Serving the common good: intelligence sharing in an era of automation


Vincent Weafer, SVP, McAfee Labs, Intel Security

Vincent Weafer is a long-term veteran of the IT industry and cyber security battleground. A former VP of Symantec’s security response unit, as SVP at McAfee Labs, he now manages a team of four hundred researchers working in 30 countries, as well as millions of sensors around the globe dedicated to helping protect Intel customers from the latest cyber threats. With a gift for simplifying complex security concepts, Vincent is a popular presenter and has shared his point of view at numerous international security conferences. He is co-author of a book on Internet security, and has testified on multiple government committees, including the United States Senate Committee on the Judiciary hearing on Combating Cyber Crime and Identity Theft in the Digital Age; the United States Sentencing Commission’s public hearing on Identity Theft and the Restitution Act of 2008; and the United States Senate Committee on Commerce, Science, and Transportation on Impact and Policy Implications of Spyware on Consumers and Businesses.

Weafer spoke with InsightaaS at this year’s Intel Focus Security Conference, on the occasion of McAfee’s full integration into Intel Security. An edited version of this conversation, which ran the gamut from obstacles and opportunities for security intelligence sharing to threat reporting, follows below. (ed.)


Mary Allen: How do security vendors balance the need for information sharing to serve the end-user community, against the need to protect their own IP, developed through investment in security intelligence gathering? It seems a bit of a conundrum.

Vincent Weafer: Yes, it’s a really good question. Today, most of the sharing is done in two places – on premise and in the back office. Let me start with the back office. We literally do tens of millions of event sharings with other vendors or competitors – because you have to. A [security] lab is almost like a factory, where there is lots and lots of raw material coming in in the form of unclassified files and you convert this into a high-value proposition, which is the protection of content. You need to be able to collect a lot of this, but everybody else has the same need so for years we’ve had this ecosystem of sharing. But, it’s the machine-generated, machine-consumable sharing: I’ll trade files with you, whether they’re clean files, malicious files or unknown files, because we both have an interest in this. And at the end of the day, I’m going to apply my classification to it, you’ll apply your classification, so we can keep that cooperative spirit alive.

That has been the traditional approach and we do an enormous amount of this today. But the industry is going up to the next level, where we now start sharing information which is more risk information, contain information. Who is doing it? Where are they doing it? How are they doing it? This kind of information is much more interesting from the ‘detect’ perspective. What is it? Where is it? Where did the information come from?

A few years back, we all began to talk about IOCs (indicators of compromise). IOCs are basically an assessment that starts with “what are the indicators that I should look for if I was looking for a bad guy in my environment? What is the risk level associated with those?” We’re all looking for bad guys. That’s ok, but now we want to identify the people who are highest risk for us, in our companies or our industries, so we’re doing a lot of work there. We just announced the Cyber Threat Alliance, where organizations including Intel, Symantec, Palo Alto Networks and Fortinet have come together and said ransomware is one of the biggest topics this year. It’s impacting everybody at all levels, from enterprise all the way down to consumers. We wanted to come together to share intelligence around specific ransomware campaigns with the goal not just of providing better protection, but also to provide destruction of the [ransomware] ecosystem. That’s a good example of how we [security companies] are trying to come together more frequently to do something more for the greater good, and then ultimately to disrupt the ecosystem: working with law enforcement and with infrastructure partners, we’re saying “hey, can I do something here? Can I make it more meaningful?”

At the next level is the on-premise option, the DXL (Data Exchange Layer), a real-time communications fabric for security products. The challenge that we face with ‘detect’ is having traditional security products generate enough of the right information. Traditionally, these would say “I detected malware.” That’s all it told you – in the log, it would say, “I detected configure worm.” Well, what you’re really looking for in order to detect is to know all the suspicious behaviour: “tell me everything else you saw that happened during that time.” Using an airport analogy, you would say “don’t tell me he’s a tourist, I know that. Tell me about the people who come in that are acting funny. Show me the people that are coming in that have got some objectives. Tell me about everybody who went into the restricted zone.” That’s what I need to know.

So DXL is a messaging file that is designed to share that information across Intel products and among our partners, but, also across the industry more broadly. For example, information could be going to ArcSight, or it could be going to a different SIEM (security information and event management system). As we create our sensors, we want to ensure that the platform can be used by multiple sources – ours, but other vendors’ as well – because we’re all trying to connect the dots in integrated security.

