
Recently our network of sensors picked up anomalous network traffic to ww.robint.us/us.j. Our cloud-based Global Threat Intelligence system predictively adjusted the site’s reputation and our products blocked access to it. A month later, the news media reported a widespread iFrame injection attack originating from ww.robint.us/us.j that infected more than 100,000 websites.
The cyber threat landscape is evolving so rapidly that organizations can't keep up. Not only have threats grown, with more malware identified last year than all prior years combined, but they have become increasingly sophisticated, leveraging online objects like iFrames and social media platforms like Facebook and Twitter. With these dynamics putting extra pressure on organizations' IT infrastructure and budget, security needs to work more intelligently.
Industry observers agree that having a cloud-based, real-time reputation system is a necessary cornerstone of an optimized security architecture. This type of intelligence pulls data from millions of sensors deployed globally in real-world settings, gathering threat data in real time across all of the vectors over which attacks can be carried out - file, web, message, and network. For such a system to work effectively, the sensors must rapidly collect an array of data about files, web domains, URLs, images and other web objects, messages and sending activity, IP addresses, network connections, communications protocols, DNS servers, and the intricacies of intrusion attacks, among other things.
Reputation-based Global Threat Intelligence collects this threat data in a cloud system and applies correlation analysis to make associations between online entities, track emerging dangers, and predict attacks before they happen. It is used to identify, in real time, both known and emerging threats: temporarily hijacked websites (as in the example above), zero-day exploits, and distributed denial of service attacks.
Global Threat Intelligence
At McAfee, we calculate the reputations of hundreds of millions of cyber entities using a highly granular scoring system based on a variety of information about the entity's behaviors, characteristics, and our own baseline of how its comparable entities normally behave. Among other inputs, we rely on telemetry data - billions of queries per day - from tens of millions of McAfee products (ranging from anti-malware clients to web and email gateways to firewalls) that we have deployed around the globe and that act as sensors for our cloud-based analysis engine. For example, in dynamically calculating the reputation score of an IP address, we look at thousands of attributes and behaviors including the address' duration of existence, email sending activity vis-à-vis a baseline of expected behavior, attack history, and association with other known IPs. We also take into consideration network port and communications protocol, evolving a simple IP address into a very specific type of communication, and growing our visibility from hundreds of millions to trillions of unique reputation possibilities.
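To make the scoring idea concrete, here is an added toy example (not McAfee's code; the weights, thresholds, and sample telemetry are assumed) that keys reputation on an (IP, port, protocol) tuple and scores an entity's mail-sending activity against a baseline of comparable senders, then adds attack history and associations with already-bad entities:

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Entity = (ip, port, protocol): the same address can carry clean HTTPS
# traffic and abusive SMTP traffic, so reputation is keyed per communication type.
@dataclass(frozen=True)
class Entity:
    ip: str
    port: int
    proto: str

@dataclass
class Telemetry:
    age_days: int          # how long sensors have observed this entity
    msgs_today: float      # outbound mail volume reported today
    attack_events: int     # prior sensor reports of attacks from this entity
    bad_associations: int  # links to entities already scored malicious

# Constructed baseline: daily mail volume of comparable, well-behaved senders.
BASELINE = [100, 120, 95, 110, 105]

def zscore(value, baseline):
    """Deviation of value from the baseline of comparable entities, in std devs."""
    sd = pstdev(baseline)
    return 0.0 if sd == 0 else (value - mean(baseline)) / sd

def reputation(t, baseline):
    """Hypothetical risk score, 0 (clean) to 100 (malicious); weights are assumed."""
    score = 0.0
    if t.age_days < 7:                    # newly seen entities get no trust yet
        score += 20
    z = zscore(t.msgs_today, baseline)
    if z > 3:                             # sending far above its peers
        score += min(40, 10 * z)
    score += min(25, 5 * t.attack_events)
    score += min(15, 5 * t.bad_associations)
    return round(min(100.0, score), 1)

def verdict(score):
    """Policy decision a gateway could apply to the scored entity."""
    return "block" if score >= 70 else "monitor" if score >= 30 else "allow"

if __name__ == "__main__":
    # Constructed telemetry: a two-day-old host suddenly sending 5000 mails/day.
    suspect = Entity("192.0.2.10", 25, "smtp")
    s = reputation(Telemetry(2, 5000.0, 3, 2), BASELINE)
    print(suspect, s, verdict(s))   # score 85.0 -> block
```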
Reputation-based Global Threat Intelligence is not just an important component of any security system; it's table stakes given the nature of cyber threats today. Threats move too quickly or too stealthily to rely on traditional techniques such as signature-based protection and blacklists.
As in the iFrame example, reputation-based Global Threat Intelligence allows organizations to take a predictive stance against online threats and benefit from multi-threat vector correlation to protect their users. It also gives security professionals peace of mind that they can enable their users to safely access web applications and social networking platforms without fear of expensive cleanup, downtime, and data theft.
McAfee is committed to tackling the world's toughest security challenges. Backed by an award-winning research team in McAfee Labs, McAfee creates products that empower organizations to protect data, prevent service disruptions, maintain regulatory compliance, identify vulnerabilities and continuously monitor security, while simultaneously reducing operating costs.
Biography
Mike Gallagher brings more than 18 years of experience in networking, cryptography, and Internet security to McAfee Labs. His organization is responsible for delivering threat intelligence across all vectors to McAfee products and customers. McAfee Labs' scope includes malware detection, web protection, spam detection, network intrusions, and other emerging threats.