
Selling Canned Snake Oil


“Pew Pew” maps. You know, those world maps with arcing lines traveling from city to city, country to country going “pew pew”. They definitely look impressive (and are pretty to watch). A little wanting on the effectiveness scale, but they distract in a way pretty pictures always do. How about a massive volume of structured and unstructured data? Oops! Meant to use its shorter nom de guerre of “Big Data”. Equally, shall we go tongue in cheek and say “enormously” impressive? Informing you that you already have the answer, if you could just sort and find it in that mountain of data you already own, is a masterful sales technique, especially when you soar in with just the right tool to solve that task! Let’s do another. How about AI? Automated and intelligent prediction, prevention and protection, or so the slogan seems to run. AI is heralded to solve everything. It is supposed to predict and prevent attacks, as well as cut down on the amount of alerts, resources and expenses required to run a comprehensive security solution. No humans necessary. Just sign and send the check. Of course, it can’t be denied that “The Cloud” is likely the most beautiful of the lot. Don’t have the resources to put in place, set up and run what you want to buy? No problem! We’ll do it for you in a remote way in “the cloud” on our infrastructure. We’ll do those pesky things that you find annoying and difficult. What is it? Well, it’s a bit of a trendy term for a network of servers; ones that usually run applications or deliver a service. If you’ve got a smartphone, you are already leveraging the cloud. In fact, if you are using anything modern these days, you are likely “in the cloud” already. After all, it makes sense, right? No need to buy hardware that needs maintenance and degrades over time — just leverage the cloud and get only what you need (and use). Great for scaling up or down as needed.

Do you know why I’m lumping these together? Well, it’s a bit more than to be sarcastic. Each of these in some way is supposed to revolutionize threat intelligence, explode people’s minds, and be the solution that solves the problem. To a certain extent each has succeeded in that ambition, though none to the level of solving the problem. Big Data as a concept is wonderful. The idea that the massive pile of data companies were already collecting could be sorted, sifted and the important bits seen is very attractive. Take a few minutes to look over McAfee’s Needle in a Datastack report and you’ll get a sense of how that turned out. Companies still struggle to make sense out of the data they vacuum up as a normal fact of business. While the report is a few years old (2013), it has aged well, as the problem hasn’t gotten any better. Worse, in fact, as the information that was sucked up is tough to protect, as evidenced by the large volume of breaches and loss of data control in the news. It’s also very dangerous for a lot of reasons you are free to explore via this excellent article.

Let’s turn this tunnel we are digging back towards threat intelligence. Just to be clear, threat intelligence has rather come to mean threat data, threat information and threat intelligence. They are different things but tend to be blurred together. It is rather straightforward. Data becomes information when you connect it together and information infused with the proper context becomes intelligence. You might say data > information > intelligence.

The proliferation of security tools sold by companies has led to more and more ways to store one widget of data or another in a fashion that wasn’t possible previously. If the data point isn’t new, it’s chopped, sliced or diced in some fashion that makes it seem so, which means we are storing more data than ever: data related to us internally, externally and interactions between us and our clients/customers. In fact, it has become so common we have collected more data in the last 5 years than we have in all the rest of our recorded history. Another astonishing fact to tack on to that is that 90% of all the data in the world has been generated in the last two years. It can be extremely enticing to go down that path with threat intelligence. I’ve been at more than one location where the definition of threat intelligence in that enterprise was to pull down and aggregate any source of threat data known to humankind. Some tried to make sense out of it, but most worked diligently to shove it into whatever tool they owned until it reached capacity. Beyond the horrifying implications of the fundamental misunderstanding of threat intelligence usage, it just doesn’t work to achieve the objective of security. Large volumes of threat data will not solve the issue of (lack of) security. That’s like owning every object that has the word “gun” in it — from the candy/cardboard/plastic versions to the real-deal hardcore ones — just in individual pieces all in a giant bucket. Does this make your home more secure (let’s call that the objective)? Even if you cobbled together a gun, it might be partly made of plastic, partly hard candy bound with rubber bands to a metal chamber, with a chocolate trigger. It’s bewildering to expect it to work.

On the topics of lots of data and bewildering, I tackled Big Data prior to The Cloud for a particular reason. They suffer from similar problems. If it is even remotely possible, people have a harder time understanding cloud and cloud-related concepts than Big Data. The seductive simplicity and efficiency of using cloud-based technologies leads to collecting more data than ever. It’s a natural lead into Big Data.

Don’t believe me?

Take a look at your personal life for example. How much data do you store in your iCloud, Dropbox, Google Drive, OneDrive, Amazon Drive, etc. so you have ready access to it? In Evernote? Github? Connected to your phone, tablet, computer and wristwatch or other fun device strapped to your body or hip? It’s an easy bet to win that the amount and diversity of data stored exceeds anything you could have ever contemplated 10 years ago, 5 years ago or maybe even last year. Equally important, it becomes too easy to forget that ultimately using cloud storage puts your data in someone else’s hands. If you don’t care about that, then no big deal. If you do have sensitive data that you are concerned about and would like to keep from prying eyes, it’s probably smart to store that somewhere else.

Cloud has probably had the smallest impact on threat intelligence out of any of the others. While it facilitated the growth of data and data collection, its true impact was providing portability and accessibility to threat intelligence. In that respect, it explosively succeeded. In other ways, its impact is negligible.

AI. The dream of using AI with threat intelligence was to help stem the tide, the tsunami of data. People were overwhelmed with the velocity, volume and variety of data streaming through their enterprise. The approach considered the solution to the problem a technological one, versus one of training and experience. The core concept was that AI could help identify the issues and find the small things that snowballed into big ones—the traces in the millions of log files that hinted at an adversary’s footprints or find the problem in the mountain of data entries.

Is it working?

About the author

Monty St John

Monty St John has been in the security world for more than two decades. When he is not responding to incidents he teaches classes in Threat Intelligence, Incident Response and Digital Forensics. Monty is a frequent contributor to community and industry events, presenting at BSides D.C., BSides Austin, Charm, Derbycon and several others. He lives in Austin, Texas and is a security trainer for CyberDefenses, Inc. based out of Round Rock, Texas.
