Enterprise organizations are actively consuming external threat intelligence, purchasing additional threat intelligence feeds, and sharing internally-derived threat intelligence with small circles of trusted third parties. Based upon these trends, it certainly seems like the threat intelligence market is well-established, but in this case, appearances are far from reality.
In my humble opinion, threat intelligence consumption and sharing is extremely immature today with the market divided by a few haves (i.e. large banks, defense contractors, large IT vendors, intelligence agencies) and a large majority of have-nots – everyone else.
This immaturity is illustrated by some recent ESG research (note: I am an ESG employee). A panel of cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) were asked to identify weaknesses associated with their firm’s threat intelligence consumption and sharing programs. The data indicates:
28% of organizations claim that threat intelligence isn’t as timely or as actionable as they need it to be. This may mean that they haven’t found the right threat intelligence feeds or sharing partners.
26% of organizations say that threat intelligence contains too many false positive alerts. This is an indictment of raw threat intelligence and speaks to weaknesses with threat intelligence vetting and quality metrics.
26% of organizations indicate that threat intelligence does not come in a standard format so the cybersecurity staff is required to develop tools or use manual processes to normalize the data. So like other areas of cybersecurity, operational complexity is getting in the way of efficiency.
26% of organizations state that threat intelligence sharing is immature and requires too much manual labor and customization to gain maximum value out of the sharing process. Simply stated, it is just too hard to share threat intelligence in an efficient and scalable way.
Based upon this and lots of other data from the ESG Threat Intelligence research report, the current state of threat intelligence sharing is hamstrung by inaccurate data, immature processes, and operational overhead. Sure, the good people in Washington could pass some type of public/private threat intelligence sharing legislation (i.e. CISPA, CISA, etc.) sometime this year, but new laws won’t do diddly squat to solve these basic problems. As of now, we are light years away from benefitting from the potential of threat intelligence sharing.
Now how can this situation get rectified? Hmm, what may be helpful here is some type of cloud-based organization that knows how to collect, process, analyze, refer, and distribute massive amounts of data. A firm like this can act as a threat intelligence sharing hub, take a leadership and innovative position, and create some type of intuitive yet intelligent threat intelligence sharing portal for the masses.
Enter Facebook and its ThreatExchange platform, announced this past February. According to a blog by Mark Hammell, manager of Facebook’s threat infrastructure team (described here by the WSJ), more than 90 organizations are now sharing threat intelligence via ThreatExchange, including Dropbox, PayPal, Microsoft, Yahoo, and other firms in financial services, IT, and other sectors.
Now I know that there are numerous threat intelligence sharing platforms competing in this burgeoning but nascent space, but Facebook’s skill set may give it some market advantages:
1. Facebook knows how to collect, process, and categorize massive quantities of data. This is really the foundation of threat intelligence sharing so Facebook could easily offload a lot of the heavy lifting for enterprise organizations. ThreatExchange will only increase its usefulness here when it adopts STIX and TAXII support later this year.
2. Facebook is built on managing dynamic communities of interest. This is important to me since the current threat intelligence sharing model is tightly-coupled around vertical industries – a good start but the same cyber adversaries attacking big banks are hacking into other industries as well. Given today’s threat landscape we need a more flexible approach designed for ad-hoc peer-to-peer threat intelligence sharing relationships based upon real-time changes associated with threats in-the-wild and software vulnerabilities.
3. Facebook algorithms are designed to see patterns related to data consumption, user behavior, and changes within the data itself. This is critical as we need to supplement the basic manual exchange of threat intelligence data with artificial intelligence that detects anomalous behaviors that typical security analysts and forensic investigators miss.
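The two operational problems the survey data above calls out, feeds that arrive in incompatible formats that staff must normalize by hand, and raw feeds full of low-quality indicators, are concrete enough to show in code. The following is an added example, not ESG research output and not Facebook or ThreatExchange code. It takes two constructed, deliberately inconsistent partner feeds (one CSV, one JSON, using only reserved documentation addresses and names), normalizes them into one record shape, merges duplicates across partners, applies a simple confidence-and-corroboration vetting rule, and emits the survivors in the shape of a minimal STIX 2.1 Indicator object of the kind a STIX/TAXII-capable exchange would accept. The feed layouts, the field names, the `TYPE_MAP` vocabulary mapping and the vetting thresholds are all assumptions made for the example.

```python
import csv
import io
import json
import uuid
from datetime import datetime, timezone

# Constructed sample feeds (assumed formats; RFC 5737 addresses and reserved names,
# not real indicators). Partner A ships CSV, partner B ships JSON with different
# field names, type vocabularies and confidence scales.
FEED_A_CSV = """indicator,type,confidence,source
198.51.100.7,ip,80,partner-a
malicious.example,domain,60,partner-a
"""

FEED_B_JSON = json.dumps({
    "iocs": [
        {"value": "198.51.100.7", "kind": "ipv4", "score": 0.9, "provider": "partner-b"},
        {"value": "MALICIOUS.EXAMPLE.", "kind": "fqdn", "score": 0.4, "provider": "partner-b"},
        {"value": "203.0.113.9", "kind": "ipv4", "score": 0.2, "provider": "partner-b"},
    ]
})

# Assumed mapping from each partner's type vocabulary to STIX Cyber Observable types.
TYPE_MAP = {"ip": "ipv4-addr", "ipv4": "ipv4-addr", "domain": "domain-name", "fqdn": "domain-name"}


def normalize_value(stix_type, value):
    """Canonicalize an indicator value so the same thing from two feeds compares equal."""
    value = value.strip()
    if stix_type == "domain-name":
        value = value.lower().rstrip(".")  # case-fold and drop trailing root dot
    return value


def parse_feed_a(text):
    """Partner A: CSV with a 0-100 integer confidence."""
    for row in csv.DictReader(io.StringIO(text)):
        stix_type = TYPE_MAP[row["type"]]
        yield {"type": stix_type, "value": normalize_value(stix_type, row["indicator"]),
               "confidence": int(row["confidence"]), "sources": {row["source"]}}


def parse_feed_b(text):
    """Partner B: JSON with a 0.0-1.0 float score, rescaled to 0-100."""
    for ioc in json.loads(text)["iocs"]:
        stix_type = TYPE_MAP[ioc["kind"]]
        yield {"type": stix_type, "value": normalize_value(stix_type, ioc["value"]),
               "confidence": int(round(ioc["score"] * 100)), "sources": {ioc["provider"]}}


def merge(records):
    """Collapse duplicates across feeds: keep the highest confidence, union the sources."""
    merged = {}
    for rec in records:
        key = (rec["type"], rec["value"])
        if key in merged:
            merged[key]["confidence"] = max(merged[key]["confidence"], rec["confidence"])
            merged[key]["sources"] |= rec["sources"]
        else:
            merged[key] = dict(rec, sources=set(rec["sources"]))
    return merged


def to_stix_indicator(rec):
    """Render a merged record as a minimal STIX 2.1 Indicator-shaped dict."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "pattern": f"[{rec['type']}:value = '{rec['value']}']",
        "pattern_type": "stix",
        "valid_from": now,
        "confidence": rec["confidence"],
        "description": "corroborated by: " + ", ".join(sorted(rec["sources"])),
    }


def build_indicators(feeds, min_confidence=50, min_sources=2):
    """Parse every (parser, text) feed, merge, vet, and emit STIX indicators sorted by (type, value).

    The vetting rule is an assumption for the example: an indicator is only forwarded when
    it meets a confidence floor and has been reported by at least min_sources partners,
    which is the simplest way to cut the false-positive noise the survey respondents describe.
    """
    records = []
    for parser, text in feeds:
        records.extend(parser(text))
    selected = [r for r in merge(records).values()
                if r["confidence"] >= min_confidence and len(r["sources"]) >= min_sources]
    selected.sort(key=lambda r: (r["type"], r["value"]))
    return [to_stix_indicator(r) for r in selected]


if __name__ == "__main__":
    feeds = [(parse_feed_a, FEED_A_CSV), (parse_feed_b, FEED_B_JSON)]
    print(json.dumps(build_indicators(feeds), indent=2))
```

Run as-is, the single-source, low-confidence 203.0.113.9 entry is dropped and the two indicators reported by both partners are emitted, with the domain's confidence taken from the higher-scoring feed; loosening `min_sources` to 1 and `min_confidence` to 0 shows all three, which is the raw, unvetted view the survey respondents are complaining about.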
Now I admit that given Facebook’s track record on privacy, I am as skeptical as anyone about Facebook’s direct participation in threat intelligence sharing. To succeed, Facebook must convince the cybersecurity community that ThreatExchange is a different use case for the company’s infrastructure and that its threat intelligence sharing platform aligns Facebook’s technical chops with a (legal) commitment to confidentiality, privacy, and trust.
Given its history and business model, it would be easy to dismiss ThreatExchange but I suggest that the cybersecurity community maintain an open mind. If you really think about what’s needed to achieve the potential benefits of threat intelligence sharing, Facebook’s infrastructure and expertise fits hand-in-glove.
Ten years ago, no one ever imagined that a retailer like Amazon would reinvent how computing is done. If Facebook marries its technology prowess with a true cybersecurity commitment, it could achieve a similar leadership position by reinventing threat intelligence sharing. If this happens, everyone could benefit.