Georgia Tech's Christopher Smoak helped create an intelligence system for threat information collaboration. Dan Kaplan reports.
When hackers from the United States, Eastern Europe and Russia raided Heartland Payment Systems to funnel out an estimated 100 million credit card numbers, most observers were flabbergasted by the astonishing number of records involved in the incident.
But as it would turn out, if the Princeton, N.J.-based company had only been privy to the methods and malicious executables that the intruders used, it may have avoided one of the largest recorded data breaches in history, says John South, Heartland's chief security officer. This may sound implausible in hindsight, except that South and his team were far closer to those answers than you may think.
“One of the things we found going through our breach, the indicators that would have been available to protect ourselves were out in [the financial services] community,” he says. “People knew about the indicators, but they had no way of sharing the information. Everything [the hackers] used, everything was known by someone at some point in time, including some of our competitors. If we had known them, perhaps things would have been different.”
The breach, which was disclosed in January 2009, prompted Heartland to not only get serious about beefing up its data security stance – it implemented an end-to-end encryption system to cloak credit card numbers from point-of-sale swipe to bank handover – but also recognizing the value of collaboration. Bob Carr, the company's founder and CEO, helped launch the Payments Processing Information Sharing Council, part of the Financial Services Information Sharing and Analysis Center, better known as FS-ISAC. The endeavor created an interesting dynamic – all of the council's members are staunch competitors – but it underscored the collective realization that threat data carries exponentially greater value when it is aggregated.
All of the drivers to make more partnerships like this one thrive seem to be in place. By their very nature, IT security departments crave visibility. And, they are befuddled by the sheer speed by which attacks occur and the long period it often takes to discover them. Plus, the criminals share information, so why shouldn't the good guys, too? If everyone assisted one another, the theory goes, they'd be in a much more enviable position to combat cyber risks. Still, despite efforts across the industry to improve threat intelligence, even among seemingly fierce rivals, significant barriers to information sharing still exist, chief among them the fear of admitting compromise.
That's why researchers at the Georgia Tech Research Institute (GTRI) are trying to reimagine information sharing through the introduction of Titan, an anonymous threat intelligence system that, for a small cost, seeks to lend a hand to organizations of all sizes. In devising the idea, engineers at GTRI determined that a need existed within the industry to communicate around threat data. Large organizations either relied on purchasing too many appliances for malware analysis – or they had to build their own – while smaller outfits didn't have the budget to do either. Yet most companies, no matter their spending ability, have one thing in common: Their security efforts are far too inward focused.
“A lot of them think of this as their dirty laundry,” says Christopher Smoak, a research scientist at GTRI and one of the creators of Titan. “It's time for us to stop being scared about talking to each other. If we're not going to start building these bridges to share stuff with each other, then we might as well give up.”
He even suggests sharing security intelligence during the times when organizations often are most reluctant, like during internal investigations, or, if they are permitted to, during a law enforcement probe. The more, the better, Smoak believes.