Check Point plots to disrupt threat intelligence market with new IntelliStore feeds

Is crowdsourcing for cash the next security gold?

Security giant Check Point has launched a pioneering new market for real-time security threats it hopes will offer a way for smaller third-party security firms to embed their intelligence on cyberattacks and malware attacks directly into the real-time filtering applied by the company's security products.

Called ThreatCloud IntelliStore, the idea behind the initiative is a logical next step for the ThreatCloud threat sharing system announced two years ago. That aggregated attack intelligence from Check Point's own customers as a way of offering herd immunity; Intellistore takes the same principle but extends it to a cottage industry of small security firms that gather often very high-quality intelligence on attacks in their respective niches.

The problem is that nobody gets to hear about this intelligence unless they happen to be a customer of that firm, leaving much of this important data stranded inside threat systems where each accumulates a small part of a much larger attack puzzle.

The technology behind IntelliStore has the potential to be disruptive for the security industry on a number of levels although at the company's annual CPX show in Barcelona this week the firm's management was keen to set more modest goals.

A major theme is simply the admission that acquiring broad intelligence on cyberattacks, especially targeted campaigns, is now almost impossible for even the largest players in the security industry, Check Point included. IntelliStore offers a standardised and automated mechanism for small firms to improve Check Point's own intelligence as part of a common pool.

Check Point lined up the first tranche of partners for the launch, including iSIGHT Partners, CrowdStrike, IID, NetClean, PhishLabs, SenseCy, and ThreatGrid, some of which are better known than others but all of which specialise in documenting different types of security threat.

Currently, nobody else has a market like this so Check Point has stolen a lead for the time being if - and only if - it can hold good on the second disruption promised by IntelliStore, namely that adding third-party attack intelligence actually makes the firm's security systems better at spotting threats.

Exactly how this happens depends on the type of feed being supplied. Some generate researched data on complex threats and targeted attacks, others simply a fingerprint of a specifc type of attack, for instance, a phishing campaign. Check Point takes this data and adds it to the filtering it applies on its security gateways, on paper at least boosting their security effectiveness.

There is, of course, another disruptive effect in play here which has as much to do with the security industry as the protection sold to customers. Currently, the industry is incredibly fragmented, not only in the multiplying layers of technology it offers but the the firms themselves. Many stay small because they can't find new customers rapidly enough to grow beyond their niche of expertise.

IntelliStore could offer a way out. Each security partner sets a price for the intelligence they are feeding to Check Point (which Techworld understands will be competitive), which in turn offers this to its large customer base. If a customer decides it wants a subset of the third-party protection on offer, the partner gets revenue it would otherwise not get and Check Point gets a cut too.

What nobody, including Check Point, knows is what appetite there is for this kind of service let alone how Check Point's customers will get a sense of what they have bought by licensing extra threat intelligence from one or more of the parties. How do they see the benefit?

"You see it in the logs, you see all the events that were blocked," said Check Point founder and CEO, Gil Schwed during a series of briefings at the CPX show.

It might be more user-friendly if subscribers received some kind of report although you suspect that Check Point's typical large enterprise customer actually enjoys paying people to peer a log files for a living. Not everyone will necessarily be that log-centric.

Partners remain upbeat about the potential. A good example of this is iSIGHT Partners, a small US boutique specialising in selling threat feed data to Fortune 100 firms on a daily basis.

"It's a way to get to a market we can't reach direct. There is an ease-of-use component to this because it takes away the pain for the customer. It is turning our intelligence into actionable intelligence," said iSIGHT's SVP products and technology, Sean Catlett.

That's perhaps the biggest disruption of all; feeding intelligence through ThreatCloud potentially solves the bane of this industry which is that large organisations are overwhelmed with news of threats they can't easily or cheaply translate into protection. They are aware of threats but don't have the resources to do much about it.

For another IntelliStore partner, Swedish firm NetClean, the technology is simply a means to find more customers and spread its brand. The company is highly-regarded for its technology used to 'fingerprint' images of child abuse for use in police investigations, but admits that it is never going to be a mainstream system for most organisations. However, if those same organisations can apply digital fingerprints to the files passing in and out of Check Point's gateways without having to do anything, it believes it could be on to a winner.

"We like to see ourselves as having something that everyone should have. This should be as natural as antivirus," said CEO, Christian Berg. "By riding on the Check Point ecosystem it's going to be easier for the customer to get our technology."

Is child porn really a big deal in most firms? According to Berg, around 2 in 1,000 employees is using a company PC to look at child sexual abuse images, sometimes moved around on USB sticks as a way of circumventing filtering security.

In the end, this remains Check Point's project, part of a larger attempt to project one of the largest pure security firms in the industry as an open platform and not simply another company that puts security software inside expensive boxes. It calls this 'Software Defined Protection'.

"Intelligence is becoming important but the ability to translate it into actions almost doesn't exist today. That is what intellistor is trying to create. They [customers] can translate IntelliStor into prevention."

"IntelliStore is a good way to start the market. It gives us a big edge because Check Point is the first and so far the only vendor that provides this," he said. Will Check Point's rivals legitimise the idea with threats markets of their own?

Tags intelhardware systemsConfiguration / maintenance

Show Comments