What’s in a Name? Threat Intelligence, Artificial Intelligence, and Extreme Snack Foods
What is in a name?
A lot, actually. A rose by any other name would certainly smell just as sweet. But if I sold you a dozen dandelions, calling them roses, as the perfect Valentine’s Day gift for your sweetheart, neither of you would be too pleased, would you?
It makes me think of the early days of extreme sports. Remember? The term represented athletes who were constantly pushing themselves and the sports they loved beyond limits that anyone could have imagined. “Extreme” was a mindset. It was a culture. Then companies latched on to the term to make their products seem edgy and exciting. Eventually it got to the point where the world was introduced to “extreme” snack chips… And “extreme” lost all meaning.
It’s no different in the security world. If you ever visit the vendor areas of the big security shows, you know it’s the same with terms like “threat intelligence” and “artificial intelligence (AI).” As overused and misused as the terms may be, they are important concepts in information security, so let’s attach some real meaning to these terms.
Data -> Information -> Intelligence
Let’s be clear. Data is not the same as intelligence. Data is the raw observation; information is data that has been enriched and organized; and intelligence is the distillation of that information into conclusions that mean something to the people defending a particular organization.
Consider a single IP address. What can it tell you about an actor’s motive, intent, etc.? “Nothing” is the short answer. But you can add geolocation data to learn where that IP’s traffic is originating. Firewall data will show you which port(s) that host is trying to connect to. You get the idea. You’re enriching the data into information upon which analysis can begin. And for this information to become intelligence, you need context.
For instance, what if you have no business interests in the country where the IP is located? You also know that a newly registered domain resolves to that IP address, which can be an indicator of new malware command-and-control infrastructure. Add that you recently detected an email spam campaign with malicious attachments targeting your executives, and that conversation about your organization has increased in a particular underground chat room. These add up to something you want to make sure you are currently defending against. That’s threat intelligence.
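The data-to-information-to-intelligence path above, written out as an added example (this is illustrative code, not Talos tooling). Raw firewall log lines are parsed into data, an IP is enriched with geolocation, domain and port information, and the result is scored against organizational context. The log format, the lookup tables, the country codes and the domain names are all constructed for the example; a real pipeline would query a geolocation database, WHOIS or passive DNS, and your own mail-gateway and monitoring data instead.

```python
"""Data -> Information -> Intelligence: an added, illustrative pipeline."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed raw data: firewall log lines in a hypothetical format.
FIREWALL_LOG = """\
2018-02-10T09:12:01Z ALLOW src=203.0.113.45 dst=10.0.0.12 dport=443
2018-02-10T09:12:07Z DENY  src=203.0.113.45 dst=10.0.0.12 dport=4444
2018-02-10T09:13:40Z ALLOW src=198.51.100.7 dst=10.0.0.30 dport=443
"""

# Constructed enrichment sources standing in for geolocation / WHOIS / pDNS.
GEOLOCATION = {"203.0.113.45": "XX", "198.51.100.7": "US"}
DOMAIN_FOR_IP = {"203.0.113.45": "update-cdn-svc.example", "198.51.100.7": "partner.example"}
DOMAIN_REGISTERED = {"update-cdn-svc.example": date(2018, 2, 3), "partner.example": date(2009, 5, 1)}
TODAY = date(2018, 2, 10)  # fixed "now" so domain ages are deterministic

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_firewall_log(text: str) -> List[Dict]:
    """Data: one dict per parseable log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


@dataclass
class Information:
    ip: str
    country: Optional[str]
    domain: Optional[str]
    domain_age_days: Optional[int]
    ports: Set[int]
    denied_ports: Set[int]


def enrich(ip: str, events: List[Dict], today: date) -> Information:
    """Information: join the bare IP with geolocation, domain age and firewall data."""
    mine = [e for e in events if e["src"] == ip]
    domain = DOMAIN_FOR_IP.get(ip)
    registered = DOMAIN_REGISTERED.get(domain) if domain else None
    return Information(
        ip=ip,
        country=GEOLOCATION.get(ip),
        domain=domain,
        domain_age_days=(today - registered).days if registered else None,
        ports={e["dport"] for e in mine},
        denied_ports={e["dport"] for e in mine if e["action"] == "DENY"},
    )


@dataclass
class Context:
    business_countries: Set[str]      # where the organization actually does business
    recent_exec_spam_campaign: bool   # from the mail gateway
    underground_chatter: bool         # from underground-forum monitoring
    new_domain_days: int = 30         # assumed threshold for "newly registered"


@dataclass
class Assessment:
    ip: str
    indicators: List[str]
    verdict: str  # "noise", "watch" or "actionable"


def assess(info: Information, ctx: Context) -> Assessment:
    """Intelligence: score the information against organizational context."""
    ip_level = []
    if info.country and info.country not in ctx.business_countries:
        ip_level.append(f"traffic from {info.country}, where we have no business interest")
    if info.domain_age_days is not None and info.domain_age_days < ctx.new_domain_days:
        ip_level.append(f"{info.domain} registered {info.domain_age_days} days ago (possible new C2)")
    if info.denied_ports:
        ip_level.append(f"blocked connection attempts to port(s) {sorted(info.denied_ports)}")
    # Organization-wide signals corroborate an IP-level finding; alone they say nothing about this IP.
    org_level = []
    if ip_level and ctx.recent_exec_spam_campaign:
        org_level.append("recent spam campaign with malicious attachments targeting executives")
    if ip_level and ctx.underground_chatter:
        org_level.append("increase in underground chatter about the organization")
    indicators = ip_level + org_level
    verdict = "actionable" if len(indicators) >= 3 else ("watch" if indicators else "noise")
    return Assessment(info.ip, indicators, verdict)


CONTEXT = Context(business_countries={"US", "DE", "JP"},
                  recent_exec_spam_campaign=True, underground_chatter=True)


def run_example() -> Dict[str, Assessment]:
    """Assess every source IP seen in the constructed log."""
    events = parse_firewall_log(FIREWALL_LOG)
    return {ip: assess(enrich(ip, events, TODAY), CONTEXT)
            for ip in sorted({e["src"] for e in events})}


if __name__ == "__main__":
    for ip, result in run_example().items():
        print(ip, result.verdict, *("\n  - " + i for i in result.indicators))
```

The thresholds and the "IP-level finding required before organization-wide context counts" rule are design choices for the example; without that rule every IP in the log would inherit the spam-campaign and chatter signals and the scoring would collapse back into noise.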
The trick is to get to the meat of the problem amidst an overwhelming amount of useless data. So, let’s talk about AI.
There’s no shortage of data out there. A 2016 estimate found that 90% of the world’s data was created in the previous two years. Think about this: our researchers receive about 2TB of information for analysis every day. That includes nearly two million malware samples and up to 600 billion (with a “b”) emails. Every. Day.
It’s clear that analysis must be automated with AI and machine learning to cut through the noise, to identify the low-hanging fruit, and to pass the really tricky stuff to human analysts. (We have over 250 individuals globally with language skills in about 100 languages, collectively. Just saying.) But not all AI is created equal. And with so many security companies claiming to use AI, how can you tell which implementation is most likely to protect you better? Might I suggest reviewing the results of the Fake News Challenge, a competition created to foster development of AI to detect fake news stories?
The Cisco Talos AI team entered the Fake News Challenge, and we’re proud to say, took first place ahead of university and other researchers whose life work is AI. That’s saying something! This is the quality of automated analysis that helps us derive pertinent threat intelligence from massive data sets to feed back into our products. Also, AI helps us keep our data current and relevant, and reduces bloat. For instance, the IP and domain reputation data we keep within Cisco Umbrella is continuously analyzed with several different algorithms to ensure that our intelligence is as effective as it can be to protect our customers.
TL;DR: What’s in it for you?
We believe we can protect our customers better than anyone else. The output and experience of our threat, malware, and vulnerability research; of our automated email, network, and web monitoring; of our cloud, DNS, and behavioral analytics; and of our talented incident responders, consultants, and hundreds of skilled analysts all end up in the technology and services that protect our customers.
Our threat intelligence and research output is also fed back to the open-source security community through Snort IDPS, ClamAV antivirus, utilities such as MBRFilter, and many more. We all face the same threats and we’re all better off if we’re collaborating. (I’ll write about our open source contributions in a future blog post.)