Making Threat Intelligence Available to Organizations of All Sizes | AlienVault

Making Threat Intelligence Available to Organizations of All Sizes

In this interview with Dark Reading at Black Hat 2016, Brian Gillooly and Roger Thornton discuss AlienVault's approach to threat intelligence and how it differs from the rest of the security market.

Video Transcript

ROGER: And your threat intelligence approach is a little bit different from the rest of the market.

BRIAN: It really is. Going back to the ethos of the company, when we get up every day, we go to work for the person in the SOC in a company that doesn't have enough people and enough money, and that is most companies. Then what we do by unifying all the various tools that you need for data with the SIEM and I know it is all together, it saves you the time of deploying all these tools and wiring them all together, but by taking our OTX data and funneling through our security research function, we actually do the tuning of that for you.

ROGER: So you are dumping data.

BRIAN: Back in, yes, and that is what generates the alarms. A lot of the approaches that you see today are made for DoD departments or global banks with a hundred people in a SOC and a security research team. If you have that, awesome, good for you. 90% of the companies in the world don't have that.

ROGER: Or even if you do have that, it is good to have somebody that can help analyze or manage the data for you ahead of time. That is a conversation we have had at this desk over the past couple of days, too, is threat intelligence is fantastic, information sharing is fantastic, but a lot of times it is a fire hose of information, and it is sort of the big data dilemma in the early days of big data, which was, “This was terrific. We now have all this information that will help us understand our products or customers better, but we don't know how to analyze it or if we did analyze it, we don't know what we have.” So the same thing is now happening with threat intelligence and security.

BRIAN: And it is really important to note, you know, IoCs by themselves, that is not the endpoint that they needed to detect threats, right? You have got to look at those, understand them, and then understand what detective controls you have, and ultimately you have to tune those controls. Today's threats aren't simple one indicators; you are going to have tons of false positives. So it is an artful exercise to be able to tune all of your detective controls effectively so you catch everything without inundating yourself with noise. There is no way to do that without a research team. All of the advanced techniques, a lot of the vendors talk about machine learning, and these are great tools for a security research team, and if you have got a security research team and you are capable of doing that, then you want data like OTX and others so you can figure out your game plan. If you stretch there and you don't have the budget, then you want something like what we do where the tools themselves are being tuned. So you are just dealing with alarms.
