Snake oil add-ons
The pair took aim at threat intelligence offerings, dubbing much of it 'snake oil' and data that created a 'haystack of haystacks', favouring quantity of alerts over quality.
"A lot of the stuff being sold today is really a kind of snake oil," McKitrick said.
There was, McKitrick said, an overall lack of information context to inform security decision-making, and a reliance on inferior indicators and data sets.
"Some random input coming off some honeypot somewhere in the world is not really threat intelligence," Peteroy said.
The marketing wheels behind threat intelligence were well-oiled, according to the pair, meaning that chief security officers often felt compelled to buy the services despite not knowing how best to harness and employ them.
It was often sold as 'super', 'magic' add-ons to product deals, building up customer base counts, which then helped to sell the intel feeds, amounting to a kind of pyramid scheme, the pair said.
They went further and argued that actor attribution (while intriguing) was unnecessary for most network security professionals.
"It is more important to know the 'what' and the 'why' of attacks, unless you want to write attackers a strongly-worded letter," Peteroy said.
Threat intelligence information was often already on hand but simply unused, they said.
They urged security bods to share attacker information.®