Missing the Mark on Cloud-based Intelligence
This week, Juniper Networks announced a new cloud-based threat intelligence service focused on fingerprinting attackers’ individual devices. We’d like to officially welcome Juniper to the cloud-based security intelligence market—a space where Cisco has a proven track record of leadership through Security Intelligence Operations (SIO). Imitation is indeed the sincerest form of flattery, but in Juniper’s case, they entered the market years late and with limited visibility.
Let’s take a closer look at Juniper’s latest offering.
To start, here is what we know for certain: cyber threats take advantage of multiple attack vectors, striking quickly or lurking for days, months and even years inside your network. The Cisco 2013 Annual Security Report also shows that the web is an equal opportunity infector, with cyber threats crossing national, geographic and organizational boundaries as quickly and easily as users can click on a link. Security solutions must understand both the attacks and the infrastructure they are launched from; tracking individual hackers does far less for your defenses than blocking the malicious activity being actively distributed over the network.
The Problem of Visibility
When a detective walks onto a crime scene, they don’t just focus on one thing. The only way to understand an event is to look at the entire scene: interview witnesses, check the neighborhood and look into the history of everyone involved. In other words, build context: the “who, what, where and how” of the event, using every available piece of data.
Just as a skilled investigator builds a holistic picture, security solutions are only as reliable as the intelligence they receive, and Juniper’s intelligence is limited by the number of “honeypots” across their customer base. In network security, focusing on a single piece of information, a single attack vector, or one delivery mechanism misses the global visibility and context needed to stop advanced attacks. Cisco SIO powers our security solutions, receiving over 100 terabytes of network intelligence from 1.6 million deployed web, email, firewall and IPS devices. We correlate this data from physical, virtual and cloud-based solutions with a world-class threat research team, augmenting all of this with an ecosystem of third-party contributors. Fingerprinting is one small tool you should deploy in your arsenal, even though it has limited utility and perhaps even limited accuracy.
What happens when a fingerprint changes?
Each year, security vendors (ourselves included) expound on the increasing sophistication of attackers. This isn’t just idle talk: megatrends such as mobility and cloud are fundamentally expanding the attack surface. The time for independent fingerprinting without holistic visibility and context ended before it began. Fingerprints are only useful so long as they don’t change, and sophisticated hackers have been mutating their attacks to evade detection for as long as security professionals have been trying to stop them. I wouldn’t bet the future of any company on “lazy” or non-skilled individuals. Just as malware has proliferated and evolved, so will the ways of masking an attacker’s fingerprints.
Parts of the puzzle
There is one thing we can both agree on: block lists, reputation scores, and signatures aren’t enough to mitigate cyber threats. Instead of focusing on point products and singular detection methods, Cisco’s solutions are powered by Security Intelligence Operations (SIO), providing the industry’s greatest breadth and volume of malware threat intelligence. SIO provides unmatched visibility into the global threat landscape, revealing where threats exist – even when verdicts are uncertain. All of this is delivered just-in-time from the cloud to your security platforms, maximizing protection while minimizing resource usage across physical, virtual and cloud-based deployment options. Through SIO, our solutions provide near real-time protection, continuously evolving your defenses beyond blacklists and reputation. Combined with our latest acquisition, Cognitive Security, this visibility and footprint have been extended to behavioral analysis with local context.
In the end, you need to identify where illicit activities are taking place. Security solutions should look at the overall attack infrastructure from a network perspective, with the context to explain malicious behavior and the ability to block the attack before an organization can be compromised. To bring it home, let’s use the analogy of an apartment building. In this case, you identify an apartment building with limited security that harbors unsavory characters. Even though there may be some good tenants, you have to assume that other apartments could easily be compromised, and that the unsavory characters can quickly spread across the neighborhood. While remediation takes place, it makes sense to block the activity coming out of the entire building, as malicious actors are smart enough to lead you down dark hallways and alleyways to give you the slip. Then, take a step back and look at the postal code and the volumes of information you could infer from the area in general. Dismissing the building and the area, which is what attacker fingerprinting does, misses the mark on the value of contextual defense.
When it comes to cloud-based threat intelligence and defense, do you trust the latest vendor to jump on the bandwagon, or do you trust the market leader?