The Ethics and Politics of Threat Intelligence Strategies
Alberto Yepez and Barmak Meftah participate in a panel, “Ethics and Politics of Threat Intelligence Strategies.”
Alberto Yepez: Thank you Maria, I really appreciate it. It’s always great to be here and exchanging ideas, and now we have a pretty interesting topic that is top of mind - Ethics and Politics. They often don’t go together, but okay, let’s talk about that and threat intelligence strategies. The market, I want to tell you it’s growing. You know, it was pegged to be in the 200 million around 1999, it’s almost $1 billion now according to one of the analysts that we deal with, and everyone, including government - not only the US government but, you know, the World Economic Forum - everybody’s talking about “How do we share information?” But in this particular panel, what we want to talk about is threat intelligence and “How do we share that information, and how do we make this work more secure?” So you mentioned open… you’re open source, you’re open context, Barmak, you announced the Open Threat Exchange way back last year at the RSA conference. How has it grown, how is it different? Does it give you what people recommend and they need?
Barmak Meftah: Yeah, I mean I think there’s 2 threads and we’ve got to be pretty careful not to intertwine those 2 together. One is opening up a network to anybody that wants to contribute that threat data, and for us to scrub it to ensure that it’s good data. The other one is context, and I think we all agree that context is good. I don’t think anybody would argue that context is bad. Then the question is “Do we assert context on behalf of the customer, or let the customer assert customer on behalf of what they need themselves?” So our principle around Open Threat Exchange, which we launched about 18 months ago - we’re up to about 11,000 collection points around 170 countries - is we’d like everybody to submit and we’d like to scrub to make sure there’s nothing bad in there, but we would like to expose a query interface so that any customer, whether it be in a SOC or other places, could then get the data that is relevant, contextually fitting to what they need at that point in time.
Alberto Yepez: What’s different? And you just talked, or it was said in your presentation, about the [inaudible] about trying to share, and maybe you’re coming from a bottom-up point of view rather than a top-down. So any views, insights?
Barmak Meftah: Yeah, you know, I actually came top-down and bottom-up in my past experiences. In fact the company me and Jacob shared, Fortify, that got acquired by HP is probably the epitome of top-down and selling sort of to the C-level and then having the end-users use it. And the Kumbaya [inaudible] was talking about notwithstanding around open source. There is some truth to having the technical people and the end-users of anything, whether it be a product, whether it be threat data, hell, whether it be a tchotchke or a sunglass, you know, appreciate it first, and then evangelize the need for something upwards in the organization. And it’s something as vendors we’ve avoided partly because it’s hard to monetize again, right. Our instinct is to go sell top and then force the use of either a product or threat data or what have you down to the rank and file in an organization. And I guess the genesis of open source is the antithesis to that. The genesis of open source is “Let the folks that will ultimately benefit out of a product the most, namely the end-users of the product, appreciate the value of something, and then evangelize the need for something upwards”, certainly holds true with threat data and threat intelligence because the folks that are running security operation centers, the folks that are on the frontlines of these attacks should ultimately inherently see the value.
Alberto Yepez: And the code of ethics you were talking about…
Barmak Meftah: I think the code of ethics boils down to the same thing, which is the more closed we keep these systems, the more rules we impose upon them, we’re going back to what we’ve been doing for 30 years. I mean, we’re tired of it. I don’t know how many more years we can go with “Well the financial community has such certain, specific requirements and context and smarts or what have you that we should close that on one isolated platform, and then the isolated platform, the other isolated platform.” Meanwhile, the attackers are out there reaping the benefits of that isolation because the less we communicate amongst ourselves in our peer groups or across all industries, the more opportunity we’re going to give the attacker to find the white space and be able to attack us that way.
Alberto Yepez: Crowdsourcing, we keep on hearing that term, and sometimes now it’s become a buzzword. It’s an interesting approach to sharing intelligence and all of that, but what is the good, the bad and the ugly of crowdsourcing in these environments?
Barmak Meftah: Think about it for a second. The adversary would have access to the data if you had a customer list of 2 or more. So the only way to make sure the adversary doesn’t have access to data is if you’re just one person. As soon as it becomes 2, they’ll inevitably get it because you can’t trust the other guy told the adversary opened it up. And the key to crowdsourcing is an open and horizontal approach to sharing your threat data and let the consumer query for what they’re interested in. So if I’m a financial services company and I’m interested in the automotive industry and I want to query against it, I think there’s a lot of intelligence and there’s a lot of insight to be learned by how the automotive industry is getting breached. I think a lot of these breaches other than fraud, which is very industry-specific, are actually fairly horizontal, and opening it up, I think, is extremely good for the community.
The experiment has been run. So the experiment of a closed network that is vendor-specific and/or industry-specific only for the select elite on top of the industry, we’ve run that experiment for 30 years, yet we’re getting breached. It’s time for a new approach, it’s time to crowdsource and open up that network and offer it to every company, not just a select few.
Alberto Yepez: Well thank you very much, give the panel a round of applause. Thank you. Thanks [inaudible]. That was excellent.