The cyber threat intelligence business is a rapidly expanding and highly lucrative one, and rare is the large enterprise that doesn’t subscribe to at least one, and possibly several, intelligence feeds these days. Those feeds do not come cheap and so are not always within reach of smaller organizations, although they may face the same set of threats and attackers as their larger counterparts.
The challenge of defending against top-level attackers is a difficult one even for mature security organizations, and for teams with fewer resources it can seem an overwhelming task. It’s a disparity that savvy attackers can take advantage of and one that a new startup called Stairwell is planning to address. Stairwell emerged from stealth mode on Wednesday and founder and CEO Mike Wiacek, a longtime Google veteran and founder of the company’s formidable Threat Analysis Group (TAG), said he hopes to shift the tactical advantage from attackers to defenders by giving any organization the ability to defend against all classes of threat actors.
“If we accept that we’re never going to catch the A players and we just focus on the B and C, then we won’t ever catch those apex predators. We accept defeat. But I don’t think that’s the way to look at the problem. We came at it from the perspective of this problem is solvable, so how do we go about it?” he said.
That question is the one that Stairwell is hoping to answer, but Wiacek is not saying much yet about the company’s specific approach or what the product will look like. He said the middle of 2021 is the target for a public product launch and added that Stairwell is in discussions with potential customers now. Wiacek’s own experience with Google’s TAG and later as CSO and co-founder of Chronicle, the security startup from Alphabet, Google’s parent company, suggests that Stairwell may look to fill in the gaps that the major CTI products and services may not address.
TAG was among the first private threat intelligence teams and does some of the most sensitive work defending both Google itself and the company’s billions of customers from targeted attacks. The group grew out of Google’s response to the Operation Aurora attack in 2009, a months-long operation by a Chinese APT group that penetrated Google, Adobe, and many other technology companies. In the months and years afterward, Google began building a number of new internal security teams, including TAG, and Wiacek said the Aurora incident helped change the company’s mindset regarding security.
"A lot of threat intelligence is locked away inside big companies. What about everyone else?"
“When I was at Google early on, it was a normal company in terms of security. But then Aurora happened and it all changed,” he said. “You saw the idea of BeyondCorp come in, hardware security keys. The way that we were able to get two-factor authentication in the hands of so many people relatively quickly was magical. There was this renaissance in, How do we think about these problems in a new way? I had the good fortune to look at them as giant data problems that have answers to them.”
One of the things that Wiacek took away from his time defending one of the world’s more attractive targets from the most aggressive and well-resourced attackers is that there is no magic involved on either side of the equation.
“The mythology of those top players plays to their advantage, and not to ours. But at the end of the day, whatever flag they have on their wall, or if they’re cybercriminals and just in it for money, they’re still people. They’re not demigods or anything. It’s important to approach this in a practical way. We shouldn’t mythologize the operators on the other side,” he said.
Security is not a purely technical problem. And if we think some magic box is going to fix it, we’re mistaken.
Much of the work that TAG does necessarily is done in the background and the team’s findings and product don’t always see the light of day. The same is true of many CTI teams, especially internal enterprise groups that do not have public-facing products or services, something that Wiecek would like to see change.
“When we started TAG private threat intel didn’t exist. It was just inside the three-letter agencies. I was always personally happy and glad Google approved this crazy idea, but a lot of threat intelligence is locked away inside big companies. What about everyone else? It’s not within the realm of a 150 person law firm to staff up an intel team,” he said.
“So it becomes commoditized. It’s a valuable practice and CISOs look at it as doing something, but there’s not a lot of ROI. We need to get that information into the hands of other people. We have to have bigger goals.”