Relevance, collaboration helping threat intelligence shape the IT security response

As the merciless onslaught of data-security attacks continues to claim success after success, organisations are increasingly warming to the promise of threat intelligence in helping prevent, catch, and deal with attacks much more effectively than in the past. Yet with its reliance on large volumes of security information, threat intelligence remains out of the reach of many organisations.

Those who will prove the most effective at delivering on its promise, says one threat-response expert, will be those who are able to systematically gather, analyse and exploit large volumes of threat information – in near real-time – and share their findings with others to bolster a communal defence capable of countering the ever-changing IT security threat.

Managed security service (MSS) providers are in privileged positions when it comes to collecting this information, since they are by definition collecting and analysing information about threats as they happen. For Dell SecureWorks senior distinguished engineer Aaron Hackworth – who heads up the research division within the company's Counter Threat Unit (CTU) – it is this access to large and complex environments that provides a distinct advantage in the constant process of building a threat-intelligence response.

“We have telemetry coming in from lots of different sources and places in the world,” Hackworth explains.

“We get a lot of information about threats as they're starting to emerge. And as we see security trends changing, and we learn what our adversaries are doing, we use that to advise organisations on how to build robust security architectures.”

This advice is not only business-relevant; it also helps organisations focus their resources better than far-reaching compliance efforts, in which organisations often undergo tick-the-box exercises rather than seizing real opportunities to redesign their security architectures.

While compliance checklists can help focus organisational attention on the areas that need to be addressed, Hackworth says, it is the ability to temper those efforts with relevant information on current threats that helps threat-intelligence investments dramatically improve the response effort.

The CTU team – which includes a strong contingent of Australian security experts serving both local and global markets – draws on an average of more than 85 billion cyber events per day to target its deep-dive analysis of particular security issues.

“After a breach has occurred, we do deep forensic investigations of what happened and expand our information with a range of proprietary and open-source tools,” Hackworth explains. “Because we see many of the same adversaries over and over again, we can build threat profiles that describe how the actor behaves. When you've seen what they do in the past, you're likely to see it again.”

The results of these analyses are then fed into the organisational side, with MSS experts using them to adjust their own monitoring and Dell SecureWorks consultants using them to shape their ongoing engagements with the more than 4000 clients the security organisation serves.

Being part of a company as large as Dell has its own advantages, Hackworth adds, since security has become intrinsic to every other aspect of IT consulting and product manufacturing.

Real-world lessons, gleaned from real-world attacks, can therefore be fed deep into the product development cycle to progressively improve the effectiveness of future products as security enablers.

“We have ways to gather whatever technical, strategic or behavioural intelligence is required to get a full picture of what our adversaries are doing,” he says, “and we apply that to our services to reduce the time to detect and the effort to respond to future incidents.”

“If you understand what your adversary is doing, or likely to do in an environment, you can mount a much better response.”

The collaborative response

By its very nature, threat intelligence becomes more effective the more information it can accumulate about active threats. This dynamic has led many once-independent security vendors into partnerships in which they pool threat information for the common good, feeding a culture of collaboration that is now being taken to the highest level.

The strength of this collaboration was recognised at the Australian Cyber Security Centre (ACSC) 2015 Conference, where Hackworth recently presented. At the conference, he found a robust, collaboration-minded group of security experts, who are rapidly moving past the idea that threat response is best treated as a closely-guarded competitive weapon.

Australian security experts have “a rational understanding and a very centred approach to cyber security,” Hackworth says. “A lot of the same threats, faced in the US and elsewhere, are also present in Australia.”

“We all understand that we have a common adversary and have common threats that we need to deal with,” he continues. “I don't think anybody can go it alone, and to the maximum extent possible, we should all be collaborating and sharing.”

The very existence of the ACSC has been portrayed as a new beginning for the collaborative spirit, with Australian Attorney-General George Brandis calling for greater collaboration amongst public and private-sector organisations to fight their common enemy.

The promotion of the centre as a point of focus for Australia's security industry represents “a fundamental shift in the way that government wants to partner with business on cyber security,” Brandis said in remarks prepared for the conference.

While improved sharing of threat intelligence will inform a better overall industry response to the changing security threat, the way that intelligence is derived and applied will still benefit from each participating organisation's individual capabilities.

In the case of Dell SecureWorks' CTU, Hackworth believes the flexible and engaged research infrastructure – built around distinct but co-ordinated research, operations, and technology teams – is not only informing the threat-intelligence landscape but is proving remarkably adept at helping the company provide relevant, targeted and effective security guidance for all manner of client organisations.

“It's not just security hypotheticals in a vacuum,” he explains. “It's based on what we actually know from observing the adversary, and monitoring the infrastructure.”

“It's all correlated in our security operations centres and helps us make very context-rich security decisions for our clients. That makes all the difference in the world.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.