A large number of companies have been categorized as being in the “threat intelligence” space in recent years.
This comes with a blessing and a curse, as while more knowledge is preferred to none, the sector has come under fire for the demands required to work with the added data. One company that has carved out a niche within threat intelligence is Anomali, formerly ThreatStream.
The company will mark three years in business in 2016, and its core proposition is providing threat intelligence to security tools, specifically security information and event management (SIEM). Founder and CEO Hugh Njemanze came from that sector, having worked at ArcSight prior to its acquisition by HP. He told Infosecurity that threat intelligence feed vendors were focused on delivering the threat information itself, while Anomali identified that many users operate next-generation firewalls and point products but that no-one was doing direct integration, and it saw an opportunity for enterprises to collaborate with each other on security threats.
“So if a group of banks want to collaborate, from a legal standpoint it looks like sharing information, so they need a set of tools that are structured to share security information rather than business information,” he said. “Especially within verticals where the business stands to benefit. Over 300 healthcare orgs signed up for our platform within a few days of the Anthem breach: when something happens, they pay attention to something they should have been doing all along.”
He explained that threat intelligence is about identifying the IP addresses used for malicious activity, and building a catalog for external anonymous traffic and knowing what you can do about it.
“You can think of it as indicators of compromise as when you have traffic going through your network, you have internal traffic and you have a lot of context but you don’t really know much else, such as the role or person accessing you,” he said. “It could be a list of URLs used for phishing, or websites used as watering holes. So it is a list of ‘knowns’.”
Njemanze likened it to the Department of Homeland Security no-fly list: which are the IP addresses you should be scared of? “We integrate into the tools and within minutes after a threat is identified, you are notified and live and protecting your network,” he said.
“More threat intelligence is interesting, but not useful until you add it to your technology to utilize it. No-one cares about five million domains associated with malware, but businesses want a higher level context of the adversary and their motivations.”
One criticism of threat intelligence is that it creates more work for the business, and Njemanze agreed, saying that the process in a lot of companies is: get the email; do research across a bunch of different portals; craft an email to the SOC team saying ‘go look for these domains’; and then send a report back to the CEO for the all clear. This is a manual process, and he said that doing it with direct integration was more practical.
This week, ThreatStream rebranded as ‘Anomali’ to show a difference from its product of the same name. It also launched the Harmony Breach Analytics for mid-to-large enterprises, and the Anomali Threat Analysis Reports Service for small to medium sized businesses.
Mark Seward, vice president of marketing at Anomali, said that it had identified a huge problem and a sub-problem in the marketplace: the increasing number of active indicators of compromise provided by threat intelligence organizations around the world. Anomali has collected enough threat intelligence to provide over 75 million indicators of compromise in its library, and threat intelligence data was growing at 39% a month.
Seward said: “This caused a lot of companies to ask how valuable threat intelligence is. As well as tracking threat intelligence for SIEM and collecting security-relevant data and Active Directory data, all the data is pushed into the SIEM, which creates the correlation between the data, and along comes a raft of data that the SOC teams push into an overburdened system.”
“What you need to do is pull out five indicators of compromise and go into the SIEM and have what is relevant to your organization. Harmony can strip out data and compare it to our library and return it to you to allow you to process it in a normal way. It correlates the 75 million indicators of compromise against the indicators inside your log data, and returns to you what is relevant and ongoing data in that fashion.” Harmony will be available in mid-April.
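The correlation Seward describes (matching a large indicator library against the indicators that actually appear in an organization's own logs, and returning only the relevant few) is the core of any threat intelligence integration, whether in a SIEM or a product like Harmony. The following is an added illustration written for this article, not Anomali's code: it refangs and indexes a small constructed IOC feed, extracts IPv4 addresses and domains from constructed proxy and firewall log lines (all addresses are from documentation ranges), and reports the hits grouped by campaign so an analyst sees which of the millions of indicators matter to them. The feed entries, campaign names and log format are all hypothetical.

```python
import re
from collections import defaultdict

# Constructed IOC feed (hypothetical indicators, not taken from any real feed).
# Values map to the context a SOC analyst needs to triage a hit. One domain is
# deliberately "defanged" with [.] the way many feeds ship indicators.
IOC_FEED = {
    "198.51.100.23": {"type": "ip", "campaign": "example-phishing-kit", "severity": "high"},
    "evil-login.example": {"type": "domain", "campaign": "example-phishing-kit", "severity": "high"},
    "watering[.]hole[.]example": {"type": "domain", "campaign": "example-watering-hole", "severity": "medium"},
    "203.0.113.9": {"type": "ip", "campaign": "example-scanner", "severity": "low"},
}

# Constructed proxy/firewall log lines; IPs come from RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "2016-04-01T09:12:03Z proxy01 src=10.0.5.17 dst=198.51.100.23 host=evil-login.example method=POST uri=/login status=200",
    "2016-04-01T09:12:09Z proxy01 src=10.0.5.17 dst=192.0.2.10 host=intranet.corp.example method=GET uri=/ status=200",
    "2016-04-01T09:13:41Z fw01 action=deny src=203.0.113.9 dst=10.0.0.1 dport=22",
    "2016-04-01T09:15:02Z proxy01 src=10.0.7.3 dst=198.51.100.77 host=watering.hole.example method=GET uri=/news status=200",
    "2016-04-01T09:16:55Z proxy01 src=10.0.5.17 dst=198.51.100.23 host=evil-login.example method=GET uri=/payload.js status=200",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Requires an alphabetic top-level label, so dotted-quad IPs never match as domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def normalize(indicator: str) -> str:
    """Canonicalize a feed indicator: lowercase, refang [.] and (.), drop trailing dot."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .rstrip("."))


def build_index(feed: dict) -> dict:
    """Normalized indicator -> context, so log-side values can be looked up directly."""
    return {normalize(indicator): context for indicator, context in feed.items()}


def extract_indicators(line: str) -> set:
    """Pull every IPv4 address and domain-looking token out of one log line."""
    found = set(IPV4_RE.findall(line))
    found.update(match.lower() for match in DOMAIN_RE.findall(line))
    return found


def correlate(log_lines, index: dict) -> list:
    """Return one hit per (line, indicator) pair that appears in the IOC index.

    Tokens not in the index (internal hosts, benign destinations, 'payload.js')
    are simply ignored; the index lookup is what filters millions of indicators
    down to the handful that touch this network.
    """
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for indicator in sorted(extract_indicators(line)):
            context = index.get(indicator)
            if context is not None:
                hits.append({"line_no": line_no, "indicator": indicator,
                             "context": context, "log": line})
    return hits


def summarize(hits: list) -> dict:
    """Group hits by campaign: how many, which indicators, which log lines."""
    by_campaign = defaultdict(lambda: {"hits": 0, "indicators": set(), "lines": set()})
    for hit in hits:
        entry = by_campaign[hit["context"]["campaign"]]
        entry["hits"] += 1
        entry["indicators"].add(hit["indicator"])
        entry["lines"].add(hit["line_no"])
    return dict(by_campaign)


if __name__ == "__main__":
    matches = correlate(SAMPLE_LOGS, build_index(IOC_FEED))
    for campaign, entry in sorted(summarize(matches).items()):
        print(f"{campaign}: {entry['hits']} hits, indicators={sorted(entry['indicators'])}, "
              f"lines={sorted(entry['lines'])}")
```

Run against the constructed lines, the five log entries collapse to three campaigns and four matched indicators; the same two-step shape (normalize the feed once, then look up every extracted token) is what lets a SIEM rule or a batch job handle a 75-million-entry library without pushing all of it into the correlation engine.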
Also launched this week is the Anomali Threat Analysis Report service for SMBs, where there is no SIEM or way to process threat intelligence data. “It is a kind of in-cloud SIEM, but we don’t call it SIEM as we don’t do workflows,” Seward said. “They can run so it knows the bare minimum of the breach and communicates with the IP address that is owned by a known bad actor and links in a report for the indicators of compromise and when they click on it, they get a dashboard about what sort of campaign this is a part of.
“Someone told me ‘most companies are selling to the top 1% who have a SOC, threat intelligence and SIEM, and people on staff’, so we thought it was better to sell to the 99% and this will help with the security posture of everyone.”
Finally, the rebrand is a big step, and Seward said that as it has a product called ThreatStream and now two more products, Anomali seemed to be the best umbrella and it resonated well with customers.
“We’re not moving out of the threat intelligence space, we just think it is a relevant critical buying process and eventually threat intelligence platforms will be judged not on curating data, but on what works for the business,” Seward said.