IT security has accepted that it needs to move away from a reliance on hardened appliances at the perimeter and endpoint security on devices. These traditional solutions are often hampered by the fact that they only work on known attacks, which can mean companies have been under cyber attack for some time before detection catches up. As a result, companies are often leaking data long before they have the tools to detect it.
The solution is to profile applications, users and network traffic so that threats can be detected as early as possible. Unfortunately, this is a non-trivial problem. The amount of data to be managed often exceeds the ability of most companies to capture and analyse it. The arrival of cloud computing, big data and advanced analytics has gone some way towards making this easier, but the real advance has been security vendors moving away from point solutions to security intelligence services.
The latest security vendor to go down this path is Palo Alto Networks, which has now released a product it is calling AutoFocus. In the brief press release it is described as a "cyber threat intelligence service, a new offering that provides prioritized, actionable intelligence designed to give customers a clear advantage in the battle against cyber threats."
What makes this interesting is that it is a clear challenge to the very big security intelligence vendors such as IBM and HP. Palo Alto is claiming that the intelligence it is delivering is the result of information gathered from attacks on over 5,000 enterprises, service providers and government organisations worldwide. It is not clear whether all of these are Palo Alto customers or whether this is the first significant result of the Cyber Threat Alliance, formed in February with Palo Alto as one of the founding members.
What is important for customers is that this is not just a list of threats but a context-aware set of data that can be used to quickly identify patterns and the early stages of an attack. What will matter is whether the context awareness of this intelligence is accurate enough to recognise reasonable user behaviour rather than flagging it as a false positive. For this to happen, IT security teams need training in how to interpret the intelligence rather than relying on the service alone.
Palo Alto claims that there are four key things that the AutoFocus cyber intelligence service is able to deliver:
The press release also highlights three key features of the AutoFocus threat intelligence service:
AutoFocus is available to Palo Alto Networks customers now as part of a community access program. It will then be made publicly available in the second half of 2015, when pricing will also be announced. Between now and then it will be interesting to see how much more information Palo Alto Networks is prepared to disclose about how AutoFocus works and what it has achieved.