Check Point plots to disrupt threat intelligence market with new IntelliStore feeds

Is crowdsourcing for cash the next security gold?

Security giant Check Point has launched a pioneering new market for real-time security threats it hopes will offer a way for smaller third-party security firms to embed their intelligence on cyberattacks and malware attacks directly into the real-time filtering applied by the company's security products.

Called ThreatCloud IntelliStore, the idea behind the initiative is a logical next step for the ThreatCloud threat sharing system announced two years ago. That aggregated attack intelligence from Check Point's own customers as a way of offering herd immunity; IntelliStore takes the same principle but extends it to a cottage industry of small security firms that gather often very high-quality intelligence on attacks in their respective niches.

The problem is that nobody gets to hear about this intelligence unless they happen to be a customer of that firm, leaving much of this important data stranded inside threat systems where each accumulates a small part of a much larger attack puzzle.

The technology behind IntelliStore has the potential to be disruptive for the security industry on a number of levels although at the company's annual CPX show in Barcelona this week the firm's management was keen to set more modest goals.

A major theme is simply the admission that acquiring broad intelligence on cyberattacks, especially targeted campaigns, is now almost impossible for even the largest players in the security industry, Check Point included. IntelliStore offers a standardised and automated mechanism for small firms to improve Check Point's own intelligence as part of a common pool.

Check Point lined up the first tranche of partners for the launch, including iSIGHT Partners, CrowdStrike, IID, NetClean, PhishLabs, SenseCy, and ThreatGrid, some of which are better known than others but all of which specialise in documenting different types of security threat.

Currently, nobody else has a market like this so Check Point has stolen a lead for the time being if - and only if - it can make good on the second disruption promised by IntelliStore, namely that adding third-party attack intelligence actually makes the firm's security systems better at spotting threats.

Exactly how this happens depends on the type of feed being supplied. Some generate researched data on complex threats and targeted attacks, others simply a fingerprint of a specific type of attack, for instance, a phishing campaign. Check Point takes this data and adds it to the filtering it applies on its security gateways, on paper at least boosting their security effectiveness.

There is, of course, another disruptive effect in play here which has as much to do with the security industry as the protection sold to customers. Currently, the industry is incredibly fragmented, not only in the multiplying layers of technology it offers but in the firms themselves. Many stay small because they can't find new customers rapidly enough to grow beyond their niche of expertise.

IntelliStore could offer a way out. Each security partner sets a price for the intelligence they are feeding to Check Point (which Techworld understands will be competitive), which in turn offers this to its large customer base. If a customer decides it wants a subset of the third-party protection on offer, the partner gets revenue it would otherwise not get and Check Point gets a cut too.

What nobody, including Check Point, knows is what appetite there is for this kind of service let alone how Check Point's customers will get a sense of what they have bought by licensing extra threat intelligence from one or more of the parties. How do they see the benefit?

"You see it in the logs, you see all the events that were blocked," said Check Point founder and CEO, Gil Shwed, during a series of briefings at the CPX show.

It might be more user-friendly if subscribers received some kind of report although you suspect that Check Point's typical large enterprise customer actually enjoys paying people to peer at log files for a living. Not everyone will necessarily be that log-centric.

Partners remain upbeat about the potential. A good example of this is iSIGHT Partners, a small US boutique specialising in selling threat feed data to Fortune 100 firms on a daily basis.

"It's a way to get to a market we can't reach direct. There is an ease-of-use component to this because it takes away the pain for the customer. It is turning our intelligence into actionable intelligence," said iSIGHT's SVP products and technology, Sean Catlett.

That's perhaps the biggest disruption of all; feeding intelligence through ThreatCloud potentially solves the bane of this industry which is that large organisations are overwhelmed with news of threats they can't easily or cheaply translate into protection. They are aware of threats but don't have the resources to do much about it.

For another IntelliStore partner, Swedish firm NetClean, the technology is simply a means to find more customers and spread its brand. The company is highly-regarded for its technology used to 'fingerprint' images of child abuse for use in police investigations, but admits that it is never going to be a mainstream system for most organisations. However, if those same organisations can apply digital fingerprints to the files passing in and out of Check Point's gateways without having to do anything, it believes it could be on to a winner.

"We like to see ourselves as having something that everyone should have. This should be as natural as antivirus," said CEO, Christian Berg. "By riding on the Check Point ecosystem it's going to be easier for the customer to get our technology."

Is child porn really a big deal in most firms? According to Berg, around 2 in 1,000 employees is using a company PC to look at child sexual abuse images, sometimes moved around on USB sticks as a way of circumventing filtering security.

In the end, this remains Check Point's project, part of a larger attempt to project one of the largest pure security firms in the industry as an open platform and not simply another company that puts security software inside expensive boxes. It calls this 'Software Defined Protection'.

"Intelligence is becoming important but the ability to translate it into actions almost doesn't exist today. That is what IntelliStore is trying to create. They [customers] can translate IntelliStore into prevention."

"IntelliStore is a good way to start the market. It gives us a big edge because Check Point is the first and so far the only vendor that provides this," he said. Will Check Point's rivals legitimise the idea with threats markets of their own?
