There’s a good chance that, somewhere within a company's security stack is at least one product from any of the 26 vendors in the Cyber Threat Alliance – a behind-the-scenes industry threat sharing group that this week announced its 100 millionth shared observable data point.  

CTA includes such industry mainstays as Cisco, Palo Alto Networks, and Symantec, as well as sector-specific defenders like Dragos, among many others of all sizes.

SC Media spoke with CTA Chief Executive Officer Michael Daniel, the former White House cybersecurity czar, about what threat sharing means to the industry and to the end users.  

Cyber threat Alliance announced its 100 millionth shared observable on Wednesday. What would you say to a CISO who says 'That's a nice round number, but what do I do with it?"

One of the things it’s starting to say is the nature of competition is changing in cybersecurity companies. It used to be based on companies being able to say “I know something that you don’t know." But no single entity sees every single indicator of bad stuff. No one is that big. And certainly no one has seen all of the context. It’s kind of like saying “My inadequate pool of data is better than hers.” That’s not a selling point.  

But if I can say, "I can do more with data, faster, or do something more specific to your sector," that’s worth selling.  

[Competition] used to be based on companies being able to say “I know something that you don’t know."... It’s kind of like saying “My inadequate pool of data is better than hers.” That’s not a selling point.  

CTA CEO Michael Daniel

Sharing didn’t make competition less intense. It just moved competition further up the value chain. 

But all products are better because of more indicators of compromise and more context.  

It helps the cybersecurity companies fight the adversary better.

Are there distinct examples of that happening, where industry sharing changed how defenders could respond?

A good example from early on was WannaCry. When that first emerged, everyone was looking for an email vector. That’s how security companies assumed it was spreading, but assumed they weren’t seeing the email. But CTA – which was 14 providers at the time – none of them had seen an email. A light bulb went off. [WannaCry spread via an at the time obscure, recently patched Windows network vulnerability]. 

At the time, it probably cut 24 to 72 hours off of the response time.  

There are a pretty broad array of companies in CTA – a bunch of different sizes, some like Dragos who are focused on very specific sectors. How do you make sure that everyone is providing good data others can use?

With the sector-specific companies, I think we are still learning that.

Bad guys share and reuse tools. When they try something in the financial sector, they may try it in the healthcare sector in the future. When you see something in the industrial control system space, where Dragos is, it still provides insights as to what other sectors see and are going to see.

Making sure all companies participate is baked into our bylaws. Companies are required to submit a certain amount of data a week that gets graded.

In theory, if someone was freeloading, we could kick them out. We've never had to do that.

CTA CEO Michael Daniel

Does not participating in CTA mean you've been rejected from an exclusive club or is it a choice not to join?

We try to be careful about how we say it, but we've never had to reject anyone for not meeting our criteria.

But when CISOs are looking at cybersecurity providers, one of the criteria should be how they play with others.  That benefits everybody.

If data sharing is so valuable, does that mean industry consolidation is inevitable?

When I talk to CISOs, the number one complaint is “I have 84 applications, I don’t even know what number 37 does, how can I simplify this?”

Clearly there's a demand, if not for consolidation, for more interoperability.  It's part of playing well with others.