Last year may have been the best, bad year for the information security profession. There were numerous significant headlines about breaches and intrusions into different companies across industries, with pundits deploring the generally serious state of affairs. But you might not have noticed that a radical improvement for the good guys was also taking hold.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) was founded in 1999 to allow information on physical and cyber security threats and vulnerabilities to be shared, with the ultimate goal of protecting the U.S. critical infrastructure. In 2011, the organization saw an unprecedented in-flow of incident submissions from its membership and shared that information, as directed by the submitter, to the 4,200 institutions supported by FS-ISAC, to other critical infrastructure ISACs, and to government agencies. At the same time, other parts of the critical infrastructure community were bidirectionally sharing richer, more complete and actionable information among its members, the Department of Homeland Security and other U.S. government agencies, within a series of concentric rings of trust supported by formal agreements. This enhanced volume of sharing and level of detail is allowing critical infrastructure operators and government agencies to better defend themselves from attacks and is giving the initial submitter a deeper understanding of whether an attack is a direct target or a non-specific threat.
The FS-ISAC went from measuring prior information flow as a trickle with a single-digit number of events per month and paying little detail to the current torrent of information flow spanning dozens of events with hundreds of associated indicators per month. This increased maturity and robustness allows defenders to detect and mitigate similar attacks and, in many cases, understand what part of the attacker lifecycle the indicator information has represented.Amplified velocity, width and depth of information that needs to be shared clearly highlights the need for the design of frameworks to be enhanced to industrial-strength capacity and near real-time dissemination.
When building these capabilities, organizations must recognize that there is a spectrum of maturity across the community to act on this information. The key point to remember is that most organizations still work in isolation. At the same time, our adversaries are recycling attacks. Sharing information within a community of trust is the best defense you can give your organization to thwart those attacks.
Today's CSO must ask themselves many questions, says Clancy. Does my organization understand the risk/reward trade-off between sharing and not sharing?
»Community of trust
Do I have a community of trust where I can share information – with or without attribution – to make that community stronger? If not, why not, and how do I find one?
»Automate, don't be late
The only way to achieve scale is to automate the collection, processing, communication and analysis of critical information. Open interoperable standards are the key to realizing this goal.
»Toolkits are available
Efforts, such as MITRE's Cyber Observable Expression (CybOX), are the kinds of toolkits needed to facilitate machine- and human-readable content exchange.