Threat intelligence information sharing efforts have become increasingly important as breaches become more pervasive. Karen Epper Hoffman reports.
Most organizations are loath to share their secrets. But when it comes to cybersecurity preparedness, more and more private companies and government agencies are realizing that sharing their information is perhaps the only way to staunch the growing tide of threats.
Threat sharing initiatives in both the public and private sectors have been around for a decade or more. It started out as an informal understanding: IT security professionals at different companies might swap notes over beers about common problems or pesky IP addresses that were commonly plaguing their industry. But it has become more formal and more focused in efforts to get out ahead of the slick cybercriminals and even nation-states which are increasingly mounting online attacks at multiple targets across industries. Financial firms, health care companies, retailers and utilities operations alike are working with each other and in concert with federal agencies to share their real-time intelligence on breaches and potential threats as they are happening, to more quickly react, or even proactively stave off such attacks.
Robert M. Lee, the CEO of Dragos Security and a certified instructor for the SANS Institute, says that high-profile breaches in recent years in both business and government, like the ones at Target and the Office of Personnel Management, have encouraged more organizations to open up about their experiences and become involved in industry and public-private threat intelligence-sharing efforts. “More organizations are realizing they need cybersecurity information real-time,” he says.
The launch of cross-industry initiatives – such as the Cyber Threat Alliance, co-founded by a handful of IT security vendors, including Palo Alto Networks, Symantec and Intel Security – as well as the growing popularity and success of sector-specific Information Sharing and Analysis Centers (ISACs) in financial services, retail and oil and gas, has driven more attention for such efforts. Similarly, the Cybersecurity Information Sharing Act (CISA), passed last December, has made it easier for companies in the private sector to share their threat intelligence with government agencies in efforts to reduce and mitigate threats. In February 2015, President Obama also introduced a new Cyber Threat Intelligence Integration Center to act as a central station for private-public threat-sharing. These efforts, across government and industry, have in turn given rise to the development of new platforms and standards aimed at helping the organizations involved better share their information.
Network defenders unite!
“The network defender community has learned that information-sharing groups benefit from the crowd-sourcing phenomenon just like any other community,” says Rick Howard, CSO at Palo Alto Networks. “In this case, the main benefit is speed.”
Typically, Howard points out, cyberadversaries are “small, nimble and execute a finely tuned playbook in order to accomplish their mission.” Mostly, he says, they do not invent new attacks every time they change victims. “Once they have a campaign that works, they use it until it does not work anymore.” Or, he adds, they may change something in the playbook but not the entire plan.
“Network defenders operating in a vacuum have no chance against these agile adversaries,” he says. That's because organizations, even those with well-resourced staffs, are too small to keep track of every existing adversary playbook, he says. By sharing information among themselves, companies and government agencies can turn the tables on the bad actors who are plying their schemes across multiple attack vectors at the same time.
According to a 2015 study by the Enterprise Strategy Group, 37 percent of North American organizations share their threat information regularly, while some 45 percent say they share information occasionally but not regularly. And, until recently, most information-sharing only took place through the ISACs.
John Carlson, chief of staff for the Financial Services ISAC and a former IT security executive with Morgan Stanley, says that the threat-sharing environment is changing not only because threats are becoming more constant and pervasive, but also because they are harder hitting, with the onslaught of adversaries that include major hacktivist groups like Anonymous and even nation-states. “There's a need for greater context about who is behind these attacks,” Carlson says, “as well as more effective and efficient ways to protect systems and customers.”