Threat-intelligence sharing is dead, and here's how to resuscitate it
Kathleen Moriarty, global lead security architect, EMC's office of the CTO
At this year's RSA Conference, my colleague, Art Coviello, executive chairman of EMC's security division, RSA, quoted President Lincoln when discussing the state of the security industry today: “The dogmas of the quiet past are inadequate to the stormy present. The occasion is piled high with difficulty and we must rise with the occasion. As our cause is new, we must think anew and act anew.”
This same quote is also relevant when considering our industry's current processes for threat-intelligence sharing. When information is shared indiscriminately with everyone, the result is information that is ultimately helpful to no one, and these “dogmas of the quiet past” will simply no longer cut it.
Today, many global organizations are continuing to rely on security information sharing procedures with significant shortcomings, including:
- Shared data that is difficult to act upon;
- A high level of manual processing required;
- Widespread duplication of effort;
- A scarcity of skilled resources available to analyze threats;
- Poor linkages to security controls; and,
- Remediation often addresses symptoms vs. the root cause of threats.
As a result, these organizations are counting on information sharing measures that are so manually intensive, duplicative, and inefficient that they are unable to scale to meet critical computer network defense requirements such as speed, agility, relevance and accuracy. In the long run, if we don't attempt to close this gap, our industry as a whole will continue to miss opportunities to avoid serious losses, improve overall security practices, prevent attacks and predict threats.
Threat-intelligence sharing as we've previously known it is dead, and together, the global security community must work to evolve our current methods, approaches, and expectations surrounding the sharing of threat information.
We must remind each other that information-sharing processes are successful only when the intelligence disseminated is relevant to one's individual business and effective in helping to address threats and provide a proactive defense. Information that can be quickly distributed to where it can have the greatest effect (preferably while both users and adversaries remain unaware of the protections deployed) is the ideal.
Confronting many of the problems with information sharing today will necessitate that the security industry collectively strive for two goals:
- Ensuring that the dissemination of threat intelligence is relevant and actionable. This means all sharing efforts should be connected to a fundamental shared objective and clearly identify an immediate and proactive security response focused on where it can have the greatest risk-mitigating effect.
- Developing a speedy, sustainable and scalable model to automate reliable threat information sharing among trusted parties and integrate response processes to minimize and prevent damage.
In conclusion, for too long, too many organizations participating in threat-intelligence programs have suffered from too much information, while, at the same time, often struggling to use threat intelligence that's neither relevant nor actionable to their business objectives. Intelligence for intelligence's sake is not the goal; the goal is remediating risk and neutralizing threats. Information sharing done right – by realizing the two objectives outlined above – will prevent security organizations from being awash in information, while still thirsty for wisdom.