Sharing Threat Intelligence Gives Defenders an Edge

Cybersecurity is a fiercely competitive industry. It is unique in the information technology space in that we don’t just face competition from other vendors, we also have human adversaries, and they are the real competition. While our products and services must compete in the market against those from other vendors, it must never happen at the expense of our ability to protect our customers.

Recently, Sophos issued a reminder encouraging the cybersecurity industry to compete foremost on technology, not on threat intelligence. If we in the industry can align ourselves to rapidly share intelligence – ideally approaching real-time – businesses, governments and individuals will be able to defend themselves from adversaries in a more effective and efficient way. It could change the economics of cyber defense, giving defenders an advantage over attackers.

Over the past five years, Sophos has made significant advancements in improving both the usability and the predictiveness of our products, two technology dimensions that I believe vendors should compete in. In particular, we’ve delivered the following:

  • An API-first design approach in all our Sophos Central enabled products to facilitate automation and integration with other tools and platforms that our customers and partners use in their operations
  • Security operation workflows within our products that are heavily influenced by our Managed Threat Response (MTR) team, and which, as a result, are highly empathetic to practitioners
  • Pervasive use throughout our portfolio of high-quality Machine Learning (ML) models that were jointly created by our Sophos AI and SophosLabs teams to help improve detection efficacy and to help focus the attention of security operators

Predictiveness and usability are just two important technology areas where competition among vendors will help raise the bar in the entire industry, but there are, of course, others. If vendors competed on innovative technology improvements like these, and shared threat intelligence, we would collectively make it harder in many ways for adversaries to succeed with their attacks. If we spread our knowledge, everyone could apply defenses to protect against subsequent recurring and/or similar attacks, which means attackers couldn’t use them over and over again – they’d be forced to change infrastructures or tactics, and this would be costly, increasing overall deterrence.

In a recent keynote I was invited to deliver at the Cyber Threat Alliance’s TIPS track at Virus Bulletin 2020, I explored ways we can incentivize enterprises, governments and security vendors to overcome the obstacles that are preventing them from sharing information about cyberthreats. The industry has gotten better, but there are obstacles to overcome. One of these obstacles is privacy, a very real issue that has hindered many for decades now. It’s time we stop hoarding and start looking at advancements in privacy-preserving technologies that can eliminate concerns and help move us forward. This is an important area of research for us as we continue to look for new ways to make operations more expensive and difficult for attackers by reducing the security industry’s obstacles to sharing.

The closer the security industry gets to sharing and operationalizing threat intelligence in real-time, the more likely we are to meaningfully encumber our adversaries.

Earlier I mentioned predictiveness as a prime example of a technology that vendors ought to compete on. One of the key methods of improving predictiveness is derived from an exhaustive understanding of the threat landscape, and this is often a function of access to data, whether that is malware samples, phishing campaigns, ransomware characteristics, adversary behaviors, or attack tools.

Sophos has a very large surface area, so we have abundant access to such data. More importantly, SophosLabs and Sophos AI have massive processing pipelines to make sense of all the data we see every day, and our MTR service often gives us very early glimpses into novel threats as they are in their initial (even developmental) stages.

Not all security vendors have uniform access to this kind of data, even if they have access to well-known industry watering holes like VirusTotal. This means that there is no even footing for vendors or independent researchers to create technology innovations, like more high-quality predictive ML models, because sharing still has barriers. As a measure to help overcome this, I’m excited to announce a joint effort between SophosAI and ReversingLabs, called SOREL-20M, to provide the first production-scale malware research dataset with the sole goal of driving industry-wide improvements in security.

Some readers may wonder at the sense of a security company releasing a trove of malware. Rest assured, the samples have been disarmed to prevent accidental execution, and an attacker would have less expensive options available to them than rearming these components. In general, it is essential for defenders to have access to these types of offensive tools, whether in the form of malware samples or the many tools and frameworks that attackers can use for pre- and post-exploitation. You can read more about this joint venture and the benefits it will bring on our dedicated SophosAI page, established in part to serve as a platform for data sharing projects like SOREL-20M.

This is just the beginning of more announcements we’re planning about our threat intelligence and tools sharing initiatives, as well as our unfolding philosophy behind the efforts – all in an effort to transform the industry with transparency and openness to better arm defenders and drive the industry forward. Please stay tuned.
