Opinion published at 22/02/2016


by Melanie Flug

‘Threat intelligence’ is a hot topic in cyber security. But what is it and do we need it? The example of FireEye’s shopping tour in recent years shows the high relevance of this new, emerging market. However, with respect to ‘security intelligence’, the market is still in its infancy.

Obviously innovation in the area of cyber security is currently taking place mainly around the buzzwords of ‘threat intelligence’ or ‘advanced threat protection’. Sounds fine. But what is it? And do we need it? ‘Intelligence’ or ‘advanced’ refer to the ‘next generation’ of cyber defense solutions, primarily the accumulation, enrichment and correlation of external and internal data with the real-time provisioning of alerts associated with faster remediation. The ‘new’ concept revolves around UNIFICATION. This means orchestrating the large variety of (in-house) best-of-breed, point solutions with external data – the latter usually in the form of a database that (globally) collects information about different methods of attack. Today, threat intelligence solutions are designed to help better detect and prevent (advanced) threats through automated, efficient processes and better visibility in combination with faster incident response, while focusing on high-value activities.

The recent acquisitions by FireEye show that this is an important and evolving topic. To evolve from cyber threat tracking to cyber threat intelligence, FireEye made three major acquisitions.

In January 2014, FireEye bought the security specialist Mandiant, which was primarily known for its security report on espionage by China in 2013. The security provider specializes in the elimination of malicious programs from affected systems with its IT incident management for large financial institutions and forensics. The company has not only strengthened FireEye’s product portfolio with endpoint security products and incident response management solutions. The integration of Mandiant’s consulting arm has also led to the establishment of an incident response team, helping FireEye to offer emergency and assessment services.
This was a significant step because consulting capabilities are becoming more important, especially for large enterprises. The innovation in threat intelligence will evolve in the user company and every company needs its own security approach depending on its size, industry, business model, customer focus and so on. For CISOs it will not be an easy job to find the right ‘technological’ way, and consulting services are more important than in the past for both IT buyers and software vendors.
The acquisition of its competitor iSIGHT in 2016 brings a further boost for the offerings for governments and businesses and strengthens the threat intelligence portfolio by adding iSIGHT’s threat intelligence network, which monitors and mines global cyber threat development and thousands of threat actors. And iSIGHT has also brought in 350 employees including about 250 cyber threat intelligence experts across 17 countries, covering 29 languages, according to the company.
This move touches another important issue: The shortage of high-skilled security professionals is not only noticeable on the client/ IT buyer side, but also on the vendor side. Acquisitions are one way to get hold of scarce security expertise. But in addition we will also see a rise in coopetition among security providers – this means they will work together in exploring knowledge and doing research on new products while competing in marketing and sales.
Finally, in February 2016, FireEye bought the security orchestration and automation provider Invotas to merge the security product, threat intelligence and incident response elements of the threat management platform into a single console. Thanks to this orchestrator approach, customers should be able to integrate FireEye with third-party products under one umbrella while automating security processes with faster response to attacks.
Freeing security specialists from the high number of manual, low-value activities is an important step for both security vendors and IT buyers. The ‘single pane of glass’ – a popular term in this context – looks like a real added value for CISCOs.

In addition, the partnership with Forescout, a provider of real-time network security, should shorten the time between alarm and mitigation on the customer side. Thanks to the combination of the ForeScout CounterACT platform with the FireEye threat protection platform, customers should view and control devices from the very moment they connect to the network.

To sum up, ‘threat intelligence’ is a highly competitive market and security specialists cannot afford failing to take the right steps now. It is about integrating innovative technologies, winning (rare) security experts, offering consulting capabilities and building a valuable ecosystem through partnerships and coopetition.

But the journey to ‘real’ threat intelligence is far from being over, because intelligence requires ‘big data’, which will significantly rise in importance. Behavioral analysis, deep forensic search capabilities and self-machine learning are closely interlinked when it comes to advanced security analytics. There are some nice examples of innovative approaches and ‘deep’ threat intelligence. The French start-up CybelAngel, for example, uses a proprietary big data algorithm to detect threats on the Deep and Dark Web. The UK-based company Darktrace uses self-machine learning based on the biological principles of the human immune system. Finally, Reveelium’s technology uses an analytical algorithm that combines advanced statistical analysis, machine learning and correlation rules to create and continuously update normal behavior profiles for entities such as users, devices and applications. PAC expects that especially in terms of ‘threat intelligence’, there will be further consolidation and partnerships with respect to BI capabilities.