“Real-time”, “AI”, “hyper-context” are words that may be easily dismissed and are often viewed as oversimplified concepts used ad nauseam by B2B tech marketers.
This couldn’t be truer in cybersecurity - maybe the most fragmented, saturated market, where everybody promises that you, the savvy security professional, will sleep well at night, knowing you’re protected.
But what if these words are there for a reason? In the next few posts, we’ll take a look at the words that marketers use to describe threat intelligence solutions, and explain, elaborate, and illuminate their true meaning.
While we’re not aiming to “empower” you to achieve anything, we hope to provide you with tools to understand and qualify cybersecurity solutions by seeing beyond the market language - or as hip hop phenomenon Flavor Flav and Chuck D, a.k.a. “Public Enemy” so eloquently put: “Don’t believe the hype”.
Is real-time for real?
It would be so hard to imagine our lives without real-time technologies.
Just try to explain paper maps, traditional dating, or booking a doctor’s appointment to someone from the younger generations and watch their mouths gape and their eyes widen. Mind. Blown.
Everywhere you turn, real-time technologies are the norm. Antivirus updates, app notifications, and turn-by-turn navigation - we want what we want and we want it now.
But it wasn’t always like this. In fact, the term “real-time” came from “real-time computing” and meant something completely different. It dates back all the way to the era of analog computers. Take it away Wikipedia!
“It derives from its use in early simulation, in which a real-world process was simulated at a rate that matched that of the real process (now called real-time simulation to avoid ambiguity). Analog computers, most often, were capable of simulating at a much faster pace than real-time, a situation that could be just as dangerous as a slow simulation if it were not also recognized and accounted for.” (source: Wikipedia)
Back to the present day: “Real-time” means different things in different industries. It might even mean different things within an industry - cybersecurity is a perfect example. Antivirus’ real-time protection (vs. a scan) means something completely different than real-time cyber threat monitoring.
So it begs two questions:
What about X is real time (where X=feature, tech, capability etc.)? For threat intel, is it the collection? Is it the extraction? Analysis? Insights?
How fast is this real-time X? What constitutes real-time?
The first question usually has clear-cut answers that would probably make some marketing and salespeople brace themselves for prospects trying to poke holes in their pitch (and here lies, marketing boys and girls, a great lesson - NEVER over-promise. Ever.)
Question number two, on the other hand, is more open to interpretation (if you can’t decide, try to put it on a “spectrum”).
Is the speed of X measured in seconds? Milliseconds? Minutes? Hours?
But the real question for any threat-intelligence prospect and/or consumer is: why is it important?
The main takeaway for a prospect is to try to understand the impact.
If your vendor has, for instance, a super-speedy, road-runner-like, “real-time” data collection, but their analysis team or tech takes days to extract insights for you to take action - that is about as useless as a screen door on a submarine.
So, what exactly is being performed in real-time, and what’s the impact on your work, processes, and results?
What might be the biggest challenge to wrap your mind around is actually deciding on the starting point from which you measure the time-to-result.
Is it from the moment a vulnerability has been published on the darkweb?
Is it from the moment it is deployed in your network?
It can be totally subjective. Different organizations will have different definitions for different use cases.
For instance, when talking about malware, I would like to be informed the moment it’s published/offered for sale on the dark web.
But when talking about a vulnerability assessment, I’d want all the information at the click of a button whenever I want my report (weekly/bi-weekly/monthly).
Only once you define your metrics and test the vendor’s tech against them can you begin to assess your “real-time needs” (“How fast do I get the intel?”, “How hard do I have to work in order to ingest it?”, and “How much does the intel cover?”) - and understand if this is the right solution for you.
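To make “define your metrics and test the vendor against them” concrete, here is an added example (not code from this post or from any vendor) that splits a feed’s “real-time” into the collection and analysis stages asked about above, measures time-to-result from a chosen starting point (source publication or first sighting in your own network), and reports the share within an SLA and the share of records that were actionable. The record fields, the sample timestamps and the SLA are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class IntelRecord:
    """One indicator's journey through a vendor pipeline (constructed schema)."""
    name: str
    published: datetime   # first appeared at the source, e.g. a dark-web listing
    collected: datetime   # vendor's collector picked it up
    delivered: datetime   # analysed insight reached the customer
    seen_internally: Optional[datetime] = None  # first hit in our own network
    actionable: bool = True  # delivered item carried enough context to act on

def stage_latencies(rec: IntelRecord) -> dict:
    """Which part of 'real-time' is actually fast: collection or analysis?"""
    return {"collection": rec.collected - rec.published,
            "analysis": rec.delivered - rec.collected,
            "end_to_end": rec.delivered - rec.published}

def time_to_result(rec: IntelRecord, start: str) -> Optional[timedelta]:
    """Time-to-result from the chosen reference point. start='published' counts
    from the source; start='seen_internally' counts from our first internal
    sighting (negative means the intel arrived before the hit)."""
    ref = rec.published if start == "published" else rec.seen_internally
    return None if ref is None else rec.delivered - ref

def evaluate(records, sla: timedelta, start: str = "published") -> dict:
    """Median per-stage latency, share within SLA, and actionable coverage."""
    stages = {k: [] for k in ("collection", "analysis", "end_to_end")}
    within, measured = 0, 0
    for rec in records:
        for k, v in stage_latencies(rec).items():
            stages[k].append(v)
        ttr = time_to_result(rec, start)
        if ttr is not None:          # skip records with no reference point
            measured += 1
            within += ttr <= sla
    return {"median_latency": {k: median(v) for k, v in stages.items()},
            "within_sla": within / measured if measured else None,
            "coverage": sum(r.actionable for r in records) / len(records)}

# Constructed sample (not real vendor data): three listings published at T.
T = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    IntelRecord("stealer-log-A", T, T + timedelta(minutes=5), T + timedelta(hours=2), T + timedelta(hours=6)),
    IntelRecord("exploit-kit-B", T, T + timedelta(minutes=3), T + timedelta(days=2), T + timedelta(hours=20), actionable=False),
    IntelRecord("cred-dump-C", T, T + timedelta(hours=1), T + timedelta(hours=4)),
]
```

Run `evaluate(SAMPLE, timedelta(hours=24))` to see collection that is fast for all three records while the median end-to-end delivery is hours and one record took two days; switching `start` to `"seen_internally"` shows whether the intel actually beat the first hit in your own environment.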
When it comes to threat intelligence speed, I’d like to offer a new line of thinking.
I’d like to think about real-time as “the time before sh*t gets real”: Before a vulnerability has been exploited, a malware weaponized, or a breached account is being purchased and used by a threat actor.
That way, the impact is clear to everyone. You just managed to save the day - and that’s as real as it gets.