Intelligence in security products is a somewhat misleading term. What companies mostly sell are feeds, which contain very little intelligence value. To obtain true intelligence value, companies must be able to see where their data is going. In many cases, once information leaves the network border that information is gone forever. Companies today do not track data after it leaves their perimeter, but they should. To track the location of data, companies must enforce methods that allow their data to actually be tracked, which we do not cover in this article.
Feeds are not intelligence
One of the main issues we see in dealing with customers is that when we ask them about cyber intelligence they point to a service they purchase, such as Crowdstrike or Norton Anti-Virus. These services are surely collecting intelligence, but NOT on the companies in which they run. They collect intelligence about malware in general, not about attacks focused on their customers. There are several companies that do track intelligence on their customers, Recorded Future coming to mind, but the best intelligence you can gather is based on what is happening in your network, not on what is being observed on the Internet.
Threat feeds have their place in making it more costly for attackers to attack the masses, but that's about it. True intelligence is gathered from asking yourself who, what, when, where and how did this attacker get through my defenses, and then doing something to prevent it. This type of intelligence is known as situational awareness.
Then there's the type of intelligence that gives you a heads up or tips you off to a potential problem (such as when your end users' passwords begin showing up and being traded on hacking forums). The next logical step is to determine how the attackers obtained such sensitive information. Most companies are not prepared to answer these questions themselves, and the products most vendors supply do nothing to answer the most important questions, the ones that intelligence vendors or the customers themselves need answered.
Catching threat actors planning an attack on your organization is true intelligence and very valuable, giving your security teams precious time to prepare for the impending attack. Most companies are so focused on cyber security that they forget the intelligence value and have nothing in place themselves to find these situations, which prove to be the most challenging from a response perspective.
Jigsaw Security Analytic Platform
The Jigsaw Security Analytic Platform aims to be an intelligence product. By collecting information of intelligence value into a single system, you can find threat actors targeting your environment. We have had many cases where we told customers and prospective customers that they were compromised before we even had access to their networks, just by looking at our intelligence-based data. Intelligence takes many forms, including chat logs, forum posts, paste sites, social media and many other open source locations.
By combining many sources of data, we start to gather important insight into intelligence instead of catching infections after the fact. We look at external data that has the potential to do harm instead of paying incident response teams for services when THEY have failed to protect us. With Jigsaw Security's solutions, you pay us when we prevent infections, not when you get infected and need cleanup. The cleanup should be free; you shouldn't have to pay both the threat actor and your managed security provider. In short, that's extortion, and it's a shame that it happens twice.
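The two preceding sections describe the same idea from two angles: external records (paste sites, forum posts, chat logs) only become intelligence once they are correlated with what belongs to your organization, for example your domains or your users' credentials. The script below is an added illustration of that correlation step; it is not Jigsaw Security's code and says nothing about how their platform works internally. The organization (`example.com`), its asset inventory and every external record are constructed sample data, and the three indicator kinds and their severity ranking are my own assumptions.

```python
"""Correlate external open-source records against an organization's own
asset inventory so that mentions of the organization surface as intelligence
instead of being buried in a generic feed. Added example; all data is
constructed and the organization "example.com" is hypothetical."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed asset inventory for the hypothetical organization.
ORG_DOMAINS = {"example.com", "mail.example.com"}
ORG_KEYWORDS = {"example corp", "examplecorp"}
ORG_EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)*example\.com", re.I)
# "email:secret" pairs as they appear in leaked combo lists; only the address is reported.
ORG_CREDENTIAL_RE = re.compile(r"(" + ORG_EMAIL_RE.pattern + r"):(\S+)", re.I)

# Constructed external records; "source" mimics the places the article lists.
RECORDS = [
    {"id": 1, "source": "paste", "text": "combo list part 3: alice@example.com:Summer2018! bob@other.org:hunter2"},
    {"id": 2, "source": "forum", "text": "anyone have access to mail.example.com? paying for vpn creds"},
    {"id": 3, "source": "chat", "text": "lol that dump was all gmail junk"},
    {"id": 4, "source": "forum", "text": "ExampleCorp HR portal still on old software, selling shell"},
]

# Assumed ranking: a leaked credential is more actionable than a bare mention.
SEVERITY = {"credential": 3, "domain": 2, "keyword": 1}


@dataclass
class Hit:
    record_id: int
    source: str
    kind: str        # "credential", "domain" or "keyword"
    indicator: str   # what matched; for credentials the secret is never stored


def classify(record: dict) -> list[Hit]:
    """Return every way this record touches the organization's assets."""
    text = record["text"]
    hits: list[Hit] = []

    # 1. Credential pairs for the org's domain (report the address, drop the secret).
    for m in ORG_CREDENTIAL_RE.finditer(text):
        hits.append(Hit(record["id"], record["source"], "credential", m.group(1).lower()))

    # 2. Domain mentions, with e-mail addresses removed so a credential hit is
    #    not double-counted as a domain hit. The lookarounds stop "example.com"
    #    from matching inside "mail.example.com".
    without_emails = ORG_EMAIL_RE.sub("", text)
    for domain in sorted(ORG_DOMAINS):
        pattern = r"(?<![\w.-])" + re.escape(domain) + r"(?![\w-])"
        if re.search(pattern, without_emails, re.I):
            hits.append(Hit(record["id"], record["source"], "domain", domain))

    # 3. Loose name mentions (brand, product, team names).
    lowered = text.lower()
    for keyword in sorted(ORG_KEYWORDS):
        if keyword in lowered:
            hits.append(Hit(record["id"], record["source"], "keyword", keyword))
    return hits


def triage(records: list[dict]) -> list[Hit]:
    """Classify every record and order hits so the most actionable come first."""
    hits = [h for r in records for h in classify(r)]
    return sorted(hits, key=lambda h: (-SEVERITY[h.kind], h.record_id))


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per indicator kind, e.g. for a daily intelligence summary."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for h in triage(RECORDS):
        print(f"record {h.record_id} [{h.source}] {h.kind}: {h.indicator}")
```

Running it flags record 1 as a leaked credential for alice@example.com, record 2 as a targeting mention of mail.example.com and record 4 as a brand mention, while the generic chat line in record 3 produces nothing. In a real deployment the asset inventory would come from your own directory and DNS data, and a credential hit would feed a forced password reset for that account rather than a report alone.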
Why Intelligence Matters
Companies do not typically have an intelligence function within their security teams. Because of this, many attacks that could have been prevented are successful, and then companies have to deal with the PR blitz that follows. Intelligence is the key to preventing attacks by informing your security teams of issues that are predictable. We need to get closer to the threat actors, and IOCs do nothing to make that possible.
In 2018, Jigsaw Security is changing the way we look at threats. We do not think it's fair to our customers that you should have to pay to clean up after an infection that your managed security provider failed to stop. As an industry we need to do better, and we can do this with intelligence and the application of intelligence to the security landscape.
Jigsaw Security believes that security goes beyond cyber. If you want to truly provide security services you have to do more than just prevent network based threats. The Jigsaw Threat Mitigation Model does just that.