Security Automation is Here—The Time is Now: 60% of respondents think manual processes are holding back security effectiveness

There was a time when automation was a dirty word in security. Now, it is a necessity. A new Enterprise Strategy Group (ESG) survey, sponsored by McAfee and other technology vendors, shows that 3 out of 5 organizations see manual processes as holding them back from better organizational effectiveness when it comes to security analytics and operations. My rule of thumb is: The third time you do the same thing, automate it. That doesn’t mean automating actions like wiping a system or rebooting, but it does mean you get the machines to do the easy work. Automation can mean setting a policy, defining an alarm or quarantine based on a trigger, defining a correlation rule to make the same review decision you had been doing and then setting an alarm or creating a watchlist, or using a script to package and forward data. Any of these approaches is easily implemented with today’s technology.

A case in point – the findings also show that the #1 priority for automation and/or orchestration is integrating external threat intelligence with internal security data collection and analysis. That capability is entirely automated today with the McAfee Enterprise Security Manager. You can consume IOCs and mine your database to see if they are already part of your environment, generating alarms for any matches, and also set a watch in case these IOCs enter your infrastructure in the future. The watchlist can also implement an action you define – from simple alarm to active quarantine. Check out this video to see for yourself.
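The workflow described above (consume IOCs, search stored data for existing matches, then watch for future ones with a defined action) can be sketched generically. This is an added example, not McAfee Enterprise Security Manager code or its API; the `Watchlist` class, the event field names and all sample data are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: IOC feed entries and internal events (not real indicators).
FEED = [
    {"type": "ip", "value": "203.0.113.7", "action": "alarm"},
    {"type": "domain", "value": "Bad.Example.", "action": "quarantine"},
    {"type": "sha256", "value": "AB" * 32, "action": "quarantine"},
]
HISTORY = [
    {"host": "ws-014", "dst_ip": "198.51.100.20", "domain": "intranet.example"},
    {"host": "ws-022", "dst_ip": "203.0.113.7", "domain": "cdn.example"},
]
# Assumed mapping from IOC type to the event fields it can appear in.
EVENT_FIELDS = {"ip": ("src_ip", "dst_ip"), "domain": ("domain",), "sha256": ("file_sha256",)}

def normalize(ioc_type, value):
    """Canonical form so feed and event values compare equal."""
    value = value.strip().lower()
    return value.rstrip(".") if ioc_type == "domain" else value

@dataclass
class Watchlist:
    entries: dict = field(default_factory=dict)   # (type, value) -> action

    def load(self, feed):
        for ioc in feed:
            key = (ioc["type"], normalize(ioc["type"], ioc["value"]))
            # Keep the stronger action if the same IOC arrives twice.
            if self.entries.get(key) != "quarantine":
                self.entries[key] = ioc["action"]

    def match(self, event):
        """Return (host, type, value, action) for every IOC seen in one event."""
        hits = []
        for ioc_type, fields in EVENT_FIELDS.items():
            for name in fields:
                if name in event:
                    key = (ioc_type, normalize(ioc_type, event[name]))
                    if key in self.entries:
                        hits.append((event["host"], *key, self.entries[key]))
        return hits

def retro_hunt(watchlist, history):
    """Search stored events for indicators that are already in the environment."""
    return [hit for event in history for hit in watchlist.match(event)]

watchlist = Watchlist()
watchlist.load(FEED)
past_hits = retro_hunt(watchlist, HISTORY)
# A later event is checked against the same watchlist as it arrives.
new_hits = watchlist.match({"host": "srv-03", "domain": "BAD.example", "file_sha256": "ab" * 32})
```

Normalizing both sides before comparison matters here: without it, the trailing-dot domain and the upper-case hash in the feed would never match the values recorded in events.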

ESG Research, Cybersecurity Analytics and Operations Survey, April 2017.

The post Security Automation is Here—The Time is Now: 60% of respondents think manual processes are holding back security effectiveness appeared first on McAfee Blogs.

Improve Protection Against Cyberattacks Through Shared Threat Intelligence

At the RSA Conference 2016 in San Francisco, Chris Young, GM and SVP of Intel Security, said that one of the best ways to improve response time to attacks and overall awareness of attacks and adversaries is through the timely sharing of threat intelligence. He also talked about Intel Security’s responsibility as a leading security vendor to set an example for the industry by pushing the boundaries of threat intelligence sharing.

We believe that by sharing threat intelligence, we can shift the balance of power away from the adversaries and back to us, the defenders. By crowdsourcing threat data and leveraging collaborative analytics, we can “connect the dots” to form better pictures of the attacks and adversaries that surround our customers. Collectively, we can deliver better protection.

Leading by example, Intel Security partnered with other leading cybersecurity solution providers in 2014 to form the Cyber Threat Alliance (CTA). CTA members share threat information, raising our situational awareness about advanced threats, including the motivations, tactics, and the actors behind them. Once shared, CTA members can automatically deploy prevention controls to stop the identified threats. Based on collaborative research, we also published a joint threat research report late last year around our collective analysis of the CryptoWall Version 3 campaign.

Intel Security is also helping drive the development of voluntary standards for those who wish to establish threat intelligence sharing organizations. We lead several committees within the Information Sharing and Analysis Organization (ISAO) Standards Organization, established through a US Presidential order in 2015. The ISAO SO’s objective is to encourage threat information sharing within the private sector and between the private sector and government.

To gain a better understanding of threat intelligence sharing and Intel Security’s leadership in driving its development, we recently created a web page that educates and shows how we use threat intelligence sharing to better protect our customers. You can visit the page here.

The post Improve Protection Against Cyberattacks Through Shared Threat Intelligence appeared first on McAfee.

When It Comes To Cyberthreat Intelligence, Sharing Is Caring

This blog was originally posted at Dark Reading on March 31.

Shared cyberthreat intelligence will soon be a critical component of security operations, enabling organizations to better protect their digital assets and respond more quickly to emerging threats.

On March 17, the US Department of Homeland Security announced the deployment of the Automated Indicator Sharing (AIS) system, which allows the exchange of cyberthreat intelligence among private and public organizations. Increasing the breadth and speed of information sharing will reduce the number of security compromises, enabling all types of organizations to better defend themselves against emerging threats.

There is almost unanimous agreement among security professionals that cyberthreat information is valuable to their organizations. However, as we dig deeper into the attitudes and implementation barriers to sharing that information, we find myths and significant reticence.

First, let’s define cyberthreat intelligence and dispel a significant myth. Cyberthreat intelligence comprises details and metadata about suspicious and malicious activity, including attack vectors, weaknesses that are being exploited, and mitigation or containment actions. It does not contain any personally identifiable information, even when sharing a file’s reputation.

Next, let’s look at which threat and reputation data people are willing—and unwilling—to share. Intel Security recently surveyed almost 500 security professionals globally and found that about three-quarters of those involved with and knowledgeable about cyberthreat intelligence sharing are willing to pass on information about the behavior of observed malware. Malware details have been shared for a long time, typically with an incumbent vendor or nonaligned security organization. What is surprising is that this figure is not closer to 100%.

Around half of the security professionals surveyed are also willing to share reputation info on URLs, external IP addresses, and security certificates. This increased reluctance to share is typically attributed to company policy or industry regulations and often comes from concerns about legal repercussions from the entities that are identified as being potentially malicious.

Finally, only about one-third are willing to share file reputations, probably due to concerns about accidentally releasing some sensitive or confidential information in the file. Yet cyberthreat intelligence-sharing systems calculate a unique one-way hash to represent the file that is being convicted—this is the only data that leaves the corporate system—and the file cannot be recreated in any way using this value.

Sharing More Valuable Than Secrecy

Increasing support for cyberthreat-intelligence technical standards will help people understand exactly what is and is not included in a threat record and will broaden industry implementations. Although some organizations believe they stand a better chance of identifying and catching bad guys by themselves if they keep the attack details private, more and more realize that the changing nature of attacks makes sharing more valuable than secrecy. Standardization will also make it easier to combine and correlate multiple discrete observations into a larger and more accurate picture of a particular threat.

Catching modern, adaptive attacks is difficult for traditional endpoint and firewall defenses working in isolation because the attacks often mutate every few hours or days, faster than signature updates and scanning tools can keep up. The trend toward targeted attacks is also increasing interest in industry-specific cyberthreat intelligence. Although there are still barriers to overcome before cyberthreat intelligence sharing is widespread, those barriers are falling as successes are publicized and regulations are enacted to provide liability protection. Within a couple of years, shared cyberthreat intelligence will be a critical component of security operations, enabling organizations to better protect their digital assets and respond more quickly to emerging threats.

The post When It Comes To Cyberthreat Intelligence, Sharing Is Caring appeared first on McAfee.

DHS Accelerates Information Sharing Standards Effort; Intel to Chair Working Group

This post first appeared at [email protected] on March 9.

In an effort to accelerate cyber information sharing, and in response to a presidential executive order, the Department of Homeland Security recently announced the formation of the Information Sharing and Analysis Organization (ISAO) Standards Organization. The organization comprises six working groups, and I’ve been appointed chair of the Information Sharing Working Group. For those not familiar with the ISAO effort, it had its genesis in February 2015 as part of President Obama’s Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing,” which directed the DHS to fund the enabling of a nongovernmental organization that would identify a set of voluntary standards and guidelines for the creation, operation, and functioning of cyber sharing and analysis. The intent is to expand the current sector-based model (financial, health, energy, etc.) of Information Sharing and Analysis Centers, enabling the development of innovative types of threat information sharing organizations using standard, consistent interoperable interfaces and data formats. Although this effort is in the very early stages, it is establishing the foundational guidance that will drive the evolving cyber threat intelligence sharing and analysis ecosystem.

Information sharing is crucial because cybersecurity is a shared problem. We must make sure one organization’s detection is a community’s prevention. Most businesses today don’t have cybersecurity as their primary mission. This puts the onus on the private sector to contribute to and use trusted, shared intelligence—ultimately augmenting and enhancing our collective security defenses.

As chair of the Information Sharing Working Group, I hope we can establish the use of standards, procedures, and practices that allow for more interoperability among differing types of sharing organizations. I’d also like to see the guidance we develop become useful not only in the United States but globally. Cyber threats are not simply a US problem; what we develop should be equally useful outside our borders. As such, the working group will be focused on:

  • Developing guidance, procedures, and standards for data from internal and external sources.
  • Analysis of threat, vulnerability, and incident data sharing information within ISAO to its members.
  • Operational architectures and protocols for sharing information.

Both Intel and Intel Security are participating in multiple ways and on multiple working groups. In addition to my chairmanship of the Information Sharing Working Group, company representatives will participate on the core development teams for other working groups of ISAO.

Intel and Intel Security are heavily invested in the development of industry-wide standards that will increase information sharing between and within the public and private sectors while ensuring the appropriate privacy protections are in place. I look forward to chairing this working group. I trust we will make tremendous strides in the development of processes and procedures to further enhance information sharing that will evolve and improve the cyber threat intelligence sharing and analysis ecosystem.

The post DHS Accelerates Information Sharing Standards Effort; Intel to Chair Working Group appeared first on McAfee.