IBM Security Opens Up Library of Malware and Threat Intelligence
Despite a career spent trying to defeat increasingly skilled and sophisticated hackers, Marc van Zadelhoff remains an optimist—at least a cautious one.
Van Zadelhoff, IBM Security’s vice president of strategy, isn’t ignorant of the risks his team is dealing with. He can rattle off the number of endpoints—270 million—and security events—more than 15 billion—IBM Security monitors every day. Like many in the security industry, he thinks hackers have gained the upper hand in recent years.
“The pace of hacker innovation is relentless right now,” van Zadelhoff said. “It’s asymmetric…and different than a few years ago, where the most sophisticated weaponry was in the hands of very organized criminals or nation-states. Now, any criminal gang on the Internet seems to be able to develop very sophisticated software.”
To combat that trend, IBM Security on Thursday announced it would make its archive of security intelligence data open to customers, trusted independent security experts, and even potential competitors. The database, named IBM X-Force Exchange, contains 700 terabytes of raw aggregated data supplied by IBM and will be continually updated with real-time threat intelligence from IBM and community members.
“The idea behind it is that as people come on board, they’re able to research data and exchange what they’re seeing about that data,” van Zadelhoff said. “They can even be people who might be competing with our technology. We want to open this up.”
The impetus for sharing the data is simple: the defenders need to catch up with the attackers, and they can start by copying some of their tactics.
“The hackers collaborate at massive scale behind encrypted browsers, on the ‘Dark Web,’ sharing all of the latest techniques. There are no inhibitors to their collaboration,” van Zadelhoff said. “Let’s get the good guys to collaborate on this platform, where we’re sharing data that people can augment with their observations.”
IBM’s early emphasis with the security database appears to be on compiling, sharing, and analyzing threats, but it has the potential to one day lead to the creation of new standards and products, van Zadelhoff said.
While van Zadelhoff eagerly touts the merits of X-Force Exchange, he has other reasons why the big picture for security “is not all doom and gloom.” Big data and behavioral analytics technology are coming into their own, providing security experts with new capabilities.
Van Zadelhoff also is bullish on cloud and mobile technologies—which might be a surprise, given the fretting over the “bring your own device” trend that was prevalent as smartphones took off. He believes Apple iOS and Google Android are surprisingly hard to write malware for and to hack, especially when compared to laptops and desktops.
“We see these as a chance for a do-over for many of our customers, where they can layer in security technology,” van Zadelhoff said. “We think if you can do it right, it really can make a big difference in having cloud and mobile be more secure.”
IBM Security, now based in Cambridge, MA, is the result of several high-profile acquisitions the company has made over the past decade, and it has a strong link to the Boston tech community. Big Blue created the division in 2011 after buying Q1 Labs, a Boston-area startup. Q1 CEO Brendan Hannigan became its general manager, and what van Zadelhoff describes as the company’s flagship security product, QRadar, is the legacy of that acquisition. QRadar is security event management software that van Zadelhoff likens to a single security console in an operations center that can integrate with almost any other security product.
Another former Boston startup figures heavily in IBM’s plans. In 2013, IBM bought Trusteer for a reported $1 billion. Trusteer was based in Israel and had a major U.S. office in Boston.
Trusteer gives IBM a product capable of detecting advanced malware threats such as potential zero-day attacks that have managed to get through a network’s antivirus and firewall protections and take up residence on laptops and desktops. Van Zadelhoff said it uses advanced behavioral analysis to distinguish between normal and threatening activity.
IBM remains the archetype of the vast global tech company—van Zadelhoff describes it as a “behemoth”—the security division views itself as “a huge startup,” he said. One reason why, he believes, is the company’s ability to integrate its acquisitions into a whole that has global reach but can still respond to emerging threats. Recruiting from startups helps, as does retaining key executives from the startups it acquires and keeping them in leadership positions, as is the case with Hannigan.