Relevance, collaboration helping threat intelligence shape the IT security response
- 04 May, 2015 09:33
As the merciless onslaught of data-security attacks continues to claim success after success, organisations are increasingly warming to the promise of threat intelligence in helping prevent, catch, and deal with attacks much more effectively than in the past. Yet with its reliance on large volumes of security information, threat intelligence remains out of the reach of many organisations.
Those who will prove the most effective at delivering on its promise, says one threat-response expert, will be those who are able to systematically gather, analyse and exploit large volumes of threat information – in near real-time – and share their findings with others to bolster a communal defence capable of countering the ever-changing IT security threat.
Managed security service (MSS) providers are in privileged positions when it comes to collecting this information, since they are by definition collecting and analysing information about threats as they happen. For Dell SecureWorks senior distinguished engineer Aaron Hackworth – who heads up the research division within the company's Counter Threat Unit (CTU) – it is this access to large and complex environments that provides a distinct advantage in the constant process of building a threat-intelligence response.
“We have telemetry coming in from lots of different sources and places in the world,” Hackworth explains.
“We get a lot of information about threats as they're starting to emerge. And as we see security trends changing, and we learn what our adversaries are doing, we use that to advise organisations on how to build robust security architectures.”
This advice is not only business-relevant, but it helps organisations focus their resources better than far-reaching compliance efforts in which organisations often undergo tick-the-box exercises rather than seizing real opportunities to redesign security architectures.
While compliance checklists can help focus organisational attention on the areas that need to be addressed, Hackworth says, it is the ability to temper those efforts with relevant information on current threats that helps threat-intelligence investments dramatically improve the response effort.
The CTU team – which includes a strong contingent of Australian security experts that feeds both local and global markets – uses analysis of what averages to be more than 85 billion cyber events per day in order to target deep-dive analysis of particular security issues.
“After a breach has occurred, we do deep forensic investigations of what happened and expand our information with a range of proprietary and open-source tools,” Hackworth explains. “Because we see many of the same adversaries over and over again, we can build threat profiles that describe how the actor behaves. When you've seen what they do in the past, you're likely to see it again.”
The results of these analyses are then fed into the organisational side, with MSS experts using them to adjust their own monitoring and Dell SecureWorks consultants using them to shape their ongoing engagements with the more than 4000 clients the security organisation serves.
Being part of a company as large as Dell has its own advantages, Hackworth adds, since security has become intrinsic to every other aspect of IT consulting and product manufacturing.
Real-world lessons, gleaned from real-world attacks, can therefore be fed deep into the product development cycle to progressively improve the effectiveness of future products as security enablers.
“We have ways to gather whatever technical, strategic or behavioural intelligence is required to get a full picture of what our adversaries are doing,” he says, “and we apply that to our services to reduce the time to detect and the effort to respond to future incidents."
“If you understand what your adversary is doing, or likely to do in an environment, you can mount a much better response.”
The collaborative response
By its very nature, threat intelligence becomes more and more effective based on how much information it is able to accumulate about active threats. This dynamic has led many once-independent security vendors into partnerships, and we are seeing them pool threat information for the common good. This is feeding a culture of collaboration and is now being taken to the highest level.
The strength of this collaboration was recognised at the Australian Cyber Security Centre (ACSC) 2015 Conference, where Hackworth recently presented. At the conference, he found a robust, collaboration-minded group of security experts, who are rapidly moving past the idea that threat response is best treated as a closely-guarded competitive weapon.
Australian security experts have “a rational understanding and a very centred approach to cyber security,” Hackworth says. “A lot of the same threats, faced in the US and elsewhere, are also present in Australia.”
“We all understand that we have a common adversary and have common threats that we need to deal with,” he continues. “I don't think anybody can go it alone, and to the maximum extent possible, we should all be collaborating and sharing.”
The very existence of the ACSC has been portrayed as a new beginning for the collaborative spirit, with Australian Attorney-General George Brandis calling for greater collaboration amongst public and private-sector organisations to fight their common enemy.
The promotion of the centre as a point of focus for Australia's security industry represents “a fundamental shift in the way that government wants to partner with business on cyber security,” Brandis said in remarks prepared for the conference.
While improved sharing of threat intelligence will inform a better overall industry response to the changing security threat, the way that intelligence is derived and applied will still benefit from each participating organisation's individual capabilities.
In the case of Dell SecureWorks' CTU, Hackworth believes the flexible and engaged research infrastructure – built around distinct but co-ordinated research, operations, and technology teams – is not only informing the threat-intelligence landscape but is proving remarkably adept at helping the company provide relevant, targeted and effective security guidance for all manner of client organisations.
“It's not just security hypotheticals in a vacuum,” he explains. “It's based on what we actually know from observing the adversary, and monitoring the infrastructure.”
“It's all correlated in our security operations centres and helps us make very context-rich security decisions for our clients. That makes all the difference in the world.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.
Dell SecureWorks CYBERINSIGHTS SURVEY - Go into the draw to win a GoPro Hero 3 Black Edition or to the equivalent a $500 Visa card voucher.