Today I had the pleasure to address the 10th Annual West Coast Information Security Conference on the topic of threat intelligence. In the past, security professionals in law-abiding companies may have felt very alone and not privy to threat intelligence. There was nowhere to turn for affordable, accurate and up-to-date threat information.
It’s one of the ways defenders against attacks have been at a distinct disadvantage. Criminal attackers have a community – they have long shared information quite successfully to facilitate their exploits. I’d cite the many hacker forums with detailed “how-to” information, DDoS for hire, and marketplaces for purchasing malware and stolen credit card information as proof. Couple this with the “attacker’s advantage” of choosing where, when and how to launch attacks, and it is no surprise that collaborative hackers appear to be winning against respected brand companies, despite their generous spending on security protection tools.
Generally speaking, companies being attacked – and that could be any company of any size, anywhere – aren’t well coordinated and are not able to leverage information from others who have been attacked in a similar way. They are alone and disconnected. The recent exploits against retailers only came together in the press – there was evidently very little threat sharing or collaboration among retailers before the successful exploit, as the retailers fell like dominoes. The vast majority of businesses generally are forced to protect and defend themselves in isolation from other businesses and the “lessons learned” by their peers.
There is some threat sharing on the defender side, for those who can afford it, and can find it in their industry. The CISOs of large financial institutions share threat information across their closed community, for example – but it’s not done in a broad, comprehensive way. What is needed is affordable “threat sharing for the rest of us” – a way to benefit from a broader view across the diverse threat landscape than the limited perspective we get from looking only at the threats coming into our own organizations.
At the most basic level, there’s no “Neighborhood Watch” available in IT. In the real world, neighbors can work together to better secure their homes, families, and streets by looking out for each other, sharing information, and putting criminals on notice that targeting single victims will not be tolerated.
At AlienVault, we’re providing a sort of Neighborhood Watch for digital neighborhoods on the Internet. In the digital world, it’s not as easy as looking out your window, or posting a sign on the corner. You don’t have the visibility, or a way to share and collaborate, without some help. Most organizations – especially those in the mid-market – don’t have a security infrastructure with thousands of global collection points or a team of security researchers to analyze it all.
We noticed this problem a few years ago. To help fix the problem, AlienVault created the crowd-sourced Open Threat Exchange. Since the launch of OTX two years ago, we have seen substantial growth in participation with more than 8,000 contributing sites across 140 countries—and that’s just from our customer and open source user base. In addition, we provide analysis and insights on the data we gather and remediation advice from our AlienVault Labs security researchers.
Through a new OTX Partner Program, announced earlier this week, OTX will become even richer through the contributions of threat sharing partners Cegeka, GoGrid, Netflow Logic, Onsight, Risk I/O and ThreatStop, and conversely, their offerings will be enriched through access to the world’s largest crowd-sourced and collaborative threat exchange.
In addition, the integration of AlienVault’s OTX into the Spiceworks IT management platform has already helped IT professionals simplify how they identify and mitigate threats on their networks. In fact, Spiceworks users in nearly 10,000 companies received over 1.4 million threat alerts in January 2014, only one month after the new capabilities were introduced. Within OTX, you can see a summary, including associated blacklists, associated domains and perpetrator (if known). You can then drill down to threat details and see information and recommendations about the malicious activity.
AlienVault OTX provides real-time threat data not only to thousands of companies and government institutions, but also to a rapidly growing community of the world’s premier providers of security products and services. As the custodian of OTX, AlienVault openly shares its threat data repository to qualified partner members at no cost.
AlienVault is providing a way for you to share in threat intelligence with a community of other practitioners and researchers. There’s no reason you have to face the bad guys alone – join the OTX community and help us all make a difference. It’s simple: AlienVault is taking this step in the spirit of openness and collaboration – we are prepared to continue to offer free services and tools to anyone – you don’t have to be an AlienVault customer or even an OSSIM user to benefit from OTX.