Once again, the trifecta of the Fidelis Customer Advisory Board gathering, the AGC Infosecurity Conference and RSA 2014 delivered tremendous insights and validation. The need for speed, which I talked about in my pre-RSA post, was a key theme. And after more than 100 hours of conversation with customers, threat researchers, industry colleagues and experts, I am even more certain that the only way to minimize the time to threat discovery, containment and remediation is to achieve an optimal combination of technology, knowledge and experience, and threat intelligence.
As I walked the aisles of both the Moscone South and North halls, I found the experience to be a metaphor for what’s going on in the network. There was a lot of noise and promise, but also a lack of clarity. I thought the South hall had a better vibe and more energy, and a collection of vendors who are all about innovation. The North hall was more about the “big guys” in cavernous booths, many of whom were talking cybersecurity as a veil over their infrastructure business rather than as a core competency.
However, no matter which hall you were in, everyone’s messages sounded the same, making it virtually impossible for customers to discern what’s real and what isn’t or how each vendor can help them.
Unfortunately, the challenge for customers is far greater than just sifting through the confusing vendor landscape to figure out who meets their needs. For the most part, the disruptive forces were consistent with a year ago: advanced threats, big data and cloud, with increasing conversation about the Internet of Things adding complexity to securing this ever-expanding attack surface.
What took the RSA 2014 environment from confusing to frenzied was the backdrop presented by the relevance and immediacy of the retailer breaches, the backdoors and privacy issues, potential legislation, and even macroeconomic questions around whether customers outside of the U.S. will shy away from buying technology from American companies. In many cases, it was these topics dominating the conversation in the booths and over drinks and dinner.
One common thread for our industry to rally around: sharing threat intelligence.
We’ve seen an increasing focus on threat intelligence, with more companies offering it than there were a year ago, and the emergence of informal groups acknowledging they have things in common and agreeing to share threat intelligence. Even with this, I believe threat intelligence is truly in its embryonic stage. There are so many questions and opportunities for improvement -- the most significant today being: 1) how can we anonymize threat information so it can be shared more widely across relevant communities (verticals, geographies) to defend against a common enemy? and 2) how can we improve the fidelity of the feeds?
At the Fidelis Customer Advisory Board meeting, we saw overwhelming interest from customers wanting to contribute anonymized threat intelligence information so we can make it actionable on our advanced threat defense platform even more quickly. (In response to this, we are planning to create a virtual community that will enable this, but more on that another day.)
This is good forward progress. But the reality is that no one is satisfied with the threat intelligence available today, primarily because of how noisy networks are and how hard it is to determine what’s real and what isn’t (just like the environment at RSA 2014!). Customers want to know what the 10 most dangerous threats are in their network that they need to hunt down and deal with. They don’t have the ability to hunt and capture 100, and the worst part is they are seeing 1,000 alerts that make the entire process unmanageable.
So as an industry, we have our marching orders: we need to deliver high-fidelity, high-quality threat intelligence.
We already have analysts aggregating sources of data and coming up with situational awareness about a problem. We need to keep advancing our efforts to fuse that data together and reduce the time it takes to discover valid information in that data. We need to figure out how to factor in classified data that no one can get access to. And we need to do this against a backdrop of legislative and privacy issues, in a threat environment that is not standing still, and in a business climate where advancements are outpacing the ability to secure everything. Said another way, in a world in which it is becoming easier, not harder, for an adversary to succeed in having its way with its target.
Is it exciting to be eyeball-deep in cybersecurity? It sure is. Is it scary? It sure is. To date we’ve primarily dealt with adversaries whose primary goal has been disruption and theft. This has created a critical, global problem. If this turns to destruction, which many are predicting (think making 80,000 cars turn right when the driver wants to turn left, via the Internet of Things), the criticality of the problem increases exponentially.
It might seem odd, as the picture I’ve painted isn’t that encouraging. However, I am more optimistic than ever after attending these meetings and shows that the formula is clear: smarter people, better tools and higher-fidelity threat intelligence are the key to us catching up to the adversary. And I am confident this industry can come together and do it.
I welcome feedback and debate on this perspective.