Now, from the perspective of “I think my solution is better than anybody else’s solution,” how you integrate the value you get from that information is still unique to each practitioner. The notion that we all need that data, that we all need to act in a co-operative way still holds. For example, I could operate in an environment where I’m the end-point, but someone else’s product is the network gateway. In this case, I would want to exchange information and to know what he [the gateway] saw. That notion of interconnectivity and sharing of information occurs at the ecosystem level, which is where DXL comes in, where TIE (the Intel Threat Intelligence Exchange) comes in, ATD (Advance Threat Detection) comes in, where the broader research ecosystem comes in to provide threat intelligence. There are lots of companies who have got intelligence exchange platforms, but it’s all about how you bring it in and how do you do it – how you actually create the value add, because we’re all drowning in knowledge. We’re all drowning in events so it’s a signal to noise problem, which says, “of all the stuff coming in, 90 percent of it is probably just noise, and I don’t care about that 90 percent. I care about the 10 percent which is the stuff I’m not really sure about – let me focus my efforts there.”

Allen: If everybody’s moving towards sharing the same information, how do you convince customers that you provide the value-add that they need? How do you articulate that value?

Weafer: There are two things. First is that when customers look at the solution, they have to know that they can rely on you and trust you. So, when we approach a customer, we say “look, we already are deployed in your environment. Endpoint protection is what we do, and we do it really well. We’ve already got connected security as we use ePO software for management of systems, so you already have a lot of our bases there. And by adding this additional capability, we can help solve your problem without having to reinstall every new sensor, every new endpoint, every new thing.” This means we can provide extra capability in a way that is less destructive as it builds upon the foundational pieces that the customer is already using – as opposed to rip and replace.

The second part comes down to, are you better at solving their problems? The challenge with security intelligence is that it’s very easy to generate noise – I can create workflows to have events and close them down. But going from millions of events down to 30,000 legitimate events, down to a few thousand that can actually be investigated is the secret sauce. If you miss the wrong things or if you generate too much noise, you’re not going to be effective. For a long time SIEM systems were great at aggregating information, but they really didn’t help you identify the problem. There are multiple breach examples in which the event was seen, but not acted upon because analysts didn’t recognize the significance of the event amongst all the other events that they were seeing.

At Intel Security, we believe we’re putting together the portfolio of solutions which will allow us to do that very simply. We have this kind of funnel of things and we want to sort through the good and the bad things and get rid of the bad really quickly. Now we have a reduced number of items that we can take care of through reputation, through analysis, through behaviour. Now I can send things to a sandbox, to ATD and bring it down into a set of manageable items which are actionable from the point of view of infra security aims. So once I’ve already blocked and tackled, identified the most important items to analyse, the final part is corrective blocking actions. This is where Intel has a very big advantage: ultimately if I determine something is a targeted attack, I may need to update my firewall, my endpoint security or deploy some patches, which is not trivial. But the attack is probably going to come in fifty different guises which come from the following the source characteristics, so the email filter will need to be updated with that characteristic, and the endpoint will need to go looking for this type of characteristic. The filter is told, “if you see this again, this is something bad. Alert on us or block us.” At the same time, the customer may need to deploy some encryption in that area. Corrective action is actually quite complicated, and may require translating the message to other platforms, in the case, for example, the customer is using a Cisco or a Juniper firewall.

Allen: Is there any way to integrate security information directly into your endpoint device protection so that you can automate that corrective response?

Weafer: Yes. The whole point is to try to automate what we can do. For example, if an endpoint finds something that is suspicious but unknown, we can go into our threat intelligence exchange server and say “okay, is this known? Is this prevalent? What do you want to do about this?” If at the end of this, threat intelligence analysis is not conclusive, then it can be sent to the sandbox, to ATD. When ATD detonates it and says “actually, yes, this is bad,” then that file is automatically blocked because we sent it to Global Threat Intelligence, which in turn sends that information to every endpoint within 20 minutes, where customer policy will decide on blocking. Twenty-four hours later, in the lab we can create a more generic policy or signature that protects against this threat and 10,000 other similar variations and follow up by sending that out as well. So the first action is a quick, automatic one, and the second is a more generic, more robust kind of policy.

Allen: What happens if it’s a Cisco firewall and not your product? How do you integrate the threat intelligence information in that case?

