What is open threat intelligence and what is driving it?
In this podcast recorded at RSA Conference 2020, Todd Weller, Chief Strategy Officer at Bandura Cyber, discusses the modern threat intelligence landscape and the company’s platform.
The Bandura Cyber Threat Intelligence Protection Platform:
- Aggregates IP and domain threat intelligence from multiple sources including leading commercial providers, open source, government, and industry sources.
- Integrates IP and domain threat intelligence from any source in real time including from Threat Intelligence Providers & Platforms (TIPs), SIEMs, SOARs, endpoint, and network security solutions.
- Acts on IP and domain threat intelligence proactively filtering network traffic in real-time at near line speed.
Here’s a transcript of the podcast for your convenience.
We are here today with Todd Weller, Chief Strategy Officer of Bandura Cyber. First question for the podcast, Todd, what is open threat intelligence and what is driving it?
It’s a great question. Let’s start with the latter point, what’s driving it. What we’re seeing is all organizations of all sizes and sophistications are increasing their use of threat intelligence. And what’s driving them to do that is the threat intelligence you get in your existing security controls alone is insufficient. And the reason that is, is that threat intel tends to be proprietary, driven by the vendor, driven by their threat intelligence team, further fueled by what they see within their customer bases. And what organizations are finding is they need a broader view of threat intelligence. It’s got to span multiple commercial sources, open source industry, and government. That’s really what is driving this movement, a desire to have a broader and more open view of threat intelligence.
The first question, what is open threat intel? That’s a great question. I actually googled it, coming in, and what you find is a lot of the results are open source threat intelligence, and they’re not exactly the same, but there are some similarities between those concepts. If I summed it up from a characteristic perspective, open, right? It’s not controlled by any one entity. There’s a community approach, anybody can contribute. And that ties importantly into a big team of collective cyber defense. We can’t do things alone.
The second would be flexible. It’s threat intelligence that can easily change. You can use the threat intelligence you want. And then I think the third characteristic of open threat intelligence is it’s portable. This threat intel is easy to move, it’s easy to integrate into your environment anywhere you choose.
That’s a really interesting distinction. I think the next question that leads out of that is why is threat intelligence hard to integrate into existing security controls?
There are two key factors there. It starts with the fundamental point that many of those solutions are closed, as I mentioned, so there’s an inherent bias. The value that those solutions provide is their ability to detect and block threats. And again, they do this through their own proprietary threat intelligence, so that powers their core value proposition. There’s really not an incentive to share that or to be open. There’s also not an incentive to really want to incorporate others’ threat intelligence into your solution. That’s the first factor.
The second factor, I would say, is technology limitations. Again, those solutions are built to do a certain thing. We tend to play or get more exposure on the network security side of the fence. And if you look at next generation firewalls, for example, they’re architected to be a firewall and today they’re doing much more than being a firewall. They’re doing intrusion prevention. They’re doing deep packet inspection and other areas of URL. They’re doing sandboxing and you add on increasing encrypted traffic on top of that. They’re doing a lot already that’s putting a lot of burden on the resources of that solution.
There are just significant limitations as a result of that. Many next generation firewalls simply limit the capacity of third-party threat intelligence that you can put into it. Another kind of factor we’ve seen, even if you take away the capacity limitations, policy management in lot of cases for next generation firewalls is cumbersome. That’s another kind of a limitation there.
Todd, going back to open threat intelligence, how would you say the industry is responding to open threat intelligence as a movement?
I’ve seen two fronts there, two responses. First has been a few years back. You saw some of the vendors band together with what is called the Cyber Threat Alliance, which continues to persist today. I think Palo Alto was a key founding member there, Palo Alto Networks, Symantec, and I’m sure there’s others. The goal there was to be able to share threat indicators back and forth.
I think that’s had limited success. Frankly, we don’t hear a lot about Cyber Threat Alliance and actually preparing for this, I was like, does it still exist in all honesty? And again, it goes back to those vendors all trying to provide protection solutions that’s fueled by their own threat intelligence. While it’s nice to say on paper, these big companies are going to share, there tends to be a lack of incentives to do so.
I think you’ve also seen vendors, specific vendors, make moves to try to enable the integration of third-party threat intelligence, to try to make their systems more open. There are some examples of that I would highlight. Palo Alto Networks has an open source project called MineMeld, which will aggregate threat intelligence from multiple sources, they’re helping to automate that.
I think McAfee has been pretty progressive with what they call their DXL, which is a way to tie together not only the whole McAfee portfolio of solutions, but also to make it easy for third-party solutions like ours to integrate in. And then the other dimension you’d have here is the security orchestration, automated response (SOAR) players. They’re trying to facilitate that movement of threat Intel between disparate systems.
The challenge with that approach gets back to, again, the limitations of the controls themselves. So, if we take, not to pick on Palo Alto Networks, but they are the market leading firewall provider, right? And they have made moves to do this aggregation of third-party threat Intel. It doesn’t get over the fact that you can only put a small number of third-party indicators into a Palo Alto Networks firewall. So, whether that’s being done by MineMeld, or whether it’s done being a SOAR, there’s just a significant limitation.
When it comes down to it, the two biggest issues are theses bias towards proprietary detection, which takes away incentive to open up. And then again, the architectures of those solutions are full, they’re geared to doing what they’re doing.
You mentioned Bandura Cyber being integrated into some of those other products and solutions. Tell us what is Bandura Cyber’s role in the open threat intelligence movement today?
Being open is at the core of everything we do, right? So, we offer what we call the Threat Intelligence Protection Platform. There we aggregate threat intel from multiple sources. We’re partnering with many commercial threat intelligence providers. We’re pulling in open source; we’re pulling in government industry through ISEC, ISAO integrations.
For us, we don’t produce our own threat intelligence today, we’re not dependent on that. We’re partnering, we want customers to be able to use the threat intelligence they want. And so we’re taking a proactive step to aggregate and to deliver threat intel out of the box from leading providers and all those sources. But then we’re also integrating threat intelligence from any source. If you’re a sophisticated customer, and we do see large enterprises spending millions and millions of dollars on threat intelligence feeds from all these sources, and then a lot of those will look at a solution like ThreatQuotient, to aggregate those, the threat intelligence platform.
We’re doing integrations like that. We’re partner with ThreatQuotient, we’re partner with Anomali, we’re partner with Recorded Future, ThreatConnect, SOAR, SIEM systems are going to be important integrations. And then the critical piece is acting on threat intelligence.
We aggregate, we integrate, but then we’re taking that action piece and that’s where I think it becomes very interesting for us. And you can think of us really as an open threat intelligence enforcement platform. So again, we’re going to be able to take action on threat intelligence from any source. We’re not biased to our own threat intelligence and we want to be open and flexible, but it doesn’t mean over time we’re not going to also have some of our own threat intelligence, but it’s not going to take us away from the heart of what we’re about, which is open and flexible threat intelligence. Let the customer use what they want, because cyber is dynamic and great sources of threat intelligence today are going to be very different than what they are tomorrow, and five years from now, and 10 years from now.