How many vendor phone calls do you dodge every day? One of the most consistent calls that I receive is from
vendors selling the latest, greatest “Threat Intelligence” product. If you are not familiar with threat
intelligence, it is the aggregation of suspicious or known malicious information
from multiple sources around the world.
This information is then used to warn subscribers of the impending
threats. It is a way for a subscriber of
a particular service to achieve “actionable intelligence” about an impending
threat. Sounds neat!
However, I have heard at least one brave webcaster declare
that threat intelligence is a steaming pile of dung. This is a bold statement
in a world that seems over-run with constant news of cyber-attacks and an even
louder tocsin by the public about the urgency to stop it.

In a recent meeting with a threat intelligence provider, I
too am starting to hold my nose when I am given the pitch about threat
intelligence.

Most of the threat intelligence vendors will proudly speak
of information sharing, that is, when they see a pattern of malicious traffic
forming against one of their clients, they will share that information amongst
the threat intelligence feed to their other clients.
We are all aware by now of the unprecedented DDoS attack
against Brian Krebs in mid-September. This
attack was the largest DDoS ever witnessed on the internet; traffic clocked at
620Gbps was aimed at Brian Krebs’ server. We all felt threatened that such an attack could be so
easily carried out by using all of the unsecured IoT devices out there. We were all equally shocked at Akamai’s
initial response to dump Brian, yet we understood the difficult business decision
that they had to make to protect their paying customers.
So, why am I all of a sudden holding my nose about threat
intelligence? A vendor was demonstrating
their “superior threat intelligence product” and part of their presentation
included a boastful commentary about how they saw the attack against Krebs
forming before it took place. Their excellent intelligence gathering
capabilities allowed them to see the attack against Akamai in formation.
Allow that to sink in for a moment.
Here are some questions for that vendor: Are you actually
boasting that you stood idly by when you witnessed the formation of the
greatest attack to date against the entire internet?
And this model you are selling derives its power from
information sharing?
The incongruence of ideology here is somewhat baffling. It is sort of like boasting about your superior
powers in space defense, yet when an asteroid capable of an extinction-level
event is heading towards the planet, you choose to stand by because it will not
impact your country. What is the logical
or ethical sense of that?
I understand business decisions, and how sharing with a
competitor is generally considered a poor business decision, but if threat
intelligence companies won’t share their information with another intelligence
company in the greater interest of the preservation of the internet, why should
they expect anyone to subscribe to their sharing and intelligence service? Threat intelligence sharing should start at the top.
Guest Author: Art Logan