REPORT REPRINTKaspersky highlights its threatintelligence portfolioMAY 18 2020By Scott CrawfordThe company’s investment in threat research has long supported its growth as a worldwide contenderin endpoint security. That research has helped build Kaspersky’s threat intelligence portfolio intoan important contributor to its enterprise strategy, with a set of offerings that seek to augmentcapabilities for security teams.THIS REPORT, LICENSED TO KASPERSKY, DEVELOPED AND AS PROVIDED BY 451 RESEARCH,LLC, WAS PUBLISHED AS PART OF OUR SYNDICATED MARKET INSIGHT SUBSCRIPTION SERVICE. IT SHALL BE OWNED IN ITS ENTIRETY BY 451 RESEARCH, LLC. THIS REPORT IS SOLELYINTENDED FOR USE BY THE RECIPIENT AND MAY NOT BE REPRODUCED OR RE-POSTED, INWHOLE OR IN PART, BY THE RECIPIENT WITHOUT EXPRESS PERMISSION FROM 451 RESEARCH. 2020 451 Research, LLC W W W. 4 5 1 R E S E A R C H . C O M
REPORT REPRINTIntroductionKaspersky has long been known as a provider of cybersecurity technologies and a recognizedinternational contender in domains such as anti-malware and endpoint security for many years. Fuelingits success in these domains, however, has been an investment in research that has built a significantbody of threat intelligence for the company. Today, as Kaspersky broadened its emphasis in enterprisemarkets from hybrid cloud to industrial cybersecurity and the Internet of Things, it highlights its threatintelligence capability as a primary enabler of its strategy.451 TAKEThreat intelligence is a valued capability among enterprises, with 42% of respondentsto 451 Research’s 2019 Voice of the Enterprise: Information Security, Workloads & KeyProjects survey reporting it as already in use, with another 15% reporting projects in pilotor proof of concept and a further 25% planning to deploy over the ensuing 24 months.Kaspersky has achieved significant penetration of global markets, which informs itsvisibility into geopolitical concerns as well as cybercrime – visibility that can add valuableperspective to threat intelligence, especially when other researchers often speakprimarily from North America or western Europe.With multiple offerings for access to intelligence reports and findings, analysis ofsamples and exposure of an organization’s digital footprint, Kaspersky seeks to putthis intelligence more directly to work in security operations. Recent offerings such asCyberTrace highlight this strategy to correlate internal security monitoring and alertingwith external threat intelligence, to arm more responsive defense with the insightneeded to detect malicious activity, respond to attacks and prioritize risks in light of realworld threats. We would expect Kaspersky to press even further into optimizing securityoperations, enhancing visibility and action through its combination of widely adoptedtechnologies in multiple environments and its threat intelligence capabilities.ContextFounded by Eugene Kaspersky and colleagues in 1997, Kaspersky began as an antivirus vendorfocused, like many at that time, on the endpoint, and has since grown to become a significant globalvendor of security software, operating in 200 countries and territories on six continents. Today, thecompany’s portfolio embraces multiple aspects of security for enterprises as well as SMBs, across awide range of IT and operational technology (OT) and the Internet of Things.Established in Russia, the company is now administered through a holding company in the UK, withprocess and storage of data for North American customers now based in Switzerland. It currentlyemploys more than 4,000 in 34 regional offices worldwide. Privately held with no outside investors,Kaspersky reported audited 2018 revenue of 706m (adjusted for foreign exchange) through bothdirect sales and a number of OEM relationships.
