Microsoft to launch real-time threat intelligence feed

Microsoft to launch real-time threat intelligence feed

Microsoft is looking to share its wealth of security information with the world through a new real-time threat intelligence feed, the company recently announced at the International Conference on Cyber Security in New York.

The project, which is still under development, aims to stream Microsoft's security information on high-profile and dangerous threats to organizations ranging from business partners and private corporations to domestic and foreign governments. Eventually, based on the success of beta testing, Microsoft will consider opening the threat intelligence feed to the public, officials said.

STRIKING BACK: Microsoft kills off a botnet

Paul Henry, security and forensic analyst at Lumension, says although the threat intelligence feed may not be able to prevent threats before they arise, it may be effective in reducing the impact of attacks before they become global problems, like the Rustock or Waledac botnets.

"I don't see a decrease in threats, but I do see this limiting the possible damage from a given threat as the community will be able to respond faster," Henry says.

T.J. Campana, senior program manager in Microsoft's Digital Crimes Unit, said at the event that the feed will function as a Hadoop-based cluster integrated with Windows Server, streaming information from a database that currently contains data on the Kelihos botnet Microsoft first disclosed in September. Given the company's other contributions to high-profile malware strains, including Rustock and Waledac, the threat intelligence feed could play an important role in global malware protection efforts.

Microsoft will still have to answer to privacy skeptics, especially considering the threat intelligence feed will distribute IP addresses of systems that are found to be part of large botnets. But according to Henry, there are ways of sharing information on security threats without invading privacy. Specifically, Henry cited the practices at the SANS Internet Storm Center, which he says Microsoft's threat intelligence feed will resemble, but from a different perspective.

"The information can easily be sanitized to address any privacy concerns," Henry says. "This is nothing new and SANS has addressed the issue in their feed, so I don't see this as being a [privacy] issue at all."

Campana stressed that no personally identifiable information will be published on the threat intelligence feed.

In either case, Henry sees any effort at sharing information as a proactive contribution to worldwide anti-malware efforts. Cybercriminals have been successful to this point as a result of their ability to distribute data quickly. According to Henry, those looking to soften the blow of global botnet attacks can learn from that.

RELATED: Should you share data breach information?

"We are still too secretive about security issues. The bad guys quickly and widely disseminate information, and defenders must do the same," Henry says. "The age-old argument about protecting users from copy-cat attacks because the information exposed a weakness does not hold water. The bad guys are already sharing information on new attack vectors in real-time."

In its efforts to take down Kelihos, for example, Microsoft claims it was able to step in before the botnet got too large.

"Although, Kelihos was considered a relatively small botnet (our investigations to date indicate that approximately 41,000 computers worldwide are infected with Kelihos, and that Kelihos was capable of sending 3.8 billion spam emails per day) and we do not expect its disruption to have the breadth of impact on the internet that our prior takedowns did, we took this action before the botnet had an opportunity to grow further and because we believe accountability is important," the company wrote in a blog post shortly after taking down Kelihos.

Colin Neagle covers Microsoft security and network management for Network World. Keep up with his blog: Rated Critical, follow him on Twitter: @ntwrkwrldneagle. Colin's email is

Read more about wide area network in Network World's Wide Area Network section.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.



How MSPs can capitalise on integrating AI into existing services

How MSPs can capitalise on integrating AI into existing services

​Given the pace of change, scale of digitalisation and evolution of generative AI, partners must get ahead of the trends to capture the best use of innovative AI solutions to develop new service opportunities. For MSPs, integrating AI capabilities into existing service portfolios can unlock enhancements in key areas including managed hosting, cloud computing and data centre management. This exclusive Reseller News roundtable in association with rhipe, a Crayon company and VMware, focused on how partners can integrate generative AI solutions into existing service offerings and unlocking new revenue streams.

How MSPs can capitalise on integrating AI into existing services
Access4 holds inaugural A/NZ Annual Conference

Access4 holds inaugural A/NZ Annual Conference

​Access4 held its inaugural Annual Conference in Port Douglass, Queensland, for Australia and New Zealand from 9-11 October, hosting partners from across the region with presentations on Access4 product updates, its 2023 Partner of the Year awards and more.

Access4 holds inaugural A/NZ Annual Conference
Show Comments