Security Intelligence = Table Stakes

Smart security practitioners know they can no longer rely on their vendors to provide the intelligence they need to deal with today's attacks

Mike Rothman, Analyst & President, Securosis

September 25, 2012

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Evidently you can't be a player in the security market without some kind of security "intelligence," which is a fancy term for research. Two or three threat reports hit my inbox every week, many coming from vendors I've never heard of. If I wanted to read all of the reports issued each week, I wouldn't have time for anything else. Clearly the hype around intelligence is reaching a fever pitch, but isn't this more repackaged marketing hyperbole? Hasn't every security vendor had a research capability forever? Why is this any different?

To be clear, at surface level, it's not any different. Security research has been a mainstay since the AV vendors fielded teams of interns sitting in closets somewhere building signatures for the samples they got from the Wild List. A different but similar set of security researchers emerged when IDS devices needed to be fed with current signatures. But ultimately these first generation of researchers were all about keeping the signature databases up to date.

Obviously signatures aren't the way to detect much of anything nowadays. But that aspect of research (analyzing bad crap) hasn't changed that much, though the scale clearly has. Now a research team needs fancy big data engines, racks and racks of spindles, and hundreds of millions of sensors out there to stay on top of the bad stuff. That's a bit tongue in cheek, since the data analysis tools used by today's researchers are necessarily bigger because they have to deal with A LOT more data. This data needs to be normalized and correlated to see the patterns. So from that perspective security research continues to evolve.

The real difference between security research and security intelligence is the intel aspect. This was a concept I first learned over a decade ago when the research team at TruSecure had folks that actually penetrated hacker networks. They even trained a dude to speak Russian, so he could figure out what they were going to attack next. Guys like Brian Krebs now do this every day, but amazingly enough that was pretty novel back then. Of course, spy craft is maybe the third oldest profession, so the concept isn't new, but this practice hasn't always been commonplace in computer security.

Now every vendor has folks that troll around carder forums. They try to buy malware and subscribe to the DDoSaaS (yes, you can buy a denial of service attack as a service) offerings to track the tactics. They crowd-source attacks and try to shorten the window between when interesting malware shows up and when it's detected. They write up long reports to prove how smart they are. And they don't share anything interesting: That stuff they keep for themselves (and presumably their customers). Don't get me started on the "value" of intelligence as a reason to hoard it.

This is all good and well for the vendors, and it's even better for PR flacks and beat reporters who have an endless stream of uninteresting findings to drive page views. But targeted organizations out there need to take it one step further. The leading edge (dare I say "lean forward") practitioners are building their own security intel functions. Sure, they buy data from the vendors. But they take that data and apply it to their environment. These folks study their adversaries. They profile them and they learn their tactics. These folks realize they are in a battle. Maybe it's against a nation state, organized crime, or maybe even their competitors. And they are taking proactive steps to try to figure out what's coming. They no longer rely on the age old security tactic of reacting to what's already happened.

In fact, I believe we'll see a much bigger demand for security intelligence data moving forward which ultimately will change the perceived value of security products/services. Right now, the intelligence makes the product/service better. It's not something organizations buy as a stand-alone. Over time, as we see the increasing commoditization of inspection and policy enforcement, the value of vendors bring will be more about the knowledge they provide and less about their hardware or software agents.

A possibly unfortunate side effect will be furthering the gap between the security haves and have-nots. Putting more organizations below Wendy's security poverty line. But that's life. The rich get richer and the rest have their IP sold to the highest bidder.

So you have a choice. Do you continue to invest in stuff that doesn't work, or do you think a bit about the inflection Rich Mogull describes?

As always, the choice is not yours, it remains with your executives. Now is the time to start helping them understand why an internal security intelligence capability is table stakes in today's environment.

Mike Rothman is president of Securosis and author of The Pragmatic CSO

About the Author

Mike Rothman

Analyst & President, Securosis

Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and compliance. Mike is one of the most sought after speakers and commentators in the security business and brings a deep background in information security. After 20 years in and around security, he's one of the guys who "knows where the bodies are buried" in the space.

Starting his career as a programmer and a networking consultant, Mike joined META Group in 1993 and spearheaded META's initial foray into information security research. Mike left META in 1998 to found SHYM Technology, a pioneer in the PKI software market, and then held VP Marketing roles at CipherTrust and TruSecure - providing experience in marketing, business development, and channel operations for both product and services companies.

After getting fed up with vendor life, he started Security Incite in 2006 to provide the voice of reason in an over-hyped yet underwhelming security industry. After taking a short detour as Senior VP, Strategy and CMO at eIQnetworks to chase shiny objects in security and compliance management, Mike joins Securosis with a rejuvenated cynicism about the state of security and what it takes to survive as a security professional.Mike published "The Pragmatic CSO" in 2007 to introduce technically oriented security professionals to the nuances of what is required to be a senior security professional. He also possesses a very expensive engineering degree in Operations Research and Industrial Engineering from Cornell University. His folks are overjoyed that he uses literally zero percent of his education on a daily basis.

He can be reached at [email protected]. Follow him on Twitter @securityincite

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights