Crowdsourced Security for Web Threat Intelligence
Companies such as ThreatStream with their OPTICS platform and AlienVault with OTX have relied on the security community to provide their clients with intelligence about the cyber threats that are currently out there and those that are just over the horizon. On the face of it, this goes against the long-held notion that an organization's security is its own business, with dependence on third parties kept to a minimum. While this has been the thinking for quite some time, the changing threat landscape requires a paradigm shift. Notably, there are three key enablers that support the growth of crowdsourced security.
The first is that the "lone wolf" attacker is pretty much an oddity for security teams these days. Most attacks are distributed, and rarely is a single attacker seen working against a large target. The more common threat security professionals now face is the use of automated systems such as bots, often geographically dispersed, to launch coordinated attacks against multiple targets. In this sense, receiving information from multiple sources about the threats being faced is crucial for any security team, as it lets them correlate the events occurring on their own networks with what others are seeing and determine whether those events are part of a larger, and potentially more damaging, trend.
The second is the arrival of new threat actors alongside the usual ones. While script kiddies and cyber criminals still constitute the primary source of threats, state and state-sponsored actors have come to light, bringing with them resources that most organizations will not be able to match. Here crowdsourced security acts as a force multiplier: the detection capabilities of many clients are consolidated on a single platform, so that the wider community gains a means of detecting advanced threats. The most notable example is CrowdStrike and its work to uncover a host of advanced cyber campaigns over the last 2-3 years.
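The correlation described in the two paragraphs above, as an added Python example that is not part of the original article: local access-log events are matched against sightings contributed by other members of a sharing platform, and an indicator only counts as evidence of a coordinated, distributed campaign when several independent organisations saw it against several target sectors within a time window. The log lines, sightings and threshold values are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed community sightings shared through a crowdsourced platform:
# (indicator, reporting organisation, sector of the target, UTC timestamp).
COMMUNITY_SIGHTINGS = [
    ("198.51.100.7", "org-a", "finance", "2024-05-01T10:02:00"),
    ("198.51.100.7", "org-b", "retail", "2024-05-01T10:15:00"),
    ("198.51.100.7", "org-c", "finance", "2024-05-01T11:40:00"),
    ("203.0.113.9", "org-a", "finance", "2024-05-01T09:00:00"),
    ("203.0.113.9", "org-a", "finance", "2024-05-01T09:30:00"),
]

# Constructed local web-server access log (common log format).
LOCAL_LOG = """\
198.51.100.7 - - [01/May/2024:10:20:13 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [01/May/2024:09:05:44 +0000] "GET /admin HTTP/1.1" 403 220
192.0.2.44 - - [01/May/2024:10:21:00 +0000] "GET / HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


def parse_local_events(log_text):
    """Yield (source_ip, timezone-aware datetime) for each access-log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")


def correlate(log_text, sightings, window=timedelta(hours=24),
              min_reporters=2, min_targets=2):
    """Match local sources against community sightings inside a time window.
    Only indicators reported by several independent organisations against
    several target sectors count as coordinated-campaign evidence."""
    results = {}
    for ip, seen_at in parse_local_events(log_text):
        hits = [s for s in sightings if s[0] == ip and abs(
            datetime.fromisoformat(s[3]).replace(tzinfo=timezone.utc) - seen_at) <= window]
        if not hits:
            continue  # nobody else has reported this source: no community context
        reporters = {s[1] for s in hits}
        targets = {s[2] for s in hits}
        results[ip] = {
            "reporters": len(reporters),
            "targets": len(targets),
            "coordinated": len(reporters) >= min_reporters and len(targets) >= min_targets,
        }
    return results
```

A source that only one organisation keeps reporting is still surfaced, but left unflagged so that a single noisy reporter cannot on its own turn a local nuisance into a "campaign".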
The final, and perhaps most practical, enabler is cost savings. The growing use of information and communication technologies brings with it an increase in the size of the threat area (the attack surface: the possible entry points into a system), and with this comes the need to cover and provide insight into those areas. While simply throwing more money at the problem to buy security solutions and expertise can, in a sense, address it, most organizations will eventually hit the proverbial wall. At the end of the day, resources are finite. By sharing resources, however, organizations can ease these problems (usually in the context of monitoring) and free themselves to focus on other areas of concern such as incident response.
Although still in its infancy, crowdsourced security promises to alleviate some of the immediate concerns organizations have when it comes to gaining insight into the current threat landscape. While it will not replace the presence of a good security team, it does allow for gains in efficiency and accuracy in an area where uncertainty is usually the order of the day.