This is an emerging area of information security. However, it is a very important one because it likely, in one form or another, will shape the future of how we protect our enterprises in an era where the perimeter is disappearing and the adversary is becoming ever more clever and powerful. One may be tempted to wonder why we took so long to absorb the reality of how vital it was to understand what the adversary is planning in advance of the plan's execution. The answer - though not the solution - is pretty simple: lack of technology and apparent lack of need.
Starting with the apparent lack of need: Until the past couple of years, it seemed that simply watching the trend of malware technology was enough. The advent of advanced persistent threats (APTs) brought on the realization that there needs more to cyber defense than reversing malware. It was not until practitioners became painfully aware that the adversary was evolving rapidly into something they'd never seen before: a professional cyber war fighting force. That didn't mean that the bad actors all were preparing to wage cyber war on other nations. But what it did mean was that the adversary was beginning to think in different terms about malicious cyberactivity.
Some of these new ways of approaching a cyberattack included significant planning, reconnaissance and preparing the battlefield. That meant, in simple terms, that the attacker would determine a target, learn about the target at a fairly deep level, and then slowly and patiently penetrate the target, sometimes without taking any immediate action. The concept of lateral movement through an enterprise became commonplace when, up to that time, nobody had any idea what was going on once the attacker penetrated. Mandiant and the APT-1 investigation was an eye-opener for many security pros. It showed that a new approach to cyber conflict was afoot.
It became immediately obvious that a new defense mode was necessary if defenders would hope to accomplish the task of protecting the enterprise. That required that defenders understood a lot about the adversary in addition to the attacker's TTPs. However, one of the problems in that regard was that it was pretty easy for the bad guys to hide in plain view. The quantity of packets and message streams on the internet at any one time is beyond prodigious. It truly does meet the definition of Big Data, and that means that special analytics are necessary to address the velocity, variability, volume and veracity of more than a fire hose of data.
Also, useful tools needed to be constantly adapting to changes in the adversary's behavior. Since the changes often could be capricious, machine learning was a must-have. Then there was the challenge of all of these data simply generating more - but different - data in nearly equal quantities. Tools needed to, put simply, find as many needles as necessary (how many is that?), in a huge (how huge?) stack of needles posed a really big challenge. It was clear that just being a really good software engineer was nowhere near enough.
The result, for those companies that have made inroads into this new market area, was a mix of intelligence pros - many from military and intelligence organizations in countries around the world - and experienced security software developers. While there are not a lot of players in this new arena yet, we are convinced that there will be and the companies in this month's Group Test review may well be among the leaders. That posed a problem for us as to how we should select and evaluate the participants. All of the vendors this month are predominantly cloud-based - though some also have on-premises versions - and their tools all are next generation. That means that they can work with Big Data and have advanced algorithmic analysis and machine learning. That's a big order.
At the end of the day, you'll find that these vendors tend to take different approaches to getting the job done. So, as we have seen before, you may want to consider more than a single tool for your SOC analysts. Here in the SC Labs we use nearly a dozen tools that are a mix of the types of tools you'll see this month - simple analytic tools, tools that seek both closed and open source intelligence, and visualization tools. We've combined these with a honeypot, deception network and sinkhole.
You may not want - or need - to go to that depth but you should evaluate carefully how you will use your threat and intelligence tools and where they fit in your security stack. Actionability is the key. It's not enough to know. You have to be able to take action and that means that you might need to have an active link between your intel tools and your security stack. Also, these tools are expensive, so be sure that you analyze your requirements and shop wisely.
Specifications for threat and intelligence analysis tools ●=yes ○=no
| Product | Anomali | CounterTack | Cyjax | CrowdStrike | SurfWatch Labs |
| Covers the Dark Web (closed source intelligence) | ○ | ○ | ● | ● | ● |
| Live analysts in | ○ | ○ | ● | ● | ● |
| Focus on threat analysis | ● | ● | ● | ● | ● |
| Focus on threat | ● | ● | ● | ● | ● |
| Integrates with SIEM | ● | ● | ● | ● | ● |
| Integrates with IDS/IPS | ● | ○ | ● | ● | ○ |
| Integrates via API | ● | ○ | ● | ● | ○ |
| API | ● | ● | ● | ● | ● |
| Accepts open source (free) threat feeds | ● | ● | ● | ○ | ○ |
| if so, how many are | 123 |
| 3 |
|
|
| Accepts commercial (paid) threat freeds | ● | ● | ● | ○ | ● |
| If so, how many are | 26 | Unlimited | 2 |
|
|
| Ability to customize | ○ | ● | ● | ● | ● |
| Consumes/generates STIX files | ● | Can integrate | ● | ○ | ● |
