Threat intelligence, detection and visibility: A CISO weighs in
Date: Nov 04, 2013
Could the moment at which a threat is detected already be too late to achieve a swift, full recovery of information and systems? According to Jay Leek, senior vice president and chief information security officer at The Blackstone Group LP, being notified of a security compromise via a vendor or tool might give security professionals "warm fuzzies," but it's unreasonable to assume that all threats are being identified.
Rather than focus on threat detection planning, Leek suggests that chief information security officers (CISOs) increase visibility across their environments with advanced threat intelligence to provide an accurate record of what is occurring on networks, applications and hosts at a particular point in time.
Watch this video interview, filmed at the 2013 ISSA International Conference in Nashville, Tenn., or read the transcript below to learn more about detection, visibility and threat intelligence, complete with a full-speed-ahead reference to The Hunt for Red October.
How is visibility different from detecting something?
Jay Leek: Detection is basically us responding or reacting to something that somebody else thought was important. I'm sure that whatever technology you may have, whether it be in IDS (intrusion detection systems) or some other type of security monitoring or even host-based monitoring-type technology that's focused on detection, it's only as good as the information that that particular vendor or that particular technology has at that point in time. I'm sure that at that point in time, it gives you warm fuzzies, not necessarily to get alerts and all that kind of stuff, right? But the reality is there are many things that are present in the world, and perhaps in our environments, that are actually really important but nobody knows about it, right? So visibility is essentially giving us more of a record of what's happening in our environment that we can then go back and we ask about.
I'll give you another example, though, of visibility that expands outside of the security organizations' typical type of tools. Visibility would also be visibility of what's happening on my network. So let's take the example of SolarWinds. SolarWinds is a network monitoring tool that is used by the networking team to understand if links go up, or if links get filled up, or different kinds of things [that] may happen on the network that the network team should respond to. They're IT or network IT-type incidents, typically.
Let's say you have an office in Shanghai and you have an office in Hong Kong, then you have a MPLS [multiprotocol label switching] link between the two, and it's 2 a.m. when that MPLS link fills up and becomes completely saturated. What's going on? Maybe it's nothing; perhaps it's something. That's visibility into what's happening in your network, and I can tell you, I'm getting a lot of interesting information from SolarWinds for these exact types of use cases. Being able to repurpose that into your information risk and security program provides you visibility that you wouldn't be able to have in any other type of way.
What does a CISO need to invest in to increase visibility to recognize or find a threat?
Leek: I think visibility probably doesn't even really resonate with a lot of CISOs. But often, I think if visibility does resonate or if detection does resonate, we typically are thinking about it solely from a network perspective.
We want to know what's happening on our network, and I think that we need to be getting more visibility into not just what's happening in our network, but what's happening in our applications and what's happening on our host. Our hosts are often not on our network. My iPhone in my pocket right now is on a 3G network. It is not on my company's network, yet I'm getting mail on my iPhone.
This is not something that's been completely tackled. It's definitely an area of improvement that we need to make in the industry, but there are a lot of new innovative types of technologies in place to help us get better visibility in what's happening all the way down to the host level. For instance, if I get a security monitoring alert through my malware detection or through my IDS [intrusion detection system], whatever type of solution I have on the network, that might be a true positive. The reality of it is, though, I might be fully patched to that particular host. I need to be able to have immediate visibility into the host level to say, 'Not only did I see a true positive in the environment, but it got through your proxy, it got through your firewall, I saw a file write on your host, I see a process take off on your host [and kick off] another process, and I saw a network callback take place.' I need that whole kill chain, essentially. So having that kind of visibility, down to the host level, is something that I think a lot of us are missing today.
In your ISSA International Conference session, you talk about intelligence in responding to threats. What do you mean by that?
Leek: I mean intelligence is not just about a vulnerability feed. Intelligence is understanding who the adversary is, how they respond and how they act whenever they're attacking you -- and it can dramatically change how you respond to these attacks.
I think back to an example, to the movie The Hunt for Red October. For those who've seen this, there was a period in the movie where the Russians fired a submarine missile at [a U.S. vessel], and they didn't have any way to fight back, and they couldn't outrun it, so what did they do? They turned 180 degrees and they went full steam ahead, straight at the missile that was fired at them. Why did they do that? Well, they did that because they knew that the Russians did not arm those missiles until it was so many thousands of meters away from the submarine, so when the missile hit the submarine, it didn't explode, and everybody was happy.
Well, that was done through military intelligence, because they knew the techniques, tactics and the procedure of the operation the Russians had at that point in time. Having that kind of understanding about your adversary also can change the way that you respond in the environment. It can save your organization a lot of money, or it can prevent something much bigger from happening.
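The two kinds of visibility Leek describes above, an off-hours link saturation that the networking team's tooling already sees, and a network alert confirmed by the host-level chain of proxy, firewall, file write, process spawn and callback, can be expressed as a small correlation routine. The following is an added example, not code from the interview, from Blackstone or from SolarWinds; the host names, IP addresses, event sources, stage labels and timestamps are constructed, and the 15-minute correlation window and 90% saturation threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# --- Constructed sample telemetry (hypothetical hosts, addresses and times) ---

# A network IDS alert: a "true positive" on the wire that still needs to be
# confirmed at the host before it is treated as a compromise.
IDS_ALERT = {
    "ts": datetime(2013, 11, 4, 2, 3, 0),
    "host": "hk-ws-017",
    "dst_ip": "203.0.113.45",   # TEST-NET-3 documentation range, constructed
    "sig": "suspicious-download",
}

# Events from the proxy, the firewall and a host agent, deliberately out of
# order and mixed with noise from another host and from outside the window.
EVENTS = [
    {"ts": datetime(2013, 11, 4, 2, 6, 10), "host": "hk-ws-017", "source": "host_agent",
     "stage": "network_callback", "detail": "203.0.113.45:443"},
    {"ts": datetime(2013, 11, 4, 2, 3, 5), "host": "hk-ws-017", "source": "proxy",
     "stage": "proxy", "detail": "GET /update.bin"},
    {"ts": datetime(2013, 11, 4, 2, 4, 0), "host": "hk-ws-017", "source": "host_agent",
     "stage": "file_write", "detail": "Temp/update.bin"},
    {"ts": datetime(2013, 11, 4, 2, 3, 6), "host": "hk-ws-017", "source": "firewall",
     "stage": "firewall", "detail": "allow tcp/443 -> 203.0.113.45"},
    {"ts": datetime(2013, 11, 4, 2, 4, 2), "host": "hk-ws-017", "source": "host_agent",
     "stage": "process_spawn", "detail": "explorer.exe -> update.bin"},
    {"ts": datetime(2013, 11, 4, 2, 4, 30), "host": "sh-ws-002", "source": "host_agent",
     "stage": "file_write", "detail": "unrelated host"},
    {"ts": datetime(2013, 11, 3, 22, 0, 0), "host": "hk-ws-017", "source": "host_agent",
     "stage": "process_spawn", "detail": "outside the window"},
]

# The chain the analyst wants to see end to end, in the order it should occur.
KILL_CHAIN = ("proxy", "firewall", "file_write", "process_spawn", "network_callback")


def correlate(alert, events, window=timedelta(minutes=15)):
    """Events for the alerted host within `window` after the alert, time-ordered."""
    start, end = alert["ts"], alert["ts"] + window
    hits = [e for e in events if e["host"] == alert["host"] and start <= e["ts"] <= end]
    return sorted(hits, key=lambda e: e["ts"])


def missing_stages(matched):
    """Which kill-chain stages have no supporting event yet."""
    seen = {e["stage"] for e in matched}
    return [s for s in KILL_CHAIN if s not in seen]


def triage(alert, events):
    """Classify an alert by how far host telemetry corroborates it."""
    matched = correlate(alert, events)
    gaps = missing_stages(matched)
    if not gaps:
        verdict = "host-confirmed"      # the whole chain is visible down to the host
    elif not any(e["source"] == "host_agent" for e in matched):
        verdict = "network-only"        # no host visibility: cannot confirm or clear
    else:
        verdict = "partial"
    return {"verdict": verdict, "stages": [e["stage"] for e in matched], "missing": gaps}


# --- Repurposing network monitoring: off-hours link saturation ---

# Constructed 5-minute utilisation samples (fraction of capacity) for the
# Shanghai-Hong Kong MPLS link from the interview's example.
LINK_SAMPLES = [
    (datetime(2013, 11, 4, 1, 50), 0.12),
    (datetime(2013, 11, 4, 1, 55), 0.15),
    (datetime(2013, 11, 4, 2, 0), 0.97),
    (datetime(2013, 11, 4, 2, 5), 0.99),
    (datetime(2013, 11, 4, 14, 0), 0.95),   # business hours: normal for this link
]


def off_hours_saturation(samples, threshold=0.9, quiet_hours=(0, 6)):
    """Timestamps where a link is near capacity during hours that should be quiet."""
    lo, hi = quiet_hours
    return [ts for ts, util in samples if util >= threshold and lo <= ts.hour < hi]


if __name__ == "__main__":
    print(triage(IDS_ALERT, EVENTS))
    print([ts.strftime("%H:%M") for ts in off_hours_saturation(LINK_SAMPLES)])
```

The useful output is the "network-only" verdict: it names the case Leek warns about, where the IDS fired but there is no host telemetry to say whether the file ever landed or a process ever ran, so the alert can neither be confirmed nor closed. The saturation check is intentionally crude; its point is that a networking team's capacity metric, filtered by time of day, becomes a security signal without any new sensor.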