REPORT REPRINTThreat intelligence gathering and analysisA provider with a significant presence in endpoint security such as Kaspersky has many advantagesothers don’t. Its agents often number in the millions, deployed on systems around the world invirtually any scenario, from the datacenter to end-user devices. They encounter attack tools andtactics such as malware and exploit techniques on a daily basis. They examine samples to understandthreat behavior and activity, and their technology may respond with a combination of heuristics andbehavioral analysis to recognize malicious patterns when previously unencountered threats emerge.Substantial as it is, Kaspersky’s endpoint presence represents only a part of its global intelligencegathering capabilities. Web crawlers, spam traps and ‘bot farms’ (networks of hosts that interact inhoneypot fashion with malicious automated functionality or ‘bots’) collect data available from attacktechniques. Open source intelligence (OSINT) further contributes to inputs. The Kaspersky CloudInfrastructure supports the gathering and analysis of all this information by human experts and AI.Human analysis is spearheaded by the company’s Anti-Malware Research organization and by itsGlobal Research and Analysis Team (GReAT), an elite group of more than 40 experienced researchersin 20 countries tracking more than 200 threat actor groups. Customers and partners can alsoparticipate in threat research through the Kaspersky Security Network, a cooperative initiative thatallows participants to voluntarily submit contributions and depersonalized data for analysis and obtainfindings such as threat detection and reputational analysis deployable in operations.For the integration of its threat intelligence output with security tools and operations, Kasperskyhas partnerships with several IT security and operational technology (OT) providers, including majorsecurity information and event management (SIEM) vendors, threat intelligence platforms (TIPs) andnetwork security technologies.Threat intelligence offeringsKaspersky’s threat intelligence output includes actionable data ranging from machine-readableinformation to in-depth human analysis and reports. IP reputation, malicious file and content hashes,malicious URLs, vulnerability data, passive DNS findings, command-and-control (C&C or C2) serverdata, structured indicators of compromise (IoCs) and a widely embraced approve list of legitimatesoftware are among the many types of vetted data Kaspersky provides through its threat intelligencefeeds. Additional insights available to premium subscribers include detailed reports on maliciousfile activities and behaviors, other domains and URLs associated with suspicious files or sites andDNS resolution of suspicious IP addresses. These feeds can be consumed directly by security and ITinfrastructure and endpoints, as well as by security operations platforms such as SIEMs.For enterprise security analysts, the Kaspersky Threat Intelligence Portal is a primary point of accessto Kaspersky threat intelligence. With over 20 petabytes of data under management, the portaldelivers access to feeds as well as reports that help organizations correlate threat intelligencefindings across data sets, answer questions of relevance of findings to their organization, accessdetailed analysis of threat actors and tactics, understand their exposure to specific threats and act onconclusions and recommendations. Premium subscribers have access to additional details such as thefunctionality of specific attack tools and the relationships evidence has to other threat intelligencefindings. APT Intelligence Reporting details include analysis of methods and tools used in an attack orcampaign, technical detail on C&C functionality, IoCs and YARA rules for mitigating attacks. Countryand industry-specific reporting is also available.Functionality supported by the Kaspersky Threat Intelligence Portal includes the Kaspersky CloudSandbox, which enables customers to upload suspicious content for analysis via a web interface.Findings reveal sample behavior and actions initiated by an attack, such as opening additionalconnections or initiating C&C channels and identifying possible threat actors associated. Premium
REPORT REPRINTaccess includes the ability to integrate security tools directly via RESTful API, default and advancedsettings to optimize performance, intuitive reporting and visualizations, and in-depth analysis ofcomplex or advanced attacks through workflows provided to better manage incidents and handlemore complex investigations.Relevance and actionability are two keywords often used in describing the evolution of threatintelligence in recent years, and two Kaspersky offerings in particular – Kaspersky Digital FootprintIntelligence and Kaspersky CyberTrace – highlight these values.Kaspersky Digital Footprint Intelligence shows organizations how their information assets – frombrand presence and integrity and public information to intellectual property and sensitive data– can introduce exposures to the threat landscape. Through this offering, Kaspersky assessesan organization’s digital presence, from online infrastructure and domains to visible corporatecontent, and correlates findings to its body of threat and vulnerability intelligence. It can identifyattacker activity associated with such exposures, from attacks detected against customer assets toinformation leaks and unauthorized or unintended exposure through social media.Kaspersky CyberTrace seeks to answer a central question of security operations teams: Do detectedevents in security monitoring and alerting correspond to known attacker activity? Answers are