Today Brian Krebs quoted sources who say Norse Corp is in serious trouble, to the point where an emergency buyout by CloudFlare has reportedly been put in motion. Underlying causes appear to include an inability (or unwillingness) to develop new, practically useful products from their flagship threat-data-gathering offerings, plus some questions about the credibility of the threat data itself. The leadership team at Norse also allegedly have a less than impressive history of business management, but could this be more than a tech firm meltdown? Could it be signposting an industry-wide and fundamental disconnect between threat intelligence products and fulfilling real business risk reduction needs?
Robert M Lee has written an essential counterpart to the questions likely to be raised about the threat intelligence industry as a whole. In it he highlights the fundamental difference between Threat Data and Threat Intel, noting that Norse largely dealt in the former, whereas other firms, more aptly calling themselves Threat Intel outfits, deal diligently in the latter.
No, Norse is Not a Bellwether of the Threat Intel Industry, but Hold Lessons Learned
And here Steve Ragan offers to put you in touch with Norse employees now on the job market. It’s important not to bomb their careers based on negatives you might currently be feeling about the firm.
Having said all that, even if you buy in intelligence, rather than just data, it’s vital you understand local context to gain the advertised value. On Independence Day 2014 I wrote the below article (prompted by Norse’s newly unveiled IPViking Live Threat Map) to specifically address that question of context. In it I work hard to draw out the real day-job effect and risk mitigation value of both Norse’s map and threat intelligence in general. My main conclusion was that value derives from the ability to relate delivered intel to your organisation’s risk profile, high value assets, and distributed IT estate.
That might sound utterly obvious, but if it weren’t such a challenge (a challenge companies rarely tackle with sufficient expertise, time, and money), perhaps Norse wouldn’t be where they currently find themselves.
Dynamic Cyber Threat Intelligence – Pretty, But Potentially Pointless
Excerpt from the article first published July 4, 2014 by Information Security Buzz and reproduced in full today on Peerlyst
You won’t often find me writing something prompted by a specific product, in this case IPViking Live Threat Map, but it was too fascinating not to.
June 2014 was arguably the month of Threat Intelligence (TI). Microsoft, Symantec and GCHQ have all been shouting about new tools or resources that give better or more joined-up sight of global cyber threats (no doubt heralding complementary consultancy offerings from just about everyone).
Decent, dynamic threat intelligence is indisputably a critical ingredient when trying to thrash out your real level of cyber risk. It’s also pretty handy when you pitch for budget to fix existing vulnerabilities, buy new tools and/or cyber insure.
On 19th June, Business Daily looked at a survey by Check Point (who have their own TI offering). 140 InfoSec professionals were questioned and called out widespread problems identifying and mitigating attacks. This was put down, in large part, to a lack of useful threat intelligence.
“The gap between attack sophistication and available threat intelligence meant 31% of respondents said their organisation had suffered up to 20 successful attacks in the past 12 months – while 34% were unable to say exactly how many they had fallen victim to”
In this case study Norse tell us how IPViking detected over 100 TOR exit nodes used to attempt over $400k worth of fraudulent transactions via a political campaign’s fundraising website. When the so-called “bad actors” were identified, they were blocked and the fraud was prevented.
So, before folk bring you stats and pretty graphics – like the “WOW” stuff from Norse – and get your senior budget holders properly excited, how do you prepare to balance out the hype? It’s lovely to have more risk data, but are you ready to use it? Can you translate it into meaningful security ‘to do’ lists?
Not an easy question to answer.
As a starter for 10, the following are ways threat intelligence is expected to inform your security stance and security response, put together from various sources;
If you would like to read on, the rest of the original post is reproduced in full on Peerlyst