The purpose of threat intelligence, says Webroot's CMO, is to immediately block cyberthreats through your network and endpoints, and to predict where attacks originate.
"Threat intelligence is useless to most organizations if all it does is generate more alerts," said Webroot CMO David Duncan is a recent Q&A. "Threat intelligence has to detect threats in real time," and its "sole purpose should be to accurately detect and proactively block any threat that is coming across the network, or directly on to an endpoint."
Duncan added that "even more important is that threat intelligence be capable of predicting the origin of the next set of attacks on your enterprise."
Founded in 1997, Colorado-based Webroot in 2012 shifted to a cloud-based threat intelligence solution to provide cybersecuity for endpoint devices. According to Duncan, Webroot's proprietary BrightCloud architecture "is a massive threat intelligence cloud that protects over 30 million users worldwide using the latest information about a variety of threat sources, including malicious websites, URLs, IPs, and applications."
In addition to what threat intelligence needs to do for an enterprise, in this Q&A Duncan discussed how more IoT devices will increase the cyberthreat attack surface, the need to conduct threat intelligence in real time, elements of a robust financial security ecosystem, and key takeaways from Webroot's recent sponsored Cyber Threat Intelligence Report (PDF), which was independently researched by the Ponemon Institute.
TechRepublic: What does threat intelligence need to accomplish for an enterprise in the current cyberthreat environment?
David Duncan: Threat intelligence is useless to most organizations if all it does is generate more alerts. Enterprises are awash with alerts and log files. Filtering and finding the real threats from the low risk threats is a key organizational pain point. But the heart of the issue is that threats have gotten through the defenses. This is because many organizations rely on out-of-date published blacklists of bad websites, URLs, and IPs. Threats like these change daily. Over 90% of phishing attacks generated from websites are up and down in under 24 hours. By the time a list is published, the attack has moved to a different website, rendering the list obsolete.
Threat intelligence has to detect threats in real time, or as close as possible. Its sole purpose should be to accurately detect and proactively block any threat that is coming across the network, or directly on to an endpoint. It also has to be able to detect and proactively block all of the main sources of threats without any gaps in what it can detect and deliver that intelligence to network protection devices, SIEM [Security Information and Event Management], and endpoints in best-case real time (milliseconds or seconds) or in near real time (within a few minutes).
Even more important is that threat intelligence be capable of predicting the origin of the next set of attacks on your enterprise. The suspicious IPs, URLs, applications, etc. that touch your network today may be scouts in a cyberattack strategy designed to pinpoint vulnerabilities and exploit them tomorrow. Threat intelligence needs to proactively detect this behavior and automatically update the threat list (e.g., IPs, URLs, apps, files, etc.) with potential future attack sources. Cyberattacks are proliferating at such a high rate that only real-time threat intelligence from a collective or shared model that communicates new threats to devices and proactively blocks them will result in better cybersecurity and fewer alerts for IT security staff to sift through.
TechRepublic: What are the most important trends in your competitive space over the next year?
David Duncan: The most important trend is that over 20 billion new internet-connected devices are expected to come online in the next few years. This will dramatically increase the attack surface vector for cybercriminals. Combating this will require better and more accurate threat intelligence that predicts, detects, and prevents cyberattacks across all types of devices — business, consumer, industrial, etc.
Sharing threat information collectively so that all users and all devices understand the latest threats is essential. Collective threat intelligence disseminates threat data across millions of users and devices so that when any one device encounters a threat, the information about that threat is shared with all other users and devices through a common cloud-based detection network.
Delivering cyberthreat information in near real time is also essential. Having the knowledge about threats is useless if you can't deliver it to users and devices quickly. The traditional antivirus model of writing signatures and deploying those en masse to devices is the cybersecurity equivalent of the Model T versus the Tesla.
The vast majority of cyberattacks infiltrate and exfiltrate data in the amount of time it takes between your nightly system scans or nightly signature file updates. By eliminating the old model of signatures, which downloads and stores threat data on each device, we can simplify and dramatically improve the speed by which threat information is shared using cloud-based collective threat intelligence.
Devices that encounter new or unknown file types and processes merely need to ask a cloud threat intelligence platform if that file or process has ever been seen before and if it is a threat. If it is benign, let it operate. If malicious, quarantine it. If brand new and determined malicious, share the information via the cloud so that any other user/device that encounters the threat can block it on sight.
