Most experts agree that security technologies based upon signature files (DATs) alone can no longer provide adequate security protection. Why? There is simply too much malware volume so it’s harder for the security industry to keep up with the bad guys. Furthermore, polymorphic and metamorphic malware is designed to change its appearance. You can’t match a pattern if the pattern keeps changing.
Yup, signature-based technologies need help and this help often comes in the form of cloud-based security intelligence. Trend Micro was a pioneer in this area when it introduced its Smart Protection Network (SPN) several years ago. As of today, cloud-based security intelligence has become a staple that is used by most security vendors including Blue Coat, Cisco, IBM, McAfee, Symantec, and Webroot. What’s more, security intelligence is used all over the place for threat detection, IP address reputation, URL reputation, malnet research, etc.
On balance, security intelligence ubiquity is a very good thing as it utilizes Bob Metcalfe’s “network effect” to expedite data sharing. That said, there are two fundamental problems associated with security intelligence as it stands today:
- Redundancy. Rather than cooperate, security vendors often perform the same tasks (e.g. malware analysis, countermeasure development/test, intelligence sharing, etc.).
- A lack of consistency. Security vendors use different naming conventions, descriptions, formats, and communications for security intelligence proliferation.
We live in a capitalist society so I don’t expect McAfee and Symantec to get together and divvy up the work anytime soon. This means that we’ll have to live with redundancy, but the good news is that we can do something about consistency. To address this, the security community at large should embrace two standards coming from the U.S. Department of Homeland Security (DHS) and Mitre Corporation:
- Structured Threat Information Expression (STIX). As Mitre describes: “STIX is a collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.”
- Trusted Automated Exchange of Indicator Information (TAXII). TAXII “is the main transport mechanism for cyber threat information represented as STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.”
If everyone adopted STIX and TAXII, all security intelligence would appear in a common language and be easily understood (by humans and security technologies) so it would take less time to turn security intelligence into beneficial action. Additionally, security intelligence from multiple sources would become more synergistic and complementary so the value of intelligence sharing increases. In this way, we could piece together multiple characteristics about threat actors and then enhance security controls and defense-in-depth.
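As an added illustration of the consistency point (this is example code written for this page, not Mitre’s, DHS’s or any vendor’s), the block below takes two constructed vendor feeds that describe the same facts under different field names, normalizes both into STIX Indicator objects, and then matches the resulting patterns against constructed observations. It assumes the later JSON-based STIX 2.1 serialization rather than the XML form Mitre published at the time; the vendor field names, indicator values and observations are all made up for the example.

```python
import re
import uuid
from datetime import datetime, timezone
from functools import reduce

# Constructed vendor feeds: same facts, different field names. MD5 is the EICAR test string's.
VENDOR_A = [{"threat": "Trojan.Generic.1", "md5sum": "44d88612fea8a8f36de82e1278abb02f"}]
VENDOR_B = [{"name": "W32/Generic", "hash_md5": "44d88612fea8a8f36de82e1278abb02f"},
            {"name": "Backdoor.C2", "c2_ip": "198.51.100.7"}]

def _indicator(name, pattern):
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": now, "modified": now,
            "name": name, "pattern": pattern, "pattern_type": "stix", "valid_from": now}

def normalize(vendor_a, vendor_b):
    """Map both (assumed) vendor schemas onto one STIX 2.1 bundle of Indicator SDOs."""
    objs = [_indicator(r["threat"], f"[file:hashes.MD5 = '{r['md5sum']}']") for r in vendor_a]
    for r in vendor_b:
        if "hash_md5" in r:
            objs.append(_indicator(r["name"], f"[file:hashes.MD5 = '{r['hash_md5']}']"))
        if "c2_ip" in r:
            objs.append(_indicator(r["name"], f"[ipv4-addr:value = '{r['c2_ip']}']"))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}

# Single-comparison patterns only; the full STIX grammar (AND/OR, FOLLOWEDBY, WITHIN) is out of scope.
_COMPARISON = re.compile(r"^\[(?P<obj>[\w-]+):(?P<path>[\w.]+) = '(?P<val>[^']*)'\]$")
def match(bundle, observed):
    """Return (indicator name, observation) pairs whose pattern fires."""
    hits = []
    for ind in bundle["objects"]:
        m = _COMPARISON.match(ind["pattern"])
        if not m:
            continue  # unsupported pattern shape: skip rather than guess
        for obs in observed:
            # Walk the dotted object path (e.g. hashes.MD5) through nested dicts.
            val = reduce(lambda d, k: d.get(k) if isinstance(d, dict) else None,
                         m["path"].split("."), obs)
            if obs["type"] == m["obj"] and val == m["val"]:
                hits.append((ind["name"], obs))
    return hits

# Constructed STIX cyber observables from an endpoint agent and a proxy log.
OBSERVED = [{"type": "file", "hashes": {"MD5": "44d88612fea8a8f36de82e1278abb02f"}, "src": "host-17"},
            {"type": "ipv4-addr", "value": "198.51.100.7", "src": "proxy"},
            {"type": "ipv4-addr", "value": "192.0.2.10", "src": "proxy"}]

if __name__ == "__main__":
    for name, obs in match(normalize(VENDOR_A, VENDOR_B), OBSERVED):
        print(f"{name} matched observation from {obs['src']}")
```

Once both feeds are in the same shape, the same matcher serves both of them, which is the practical payoff of a common language that the post argues for.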
In aggregate, STIX and TAXII could help accelerate security intelligence sharing, improve threat prevention controls, and even automate defenses. We could gain even more benefit if we go beyond STIX and TAXII and include other Mitre standards like Cyber Observable eXpression (CybOX) and the Malware Attribute Enumeration and Characterization (MAEC) language (but I digress).
So what needs to happen to get there?
- Users need to get involved. Big organizations with lots of purchasing power should demand that their security vendors support STIX and TAXII. Financial organizations like DTCC and the FS-ISAC are already onboard. Other industry groups and individual firms should follow.
- The industry must join the parade. I was encouraged to hear that Bromium already supports STIX and TAXII, and I know others do as well. If one of the enterprise security technology leaders (i.e. Cisco, Check Point, HP, IBM, Juniper, McAfee, Palo Alto, RSA, Symantec, Trend, etc.) became a vocal leader and supporter of STIX and TAXII, others would surely follow.
- STIX and TAXII need to travel abroad. With DHS and Mitre managing the effort, it is not surprising that it looks like a US-centric effort. To overcome this barrier, government agencies and security vendors should champion STIX and TAXII to allies overseas. Additionally, STIX and TAXII should be submitted to an international standards body ASAP. Based upon my discussions with DHS and Mitre, this is in the plans.
Security technology standards have always seemed like a no-brainer. After all, we are talking about improving public safety, so everyone stands to benefit. That seems like a stretch, however, since most security organizations are not exactly Pollyannas. STIX and TAXII seem like a good compromise to me – vendors can still make money while standards support can help improve overall cyber security prevention and analysis. Seems worthwhile to me.