The threat intelligence landscape is an archipelago, and although a few bridges have been built here and there,...
the islands remain largely isolated.
Some security vendors, however, are looking to build bridges by pushing for the emergence of a security ecosystem concept, an API for product integration more or less available to third-party vendors. So far, this has resulted only in piecemeal ties among products -- it remains early in the game for third-party vendors making a move to share real-time data bidirectionally across a universal channel.
At RSA Conference 2015, Intel Security announced a major expansion of its Data Exchange Layer (DXL) security communications fabric that included deeper integration with Intel Security products, such as the McAfee Threat Intelligence Exchange (TIE) platform, a security information-sharing control center that was launched last year.
Cisco introduced its own security information sharing product, Platform Exchange Grid (pxGrid), in 2013. Cisco recently expanded the functions and the list of partner vendors supporting the framework. PxGrid includes an API that integrates with Cisco's Identity Services Engine (ISE), a portal for validating and attesting to network identities. Via pxGrid, security products are able to share threat intelligence with ISE. In this case, though, the security communication is not bidirectional.
While some smaller vendors may rely on larger corporations, such as Cisco and Intel, to pull them along, more established vendors -- especially those battling for the same market share, such as Kaspersky Lab and Symantec -- are unlikely to join. This creates a schism among security vendors, forcing the end user to ultimately choose sides. And choosing a side leads to a certain degree of lock-in.
"'Ecosystem' means that, essentially, you have your solution more sticky," said Guy Mordecai, director of product management at FortScale Security Ltd.
Fortscale, a user-behavior analytics firm based in San Francisco, integrates into most of the large vendors' ecosystems. Fortscale is also one of the few vendors that does so. "If you have an ecosystem and around it you have satellite products that integrate with it: first, you're creating a lot more value for your customers," Mordecai said. "Two, you're making the switching costs a bit higher, because now you have that suite of products that work really well and integrate with one another, or you're now switching into another set of products that are not necessarily working as well together."
What's the upside?
Roger Wood, senior director of product management at Intel Security, called DXL "a brokerage for information" on which message exchanges occur to add context to each product's analysis. Different entities and consumers can subscribe to different feeds from the TIE server, receiving messages via DXL. DXL serves as a nervous system for the immune system that is TIE.
"That's where making sure that DXL is open comes into play," Wood said. "The next stage is to make sure we have a generic reputation provider capability -- so that you can map pretty much any AV product you want."
McAfee's DXL is open to a myriad of third-party vendors, who, according to Wood, can share information across DXL without necessarily going through TIE. This gives DXL a fabric-like quality.
"It's really a security exchange bus," said Sandeep Kumar, principle solution marketing manager at network security firm ForeScout Technologies Inc., based in Campbell, Calif., one of the many companies integrating into the DXL framework. "The concept is: different products can get on this bus and share intelligence that they have with other products that may use that intelligence. It's a provider-subscriber type of model."
Although to use DXL, vendors must become official Intel Security partners. This is also true for Cisco's alternative.
Sandeep Kumarprinciple solution marketing manager, ForeScout
Cisco ISE provides a portal, which confirms that you are who you say you are, in order to access the network. For example, ISE can determine a person's identity, the device he or she is using to access the network, and the operating system and applications that reside on that device.
"With all this stuff combined, I'm able to give you a sort of fingerprint of identity -- and I can assign policy based on that," said Dave D'Aprile, senior product marketing manager for Secure Access and Mobility Group at Cisco. "We started thinking, what if we could take all of this context and then share it out. That was the genesis of the Platform Exchange Grid, or pxGrid, as we like to call it."
PxGrid takes the information that ISE uses for security policy and shares it out to its copious partner vendors. The partner vendors are then able to improve their own capabilities from a network perspective.
For example, a printer is connected to a network. It is marked as a printer. If ISE sees that said printer is suddenly sending hundreds of emails to the company CEO, the behavior lets ISE figure out that this network connection is likely not actually a printer. ISE provides the context of IP address and name -- printer H -- and physical location -- it's on the second floor -- of the printer. The printer can then be quarantined to avoid network spread of the problem.
"You might spend five or six months trying to find a particular IP address in your enterprise, trying to determine, 'where is this thing, I have to stop it, I don't know where it is,'" D'Aprile said. "Adding the context that says: it's Dave's laptop; he's over here in this particular building; we can quarantine him so he's not causing any more harm; and we could go fix him or maybe automatically redirect him to remediate himself [at] a server where he can fix his own laptop. This is all policy you can create and work through these two different solutions. That's an example of how pxGrid integration can really help drive the security piece."
But the partner vendors cannot receive from ISE the information that ISE receives from others. The process, in other words, is not bidirectional.
