Big names in cybersecurity (Robert Lee, Brian Krebs) have been giving their input on why Norse has ended up in trouble, despite their recent ‘successes’, i.e in September 2015 when the company secured $11.8m in funding from KPMG Capital. At that time, KPMG’s incentive in its Norse investment was to focus on “accelerating innovation in data and analytics.”
But within the last two weeks, Norse Corp's website went offline, and attempts to email the company failed. Their famed attack map went offline soon after. It seemed pretty uncharacteristic to the threat intelligence experts.
Where Norse Went Wrong
The spoken facts about what went wrong with Norse in the last month or so haven’t been fully confirmed and made known to the public. All the while, Lee and Krebs have each made profound arguments to explain the recent developments.
Both Lee and Krebs elaborate on different reasons how although Norse was claiming to monitor cyberthreats around the world through their famed “online attack map” -- the data behind their insight was either flawed or not as ‘high profile’ as it was claiming to be.
Despite the speculative nature of these discussions, both Lee and Krebs shed insight on the novelty of threat intelligence, and how many companies fail to identify its fundamentally crucial attributes, and how data on cyber threats doesn’t suffice to provide adequate cyber safety.
Brian Krebs and Robert Lee: Expert Opinions
Both Krebs and Lee evaluate Norse’s failure from a common standpoint, although each of them develop their own unique position. Krebs emphasizes that Norse was falsely claiming that their ‘high-profile’ data was unique to their advanced technology used to monitor attacks, as the data they were using was actually available on Web server logs. We also got this feedback from several analysts and industry leaders.
Krebs posits a valid argument, and quotes Mary Landesman, who most recently held the position of “senior data scientist” at Norse to support his claims.
However, at this point, most of Krebs’ input on Norse’s flawed accountability cannot be substantiated by the facts currently available to those outside the company.
In contrast, Lee’s discussion on Norse’s shortcomings applies to the entire cybersecurity industry, addressing a consensus that all cybersecurity efforts must abide by to succeed.
How Companies Predict Threats: Intelligence vs Data
Lee argues that Norse’s inability to understand the inherent differences between ‘internet data’ and ‘threat intelligence’. In practice, Norse was failing to make this distinction, which is why their supposed threat intelligence failed to live to its name.
This failure results from Norse data analysis systems were (mistakenly) interpreting Internet scanning data against their high level sensors as attack intelligence. Because attack data and attack intelligence aren’t the same thing, Norse was inferring incorrect conclusions from the data they were analyzing.
Confusing Security Data for Threat Intelligence
Knowledge of a cyberthreat is indeed enhanced by and reliant on data. However, this data comes in the form of raw, unfiltered information. In this format, cyber data isn’t capable of evaluating and inferring actionable insights on how a threat could be applied to the context at hand. Without this understanding, analysts cannot anticipate which technologies are needed to confront the outcomes that the applied threat can produce.
Once the threat intelligence elements produce a circumstantial understanding of how the threat can impact the technology at hand, attempting hackers’ goals are made known, and their malicious activity renders patterns of behavior that intelligence forces are informed to look out for.
Actionable Threat Intelligence
Tomer Schwartz, Director of Security Research at Adallom Labs, points out another reason why data alone cannot achieve what threat intelligence can;
Because technology is a continuously changing product line, threats posed on products are constantly updating themselves. Data knowledge isn’t capable of performing and executing actionable decisions at the speed which intelligence technologies (and all its components as pictured above) operate on.
To gain actionable intelligence, Threat Intelligence vendors must be capable of filtering out the noise from the real intelligence. Analyzing threat intelligence using ontology and other advanced data science methodologies, while provide context to the intelligence indicators are key to good threat intelligence. Another key factor is making it actionable and as automated as possible, allowing the intelligence to work for you using standard protocols such as STIX and TAXXI. By achieving both of the above, companies turn intelligence into machine readable format for tactical use and adding context to the indicators for additional insights and strategic direction.