SAN FRANCISCO – All this week, Salted Hash will be walking the halls of the RSA Conference in California. The running theme this week is threat intelligence; what it is and what it isn't, the vendors who produce it, and the people who use it.
You'd think there would be an abundance of sources and source material given the topic, but that wasn't the case at all.
For two weeks, Salted Hash attempted to locate security practitioners in various market segments to talk about threat intelligence, incident response, and how the two areas overlap. It wasn't easy.
First, while most were willing to share their experiences, they wouldn't or couldn't share proof of those experiences, such as redacted screenshots of the product, or anything that would confirm they were a customer of a given vendor. It may seem extreme to require proof, but given the topic, we felt it was important to confirm first-hand knowledge of the product if possible, and avoid speculation.
Second, there was another segment of people willing to talk, but only in a general sense, because the threat intelligence vendor was holding non-disclosure agreements over their heads.
And that's understandable. Most people aren't allowed to talk to the media, and those who do often request that their name and employer be left out of the official record. But it's strange that a threat intelligence vendor would have a non-disclosure agreement preventing a company from discussing perceived value or sharing information on the types of data they see.
We reached out to FireEye, one of the better-known and widely used threat intelligence vendors on the market, and asked if they used non-disclosure agreements to prevent customers from talking about the intelligence they get, its scope, or its value, etc.
A spokesperson got back to us a short time later, explaining that the intelligence products that they sell are proprietary "and customers agree in the terms and conditions not to disseminate the content beyond the organization (standard clause when purchasing content of any sort.) Talking about the scope, and perceived value, is certainly not prohibited."
FireEye was one of the vendors where customers stated they couldn't speak due to a non-disclosure agreement. As it turns out, FireEye customers are in fact free to talk about their experiences, they just can't share content.
Perhaps the concept of what is and isn't allowed with regard to open discussion isn't being communicated properly by the vendor or the company. Then again, it could be a case where those in the trenches don't know the limits of the non-disclosure agreements they cited when declining to talk. The final possibility as to why sourcing this week's coverage was so taxing is that the organization just doesn’t want to discuss any aspect of their threat intelligence operations.
Maybe the entire notion of a vendor forcing non-disclosure agreements needs to be examined? Is it useful? Sure, keeping the sauce a secret has advantages, but how far is too far?
Rick Holland, when he was at Forrester (now the VP of Strategy for Digital Shadows), somewhat addressed this issue in a report on threat intelligence last year:
One hundred percent transparency isn't realistic; providers naturally want to protect their sources and methods, but they must find a compromise that informs prospects and demonstrates differentiation.
In a crowded market, providers who keep everything about sources and methods private will be hard-pressed to make customer shortlists where they will be given the opportunity to validate their nebulous claims. Challenge vendors that provide little detail and suggest nondisclosure agreements; as a last resort, eliminate them from consideration.
As mentioned, FireEye customers referenced non-disclosure agreements when asked specifics. Even after being informed that FireEye doesn't prohibit discussions about perceived value or scope, they remained firm on their stance.
As you'll see this week, we did find some people who use threat intelligence daily who were willing to share information, their experiences, and thoughts on the topic.
Those we spoke to use a number of different vendors and products to get the job done. Later this week, we'll look at an advisory from Radware and examine context, discuss threat intelligence automation, learn what it takes to start a threat intelligence program, and more.
Today's story looks at how an incident response manager uses CrowdStrike's Falcon platform.
Full Disclosure: I have recently learned that CSO Online, the parent publication of Salted Hash, has an existing business relationship with CrowdStrike.
I was not aware of this business relationship prior to starting my research on threat intelligence. Editorial and marketing have defined limits and do not overlap when it comes to news gathering operations, so there was no way for me to know of it beforehand. The existence of this business relationship was brought to my attention after my research into CrowdStrike came to an abrupt halt on February 23.
This abrupt halt was due to CrowdStrike contacting senior management at CSO Online. I don't know the exact intent of the company in reaching out, but the contact with senior management alleged that I was refusing to give them a fair shake in what was shaping up to be a negative piece. This was confusing, because I had contacted the company twice in the previous week only to be met with silence.
Not only did I ask them to take part in the story on February 16; along with my questions, I informed them that I was speaking to a person working incident response in the finance sector, emailed them my story notes, the notes from a Falcon Host demo I watched, and informed them the demo notes would be part of the story, as they countered some of the source's remarks.
I took these steps in order for them to have the ability to respond fully to the comments made by a customer. It was eight days before they returned with a brief statement on February 24, refusing to answer any of the questions asked. –Steve Ragan, Salted Hash
CrowdStrike's statement is produced in full below. On page two of this post, you'll find the interview with the source (incident response, finance) that their statement addresses.
"Without understanding who the customer is, and not understanding the role of this anonymous person, it is difficult to address any specifics of their implementation. Each customer has specific needs for their environment, which impacts how they implement and use our products.
"With a combination of Falcon Host, Falcon DNS and most importantly the data provided by Falcon Intelligence, we believe customers are in a position to dramatically reduce their exposure of a breach. We pride ourselves to provide value to our customers every day, and we continue to add new capabilities to our products as evidenced by our winter platform release, announced this week."
CrowdStrike's press release on the aforementioned product can be found here. While it wouldn't have stopped our research or reporting, Salted Hash was not aware of any pre-RSA Conference product releases from the company.