Large Organizations Need Open Security Intelligence Standards and Technologies

From: NetworkWorld

Enterprises want choices, integration, and specific types of data feeds.  Will vendors acquiesce? 

By joltsik

A few years ago, Trend Micro announced that it would enhance its on-site AV products with cloud-based intelligence it called the “Smart Protection Network” (SPN).  I’m not sure if Trend was the first, but it certainly wasn’t the last vendor to embrace this type of architecture.  In fact, just about everyone now has a toe in the cloud-based security intelligence pool.  For example, Blue Coat promotes its WebPulse security intelligence, Cisco champions its Security Intelligence Operations (SIO), and Symantec trumpets DeepSight.  Security intelligence sharing initiatives (like CISPA) are also a big part of the Federal government’s cybersecurity initiatives.

What does cloud-based security intelligence entail?  In many cases, it takes advantage of the proverbial “network effect” (sometimes referred to as Metcalfe’s law and attributed to Ethernet inventor Bob Metcalfe).  According to Wikipedia, Metcalfe’s law states that the value of a telecommunications network is proportional to the square of the number of connected users of the system (n²).  Each instance of the vendor’s product acts as a sensor for security intelligence (e.g., malware detection, rogue URL detection, rogue application detection).  The vendor then implements a cloud repository to publish, analyze, and distribute this information to all other customer nodes around the network.

In theory, everyone benefits from the “network effect” while each vendor adds its own secret sauce in the forms of things like automated analysis, reputation data, and global honeynets, to increase its security intelligence value.

This type of security intelligence sharing is a very good thing because it:

1. Increases the number of collectors in the intelligence network.

2. Provides real-time (or near real-time) intelligence sharing.

3. Can be used as input for hardening security controls and supplementing internal security intelligence.

Good stuff, but I see some downside coming.  First, it won’t be long until enterprises have to manage security intelligence feeds arriving from every direction: AV vendors, web threat management gateways, advanced malware vendors, networking vendors, SIEM vendors, and so on.  Of course, a lot of this intelligence will be redundant, and some vendors will provide better and timelier intelligence than others.  Some vendors will also have intelligence that is a better fit for certain geographies or industries.  Additionally, a number of emerging vendors specialize in advanced security intelligence alone.  I recently met with a firm named Norse that exemplifies this business focus.  This potpourri of data will likely present a series of challenges as security professionals try to manage, compare, integrate, and act upon a growing avalanche of security intelligence feeds from an assortment of sources.
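As an added illustration (not part of the original article, and not any vendor’s code), the following Python sketch shows the kind of plumbing a security team ends up writing once it consumes several such feeds: it normalizes indicators so the same value from two vendors compares equal, measures how much of the combined intelligence is redundant, how far each vendor lags the earliest reporter on shared indicators, and which indicators are corroborated by more than one source before anyone acts on them. The vendor names, indicators and timestamps are constructed for the example (documentation IP ranges and reserved TLDs).

```python
"""Merge several vendor threat-intelligence feeds, measure overlap and
timeliness, and derive a corroborated indicator list.

Hypothetical example: the feed records below are constructed, not real
vendor data, and the vendor names are placeholders."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Constructed sample feeds: vendor -> list of (indicator, type, first_seen UTC).
# Note the deliberate case and whitespace differences between vendors.
FEEDS = {
    "vendor_a": [
        ("198.51.100.7", "ip", "2013-04-01T10:00:00Z"),
        ("Example-Bad.test", "domain", "2013-04-01T11:30:00Z"),
        ("203.0.113.9", "ip", "2013-04-02T08:00:00Z"),
    ],
    "vendor_b": [
        ("198.51.100.7", "ip", "2013-04-01T14:00:00Z"),
        ("example-bad.test", "domain", "2013-04-01T09:00:00Z"),
        ("malicious.invalid", "domain", "2013-04-03T00:00:00Z"),
    ],
    "vendor_c": [
        ("198.51.100.7 ", "ip", "2013-04-02T10:00:00Z"),
        ("203.0.113.9", "ip", "2013-04-02T08:00:00Z"),
    ],
}


def parse_time(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(indicator, kind):
    """Canonicalize an indicator so the same value from two vendors compares equal."""
    value = indicator.strip()
    if kind == "domain":
        value = value.lower().rstrip(".")
    return value


def merge_feeds(feeds):
    """Return {indicator: {"type": kind, "sources": {vendor: first_seen}}}.
    If one vendor lists an indicator twice, its earliest sighting is kept."""
    merged = {}
    for vendor, records in feeds.items():
        for raw, kind, ts in records:
            key = normalize(raw, kind)
            seen = parse_time(ts)
            entry = merged.setdefault(key, {"type": kind, "sources": {}})
            prev = entry["sources"].get(vendor)
            if prev is None or seen < prev:
                entry["sources"][vendor] = seen
    return merged


def redundancy_ratio(merged):
    """Fraction of indicators reported by more than one vendor."""
    shared = sum(1 for e in merged.values() if len(e["sources"]) > 1)
    return shared / len(merged) if merged else 0.0


def unique_contribution(merged):
    """Per vendor, how many indicators nobody else reports."""
    counts = {v: 0 for e in merged.values() for v in e["sources"]}
    for e in merged.values():
        if len(e["sources"]) == 1:
            (vendor,) = e["sources"]
            counts[vendor] += 1
    return counts


def mean_lag_hours(merged):
    """Per vendor, mean hours behind the earliest reporter, over shared indicators."""
    lags = defaultdict(list)
    for e in merged.values():
        if len(e["sources"]) < 2:
            continue
        earliest = min(e["sources"].values())
        for vendor, seen in e["sources"].items():
            lags[vendor].append((seen - earliest).total_seconds() / 3600)
    return {v: mean(hours) for v, hours in lags.items()}


def corroborated(merged, min_sources=2):
    """Indicators confirmed by at least min_sources vendors: a simple policy for
    deciding which third-party intelligence is trustworthy enough to act on."""
    return sorted(k for k, e in merged.items() if len(e["sources"]) >= min_sources)


if __name__ == "__main__":
    m = merge_feeds(FEEDS)
    print(f"{len(m)} indicators, {redundancy_ratio(m):.0%} reported by more than one vendor")
    print("unique per vendor:", unique_contribution(m))
    print("mean lag (h):", {v: round(h, 1) for v, h in mean_lag_hours(m).items()})
    print("corroborated:", corroborated(m))
```

On the constructed data, three of the four indicators are redundant, vendor_b is the only one contributing something unique, and vendor_c trails the earliest reporter by a day on the one indicator all three share; those are exactly the comparisons a team needs before deciding which feeds to pay for and which to feed directly into blocking controls.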

So this brings up a fundamental question:  Should security intelligence be baked into products or should enterprise organizations have an opportunity to choose and integrate the security intelligence that offers the best data, intelligence, and integration capabilities for their particular industry, compliance, risk management, and threat detection/response needs?
