Dailydave mailing list archives

Re: The Blue Pill of Threat Intelligence


From: Harry Hoffman <hhoffman () ip-solutions net>
Date: Fri, 17 Oct 2014 12:02:18 -0400

Most of what I've seen is that the various threat intelligence feeds are
used more in line with how BL filters are used in email systems.

Folks are blocking things outright based upon a certain confidence
level and then allowing the rest into their networks.

It doesn't mean that the traffic that wasn't on the BL doesn't get
inspected, it simply means there's less traffic to inspect.

Local logs may add to the threat intel and provide additional blocking
but that's a bit harder for many people to get right.

How many (small?) companies block whole geographic regions from
communicating with them? If you cull out all of Russia and South East
Asia there's significantly less traffic to deal with in the end.

Not necessarily the way I'd deal with things but </shrug>.

Cheers,
Harry


On 10/15/14 11:59 AM, Dave Aitel wrote:
http://www.fierceitsecurity.com/story/threat-intelligence-problem/2014-10-13

In this article I go over "Threat Intelligence". And I'm a little hard
on it because I think it has to make a choice, and soon. In one hand is
a pill that takes it down the road to AV-like financial success, but
strategic failure. And in the other hand, the current models are only
stepping stones towards offerings that provide true strategic
situational awareness to their clients, so their clients can build
customized incident response programs that really work.

Honestly, I think because of the way VC-funded firms work, we may end up
taking the blue pill, which is unfortunate for companies, but good for
those of us doing offense.

-dave
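
Harry's blocklist analogy above, as an added example that is not part of the thread: a feed with per-indicator confidence scores is applied like an email blocklist, sources at or above a threshold are blocked outright, everything else is still inspected, and repeated local alerts promote an unlisted source to the blocklist. The feed entries, thresholds and log line format are constructed for the illustration.

```python
from collections import Counter

# Constructed feed: indicator -> confidence (0-100). Hypothetical, not real IOCs.
FEED = {"203.0.113.7": 95, "198.51.100.20": 60, "192.0.2.44": 30}
BLOCK_THRESHOLD = 80     # block outright at or above this feed confidence
LOCAL_REPEAT_LIMIT = 3   # local alerts that promote a source to the blocklist

def decide(src, feed, local_hits):
    """Return (action, reason): feed confidence first, then local evidence.
    Sources below threshold or absent from the feed are still inspected."""
    conf = feed.get(src)
    if conf is not None and conf >= BLOCK_THRESHOLD:
        return ("block", f"feed confidence {conf}")
    if local_hits[src] >= LOCAL_REPEAT_LIMIT:
        return ("block", f"{local_hits[src]} local alerts")
    return ("inspect", f"feed confidence {conf}" if conf is not None else "not in feed")

def triage(log_lines, feed):
    """Walk constructed log lines of the form 'src=<ip> alert=<0|1>'.
    Each local alert counts toward promoting that source to the blocklist."""
    local_hits = Counter()
    decisions = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        src = fields["src"]
        if fields.get("alert") == "1":
            local_hits[src] += 1
        decisions.append((src,) + decide(src, feed, local_hits))
    return decisions

# Constructed sample log using documentation-range addresses only.
SAMPLE_LOG = [
    "src=203.0.113.7 alert=0",      # high confidence in feed -> blocked
    "src=198.51.100.20 alert=0",    # medium confidence -> inspected, not blocked
    "src=192.0.2.99 alert=1",       # unknown to feed, local alerts accumulate
    "src=192.0.2.99 alert=1",
    "src=192.0.2.99 alert=1",       # third local alert -> blocked
    "src=192.0.2.44 alert=0",       # low confidence -> inspected
]

if __name__ == "__main__":
    for src, action, reason in triage(SAMPLE_LOG, FEED):
        print(f"{src:16} {action:8} {reason}")
```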
 



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
