Security Intelligence, two different Approaches
We have been monitoring activities around Security Intelligence for a while and have found quite different understandings and approaches. Security Intelligence is one of the newest disciplines in the area of Information Security, and its goals seem to be quite vague. Different organizations seem to have totally different understandings of what Security Intelligence should be about. To illustrate this, I would like to compare two of the leading IT vendors and what they publish as “Security Intelligence”:
Cisco Security Intelligence Operations
On its Security Intelligence Portal, Cisco mainly lists security advisories, alerts, responses and information about Cisco product updates, signature updates, mitigation bulletins, virus watch and similar topics. Providing this kind of information is, in my humble opinion, the task of a CERT (Computer Emergency Response Team) or a PSIRT (Product Security Incident Response Team).
A large portion of this area is devoted to advertising and endorsing Cisco products and commercial services. Cisco undoubtedly has a lot of robust security solutions and services to offer, but this is not what I expect to find under the category Security Intelligence.
Only in the second level of the menu, under “Resources -> Cisco Security Reports”, can you find a couple of documents which relate directly to security intelligence and provide additional insight. The Cisco 2010 Annual Security Report has a couple of very well written and interesting articles on 44 pages, but some 20% or 30% of the document consists of photos or graphics which are not related to the content, like business people playing with their smartphones or attractive ladies smiling while drinking coffee or tea. Another three or four pages endorse Cisco products or services or confront us with the inevitable “Return on Investment” or “Award-winning <something>”. So what remains is roughly 20 or 25 pages of real hard facts, insight or analysis.
The Annual Security Report is accompanied by a 15-page Global Threat Report which offers some statistics and additional insight, not in very much detail but presented in a nice way.
Microsoft Security Intelligence Report
Microsoft has devoted a dedicated area to Security Intelligence. On this portal you will find only information which is commonly understood to be Security Intelligence; just a few links and little information relate to advisories, alerts, Microsoft products or services. The Microsoft Security Intelligence Report Volume 11, covering the first half of 2011, provides 168 pages of valuable insight, analysis, risk and threat taxonomy, risk management and much more. The report is accompanied by a 70-page Worldwide Threat Assessment and a 664 (!!!) page Regional Threat Assessment. Just a few topics from the table of contents:
- Classifying Malware Propagation
- Analytic Methods
- User Interaction vs. Exploits
- Breakdown of geographic regions, commercial sectors and attack vectors
- Feature Abuse
- Zero-Day Exploits: A Supplemental Analysis
- The Project Broad Street Taxonomy
- Worldwide Threat Assessment
- Managing Risk
- Comparison of global and regional threats
- Classification and categorization of risks
- Social engineering and security awareness
Both companies have a very broad insight into global IT security and insecurity, as well as malware, viruses and other undesired content and activities, through their networks of endpoints which are protected by their products: Cisco mainly with the IronPort “Sender Reputation Base” and worldwide analysis of malware, phishing and spam for several hundred million endpoints, and Microsoft with 600 million endpoints which provide security “telemetry data”, as Microsoft calls it.
However, the amount of information and depth of analysis which is published openly, and the effort put into public analysis, differ a lot.
Please feel free to comment, suggest additional resources, etc. As usual, comments will be approved by the DeepSec staff.
The DeepSec Team