Latest trends in automated threat intelligence-driven network security

Since the earliest days of the Internet both network threats and network defenses have been evolving. In this Help Net Security podcast recorded at RSA Conference 2019, Todd Weller, Chief Strategy Officer at Bandura Cyber, talks about the latest trends in automated threat intelligence-driven network security.


Here’s a transcript of the podcast for your convenience.

We’re here with Todd Weller, CSO of Bandura Cyber. How are you Todd?

I’m great. Fired up for another RSA Conference.

Excellent. We’re here to talk about the latest trends in automated threat intelligence-driven network security. That’s what Bandura Cyber is all about.

Threat intelligence gateway. I would say a couple of key things. One, we’re seeing a broadening of demand for threat intelligence in use by companies of all sizes. It used to be the domain of larger enterprise customers, and pretty much every sophisticated elite security organization is using it. But now, more small and mid-sized enterprises are using it. There was a recent SANS survey where they said 90 percent of folks are or plan to use more threat intelligence. The use is increasing, which is good.

That is good. You’ve a pretty interesting background and you’ve looked at this industry for a lot of years. You have got an interesting take on where we’re going.

I do, because I spent 17 years as a Wall Street analyst covering cybersecurity, and now I’ve been on the vendor side for the last five years. I’ve had a lot of time over target on the security industry and still look at trends like an analyst would. The challenge with security is there is a lot of noise. There are 50,000 people here, there are 700 vendors and everybody kind of says the same thing, but the couple of trends I think are very important and are consistent are more use of threat intelligence.

The other key is how do we use automation to better scale security operations. We all know about the security staff shortage; everybody says it ad nauseam, but that’s because it’s true, and there is definitely an increased focus on automation. Back on the threat intelligence front, one of the trends is: how do you take that from a reactive detection and response paradigm to a more proactive prevention, taking action with threat intelligence to block threats as opposed to waiting until you have to do a detection and response and then do a block.

We know the technology has changed a lot. How are the threat vectors changing?

The threat vectors are interesting. I just came from a breakfast with Rob Doyle, who is a cybersecurity bigwig at the NSA, and he brought up some great points. The threat vectors have just increased. We have in our house I don’t know how many Google Homes and Amazon Alexas; they all kind of talk at different times when you say things, everything’s internet-connected and there are just more vectors. The human is now an easier vector for folks at the same time. Rob Doyle mentioned that the barrier to hacking somebody or attacking somebody has really been reduced. It’s a lot easier with the tools and the automation that’s out there for run-of-the-mill folks to become cyber attackers. The game continues.

No doubt. And how does Bandura Cyber’s take fit into all this?

We’re an emerging category called threat intelligence gateways. If you think about threat intelligence from a market perspective, I’d say there’s kind of three key areas. One, there are providers of threat intelligence. They’re providing threat intelligence feeds, indicators of malicious IP, domains, etc. And there’s a variety of those, there’s commercial providers like Webroot, Symantec, Proofpoint. There’s plenty of open source action there. There are industry sources of threat intelligence from ISACs. And then there are government sources like the DHS Automated Indicator Sharing program.

The next step is what do you do to manage all those threat intelligence feeds. And that’s where a threat intelligence platform fits in. They aggregate the feeds, help you analyze and make the threat intelligence actionable. Those are companies like Anomali, ThreatQuotient, ThreatConnect. We partner with all those companies. Our space comes in as the action piece, the threat intelligence gateway. We sit on the network, in line, in front of a firewall, and we’re purpose-built to consume a huge quantity of these threat intelligence indicators from all of these different sources. And I’m going to ask your next question for you because I know what you’re going to ask me.


Why shouldn’t my firewall do that? The issue is, next generation firewalls, take your flavor: Palo Alto, Cisco, Fortinet, they’re all very good companies, they’re very good at what they do, they are very good at working with their own threat intelligence indicators. They have huge installed bases, huge deployments of firewalls and they’re putting their own signatures in there, but they don’t play nicely with third-party threat intelligence. There’s a big limit as far as the amount of third-party indicators you can put into a firewall. That’s for performance reasons. And managing and maintaining threat intelligence in a firewall, with rules and access control, is challenging. That’s what the threat intelligence gateway overcomes.

It’s a very interesting play. We see large enterprises that are real threat intelligence power users that are looking at the Bandura threat intelligence gateway to take action, to detect and block on the network. And then we have lots of small and mid-sized customers where we’re actually providing them access to lots of threat intelligence, and the ability to manage it, automate it and then take the action piece, but everything we do in taking action is underpinned by threat intel.

Can you tell me, are there specific verticals that find the threat intelligence gateway really valuable?

For being an emerging space, we have 200 customers today, which is phenomenal, from my perspective. That gives us some good data to look at. About 30 percent of our customers are financial services. That makes a lot of sense, right? Financial tends to lead technology adoption in general. They’re regulated. There’s a lot of security and compliance. They’re actually mandated to use threat intelligence. We see a lot of interest there. But what’s interesting again, it’s not huge banks that we’re dealing with. We’re dealing with midsized, so I’m talking regional banks, credit unions, those types.

We’re also seeing growing interest from healthcare. We have more and more of those types of customers. State and local government is a big area of focus. We have a lot of counties, which you wouldn’t think to be security kind of forward-thinking, but there are a lot of counties and they’re very active with threat intelligence. They’re part of what’s called the MS-ISAC, which is their own industry threat sharing community. They want to consume that threat intel and do something with it. We signed in December a big deal with a large energy company. Those are the verticals we’re focused on, and then kind of tangential to that, we’re really focused on partners like MSSPs, which in some cases you can think of as actually a vertical.

Yeah, for sure. So what’s your take on information sharing? Is it becoming more accepted, or are people still really trying to hold onto their data because they don’t want to give it out?

It’s evolution. I would say it’s clearly becoming more important. If you look at frameworks like the NIST Cybersecurity Framework, the use of threat intelligence is becoming more critical. They’re not only using it but being able to share it. If you look at frameworks like HICP, it’s the Health Industry Cyber Practices that just came out, it’s relatively new. It came out from the Department of Health and Human Services in collaboration with industry, and they’re taking frameworks like NIST, SANS, the Center for Internet Security Top 20 Controls and coming up with best practices. They’re using threat intelligence and ISAC sharing in there. I think you’re seeing more activity, but I think people are consuming threat intelligence more than they’re sharing.

FS-ISAC has 7,000 members today and there are a lot of things. I think it’s evolution, but people are understanding that you need to get visibility into what’s going on within your industry, because attackers do campaigns against an industry and you can’t do it alone. We have to collaborate and do it together.

Todd Weller, thank you very much for joining us. Do you have anything else to add before you jump back into the RSA fray?

No, this was great. Probably one of the best interviews I’ve ever had. So I appreciate it.

We’re glad to hear it. Thank you very much, Todd Weller, Chief Strategy Officer, Bandura Cyber. Have a great day.

Thanks.