Threat intelligence from a provider's point of view.
We had a chance at the Innovation Summit to catch up with the CEOs of two companies whose work touches the threat intelligence space, Paul Kurtz of TruSTAR and John Jolly of Syncurity.
In our brief conversation with Kurtz, he observed that many consumers of threat intelligence were growing more comfortable with the idea of information sharing. ISACs in particular are beginning to warm to the notion that an information-sharing platform can facilitate exchanges among their members.
Jolly spoke with us about "orchestration," a currently fashionable term that he demystified by characterizing it in terms of what you do with the alerts that point solutions generate. "It's a process problem," he said, and orchestration deals with everything that goes on from the time an alert appears through its resolution.
Orchestration inevitably involves a degree of automation. Jolly thinks it important for each organization to develop its own doctrine, appropriate to its needs and missions, to frame the role automation will play in its defenses, and to specify where the human operator comes in. A degree of automation that might work in one place wouldn't do at all in another. Two enterprises may have completely different attitudes toward commodity malware. Thus their risk calculations and the tolerance they have for those risks will affect their doctrine, as will the enterprise's maturity.
If looking for threats is looking for the proverbial needle in the haystack, then "You've got to sort the haystack efficiently," Jolly said, and that's orchestration. Syncurity enables its customers to build scoring rules that normalize alerts across the enterprise.
And a final note about intelligence: the context of intelligence you develop yourself, Jolly said, makes that intelligence very valuable.