Companies that get hacked have the most curious reflex: they hunker down and pretend — at least to the world — that all is fine.
Only if they are legally obliged to, or if it's obvious that word will leak out, do they tend to reveal that a hacker gained inroads into their systems.
This is stupid, Andrew Manoske, senior product manager at AlienVault, told CMSWire.
"Attackers are sharing information about the companies they hack or individual identities they have stolen. They are selling this data. Defenders are seriously compromised by this instinct not to share information."
This is why the company launched Open Threat Exchange (OTX) in 2012 – a community of security resources that share information about emerging threats.
It is also why it is updating OTX today with a user interface that almost anyone can use, as well as advanced integration technology that facilitates moving the information to the user's security system.
Threat Monitoring Emerges
Before these upgrades, these activities were done via an API, Manoske said.
But as more companies decided they needed to get in front of security threats, monitoring them as they emerged, it became clear that another, more elementary access point to OTX was necessary.
Indeed, mid-market companies that need access to threat intelligence research are becoming a core user group of OTX because, for one reason or another, they have felt compelled to take on security and defense themselves instead of outsourcing it to a third-party provider, according to Manoske.
Not that threat intelligence is a mature facet of the IT security industry. It is still very much in its early days, as most IT security approaches to date have focused on defense and repelling attackers — and not so much on identifying these would-be attackers first.
Community-Minded Security Watchers
First a word about OTX: it's a free exchange, populated with a number of sources gathered by AlienVault. The company has its own proprietary security solution, which of course costs money.
But did I mention OTX was free?
Users love that aspect of the exchange, not surprisingly — and this is a user group that, while not expert in security tech, knows plenty about IT.
"Nearly every vendor has some sort of threat service or product, but access is often limited unless you're a customer or willing to pay a fee to consume that data," said Stefan Schwoegler, Director of NetOps at b Spot, a mobile games community that lets you legally bet and win cash in the US.
"What is compelling about AlienVault OTX is that it is open to anyone to participate or contribute, and it is truly a community where individuals can share, explore, challenge and validate threat data."
OTX, though, is a collaborative effort by 26,000 participants in more than 140 countries. All together, they contribute more than one million threat indicators daily.
"We gather threat information from a variety of different sources," Manoske said. "Research partners, law enforcement, some private research groups, the open web and even from 'dark' or alternative web sources." The site is updated every 30 minutes.
The UI: Easy to Use
With only the API, staying on top of these developments, to say nothing of the disparate sources, could be a challenge.
"The interface we have designed allows non-security experts to navigate and look at potential threats just as easily as someone who is expert in this technology," Manoske said.
Perfect, in other words, for the user group AlienVault wants to help with the UI: companies that don't have a large security team or a huge amount of resources to devote just to threat monitoring, which is a 24/7, 365-day-a-year gig.
The UI has been in beta since April of this year and is based on social sharing technologies that most people know and use. The tools are collaborative because, well, the entire purpose of the exchange is collaboration, Manoske said.
Underlying the UI is the same big data platform that supported the original OTX. It uses natural language processing and machine learning to automate the collection and correlation of threat data.
The system contains thousands of threats, or pulses, that have been created by OTX participants. Each pulse provides a summary of the threat, a view into the software targeted and the related "indicators of compromise" that can be used to spot attacker activity and detect threats. Examples of these might be IP addresses, domains, malware samples, emails and file hashes.
Integrating It Back
The second piece of the upgrade is new integration technology that provides an easy way to relay these threats to the companies' security software systems — and yes, that does include AlienVault's Unified Security Management.
Besides creating pulses, the new UI also makes it easier to subscribe to particular pulses and to export and integrate them into back-end security systems.
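To make concrete what "integrating a pulse into a back-end security system" means in practice, here is an added example (not AlienVault's code and not the OTX API or SDK) that takes a constructed pulse, indexes its indicators of compromise by type, and scans a few constructed log lines for any of them. The pulse layout, the indicator type names and the log lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed pulse, shaped after the summary / targeted software / indicator
# structure described above. Values are made up; this is not an OTX export.
PULSE = {
    "name": "Example credential-phishing campaign",
    "targeted_software": "Webmail",
    "indicators": [
        {"type": "IPv4", "indicator": "203.0.113.45"},
        {"type": "domain", "indicator": "login-verify.example"},
        {"type": "email", "indicator": "helpdesk@login-verify.example"},
        {"type": "FileHash-SHA256", "indicator": "0123456789abcdef" * 4},
    ],
}

# Constructed log lines from a mail relay, a web proxy and an endpoint agent.
LOGS = [
    "Jun 03 10:12:01 mx1 postfix/smtpd: connect from unknown[203.0.113.45]",
    "Jun 03 10:12:02 mx1 postfix/cleanup: from=<helpdesk@login-verify.example> to=<alice@corp.example>",
    "Jun 03 10:15:40 proxy1 squid: GET http://cdn.example/update.bin 200",
    "Jun 03 10:16:05 edr1 quarantine: sha256=" + "0123456789abcdef" * 4 + " path=C:\\Users\\alice\\update.bin",
]

# One extractor per indicator type: pulls candidate observables out of free text.
EXTRACTORS = {
    "IPv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "FileHash-SHA256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}

def index_pulse(pulse):
    """Group a pulse's indicators by type into lowercase sets for fast lookup."""
    index = defaultdict(set)
    for ioc in pulse["indicators"]:
        index[ioc["type"]].add(ioc["indicator"].lower())
    return index

def scan_logs(lines, pulse):
    """Return (line_no, type, indicator) for every pulse indicator seen in the logs."""
    index = index_pulse(pulse)
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc_type, rx in EXTRACTORS.items():
            for found in rx.findall(line):
                if found.lower() in index[ioc_type]:
                    hits.append((n, ioc_type, found.lower()))
    return hits

if __name__ == "__main__":
    for line_no, ioc_type, value in scan_logs(LOGS, PULSE):
        print(f"line {line_no}: {ioc_type} matched pulse '{PULSE['name']}': {value}")
```

A real integration would pull subscribed pulses on a schedule and feed the indicator sets into the SIEM's own matching rather than regex-scanning raw text, but the grouping by indicator type is the part that carries over.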
"We have found the OTX 2.0 integration with USM capable of taking threat detection to the next level," said Grant Leonard, co-founder of Castra Consulting. "This single innovation is really what helps us find the ‘right now’ threat vectors for our clients."