Actionable Intelligence

Verint developed a cyber intelligence system capable of converting information into knowledge and knowledge into action. An exclusive interview with a company that aspires to close the gap between offense and defense

The Verint Company is expected to break its own turnover record, with this year’s figure projected to exceed one billion dollars. A major part of this achievement is attributed to the Company’s cyberspace activities, which focus on its “Advanced Actionable Intelligence” platform. Sources at Verint told us that this intelligence platform supports cyber decision-making. It can receive structured and unstructured information from an extensive range of sources within the client’s network and from open Internet sources (OSInt), analyze this information and provide the analyst with recommendations on what to do.

“Our solution is sold to the government sector, business corporations, critical infrastructures and Managed Security Service Providers (MSSP),” explains Hanan Gino, CEO of Verint Israel and head of the Company’s defense division. “We have taken the technological assets we possess, acquired additional companies in Israel and in the East and established a cyber unit that employs hundreds of people. During the first quarter of last year we already saw some results with a deal involving a cyber solution on the scope of one hundred million dollars. Subsequently, we had additional deals.”

Verint chose to focus on actionable cyber intelligence, and for a good reason. Today, despite the diversified intelligence solutions available on the market, companies fail in their attempts to convert intelligence into preventive action. If you collected intelligence, analyzed it and eventually failed to translate it into defensive action, you would have invested resources in vain. Intelligence collection is not a goal in itself if you do not put that intelligence to good use. “We develop the story of the attack and all stages thereof,” explains Hudi Zack, head of Verint’s cyber activities.

“The system collects the intelligence, analyzes it through a process that includes real-time forensics, and that information returns in the form of instructions for new intelligence collection operations. Everything is performed semi-automatically with the analyst in control throughout the process. We call this process ‘Forensics in the Loop’. You do not wait for the attack to end. Instead, you investigate it using real-time intelligence fertilization.

“In some of the major attacks staged recently around the world, there was a device that issued an alert to the cyber command center – but no one paid attention to it. The companies only discovered that they had been attacked after several months. According to our methodology, every bit of information that is relevant to the attack generates a new intelligence collection task intended to complete the jigsaw puzzle as promptly as possible. The system should preserve, at any given moment, a complete cyber picture for the analysts at the command center.”

Verint’s system is made up of a collection of intelligence-collecting engines using various vectors, all intended to identify irregularities in the network. The intelligence from the engines is fed into an information system that analyzes the data and produces insights for future intelligence collection tasks. “During the process of analyzing the attack, the system provides the command center operators with recommendations on how to update the organization’s information security elements in accordance with on-going developments. It can operate manually or semi-automatically. It is a prompt and highly accurate closure of the cycle,” says Zack.

As this is a cyber intelligence system, the people at Verint stress that it is an open-ended system in the sense that it can connect to an extensive range of information sources in the client’s network, including sources that were not developed by Verint. The system also enables anonymous sharing of metadata with other clients who purchased Verint’s system, subject to the client’s wishes. Naturally, this is not relevant to the defense/security sector, but it is highly important for the commercial/business sector. In this way, every client can be provided with intelligence other clients see, so he may defend himself against attacks he cannot “see” through his own system.

In order to perform the intelligence collection task successfully, the system should be deployed as deeply and as extensively as possible throughout the client’s network and be exposed to each and every bit of information available in it. Additionally, the client should set priorities for each type of information, be it a sensitive database or public marketing material; each information type should be handled differently. “The system enables the client to set forth a defensive policy from which the priorities for the allocation of defensive measures to the various information assets will be derived,” says Zack. “The CEO, for example, may be defined as a high-priority asset. Once this definition has been made, we will allocate resources within the system to defending the CEO’s information within the organizational network, with the highest priority. We can also incorporate OSInt capabilities to identify the types of attacks staged against him, but that is a complementary capability that is not built into the system.”
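The closed loop described above (an alert spawns new collection tasks, ordered by the priority the client’s defensive policy assigns to the asset involved) can be sketched as follows. This is an added illustration of the concept, not Verint’s code; the alert fields, the policy keys and the task names are all constructed assumptions.

```python
# Sketch of a "Forensics in the Loop" style feedback cycle (constructed
# example, not Verint's implementation): every alert that is relevant to
# an attack generates follow-up collection tasks, most critical asset first,
# so that no alert is left unread in the command center.
from collections import deque

# Constructed policy: asset -> priority (higher is defended first), after the
# "CEO as a high-priority asset" example in the interview.
POLICY = {"ceo-laptop": 100, "hr-db": 80, "marketing-web": 10}

# Constructed alerts, as a sensor in the network might emit them.
ALERTS = [
    {"id": 1, "asset": "marketing-web", "type": "port-scan", "src": "203.0.113.9"},
    {"id": 2, "asset": "ceo-laptop", "type": "beacon", "src": "198.51.100.7"},
    {"id": 3, "asset": "hr-db", "type": "failed-login", "src": "198.51.100.7"},
]

def follow_up_tasks(alert):
    """Turn one alert into new collection tasks (the 'loop' step)."""
    tasks = [("host-forensics", alert["asset"]), ("flow-history", alert["src"])]
    if alert["type"] == "beacon":
        # Beaconing suggests command-and-control; widen collection around the source.
        tasks.append(("pivot-search", alert["src"]))
    return tasks

def run_loop(alerts, policy):
    """Process alerts by asset priority. Returns the ordered, de-duplicated
    task list and the running 'cyber picture' (source -> assets it touched)."""
    queue = deque(sorted(alerts, key=lambda a: policy.get(a["asset"], 0), reverse=True))
    picture, tasks = {}, []
    while queue:
        alert = queue.popleft()
        picture.setdefault(alert["src"], set()).add(alert["asset"])
        for task in follow_up_tasks(alert):
            if task not in tasks:           # never schedule the same collection twice
                tasks.append(task)
        # A source seen against more than one asset is itself new intelligence:
        # schedule a correlation task to complete the picture.
        correlate = ("correlate", alert["src"])
        if len(picture[alert["src"]]) > 1 and correlate not in tasks:
            tasks.append(correlate)
    return tasks, picture

if __name__ == "__main__":
    for task in run_loop(ALERTS, POLICY)[0]:
        print(task)
```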

As far as cyber attacks are concerned, one of the questions that pertain to intelligence systems is whether they can identify the attacker. Unless the attacker is positively identified, there is no way of punishing him using legal, military, economic or other means. “Anyone telling you he has a system capable of positively identifying the attacker does not know what he is talking about,” explains Gino. “Identifying the attacker is an almost impossible undertaking. There are certain capabilities for identifying clues as to the attacker’s identity, but it cannot be done with any degree of certainty.”

The people at Verint told us that in some cases, clients come to them in order to find out why they are being cyber-attacked, rather than who is attacking them. This happens when an apparently naïve organization that should not have attracted any antagonism finds itself under attack. In such cases, they attempt to collect intelligence in order to understand what the attackers are looking for. “If a client comes to us, we know how to link up to his network, translate his information into a language that our system will understand, and provide him with the information he is looking for,” says Zack. “We are currently developing the infrastructure for Managed Security Services. These are services where our people work at the client’s facilities, operating the system for the client.”

“We also have a dedicated solution for the field of critical infrastructures,” says Zack. “Verint does not have tools for interpreting SCADA environment protocols, but we are working with a company that provides us with the ability to monitor those protocols, including the ability to identify irregular behavior patterns. This information is fed into our platform and incorporated in the intelligence analysis process.”

Regulation & Cloud Computing

Verint’s cyber defense capabilities constitute a substantial revenue channel for the future, and the Company aspires to be among the world’s leaders in this field. “We are currently active in 180 countries worldwide with our products. Cyber warfare is a relatively new field of activity for us, but this activity, like other solutions we offer, demands a relationship based on trust,” explains Gino.

“One should bear in mind the fact that today, the attackers have the upper hand. There is a gap between offense and defense, and many organizations have not yet realized the extent of the potential damage a cyber attack may inflict. Many people still tell me ‘it will not happen to me’, thinking that they are small and pass under the attackers’ radar. Naturally, this concept is false. Over time, people will come to realize that cyber defense is like physical security for the citizens and the cities. This will lead to an increase in the demand for more effective defensive solutions. Businesses understand that peripheral cyber defense is no longer sufficient. More organizations are currently looking for new ways to invest their money in defense.”

Another aspect that is likely to affect Verint’s activity is cyber regulation. The people at Verint say that regulation will promote cyber defense, as it will set forth a minimum threshold that many businesses currently lack. However, regulation will not be able to provide the high threshold.

Along with regulation, the transition of the business, government and defense worlds to cloud computing is also likely to affect Verint’s cyber solutions. Whether the cloud is a hybrid or a public one, the change is already here. “Some sectors in the defense world will not transfer to the cloud any time soon. Alternatively, adopting the cloud will take them a long time. On the other hand, the business sector is already there. We are beginning to address that vector. Our system can provide solutions based on cooperative alliances we had established with other companies. According to the increase in market demand, we will decide whether it would be worth our while to develop solutions for the cloud in house,” explains Zack.

Another aspect of Verint’s system is automation. Ultimately, it is a semi-automatic intelligence system that could, if one reads between the lines, become fully automatic. “Technology notwithstanding, I do not think that the ‘man’ should be removed from the loop,” says Gino. “In the future, the human element may be kept only for safety purposes or even removed from the loop altogether. But in the near future, the systems are still incapable of understanding the entire context of the attack on their own.”