is changing on a daily basis. It’s also an interesting community of vendors. Some (i.e., 21CT, ISC8, Leidos, Lockheed-Martin, Norse, Palantir, Raytheon, etc.) come from the post-9/11 “total information access” world, while others (Click Security, HP, IBM, Lancope, LogRhythm, RSA, etc.) are firmly rooted in the infosec industry. I look forward to a lively discussion about geeky topics like algorithms, machine learning, and visual analytics.

Large Organizations Need Open Security Intelligence Standards and Technologies

A few years ago, Trend Micro announced that it would enhance its on-site AV products with cloud-based intelligence it called the “Smart Protection Network” (SPN). I’m not sure if Trend was the first, but it certainly wasn’t the last vendor to embrace this type of architecture. In fact, just about everyone now has a toe in the cloud-based security intelligence pool. For example, Blue Coat promotes its WebPulse security intelligence, Cisco champions its Security Intelligence Operations (SIO), and Symantec trumpets DeepSight. Security intelligence sharing initiatives (like CISPA) are also a big part of the Federal government’s cybersecurity initiatives.

What does cloud-based security intelligence entail? In many cases, it takes advantage of the proverbial “network effect” (sometimes referred to as Metcalfe’s law and attributed to Ethernet inventor Bob Metcalfe). According to Wikipedia, “Metcalfe’s law states that the value of a telecommunications network is proportional to the square of the number of connected users of the system (n²).” Each instance of the vendor’s product acts as a sensor for security intelligence (i.e., malware detection, rogue URL detection, rogue application detection, etc.). The vendor then implements a cloud repository to publish, analyze, and distribute this information to all other customer nodes around the network.
