Russ Spitler, AlienVault's SVP of Product, explains how security pros can leverage the community-powered threat intelligence of OTX, which sees more than 19 million IoCs contributed daily by a global community of 80,000 peers, to quickly protect themselves against emerging attacks.
Lennie Liebmann: Hi. It's Lennie Liebmann of Dark Reading, and I'm here at RSA San Francisco with Russ Spitler who's SVP of Products for AlienVault. Russ, it's good to see you.
Russ Spitler: It's great to be here this afternoon.
Lennie Liebmann: I know that you're here because you've got a big product announcement, OTX Endpoint Threat Hunter, but before we talk about that, I really would like to get your opinion about kind of the big framing of the industry, which to me is an ever-growing threat tsunami counterposed against really limited resources in terms of budget and headcount skills.
Russ Spitler: I think it's an interesting point that you bring up there, because certainly there's a perception of this growing threat tsunami. But really, what you've seen over the last few years is a change in tactics from the criminal organizations that are behind a lot of these campaigns.
And really, what we used to see before 2013 and towards the late '08/'09 is we saw a lot of targeted campaigns against larger organizations, financial services, military. But since 2013, it's been a major shift towards more of a consumer focus. Of course, the rise of ransomware was the criminals finding a way to make money off of us as individuals. That has really put us in the forefront of this conversation and really helped to raise awareness of a threat that was always there, but now we're feeling a little bit more viscerally.
Lennie Liebmann: So maybe you do want to now tell me about OTX Endpoint Threat Hunter and what it does?
Russ Spitler: Yeah. Absolutely. So, OTX Endpoint Threat Hunter is built on top of Open Threat Exchange®, which is our crowdsourced threat intelligence platform. We have more than 80,000 people contributing information to us daily from more than 140 countries. What that gives us is an incredible wealth of threat intelligence on emerging and evolving threats from all over the world. And with Endpoint Threat Hunter, what we've now enabled is for users of that platform to be able to simply install an agent and then be able to scan their endpoints for evidence that any of these threats are present there.
Lennie Liebmann: And you're giving it away for free?
Russ Spitler: We're giving it away for free. Open Threat Exchange has always been an open community. That's one of the powers that we see, and of course the breadth of the contributions that we get from those participants. It's really a stone soup approach to threat intelligence. Everybody brings a little something, and they go away with what everybody else has brought as well.
With Endpoint Threat Hunter, now this allows us to extend that visibility, gives more compelling reason to participate, and of course, in the future, we're eager to help extend those capabilities to allow people to contribute some threats that they find with those agents themselves.
Lennie Liebmann: Gotcha. So that makes sense. And you mentioned ransomware. Do you want to specifically connect the dots between Threat Hunter and ransomware?
Russ Spitler: Well, this is one of the things that we've seen as part of that emerging trend, which is a lot more focused on those endpoints. Not only is it a point of entry into an organization through the traditional phishing campaigns, but now, it's what they actually exploit when they're trying to make money, and so visibility to those endpoints is absolutely critical and particularly as you start to see more industry-targeted ransomware campaigns going after healthcare, after law firms, it's really critical to get that visibility down to the endpoint, making sure that you can address those threats as well.
Lennie Liebmann: And [any] other threats that you think are particularly interesting that we might be wanting to be thinking about in these terms?
Russ Spitler: Yeah. So this is one of the other more recent revelations: as people have gone to ransomware, they've also realized just using your CPU, and crypto mining, and creating cryptocurrency, and that's a common attack vector we see today. If you're able to install a crypto miner on somebody's machine, you can actually continue there for months, if not years, before they unplug the machine and throw out the computer. So very valuable for the hackers to be able to just gain access from that perspective and of course start mining those cryptocurrencies.
Lennie Liebmann: Yeah. I think one of the concerns we always have though when we're at a show like RSA, and somebody does make a product announcement, is that we've got a lot of products already, and there's also a lot of stuff we're shopping for here, so we have some concerns about kind of complexity of our own arsenal, right? I mean our environments are inherently complex, and we've got a lot of technologies to manage. We have to manage relationships with all those vendors. We have to have people trained on all these products. Maybe you want to help me understand how it is I'm going to acquire your technology without adding too much of a burden on my staff?
Russ Spitler: I think it's a really good point. I think it's one that as an industry, we're really waking up to. One of the things that I always encourage people that I talk with to evaluate when they're working with vendors: Do they have open platforms? Do they have open integrations? Do they have APIs that allow you to work with the other vendors that are out there?
Some core theses of AlienVault are to have that open approach, and particularly with Open Threat Exchange®, and our open API, and open availability for anybody to participate, it's a key tenet of what we've developed as our product philosophy. It's really critical for anybody to be looking at inter-compatibility and opportunity for those technologies to work together, in order to ultimately solve the threat. None of us are going to solve it alone, but certainly we can do a lot to help.
Lennie Liebmann: Anything else you want to share, maybe a next step or anything else, in closing?
Russ Spitler: Yeah. Absolutely. I encourage everybody to check out OTX Endpoint Threat Hunter at OTX.AlienVault.com. Again, open participation. I really encourage everybody in the security industry to at least take a look, and try it out, and see how it works for them.
Lennie Liebmann: Great. Good talking to you, Russ.
Russ Spitler: Great to talk to you as well.
Lennie Liebmann: This is Lennie Liebmann of Dark Reading here at RSA San Francisco. Thanks so much for watching.