
As cyberthreats escalate, Global Threat Intelligence should be the minimum standard for effective research and response and the centerpiece of an optimized security architecture.
“Reputation-based Global Threat Intelligence is not just an important component of any security system; it’s table stakes given the nature of threats today. Threats move too quickly or too stealthily to rely on traditional techniques such as signature-based protection and blacklists.”
-Mike Gallagher, Senior Vice President and Chief Technology Officer for McAfee Global Threat Intelligence
The Cyberthreat Landscape
Cybercrime is rampant. Every website and networked computer is vulnerable, nine out of ten email messages are ones that should be blocked, and, according to our analysis, an unprotected business user encounters a cyber threat within six minutes.
Each new day brings new, more ingenious cyber threats, with cybercriminals leveraging web applications, social media platforms, and mobile devices to reach their victims.
Cybercriminals are making threats more complex in order to circumvent defenses that react only to known threats and simple patterns. By combining multiple threat vectors and types of malicious content, a threat can stay under the radar of mainstream research for a longer period. These complex threats are why McAfee reminds customers that traditional defenses such as signatures and patching, while still important, are no longer sufficient on their own.
Threat Response
To implement effective protection against these threats, it helps to understand the security research and response options available today. The industry is evolving from reactive protection, through proactive protection, to predictive protection. We use that framework of reactive, proactive, and predictive security to illustrate why Global Threat Intelligence, a predictive approach, is effective.
A variety of security products, including anti-malware, intrusion prevention systems, firewalls, and gateways, use behavioral and environmental mechanisms as well as more historical ones such as signatures to identify threats and trigger the appropriate security response.
Signatures and other reactive defenses leave IT infrastructure exposed for the period in which a threat is identified and a security update is authored, tested, released, and deployed. Given the speed and dynamism of cyberthreats, this process is simply too slow: in the time it takes for an update to become available, a threat can propagate widely and systems can become infected.
A proactive solution goes beyond threat analysis to consider the reputation of a cyber entity such as a file, website, message, or network connection. It can infer the potential risk of a piece of content based on correlation analysis across thousands of dimensions, including anomalous behaviors and associations with other entities.
Proactive solutions can act against cyberthreats without the delay of the security update process. In many ways, these solutions determine "guilt by association" of cyber entities, protecting users against unknown or emerging threats.
Predictive solutions build on proactive techniques, using reputation systems and advanced correlation to produce Global Threat Intelligence. Predictive protection relies on a sensor network of millions of deployed products around the globe that captures data from every threat vector, ingests and analyzes it as it arrives, and answers queries with accurate, comprehensive threat intelligence in real time. These global sensors can note the prevalence of new threat behaviors, the pattern and pace of threat propagation, threat delivery mechanisms, associations between online entities, and behaviors that are anomalous relative to historical baselines, among others. Most importantly, predictive solutions learn from what is happening in one corner of the network to protect the whole network before the threat reaches the rest of it.
Predictive Protection: Global Threat Intelligence
We at McAfee believe the right way to do Global Threat Intelligence rests on six principles. We regard these principles as requirements: all of them must be satisfied for any threat intelligence model to succeed. We see it as the obligation of any quality security vendor to deliver on these principles every day:
1. A footprint that spans the Internet, including millions of sensors gathering real-world threat information. Quality threat intelligence needs to come from real-world products deployed in real-world settings across the Internet and around the globe. These sensors must collect data and send it to a cloud-based service, so that every node in the network benefits from the breadth and depth of the data collected.
2. A footprint that gathers and correlates data from and across all threat vectors, including file, web, message, and network. Comprehensive threat intelligence must rely on visibility into all threat vectors, as well as into application and system vulnerabilities across the IT landscape. Breadth of coverage enables security providers to see threats accurately and rapidly, which leads to comprehensive protection.
3. A real-time, "in-the-cloud" threat collection and intelligence distribution model. A real-time system must be cloud-based and have a distributed architecture that is optimized for speed of data collection, centralized analysis, and intelligence delivery. This is the only way to ensure immediate protection against both known and emerging threats.
4. Use of reputation. A system that works in today's threat landscape must be reputation-based: it must analyze the behavior of a variety of cyber entities such as files, websites, web domains, network connections, messages, and applications, continuously adjust each entity's reputation score, and retain that behavioral history over time. Only then does the system have a historical baseline and can it accurately represent the reputation of a cyber entity at any particular point in time.
5. Delivery of intelligence via a complete suite of security products. What good is threat intelligence if it is in a vacuum? For such threat intelligence to be effective, it must be automatically integrated into a broad set of security products. This shared intelligence ensures that the entire security infrastructure is armed with the latest information and working in concert to protect users.
6. A global research team dedicated solely to threat intelligence. To create and sustain quality threat intelligence, an organization must invest in a global, dedicated research organization and develop a robust portfolio of intellectual property. The team must be focused solely on protection, not split between research and selling products or consulting. This is the only way to ensure focus and minimize business distractions.
Together, these six principles enable predictive protection.
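The reputation mechanism described under the proactive and predictive approaches above, and again in principle 4 (guilt by association across related entities, scores that are continuously adjusted, and a historical baseline that evidence decays toward), can be made concrete with a small engine. The following is an added example written for this page; it is not McAfee's code and says nothing about how McAfee Global Threat Intelligence is actually implemented. The "type:value" entity naming, the per-hop attenuation, the per-type decay half-lives, the verdict thresholds, and the sample sensor reports are all assumptions chosen for illustration.

```python
"""Toy reputation engine (added example, not McAfee code).

Entities are strings "type:value", e.g. file:<sha256>, domain:<name>, ip:<addr>.
Sensor reports add weighted evidence; evidence decays with a per-type half-life
so a cleaned-up domain or reassigned IP drifts back toward a neutral baseline
while a known-bad file hash keeps its verdict; and guilt by association carries
an attenuated share of a neighbour's score along observed relationships.
Every constant and all sample telemetry below are assumptions for illustration.
"""
import math
from collections import defaultdict, deque

ASSOCIATION_WEIGHT = 0.8        # share of a neighbour's score carried per hop (assumed)
MAX_HOPS = 2                    # how far guilt by association propagates (assumed)
BLOCK_AT, WARN_AT = 0.7, 0.4    # verdict thresholds on a 0..1 scale (assumed)
HALF_LIFE = {                   # evidence half-life in seconds; None = never decays (assumed)
    "file": None,
    "domain": 7 * 86400,
    "ip": 2 * 86400,
}


class ReputationEngine:
    def __init__(self):
        self.evidence = defaultdict(list)   # entity -> [(timestamp, weight)]
        self.links = defaultdict(set)       # entity -> associated entities

    def observe(self, entity, timestamp, weight):
        """Record one sensor report; weight in (0, 1] is how strongly the
        sensor judged the entity malicious."""
        self.evidence[entity].append((timestamp, weight))

    def associate(self, a, b):
        """Record a relationship, e.g. file downloaded from domain, domain
        resolved to IP. Links are undirected."""
        self.links[a].add(b)
        self.links[b].add(a)

    def direct_score(self, entity, now):
        """Decayed sum of the entity's own evidence, clipped to [0, 1]."""
        half_life = HALF_LIFE[entity.split(":", 1)[0]]
        total = 0.0
        for ts, weight in self.evidence.get(entity, []):
            age = max(0.0, now - ts)
            decay = 1.0 if half_life is None else math.pow(0.5, age / half_life)
            total += weight * decay
        return min(1.0, total)

    def score(self, entity, now):
        """Max of the entity's own score and the attenuated scores of entities
        within MAX_HOPS of it (guilt by association). BFS gives shortest-path
        hop counts, so each neighbour is attenuated by its nearest distance."""
        best = self.direct_score(entity, now)
        seen = {entity}
        queue = deque([(entity, 0)])
        while queue:
            node, dist = queue.popleft()
            if dist == MAX_HOPS:
                continue
            for nbr in self.links.get(node, ()):
                if nbr in seen:
                    continue
                seen.add(nbr)
                attenuation = ASSOCIATION_WEIGHT ** (dist + 1)
                best = max(best, self.direct_score(nbr, now) * attenuation)
                queue.append((nbr, dist + 1))
        return best

    def verdict(self, entity, now):
        s = self.score(entity, now)
        return "block" if s >= BLOCK_AT else "warn" if s >= WARN_AT else "allow"


def build_sample_engine():
    """Constructed sample telemetry (not real data). Returns the engine, the
    observation time, and the entity names used."""
    eng = ReputationEngine()
    t0 = 1_700_000_000
    names = {
        "bad_file": "file:" + "a" * 64,          # flagged by endpoint sensors
        "new_file": "file:" + "b" * 64,          # never seen before
        "domain": "domain:malware-host.example",
        "ip": "ip:203.0.113.5",
        "scanner": "ip:198.51.100.7",           # flagged once, no associations
    }
    for _ in range(3):                            # three endpoints, 0.4 each
        eng.observe(names["bad_file"], t0, 0.4)
    eng.observe(names["domain"], t0, 0.8)         # web gateway saw it serve the file
    eng.observe(names["scanner"], t0, 0.9)        # network sensor saw port scanning
    eng.associate(names["bad_file"], names["domain"])
    eng.associate(names["domain"], names["ip"])
    eng.associate(names["new_file"], names["domain"])  # downloaded from same domain
    return eng, t0, names


if __name__ == "__main__":
    eng, t0, names = build_sample_engine()
    for when in (t0, t0 + 4 * 86400, t0 + 14 * 86400):
        print(f"--- {(when - t0) // 86400} days after observation ---")
        for label, ent in names.items():
            print(f"{label:9s} {eng.score(ent, when):.3f} {eng.verdict(ent, when)}")
```

Two design points carry over to a real deployment. First, the never-before-seen file is warned on purely because it came from a domain that served known malware, which is the "guilt by association" the text describes, and the hop attenuation keeps a distant relationship from carrying as much weight as a direct one. Second, decay is per entity type: a file hash that was malicious stays malicious, but domains and especially IP addresses get cleaned up or reassigned, so their stale evidence should fade toward the baseline unless fresh reports or a persistent association (here, the domain's link to the known-bad file) keep the score up.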
Backed by its world-renowned McAfee Labs, McAfee Global Threat Intelligence is built on these six principles. It allows organizations to take a predictive stance against cyber threats and benefit from correlation across multiple threat vectors to protect their users. It also gives security professionals peace of mind that they can let their users benefit from web applications and social networking without fear of expensive cleanup, downtime, and data theft.