Weafer: What we’ll do is provide that information to the infrastructure security team. We don’t talk directly to the Cisco firewall today, but, we do talk to the security ops team, who, in turn, can take that information and act on it. We are working on trying to do more integrated systems.

Allen: It’s hard not to become cynical about reporting that comes out of security vendor labs because it seems with each report the threats are bigger, the landscape keeps evolving, and security is a moving target. How does this kind of reporting help to establish trust within the customer enterprise? Years ago, the biggest challenge to cloud adoption was security: many businesses preferred their own trusted environment. Will security act as the check on transformation to the digital enterprise as well?

Weafer: No, security should not be a check on anything; it should be an enabler if it’s done properly. The reports are generally threat reports that ultimately translate into a risk story, because to mitigate risk we need to let people know what’s actually happening out there. With the quarterly report, you’re trying to show trends – what’s changing over time – allowing businesses to respond to those stories by assessing their risk, integrating the threat stories, and taking action. Now, what we often do for consumers is to tell little vignettes, based on the notion that when security is out of mind, you don’t do it. Recently, we did a vignette about what happens to your data after a breach. Where does it get reused? Making it clear that the consequence of a breach is not just an isolated action, it’s a longtail. The data gets resold and reused. It’s got market value. Here’s how it is combined, and here’s what you might see in the future. The purpose of these types of stories is to try to get people thinking of security as more than a one-time event.

Allen: My last question is about the public/private partnerships. You mentioned the Cyber Security Alliance, which is a private sector organization. What about working with public organizations? Is this largely ad hoc? Is it opportunistic? Or, are there some structures around that?

Weafer: There are structures around it. If you think about things like the US-CERT, it is very formalized, with a great application for sending information to industry, a great tool for sending information out to a broad audience. There are also great partnerships with law enforcement, the FBI, Secret Service, and others. The challenge has always been that governments always want to be part of the information dissemination, the ISACs (Information Sharing and Analysis Centers) information, but we all know it was generally one way: industry provides it to them and they went, “hum, that’s interesting and it’s classified.” We’ve made an ongoing effort to get the right model – President Obama talked about the security information sharing models. It always comes down to “no, trust us this time. We will share the information. We will get it out.” But the need to declassify and get the information out has always meant that it comes out slowly and tends to come out a little bit dumber as it goes out for us. So, I think everyone’s still trying to find the right formula.

I think most industries would say they are very nervous about the government holding their data. We need to find some way to say “we know we need to work together because there’s a lot at stake and government has a lot of very smart people.” But at the same time, if you’re not going to share it, then we need to find some other way to collaborate. There are a number of variants on the problem. So we [Intel] might have a lot of secure, trained people and there is fantastic sharing going on at the classified level. But how do I take that out to the rest of the people? That’s always been our challenge – turning information into actionable intelligence. I may be able to turn it into product protection because I don’t have to say where I got it from and how I learned about it. But, if I wanted to disseminate it in the form of an alert or an advisory, then this is really tied into the fact that the information has to be declassified. It has to be open for me to talk about it.

Allen: And another obstacle to good information dissemination is that enterprises don’t want to share that they’ve had a breach or experienced some other kind of issue.

Weafer: You’re absolutely right. The problem we have is that sharing works at the small model level: I trust you. You trust me. We trust each other. But as soon as 28 other people come in the room, there is lock down. The bigger the organizations get, the dumber they get, because half the people are in listening mode. But, at the small group level, there’s an amazing amount of sharing. A CISO to a CISO will often be very open because they have a lot in common and because that’s how they have to learn. Part of our role is to try to establish safe havens for having those discussions where there is no attribution. Now, where ISACs have got together, where we have been able to achieve that model it works really well because they all realize you’re seeing the same thing I am. You may be seeing it a little bit earlier or differently, and if I can share that technology, or more importantly, understand what you did with this attack – What did you react to? What did you miss? What could you have done better? – that’s very valuable.

The notion of intelligent sharing is something that is happening, but I would say it’s happening at the broad – IoC level – where it’s machine consumable, machine generated. It is happening at the very, very small scale at the trust level. And we’re all trying to figure out how to take that and scale it. The CTA is just one example. If vendors can come together and share very openly – and we hate each other – then it can work. It’s a trust model. We trust each other. You’re all very competent people. We all believe in the greater good. Now, let’s see what we can do together.