"PxGrid and ISE are completely connected together. Right now, you would have a stand-alone partner … sharing contextual information; ISE would be sharing its contextual information;
"The idea [for the future is] that multiple partners could share information across pxGrid because they've already developed on pxGrid, and then all of that information could correlate to ISE," said Beth Barach, senior product marketing manager at Cisco. "That's not happening today, but that's the ultimate idea of where pxGrid is going. Ideally, since all of our partners are developing on pxGrid to interact with ISE, the goal for the future would be to interact with ISE and each other."
Barach said that she would not describe pxGrid as a message fabric or a bus.
"It's more like an API," Barach explained. "Before the development of pxGrid, we did this sharing functionality with an API. And then, pxGrid was developed to be a more sophisticated API to replace the API that was in place."
Cisco's approach seems to be rather laissez-faire regarding partners sharing with each other. ISE is there and receives info from all partners, and if others are not sharing with each other -- Cisco is not concerned.
"Keep in mind that most of their time and energy has been spent on developing their integrations with ISE -- that's sort of been the first step," Barach said.
SIEM is not enough
Security information and event management (SIEM) systems collect information from other products to get a bird's eye view of the environment. If there is an instance of phishing with malware or a suspicious URL, that data is passed along to the SIEM system.
"A SIEM aggregates that information into a single dashboard," said Scott Gainey, vice president of product marketing, industry & programs, at network security vendor Palo Alto Networks, based in Santa Clara, Calif. "If I see some particular alerts within my firewalls, and I see something on my endpoint devices and my core network -- I see the context and I can deduce that there is something serious going on and warrants taking a deeper look."
SIEM systems require analysis to ensure that the information coming through is read and acted upon if hazardous. Anton Chuvakin, research vice president at IT analyst firm Gartner Inc., based in Stamford, Conn., is a big proponent of SIEM -- but he is concerned that enterprises are dismissive of the technology because they are not utilizing it properly. Most of the trouble with SIEM, according to Chuvakin, is how people use it -- or rather, don't use it. Chuvakin stressed that SIEM is not an autopilot product that enterprises can "set and forget," and instead requires attention from security managers.
"People want to have a product that magically tells them what matters for them, and in many cases, that's actually an impossible goal," Chuvakin said. "It's almost like a microwave that cooks dishes that you like. You bought it out of the box and it cooks things you like right way -- how would it know?"
The idea behind DXL and pxGrid is that information gathering and subsequent reaction to it can be automated. An IT professional is not required to sift through massive quantities of alerts and false alarms.
In attempts to rush an integration process, vendors add code upon lines of code to integrate their systems. Too many add-ons may slow down the network, Palo Alto Networks' Gainey said, making it run less efficiently.
"If you actually start to turn on some of that security functionality, that 20 Gbps drops down to 5 Gbps second," Gainey said. "You lose all that performance capability. Now as a security professional you're completely at odds with your networking team, and you'll say 'Go turn that stuff off because you're totally bringing down my network.'"
Kenneth Schneider, Symantec's vice president of technology strategy, disagreed on the network impact of such product integration. Symantec last year unveiled Synapse, a security communication service designed to correlate security information between endpoints, email systems and gateways. Symantec said it worked with many next-generation firewall (NGFW) players to solve the problem of after-the-fact malware disposal to reduce impact on the network.
"For these kinds of interactions there's not actually a huge amount of data moving around," Schneider said. "If you think about it, that NGFW is sitting taking a lot of data, but then it essentially grabs a piece of malware, analyzes it and gets additional questions about that. In this particular integration we're talking about, there's not really that much network impact. It's analyzed information that's flowing around more than raw data."
The combination of the ISE or TIE systems with endpoint, network, cloud and other products allows for quick response. The combination of SIEM systems with ISE or TIE allows not only finding and alerting information, but also sending out a solution to the threat. The goal, Cisco's D'Aprile said, is to hopefully drive faster remediation and reduce time to attribution, "which is really key if you think about it."
D'Aprile says pxGrid is intended to be an open standard. "We've opened it up on the IETF," he said. It is available for people to look at and use."
ISE is an open API that people can use to essentially communicate with Intel Security access control products. But they obviously must become a partner and use pxGrid, according to D'Aprile, begging the question of how open the standard really is.
Vendors are free to reach out to Intel Security to join the Security Innovation Alliance (SIA). And the group made some efforts for this to be a bidirectional effort, recruiting the likes of ForeScout and Fortscale. About 170 partners integrated in with various aspects of the Intel Security technologies, according to Intel Security's Wood. DXL is one of the capabilities that said partnership provides.
Anton Chuvakinresearch vice president at Gartner
"We are looking to open up more broadly over time," Wood said. "One of the things that Intel loves to do is to make standards out of things, so we are evaluating how we might go about doing that. It would be great to have it completely open."
