“Right now the way we gather signals is essentially a honey pot in the industry,” explains Philippe Humeau, CEO of CrowdSec, in a recent episode of Category Visionaries. But there’s a fundamental problem with this approach: “The problem with this approach is it’s nothing realistic.”
The Problem with Traditional Threat Intelligence
Traditional threat intelligence relies heavily on honeypots – fake vulnerable systems designed to attract and study attackers. But as Philippe points out, this only captures “the background radiation from the Internet. Nothing really targeted or exceedingly dangerous most of times.”
This limitation creates a significant blind spot in cybersecurity. Organizations need intelligence about real threats targeting real businesses, not just opportunistic scans hitting decoy systems.
Real Businesses, Real Threats, Real Intelligence
CrowdSec’s approach is fundamentally different. “Our clients and our users are sitting in a vertical,” Philippe explains. “They are running real businesses, real machines, belonging, providing real services and being attacked by very real cybercriminals willing to make real money.”
This focus on real-world data enables a deeper understanding of threat actors and their motivations. Philippe shares a revealing example: “Some IP addresses were only aggressive toward media in France during presidential election, but the same IP addresses were aggressive in Germany during the chancellor election and in UK during the renewal of the parliament.”
This pattern reveals something crucial: “Those IP addresses are not aggressive toward specifically media. They’re aggressive toward democracy.”
The Scale of Modern Threat Intelligence
CrowdSec’s network processes an enormous volume of threat data:
- “16 million threats per day”
- “7 million IP addresses we are watching continuously”
- Coverage across “175 different countries”
But volume alone isn’t enough. From these millions of potential threats, Philippe notes they carefully curate their block list: “Only 20 to 25,000 make it to the block list. That way we’re sure that there is 100% success rate and no false positive and no poisoning attempt.”
The Power of Vertical-Specific Intelligence
One of CrowdSec’s key innovations is organizing threat intelligence by industry vertical. As Philippe explains, “Since they are belonging to a vertical, we can say, for example, all these IP addresses are aggressive toward media or toward banks or toward automobile industry.”
This vertical-specific approach enables:
- More accurate threat assessment
- Better understanding of attacker motivations
- Identification of industry-specific attack patterns
- Discovery of “second order effects” across verticals
The Five-Year Vision: Real-Time Global Threat Mapping
Looking ahead, Philippe outlines an ambitious vision: “We should have, five years from now, an entirely real time list or map of all the addresses using by cybercriminals.”
This system would operate with unprecedented speed and accuracy:
- “If one is used and we don’t know about it yet, it will be added to the block list in minutes”
- “If one is released by the guys and is not used anymore, it will disappear from the block list in minutes”
- Eventually, this could happen “down to seconds if we are enough partaking into this effort”
From Individual Defense to Collective Security
The underlying philosophy of CrowdSec’s vision challenges traditional cybersecurity approaches. “Hollywood makes us think that you can fight alone against an army,” Philippe observes, but “when you fight alone against an army, you lose, period. No matter how better you’re equipped or whatever, you just lose.”
The solution? “To defeat an army like the cybersecurity threat actors, you need a bigger army. That’s just a good old fashioned military thinking here.”
Building the Network Effect in Security
To achieve this vision, CrowdSec aims to grow their network to “1 million machine partaking into the network that are all belonging to a vertical.” This scale is crucial for creating what Philippe calls a “second order effect” – where the collective intelligence becomes greater than the sum of its parts.
The company’s approach mirrors successful network-effect businesses in other industries. As Philippe explains, it’s “Exactly like ways with the network of roads. It’s the same principle.”
The Future of Threat Intelligence
CrowdSec’s vision suggests a fundamental shift in how organizations approach cybersecurity – moving from isolated defense to collaborative protection. By combining real-world data from actual businesses with industry-specific analysis and real-time sharing, they’re working to create a new paradigm in threat intelligence.
The success of this approach could mark the end of an era where organizations try to fight cybercrime alone, replacing it with a model where, as Philippe puts it, “if they collaborate together, even though indirectly through us, they will all get better protection.”
Twitter
facebook
linkedin