vital,since they directly indicate the nature of detected actions, and how high a priority they should be givenin escalation, response and threat mitigation.CyberTrace matches log data with evidence in threat intelligence feeds to help security operationscenters (SOCs) in a number of ways. It provides connectors for direct integration with many popularSIEM systems, offers a web interface for data visualization and access to findings and is also availablein a stand-alone mode for parsing logs and inputs from a variety of security infrastructure and tools.It provides context to tier 1 SOC analysts to help them identify higher-priority events. For escalation,it offers on-demand lookup of indicators for more in-depth investigation. Advanced filtering of feedsenables security teams to tailor correlations to their specific requirements, with bulk scanning of logssupported, and findings exportable to common data formats such as CSV files for ingestion by othersystems. Feed usage statistics help organizations better manage their threat intelligence investment.These capabilities help boost SOC analyst expertise while optimizing processes and reducingworkloads for data correlation and event management.Customers can access Kaspersky threat intelligence in a variety of ways. Customers can use their ownbrowser, without any requirement for additional software or browser plugins of any kind, to access theKaspersky Threat Intelligence Portal. For customers who value insight into threat indicators that areoften present in web pages from any source, those with an active subscription to the Kaspersky ThreatIntelligence Portal can use a Kaspersky browser plugin for Google Chrome that reveals that contextin any visited web page. Customers can also integrate with Kaspersky threat intelligence via API, anduse certificate-based, client-side HTTPS authentication and authorization to download and updatepurchased threat intelligence feeds.CompetitionThreat intelligence is a unique segment of information security. For one thing, competitors may oftencooperate and even partner with each other, particularly on the integration of threat intelligence frommultiple sources into proprietary tools. This reflects another distinctive aspect: threat intelligenceconsumers often value differing perspectives from multiple sources, even if those sources sometimesoverlap in terms of coverage. In Kaspersky’s case, it can bring a multinational perspective from outsideNorth America.
REPORT REPRINTKaspersky thus competes with other leading security portfolio vendors in many business andenterprise markets, such as McAfee and Symantec (now a part of Broadcom) in North America,BitDefender, ESET and Sophos in Europe and Trend Micro in the APAC region (although all thesecompetitors have a global presence). Worldwide, Microsoft has expanded its presence in enterprisesecurity. Other players in markets such as network security or SIEM also offer threat intelligencecapabilities, as with Cisco’s Talos group, IBM’s X-Force and Palo Alto Networks’ Unit 42. At the sametime, however, Kaspersky also partners with many of these companies to offer threat intelligenceintegration with their products. Additional partners include TIP providers such as AlienVault (now partof AT&T) and its Open Threat Exchange (OTX), Anomali, Arctic Security, EclecticIQ, ThreatConnect,ThreatQ and the MISP open source TIP.More direct contenders in various aspects of threat intelligence per se include FireEye, particularlysince its acquisitions of iSIGHT Partners and Mandiant, as well as CrowdStrike, Flashpoint, Group-IB,Intel 471, LookingGlass, Recorded Future, SecureWorks, Team Cymru, Verint and Webroot. ‘Dark web’visibility is an emphasis of those such as DarkOwl and Sixgill.Global systems integrators with threat intelligence offerings include Accenture (which acquirediDEFENSE in 2017), BAE Systems, Booz Allen Hamilton, Deloitte, NTT and PwC. Carriers withthreat intelligence offerings in addition to AT&T include CenturyLink and Verizon. Digital Shadows,Proofpoint and ZeroFox are among those specializing in visibility into an organization’s digital footprintas an aspect of the market. A large number of boutique firms further contribute to one of the mostfragmented segments of information security, itself one of the most prolific markets in technology interms of number of vendors.SWOT AnalysisSTRENGTHSWEAKNESSESKaspersky has strong foundations in threatresearch that inform its expertise, as well as adifferentiating perspective as a multinationalvendor. Customers in many regions could findthis perspective to be a welcome alternative,particularly to providers with a distinctlyNorth American point of view.Kaspersky is currently unable to sell intoUS government agencies, but the companyclaims year-over-year growth in NorthAmerican threat-intelligence sales regardless.OPPORTUNITIEST H R E AT SKaspersky has the opportunity not only tointegrate its threat intelligence capabilitieswith its own broad portfolio as well as withpartner offerings, but to differentiate thesecapabilities based on its global view of threatinsight.The offerings of threat intelligence providersoften overlap, which can make differentiationchallenging. Kaspersky compensateswith its distinctive global perspective butfaces significant competition from othermultinational providers.
integration with their products. Additional partners include TIP providers such as AlienVault (now part of AT&T) and its Open Threat Exchange (OTX), Anomali, Arctic Security, EclecticIQ, ThreatConnect, ThreatQ and the MISP open source TIP. More direct contenders in various aspects of threat intelligence per se include FireEye, particularly