Wood explained that the transition to becoming fully open is slow because it is important for Intel Security to make sure the transition is secure for the end user -- after all, security is what the company is all about.
"Being based on a message bus technology, we don't have to do a full API-type integration like in the past a lot of integrations have been done -- the [problem is] where anyone who wants to integrate has to integrate with everybody else," Wood said. "That's where having the Data Exchange Layer be open means that that third-party vendor can integrate into DXL and subscribe to TIE. They'll get the DXL development kit through our partner program and then incorporate that into their product so that they can be listening on the appropriate channels."
Setting a standard
Industry standards are hard to set. But ultimately, a single security communication standard does not have to favor any individual vendor. Cisco, for example, does not have to concede to Intel Security in order to use a common security ecosystem or threat intelligence exchange.
"In my humble opinion, there should be a lot more talk about open standards, APIs and cybersecurity middleware at RSA," Jon Oltsik, security analyst at The Enterprise Strategy Group (ESG), based in Milford, Mass., wrote in a blog following RSA Conference. "An industry-wide cooperative effort in these areas would benefit everyone -- especially cybersecurity vendors' customers."
Earlier in the millennium, there were efforts to establish an enterprise service bus (ESB) as a standard messaging bus via which various applications could communicate. The ESB efforts fell through, as the industry failed to recognize a single definition for what an ESB was.
Many a vendor agrees that a common form of sharing would best suit the end user and improve enterprise security. But no vendor wants to negotiate with their competitors to establish one, or even to precisely define one. This appears to be the ESB problem all over again.
Meanwhile, small vendors are making connections where they can. Fortscale offers integration with Cisco, Splunk Inc. and McAfee. ForeScout offers integration with Splunk, McAfee and Palo Alto. RSA integrates with McAfee, Palo Alto and Cisco. Gigamon Inc. and Citrix both integrate with Palo Alto, Cisco and Splunk. IXIA is the only vendor that integrates with all four big names. There are plenty that share two of the above. So, in choosing one large vendor product, the consumer is left to a sea of smaller vendor products to integrate with.
Open standards: Why not?
"The malware guys are always trying to innovate to get ahead of us, and we're always hopefully no more than one step behind trying to keep up -- so having shared data would absolutely benefit everybody," said Mark Bermingham, director of global B2B marketing at Kaspersky. "The only issue is everybody is in this market to make money. All the vendors would have to be able to monetize effectively in their own portfolios to make sure that they're truly going to grow."
Beyond financial disincentives, there's the problem of keeping a shared message bus locked down and trustworthy. "As the command and control structure that can literally change the behavior of every computer in the organization in 50 milliseconds -- and as a highly trusted security backbone -- we want to make sure that the management infrastructure, the traffic controls, the authentication capabilities, the revocation capabilities [and] everything to do with securing that infrastructure is very well embedded and nailed down," Wood explained, "so that our customers have full trust that they have control over their instance, regardless of which and how many vendors they plug into it."
Furthermore, a standard channel creates an architecture that malicious actors can learn to avoid. In other words, a threat intelligence exchange platform that is truly open can be accessed by malicious actors, who can then use that knowledge to beat the system.
"Here's the big problem with standards," Bermingham said. "Standards are great to develop to, [although] -- and we see this with some of the standards that are in place today -- not only can vendors like Kaspersky architect to them, but the guys who author malware can just as readily access them and learn how to navigate around them.
"So having a published set of standards -- while interesting and potentially useful -- is also somewhat dangerous," Bermingham said, "because the nature of them being standard means they're publically available, and the bad guys are always looking for routes around malware detection capabilities."
Will the circle be unbroken?
For the most part, security vendors seem to be excited by the prospect of sharing information across a threat intelligence exchange and integrating -- at least partially -- products through the virtual tubes and wires of something like a message bus. It's the contagious hesitancy -- the "fear of missing out" on proprietary products -- that leads to this prisoner's dilemma in security vendors.
"As that old security saying goes, 'the cybersecurity chain is only as strong as its weakest link,'" ESG's Oltsik wrote. "Unfortunately, enterprise security hasn't resembled a chain in the past, but rather an assortment of incongruent metal rings. Given today's threat landscape, connecting the links has become even more important than the best-of-breed capabilities of individual security tools alone."
And while every vendor, even the vendors who find fault with a universal standard, seems to think sharing information is the best way to secure their customers -- so far, the intent has not led to a definitive solution.
"If we put this together more eloquently as an industry, customers would certainly benefit," Bermingham said. "But it's challenging to do so, because it would imply that companies that have been competitors for 15 and 20 years would need to all of a sudden decide that this is a good thing to do. It would be nirvana."
Cisco's Martin Roesch says security information sharing and visibility platforms
Learn more about the basics of threat intelligence services in the enterprise