Threat sharing should be a two-way street with all parties sharing relevant information with each other, industry pros Dax Streater, manager of cybersecurity operations at the Lower Colorado River Authority, and Jeff Brown, chief information officer with BNY Mellon, agreed Monday at SC Media's RiskSec 2017.
The duo said organizations considering threat sharing should be sure to decide beforehand what information they want to share and with whom they want to share it to ensure that they are getting the most actionable information.
“Its important to assess your organization to determine what types of information will be most valuable to you,” Streater said, adding that too much threat sharing could result in unwanted noise which does more harm than good.
It's important to not just focus on the tactics, methods and vulnerabilities exploited by adversaries but to look at learning from other partner's strategies as well. Dex said that typically when we talk about information sharing, a lot of our focus is around tactical types of information but there are other areas were threat sharing could come in handy.
One example he gave was that organizations with similar threat footprints could share recommendations for tuning early detection systems as well as knowledge learned from mistakes made along the way while implementing other systems.
It's critical, too, to take a step back and look at trends and to make sure you are receiving threat intelligence on things that are actionable. When sharing information related to adversaries, companies should also look to assign the proper urgency to and consider the time sensitivity of each threat, the cybersecurity pros said.
“I can't emphasize enough that there's a timeliness factor to many of the threats out there and I don't think you want to say well we have a meeting in two months we'll wait until then,” Brown said “I think in most cases we're trying to share information that is timely in a timely level.”
One audience member who works with New Jersey Healthcare Associations said that his organization participates in threat sharing programs where chief information security officers speak amongst themselves and share the latest threat at least on a quarterly basis, but often much more frequently.
Security clearance is a huge plus when sharing threat intelligence with government agencies and can ease communication on the team if more members are authorized to speak about more threats.
Brown said that researchers should start early as it could take up to six months to get clearance but added that it makes threat sharing easier and allows access to more resources even if government agencies sometimes don't share information back, it's still a valuable asset.
Ultimately sharing intelligence with industry groups, government agencies and similar organizations can prove valuable to organizations in more ways than one.