RSA 2015: Knowing which way the wind's blowing
Sharing of industry and government data, collated centrally to create a cyber-threat weather map is now underway in the U.S., with threat indicators being issued.
In the wake of U.S. President Obama signing an executive order in February urging companies to share cyber-security threat information with one another and the federal government, it was reported during RSA that the US government is already collating and analysing that information to create a ‘weather map' of the threat landscape and is making it available to industry.
Phyllis Schneck, deputy under secretary for cybersecurity and communications for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security (DHS), told delegates at the RSA 2015 session, Modern Department of Homeland Security Cyber – our vision forward, that the government's priorities were to:
1) “Build trust with our stakeholders. They need to understand what we bring, and that we have a customer-service orientation.
2) “Situational awareness.
3) “And how can we leverage this cyber-security framework, leveraging what private sector brings, its technology, people, ideas and those of the government and the Department of Homeland Security. This includes defining what are our best practices and delivering our technical expertise o boardrooms, to venture capitalists, small companies, explaining how we can measure risk consequence.”
Extending the weather map analogy, Schneck described the information provided as the cyber-indicators, the raw material forming the core of data to be analysed. And while it was recognised it may be hard for some companies to share with government, only by sharing data could an accurate picture be created, allowing responses at machine speed. And by feeding into a bigger picture, the contributing companies would then get a broader perspective of the threat landscape than they could see alone.
“Adversaries can't have the situational awareness that we can get, - every attempt is a piece of knowledge, and we can learn to attack what we know is bad, and build our ecosystem. So some organisations may think an IP address is bad, others don't – how do you decide? Is it high impact but confined, or low impact and widespread? We need our machines know when to accept instruction or not.” said Schneck.
The goal is for cyber-response times to go from months to milliseconds, and DDoS was cited as a good example, with response taking a month ten months ago, now down to hours, and milliseconds the aim in the future. The target is that our machines should not accept the bad traffic. So we need to ensure routers know what to block. As a result, a central place is being created to correlate the data. Competitive concerns would be catered for, so some companies will share with some organisations and not with others – hence Shneck's challenge, “How do we get the right stuff to the right place at the right time if someone has an indicator we could use?” And her reassurance to the 15 or 16 companies providing threat intelligence: “We are not threatening that, but want to use what you are learning to understand and use that information.”
This integrated initiative, which now includes a West Coast presence being opened (announced during RSA), is intended to enable:
Tailored and protected information sharing and situational awareness. This aggregation and analysis across commercial and government-based information sources would provide high confidence reputational information, with behaviour-based indicators and mitigations.
Rapid access to enriched trusted indicators and mitigations using data/sensor inputs/indications to create a cyber-weather-map whose capabilities are supported by multiple sources, enterprises, and partners.
Unity of effort for cyber-readiness and response facilitating coordinated cyber response planning, execution and scalable network speed cyber-defence.
Advanced analytics/information sharing.
As Schneck commented: “The more good stuff we put in, the more understanding we get out.”
She also emphasised that everyone should have access to what the government can bring, and the smallest to largest organisation needs to be feeding into this hence it needs the ability to scale for SMEs : “They often can't afford cyber-security – leaving them exposed and losing a ton of data for a more complete weather map and it's our job to fix that. (We need an) architecture for each organisation to have a microcosm that feeds into macrocosm and we integrate and give a wider view, how good or bad we think a file name, IP, hashtag – providing a ‘credit score' and get the right information to the right place.”
Asked whether the information might be shared internationally, including say with Russia, Schneck responded: “We will push indicators out everywhere and expect to receive indicators internationally – it will be a risk decision as to who we offer them to.”
"There's only one way to defend America from these cyber-threats, and that is through government and industry working together, sharing appropriate information as true partners," said Obama at the initiative's launch - though it's unlikely that partnership extends to Russia, China or North Korea.