TechRepublic: Based on customer experience, what are the most important variables in building a healthy financial security ecosystem?
David Duncan: Our financial services and eCommerce security solutions are designed to help banks and providers protect customers from online fraud. The challenges these organizations face are immense. Unsurprisingly, banking and eCommerce are the primary targets of advanced, targeted, sophisticated cybercriminals. According to the Webroot 2015 Threat Brief (PDF), more than 80 percent of the companies impersonated were financial institutions. Top phishing targets included PayPal, Wells Fargo, Bank of America, and Chase Bank.
A healthy financial security ecosystem is one that allows customers to connect from the device of their choice without fear of credential compromise and fraud, without impeding the inherent conveniences of online and mobile banking. Fostering this type of environment involves preventing customers from being redirected to fraudulent websites and detecting and blocking phishing sites in real-time; protection against Man-in-the-Middle and Man-in-the-Browser attacks, keylogging, etc.; and detecting and removing all types of malicious software, including Trojans, viruses, worms, rootkits, and others.
TechRepublic: What key things did your management team at Webroot learn from your recent Cyber Threat Intelligence report?
David Duncan: According to our Cyber Threat Intelligence Report (PDF), we identified reasons that companies consider cyber threat intelligence to be the backbone of a strong security posture. The goal of the report was to determine how companies were incorporating threat intelligence into their IT security strategies, and what security system methods were found to be most effective.
Some of our biggest takeaways are as follows:
- Investments in threat intelligence will continue to increase to supplement traditional security methods. On average, organizations that were adopting threat intelligence reported uncovering 35 cyberattacks that had previously eluded traditional defenses.
- Real-time reputation intelligence is an effective way to detect and respond to malicious IPs the moment they appear within the corporate infrastructure, according to 60 percent of respondents.
- Monitoring the reputation scores of IPs, URLs, files, and mobile apps that are related to an unknown object is an effective way to predict whether they pose a security risk, according to 53 percent of respondents.
- Continual, real-time monitoring and tracking of changes in IPs, URLs, files, and mobile apps is essential to decreasing security incidents, according to 54 percent of respondents.
Additionally, the Webroot 2015 Threat Brief (PDF) revealed that during 2014, Webroot encountered tens of millions of instances of malware and potentially unwanted applications (PUAs), monitored billions of IP addresses and URLs, analyzed millions of new and updated mobile apps for malicious behavior, and studied major malware trends based on data from millions of endpoints. With that, we made a series of conclusions on issues including IP, malware, URLs, phishing, and mobile apps. Webroot data clearly shows that threats have no boundaries. They are global and can be highly unpredictable due to their dynamic nature.
TechRepublic: What could your BrightCloud threat intelligence platform do for my company, if I were a Webroot enterprise customer?
David Duncan: Simply put, you'd see dramatic reductions in your infection rates. BrightCloud Threat Intelligence can proactively and predictively detect and block the threats that are hitting your network today and that will be targeting you tomorrow. It does this automatically, without throwing off massive reams of log data for your security analysts to pore over.
Secondly, your users will be a lot happier. Our intelligent endpoint security solution, Webroot SecureAnywhere Business Endpoint Protection, is incredibly small and lightweight. It is only 700k in size, uses minimal CPU and memory. Your organization's users won't be bothered by false positives and security nanny-grams that result in higher internal IT support costs. Their devices will receive intelligence about new threats from BrightCloud solutions in seconds, not days. And, if a threat were to get through, Webroot SecureAnywhere Business Endpoint Protection is the only cybersecurity on the market that can automatically roll back damage from an infection, restoring the device to an uninfected state without reimaging.
Companies can integrate BrightCloud Threat Intelligence directly into their currently deployed network firewall and SIEM technologies. BrightCloud for Next Generation Firewall (NGFW) and BrightCloud for SIEM, supports integration with security solutions from Palo Alto Networks, Splunk, LogRhythm, and other platforms.
- Latest President Obama-requested cyberthreat intelligence agency may be overkill
- Data breaches may cost less than the security to prevent them
- The undercover war on your internet secrets: How online surveillance cracked our trust in the web
- Death threat, FBI complaint greet launch of intelligence community database (ZDNet)
- Security and Privacy: New Challenges (ZDNet/TechRepublic special feature)
- Enterprise encryption: Trends, strategic needs, and best practices (Tech Pro Research)
Note: TechRepublic, ZDNet, and Tech Pro Research are CBS Interactive properties.