Threat-intelligence sharing is dead, and here's how to resuscitate it

Kathleen Moriarty, global lead security architect, EMC's office of the CTO

At this year's RSA Conference, my colleague, Art Coviello, executive chairman of EMC's security division, RSA, quoted President Lincoln when discussing the state of the security industry today: “The dogmas of the quiet past are inadequate to the stormy present. The occasion is piled high with difficulty and we must rise with the occasion. As our cause is new, we must think anew and act anew.”

The same quote applies to our industry's current processes for threat-intelligence sharing. When the same information is shared indiscriminately with everyone, the result is information that is ultimately useful to no one, and these “dogmas of the quiet past” will simply no longer cut it.

Today, many global organizations continue to rely on security information-sharing procedures with significant shortcomings, including:

  • Shared data that is difficult to act upon;
  • A high level of manual processing required to consume it;
  • Redundant, duplicated effort across participants;
  • A scarcity of skilled analysts available to assess threats;
  • Poor linkages between shared intelligence and security controls; and
  • Remediation that often addresses symptoms rather than the root cause of threats.

As a result, these organizations are counting on information-sharing measures that are so manually intensive, duplicative and inefficient that they cannot scale to meet critical computer network defense requirements such as speed, agility, relevance and accuracy. In the long run, if we do not attempt to close this gap, our industry as a whole will continue to miss opportunities to avoid serious losses, improve overall security practices, prevent attacks and predict threats.

Threat-intelligence sharing as we've previously known it is dead, and together, the global security community must work to evolve our current methods, approaches, and expectations surrounding the sharing of threat information.

We must remind each other that information-sharing processes are successful only when the intelligence disseminated is relevant to one's individual business and effective in helping to address threats and provide a proactive defense. Information that can be quickly distributed to where it can have the greatest effect (preferably while both users and adversaries remain unaware of the protections deployed) is the ideal.

Confronting many of the problems with information sharing today will necessitate that the security industry collectively strive for two goals:

  • Ensuring that the dissemination of threat intelligence is relevant and actionable. This means all sharing efforts should be connected to a fundamental shared objective and clearly identify an immediate and proactive security response focused on where it can have the greatest risk-mitigating effect.
  • Developing a speedy, sustainable and scalable model to automate reliable threat information sharing among trusted parties and integrate response processes to minimize and prevent damage.

In conclusion, for too long, too many organizations participating in threat-intelligence programs have suffered from too much information while struggling to make use of it, because what they receive is neither relevant nor actionable with respect to their business objectives. Intelligence for intelligence's sake is not the goal; the goal is remediating risk and neutralizing threats. Information sharing done right – by realizing the two objectives outlined above – will keep security organizations from being awash in information while still thirsty for wisdom.
