Fig 1: A look at the Jigsaw Security Threat Feed
What makes our threat intelligence different from our competitors'?
One of the main advantages that Jigsaw Security brings to the threat intelligence arena is that our threat intelligence is derived in house, using automation and big data to eliminate false positives. Most companies selling threat intelligence data are simply aggregating intelligence information. Jigsaw Security does the same thing, but we take it a step further: we validate the data before publication. This validation also ensures that once a threat has been resolved, Jigsaw Security removes the information from our system, once again allowing access to the resources that were being leveraged to spread malware. We know that companies are getting breached and that threat actors are using others' domains, IP addresses and servers to carry out these attacks. Below I'll give a real-world example.
The UPS Incident
In 2014 I reported to a large health care organization that several UPS messages we had received were infected with malware and were attacking the organization. Without asking for permission I blocked the affected domains. At the time I did not realize that the domain was associated with shipping notifications. Two days later I was contacted to ask why I had blocked the addresses of the UPS related domains. I told management that I blocked them because we had been cleaning several workstations that were infected from those sources. The reason management was upset was that procurement was not receiving shipping notifications from UPS and was not happy about not being able to track packages and orders within the enterprise. Management made the executive decision to unblock the IP addresses of the offenders, shipping notifications were then received, and everybody was happy, except security. We knew that unblocking this activity would result in additional infections, and that is exactly what happened.
None of the other threat intelligence providers had detected anything wrong with UPS, but I stood by my platform's assessment that they were in fact breached. 10 days later a news story hit CNET confirming that they were in fact breached and that my actions were correct. See the links to the stories below.
The next thing that happened was that management wanted to know how I had detected that they were breached and why FireEye, iDefense, Recorded Future and CrowdStrike had nothing to indicate that there was ever a problem. I replied that our big data system had observed three different indications that the activity was malicious:
Those IP addresses were sending thousands of connection attempts over the course of a day, which was not normal based on trending data in our big data logging platform at the time.
The messages received from those IP addresses contained malware that was not detected by our mail server protection at the time (note: they were not using Jigsaw FirstWatch but a competitor's mail protection service).
The malware was listed in VirusTotal and MALWR as recent (indicating that it may have been unknown to anti-virus programs, which it was).
These three indicators allowed me to make a command decision to implement the blocks, which protected the organization from further harm until we were told to remove them so the shipping notifications could get through.
As a side note, we contacted UPS to alert them to the issue and it took them 10 days to verify what we already had discovered.
Jigsaw Security utilizes big data to look at the entirety of the issue. We use linear regression models, statistical anomaly detection, and reference data from third parties such as VirusTotal, MALWR, blogs, websites and other material that allow cross-referencing of threat intelligence data, as well as Pastebin, Facebook ThreatExchange, DHS AIS and other sources, to determine whether something truly is a threat. By using many data sources and a scoring model, we are able to detect threats before they show up in anti-virus (which on average covers only about 92% of threats, and no targeted custom malware activity at all). The problem is that companies rely on anti-virus to find threats, when targeted malware attacks will always be missed; but the metadata associated with the activity cannot be ignored, which in this case was the number of email recipients, the number of connection attempts from the IPs, and the fact that the malware was not detected locally but was present in external systems. These attributes allow an analyst to make an informed decision.
Jigsaw Security has created the only fully automated ingestion platform for reference data specifically targeted at cyber security analysts. Our platform utilizes proven data models to find threats that other products miss. Most of these other products are based on signatures, but we support several methods of detection.
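As an added illustration (not Jigsaw Security's code) of the kind of multi-source scoring the paragraph above describes, here is a toy Python model that weighs the three indicators from the UPS incident (connection volume against a per-IP baseline, an attachment that is recent in external sandboxes but has no AV detections, and corroboration from IDS logs) and expires an indicator once it has been quiet for a set number of days; all weights, thresholds and sample values are constructed assumptions.

```python
# Toy multi-source indicator scoring, added here to illustrate the approach
# described above (not Jigsaw Security's code). Weights, thresholds and the
# sample data are constructed assumptions.
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Observation:
    ip: str
    connections: int      # connection attempts seen from this IP today
    recipients: int       # distinct internal mail recipients it reached
    av_hits: int          # AV engines flagging the attachment (-1: no attachment)
    sample_age_days: int  # days since the sample was first seen externally
    ids_hits: int         # IDS/firewall alerts corroborating the activity

def connection_zscore(history, today):
    """Standard deviations by which today's count exceeds the IP's baseline."""
    if len(history) < 3:
        return 0.0  # not enough trending data to call anything abnormal
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return float("inf") if today > mu else 0.0
    return (today - mu) / sigma

def score(obs, history):
    """Each independent source adds weight; no single source decides alone."""
    s = 0.0
    if connection_zscore(history, obs.connections) > 3.0:
        s += 3.0  # volume anomaly against trending data
    if obs.av_hits == 0 and obs.sample_age_days <= 7:
        s += 3.0  # known externally as a recent sample, yet AV-silent
    elif obs.av_hits > 0:
        s += 2.0  # AV already detects it
    if obs.recipients >= 50:
        s += 1.0  # mass-mailing behaviour
    if obs.ids_hits > 0:
        s += 2.0  # corroborated by IDS/IPS or firewall logs
    return s

def verdict(s):
    return "block" if s >= 6 else "watch" if s >= 3 else "benign"

def expire(last_seen, today, ttl_days):
    """Drop indicators quiet for ttl_days (day numbers are ints; threat resolved)."""
    return {ip: d for ip, d in last_seen.items() if today - d < ttl_days}

# Constructed sample: a shipping-notification relay that suddenly floods mail.
BASELINE = [40, 45, 38, 42, 50, 44, 41]  # connections per day over the past week
SUSPECT = Observation("203.0.113.10", 3200, 120, 0, 2, 4)
```

Running `verdict(score(SUSPECT, BASELINE))` yields "block", while the same relay at its normal daily volume with no attachment scores as benign; `expire` is what removes the indicator again once the relay has been clean for the configured number of days.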
Methods of Detection
Linear Regression Models
Heuristic Detection of Malware and Network Activity
Ingest and Cross Referencing with external data (this is huge because it gives us visibility into what others are seeing)
Cross Referencing with IDS/IPS and Firewall logs to validate that the threat made it into the network
DNS monitoring for suspicious lookups and non-existent domains
Suspicious HTTP and SSH activity (backdoor callbacks)
Classified Data Boundary Monitoring
DNS resource exhaustion
and several other methods of detection in the FirstWatch appliance.
While working on this post we took a look at several competitors who will remain nameless and found some alarming things that let us know they are not doing their job. Here are the problems we found.
Domain names in their feeds do not resolve (so they are no longer a threat)
They never expire data on a time basis (very old data)
They are IOC based, which makes their signature files huge and unusable on some hardware with limited memory and processing
They have no retention of historical data to cross reference
They roll off their logs and cannot look back in time
Indicators for known good domains (such as Google and Microsoft) were present in their feeds
Data only works with certain hardware; FirstWatch and our threat intelligence are provided in CSV, JSON, CEF and other common formats, so we work with all hardware, allowing the customer to leverage their existing investments in security devices and systems
Too many alerts in their monitoring software to find the real threats (clutter)
Major Benefits of the Jigsaw Security MSP Model
In providing services we realize that security goes beyond just the cyber security aspect. For the purposes of this post we are only focusing on the cyber security protection benefits of the Jigsaw Security FirstWatch sensor products. We do include our security model at the end of this article for your reference.
Proven technology that is in use by the Military and NATO to protect their networks
Open standards, so we work with any manufacturer's products, even proprietary systems
Each customer can manage their own data without it leaving their network, while benefiting from the analysts at Jigsaw Security who provide threat detection information
Big Data analytic platform reduces and mostly eliminates issues with false positives
Over 480 sources of data, so we have the same data as our competition and 44% more data than they have; and since we continually monitor the threats, our data is relevant and, most importantly, verified to still be a threat
Fully automated solution saves your security teams tons of time; they can concentrate on incidents instead of managing systems to detect problems
Our pricing model is typically 60% less than other vendors', but you get more
These are some of the major benefits, and there are other reasons we stand out from our competitors.
Why we have problems selling our solution to MSPs
One of the biggest money makers for managed security providers has always been incident response. When there is an outbreak, our competitors rush to the clients and charge them large sums of money to clean up the infections. Our solution disrupts those threats, so the bottom line is that we prevent infections, which takes money away from service-based MSPs. This is one of the reasons that the industry is failing its customers.
We believe that we should be paid for the good things we do, which is to prevent infections. We shouldn't be rewarding MSPs for their failures when you have an infection, but rather paying them for their success when they prevent one. It makes no sense to reward the managed security provider for their failure to protect their clients, yet as an industry that is exactly what happens, and it's wrong. You need to work with a company that you can count on to protect you, not one that profits off its own failures, which it is comfortable with because that's where it makes 70% of its profit.
In short, we treat our customers as we would wish to be treated and provide a service that is effective in preventing most infections. We would expect no less from the services we purchase from our vendors, and neither should you. If you want to actually reduce the workload of cyber security issues, then we are your solution.
About Jigsaw Security
Jigsaw Security has been providing security services in the private and public sectors since 2007. Our company has an investigative background and started providing cyber security related software and hardware back in 2014. For more information please visit our portfolio page to see how we prevent attacks and why we should be your choice for managed security services. If you are a managed security provider that wants to actually make a difference and protect your customers, reach out to us to find out how you can use our technologies to monitor your customers' networks.
UPS Store hacked, possibly compromising user data - https://www.cnet.com/news/the-ups-store-is-hacked-user-data-possibly-compromised/
UPS Reveals Data Breach - https://www.bankinfosecurity.com/ups-reveals-data-breach-a-7217
United Parcel Service Confirms Security Breach - https://bits.blogs.nytimes.com/2014/08/20/ups-investigating-possible-security-breach/