Defining Threat Intelligence at RSA Conference

Posted by Hugh Docherty on Mon, May 4, '15

35,000 people and 500 exhibitors trekked to the Moscone Center in San Francisco to learn, share, commiserate, and strategize about the latest challenges and solutions to the cyber threats facing companies of all sizes. The 2015 RSA Conference was the biggest yet (compare 15,000 attendees and 300 exhibitors in 2007), and much of the action happens on the Expo floor, which burst out of Moscone South in 2013 and has since squeezed the keynote speakers out of Moscone North. The Expo is crowded with booths of all sizes and vendors of every type. It's a collage of banners, signs, and collateral, abuzz with demos, presentations, and evangelists.

Threat intelligence has been a hot topic in the sector for the past few years and was a major part of the discussion again this year. And like other technologies, it can be a bit confusing for many companies. Knowing how to implement, operationalize, and fully benefit from any solution requires a good plan and better execution. Figuring out which vendor provides the best solution for your team is key to your project’s success.

The concept of threat intelligence is simple enough in that you need to know about an attack in order to prevent it from succeeding. However, there is no gold standard for comparing intelligence providers and no two vendors deliver exactly the same service. Many of our meetings with CISOs and other security professionals included a discussion around this topic.

Searching the 500 exhibitors at the RSA Conference for threat intelligence vendors turns up a variety of solutions, ranging from malware research groups to appliance and SIEM vendors. In fact, one SIEM vendor identifies itself as "the threat intelligence company". While a SIEM plays an important role in putting threat intelligence to use, deriving and publishing original intelligence is a very different business.

Malcovery shares the important characteristics of actionable threat intelligence on our website; they need to be considered as you evaluate vendors for use within your InfoSec operations. We realize that lots of vendors look and sound alike these days, so here are some additional aspects of Malcovery and how we can help you.

  • We focus on the phishing and malware campaigns being launched today. We're not trawling the dark web or social media for discussions or comments that are interesting but generally not very actionable for most companies.
  • Our analysts confirm each threat by analyzing attachments and payloads before we report it to you. This allows us to maintain a very high-signal service that you can rely on.
  • We do the analysis to connect IP addresses, URLs, file hashes, and malware families with campaigns, tactics, and trends so your team can focus on the right response and better protection.
  • We provide MRTI (machine-readable threat intelligence), human-readable reports, SaaS tools, and coaching as part of your integrated service. Machine-readable formats are optimized for your SIEM, firewall, proxy, and other security applications, in addition to STIX.

Before you sign up for a threat feed or intelligence service, make sure you know how you are going to use it. Talk this through with your vendor and make sure you understand whether you will be able to automate any actions or will need to further analyze whatever the vendor provides. What happens if you have additional questions about a report? Will you be able to talk with the threat researcher? How will your vendor help get you up and running quickly?
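What "knowing how you will use it" looks like in practice: a consumer that loads a machine-readable indicator feed, matches it against proxy logs, and uses the campaign and confidence fields on each row to decide whether a hit is pushed to the proxy or firewall unattended or handed to an analyst. This is an added example written for this post; it is not Malcovery's code, feed format, or data. The CSV layout, the campaign names, the confidence levels, the recommended actions, and the proxy log lines are all constructed for illustration.

```python
"""Operationalize a machine-readable indicator feed against proxy logs.

Added example for this post; not Malcovery's code, feed format or data.
The CSV layout, campaign names, confidence levels and log lines below are
all constructed for illustration.
"""
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed feed. Each indicator carries the campaign it was tied to and a
# recommended action, which is what lets a consumer decide per row whether to
# automate (block) or hand the hit to an analyst (alert). The sha256 row will
# never match a proxy line; it is matched against endpoint or sandbox data and
# is here only to show that one feed carries several indicator types.
FEED_CSV = """type,value,campaign,confidence,action
ip,203.0.113.45,FakeInvoice-Campaign,high,block
domain,invoice-portal.example,FakeInvoice-Campaign,high,block
url,http://Invoice-Portal.example/doc/view.php,FakeInvoice-Campaign,high,block
domain,cdn-updates.example,MacroDropper-Campaign,medium,alert
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,MacroDropper-Campaign,high,alert
"""

# Constructed proxy lines: timestamp, client, destination IP, method, URL, status.
PROXY_LOGS = [
    "2015-05-04T09:12:01Z 10.0.5.23 203.0.113.45 GET http://invoice-portal.example/doc/view.php 200",
    "2015-05-04T09:12:44Z 10.0.5.23 198.51.100.7 GET http://cdn-updates.example/u/1.exe 200",
    "2015-05-04T09:13:10Z 10.0.7.8 192.0.2.10 GET http://www.example.org/ 200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    campaign: str
    confidence: str
    action: str


def normalize(kind, value):
    """Canonical form so feed values and log values compare equal.
    URLs keep their path case (paths can be case-sensitive) but get a
    lower-cased scheme and host and lose any fragment."""
    value = value.strip()
    if kind == "url":
        p = urlsplit(value)
        return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))
    return value.lower()


def load_feed(feed_csv):
    """Index the feed as kind -> normalized value -> Indicator for O(1) lookups."""
    feed = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(feed_csv)):
        ind = Indicator(row["type"], normalize(row["type"], row["value"]),
                        row["campaign"], row["confidence"], row["action"])
        feed[ind.kind][ind.value] = ind
    return feed


def match_line(feed, line):
    """Return a hit record for one proxy line, or None if nothing in the feed matches."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than crash the whole run
    url = normalize("url", m["url"])
    host = urlsplit(url).hostname or ""
    lookups = (("ip", m["dst"].lower()), ("domain", host), ("url", url))
    hits = [feed[kind][val] for kind, val in lookups if val in feed[kind]]
    if not hits:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "hits": hits,
        "campaigns": {h.campaign for h in hits},
        # One block-tagged indicator is enough to block; otherwise an analyst looks.
        "action": "block" if any(h.action == "block" for h in hits) else "alert",
    }


def triage(feed_csv, lines):
    """All proxy lines that touched a feed indicator, with campaign context attached."""
    feed = load_feed(feed_csv)
    return [hit for hit in (match_line(feed, line) for line in lines) if hit]


def blocklist(feed_csv):
    """Only high-confidence, block-tagged indicators are safe to push unattended."""
    feed = load_feed(feed_csv)
    return {(i.kind, i.value) for kind in feed for i in feed[kind].values()
            if i.action == "block" and i.confidence == "high"}


if __name__ == "__main__":
    for hit in triage(FEED_CSV, PROXY_LOGS):
        print(hit["ts"], hit["src"], hit["action"], sorted(hit["campaigns"]),
              [h.value for h in hit["hits"]])
    print("push to proxy/firewall:", sorted(blocklist(FEED_CSV)))
```

The split between `triage` and `blocklist` is the answer to the question the vendor conversation should settle: which rows you can act on automatically (here, only high-confidence rows the feed itself tags as blockable) and which ones need a person to read the accompanying report before anything changes on the network. The medium-confidence domain hit above surfaces with its campaign name attached, so the analyst starts from context instead of a bare IOC.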

Malcovery recently hosted an informative webinar with 451 Research during which we reviewed how you can use threat intelligence to improve your incident response process. The webinar recording is available on demand. We started in the SOC and moved through the analysis phase with the help of a very "animated" CISO.


Topics: RSA Conference, Actionable Intelligence, Protect Your Network
