Cloud-based threat intelligence, predictive threat detection and advanced security event management have become hot topics in the past few years. Though marketing names and specific features differ by vendor, the core function of detection products is to leverage global threat and attack data to provide a view into attacks as they happen -- and even, in some cases, before they happen.
Determining whether or not cloud-based threat intelligence services make financial sense for your company requires a cost/benefit analysis and input from stakeholders.
By aggregating data from sources around the world, these vendors claim to be able to identify even hard-to-detect attacks: those that are highly complex, targeted, persistent and/or "low and slow." On paper, the services look appealing, but how well do they actually perform in practice? Are they worth the money customers are spending on them? That's what we'll discuss in this tip.
What is a global threat intelligence service?
The most important factor that dictates the success of any service of this type is the data: The more data there is, the better the results available. Vendors get data in two main ways: as feeds from their customer base and by observing and monitoring activity on the Internet. Capturing data is the (relatively) easy part. The tricky part is sifting through the extraordinary volume of information to find suspect patterns and anomalous activity indicative of an attack or other suspicious security incident.
Traffic pattern anomalies are one indicator of attack. For example, if a vendor sees a spike of inbound traffic to a server or cluster of servers in Belarus, the security operations center (SOC) engineers can investigate whether the traffic is legitimate or whether it is tied to malicious activity, such as victims responding to a fast-moving phishing campaign or a surge of command-and-control traffic from already-deployed remote-control tools. Alternatively, the service provider may use proprietary heuristics or preconfigured rules and correlation techniques to parse the activity automatically and decide whether it is suspicious.
Attacks aren't always so easy to detect, however. The so-called "low-and-slow" application attacks, and attacks distributed across many requests or delivered through graphics files and Flash applications, are harder to identify. Cloud intelligence can help here, too. Because the vendors are monitoring reports from both their customer base and Internet-wide activity, they are in a position to see targeted malicious activity against a customer or set of customers that is not moving fast enough to look anomalous in any single customer's traffic, let alone across all Internet traffic.
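The two detections described in the preceding paragraphs, a traffic spike against one destination and a "low and slow" source that only stands out when activity is aggregated across customers, as a worked example. This is added illustration code, not from the original article or any vendor's product; the flow records, tenant names and thresholds are constructed for the example (the IP addresses are from the RFC 5737 documentation ranges).

```python
"""Two detections a cross-customer threat-intelligence service can run that a
single tenant cannot: (1) a traffic spike against one destination, measured
against that destination's own hourly baseline, and (2) a "low and slow"
source that touches many tenants at a rate too low to alarm any one of them.
Example code written for this article; the flow records are constructed."""
from collections import Counter, defaultdict
from statistics import median

# Constructed flow records: (UTC timestamp, tenant, source IP, destination IP).
FLOWS = []

def _add(ts, tenant, src, dst, n=1):
    for _ in range(n):
        FLOWS.append((ts, tenant, src, dst))

# Baseline: about 5 connections/hour to 198.51.100.7 at tenant "acme" ...
for hour in range(0, 6):
    _add(f"2012-12-01T{hour:02d}:00:00", "acme", "203.0.113.10", "198.51.100.7", 5)
# ... then 60 connections in hour 06: the spike.
_add("2012-12-01T06:00:00", "acme", "203.0.113.10", "198.51.100.7", 60)

# Low and slow: one source probes six different tenants, two hits each,
# spread over a week. No single tenant sees more than a trickle.
for i, tenant in enumerate(["acme", "globex", "initech", "umbrella", "hooli", "tyrell"]):
    _add(f"2012-12-0{i + 1}T12:00:00", tenant, "203.0.113.66", f"198.51.100.{20 + i}", 2)


def detect_spikes(flows, factor=5, min_count=20):
    """Flag (destination, hour) buckets whose connection count is at least
    `factor` times the median hourly count for that destination AND at
    least `min_count`, so a quiet host going from 1 to 5 is not an alert."""
    per_dst_hour = Counter((dst, ts[:13]) for ts, _, _, dst in flows)  # ts[:13] = YYYY-MM-DDTHH
    by_dst = defaultdict(dict)
    for (dst, hour), n in per_dst_hour.items():
        by_dst[dst][hour] = n
    alerts = []
    for dst, hours in by_dst.items():
        if len(hours) < 3:
            continue  # not enough history to call anything a baseline
        baseline = median(hours.values())
        for hour, n in sorted(hours.items()):
            if n >= min_count and n >= factor * baseline:
                alerts.append({"dst": dst, "hour": hour, "count": n, "baseline": baseline})
    return alerts


def detect_low_and_slow(flows, min_tenants=3, max_per_tenant=10):
    """Flag sources seen at >= `min_tenants` different tenants while sending
    <= `max_per_tenant` connections to any one of them. Each tenant alone
    sees a handful of hits; only the aggregated view links them."""
    per_src_tenant = Counter((src, tenant) for _, tenant, src, _ in flows)
    tenants_by_src = defaultdict(dict)
    for (src, tenant), n in per_src_tenant.items():
        tenants_by_src[src][tenant] = n
    alerts = []
    for src, tenants in tenants_by_src.items():
        if len(tenants) >= min_tenants and max(tenants.values()) <= max_per_tenant:
            alerts.append({"src": src, "tenants": sorted(tenants), "total": sum(tenants.values())})
    return alerts


if __name__ == "__main__":
    print("spikes:", detect_spikes(FLOWS))
    print("low-and-slow (all tenants):", detect_low_and_slow(FLOWS))
    # Run over one tenant's data only, the slow scanner disappears.
    acme_only = [f for f in FLOWS if f[1] == "acme"]
    print("low-and-slow (acme alone):", detect_low_and_slow(acme_only))
```

The last two lines make the article's point concrete: run the same rule over a single tenant's flows and the slow scanner produces no alert at all, because it never exceeds any per-tenant threshold; it is visible only to whoever holds the aggregate.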
Some vendors also provide reputational awareness as part of their service. If a site is brand new or has been associated with fraud in the past, it will have a lower "reputation" value compared to a site that has been online for years with no associated fraud. Requests to sites with a low reputational ranking can be automatically blocked while traffic to trusted sites is passed through without interference.
Most cloud threat intelligence service vendors regularly release free cybercrime reports. Potential customers can read these to get an idea of the kind of threats the vendor is detecting and also gain insight into their overall approach to the threat intelligence detection space.
Are the services worth the investment?
This question is a little trickier to address. Each company must first look at what it is hoping to accomplish with the use of cloud-based threat intelligence services, then determine the quality of the data and, finally, weigh the overall investment.
Below are eight important questions to answer when evaluating the value of cloud-based threat intelligence services:
- What business problem are we trying to solve with this service?
- What kind of data is the provider collecting?
- How is the provider disseminating that data to its customer base?
- Will we be able to leverage that data rapidly to block, prevent or slow down attacks?
- Are there alternatives that meet the same business need? (Example: information sharing communities)
- Do we have the in-house staff and expertise to perform the same threat intelligence functions?
- What is the vendor's track record with finding and preventing threat activity?
- Do we need these kinds of services for partner agreements, regulatory requirements or other compliance initiatives?
Determining whether cloud-based threat intelligence services make financial sense for your company will require a cost/benefit analysis and input from stakeholders on executive, audit and risk management teams. Efficacy and approaches among the vendors vary, but gathering attack intelligence from both a broad customer base and Internet traffic patterns around the globe provides a unique view into threat activity that cannot be replicated using internal traffic alone. As attacks grow ever more complex and sophisticated, having an intelligence tool like a cloud-based threat intelligence service will, for many organizations, make good threat prevention sense.
About the author
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
This was first published in December 2012