Cybersecurity: Threat Intelligence and an integrated approach to security
What is Threat Intelligence (TI)?
It is different things for different people. Everyone has their own ideas what TI should be and how it works. In this day and age, people think it’s a magic bullet and it’s gonna fix all security problems. That’s not what it is. TI is just another tool in your arsenal that you need to help build a good security infrastructure. Right now, going forward, it’s going to become one of the key components that you need because it’s going to tie all stuff together. When it comes to TI, there are only two words that matter: actual advice.
In other words, whatever you do for TI, it needs to tell you to do something to make your world a better place: how to build better infrastructure, how to be able to identify things that are bad, whatever it is, it needs to tell you something that you can do with it, otherwise it’s a complete waste in the environment.
Like I said it’s a not magic bullet, you have to think about what is it you want to do with TI: Do I want to block attacks? Do I want to stop information leakage? Am I interested in identifying new threats and attacks more quickly? Am I able to do risk assessment better? The problem is customers don’t think about these things. If I am going to use TI, how am I going to use it in the context of the above mentioned questions? And that’s what customers need to think about.
What is your company’s approach to security management?
The Chinese mentality has been that, “I need to manage everything as a whole”. It turns out we have over 700 managed service customers, managing over 1200 networks. So we have to pull the stuff together for our customers. And because of this, the assisting methodology we’re bringing forward to our devices is we have to have these things start playing together, either through communication for better dynamic security response, or in terms of better central alerting and management. The problem with most other companies is they’re fixing on their products but very few pure cybersecurity companies actually have their products speak to each other, that siloed mode, I can’t get this device to talk to that device, even though they’re from the same company. Whereas it’s part of what we had to do in China to support our customers, that becomes a very big thing for us. So that’s where the intelligence and hybrid security is, to bring to the fore that our devices are gonna be better at sharing information, not just within our own devices but also third party applications.
Regarding the level of ‘toxicity’ of an IP address, does it increase when it receives more malware-based emails?
From a reputation perspective, we track an IP address for a period of time to see what it does. In a lot of cases, IP addresses are signed by DCHP, they’re dynamic. Everytime you log in from some place, you get an IP address for a period of time, and then it expires and then you get the same IP address or you get a new one, depending on what your service provider does. And what you find out is, an IP address can do something bad for a period time and just starts getting blocked because people knows that this address is doing something bad, so its usefulness starts to decrease.
At a certain point, it will stop doing bad things because the attacker will go to a different IP address and jump to something else. So you see a lot of this happening all the time. Then what’s interesting is, because it is dynamically assigned, is, at a certain point, they will go back around and come to back to this IP address. So you might see an IP address a year or so down the line, that is again doing something and happen to show up on the list so we gotta start tracking it again. But because it showed up second time on our list, we’re going to monitor longer and more stringently.
What we’re seeing is, on average, an IP address will cycle through probably in less than 40 days before it’s no longer of value.
Can you share some of the advantages of being based out of China? Like your partnership with Kingsoft? What are some of the homegrown things that China is doing?
We have partnerships with Kingsoft, Tencent and China Mobile. I don’t have to sell anti-virus, I just have to partner with the company that does. Having to access 400 million end points is awesome – that’s more than twice the population of the US and that’s a huge thing. I get to see things and do research that other people don’t get to play with: in terms of looking at malware, behavioural patterns and educating people to avoid clicking into sites that carry malware.
I can tell you data privacy is non-existent in China, we’re allowed to some things we’re couldn’t do elsewhere in the world. When we’re doing attribution, we’ve identified where exactly the malware came from, we can actually identify the source, the controller, the guy who’s selling it. We’ve actually gone into the users’ computers just to download a picture from there to provide verification to the customer to pay for the malware service and do the attribution. We can’t do stuff like that in the United States, there’s no way I will be allowed to hack into a person’s computer.
Then the ethical thing comes up. If my company does this, do I have the responsibility to notify the authorities who this person is, even though it’s a paid contract? Or should I let the customer who paid for the service do it? So there’s some ethical things that you have to deal with based on what you do and we’re trying to address some of those challenges going in. The things that you think about from being a cybersecurity company: “With great power, comes great responsibility”, a quote from Uncle Ben in Spiderman. The cool thing is that we have some really good researchers, they participate in a lot of hacking forums to identify information, to make better products and try to secure customers better. None of them will go off to attack someone for the sake of attacking.