Sharing the pie: Threat collaboration
Sharing the pie: Threat collaboration

Roadblocks to acceptance

The “concerns” Johnson speaks of are ones Smoak often hears. A big one for Johnson is trust. That's why a critical feature of Titan is its anonymity component to prevent any leaks that could jeopardize an investigation or encroach on someone's privacy. Or provide fuel to the very attackers Titan is seeking to stop. 

Smoak and company have extended a great deal of effort in ensuring that Titan is leak-proof, and that its members are vetted to ensure that information isn't accessible to the sinister.

“Every time data goes in or out of the system, we perform pre- and post-filtering that strips out things folks can't see,” he says. “That's before it leaves our internal network. Additionally, all data associated with any user/organization is referenced by a pseudo-random identifier.” The hope, though, is that once contributors feel comfortable using Titan, they will de-anonymize themselves and pick out certain people with whom they want to work. This speaks to Titan wishing to solve a more fundamental problem: removing the stigma that a successful compromise should be cause for shame. 

As for vetting users, Smoak says: “We call or have a face-to-face meeting with every prospective Titan member. During this call, we discuss background on the requesting user/organization, as well as give information about our backgrounds.”

For Titan to succeed, it also will have to convince ardent critics, such as John Pescatore, vice president and research fellow at Gartner, who says information sharing has amounted to more of a buzzword than a saving grace. To make his point, Pescatore references anti-virus companies, which, he says, essentially have been doing threat intelligence collaboration for better than two decades. Often, a business customer submits a malware sample to an AV firm, and the vendor in turn creates a signature. “The answer to these attacks is not going to come from more information sharing,” he says. “If that was the case, anti-virus would've solved our problems a long time ago. The answer is making your systems less susceptible to attack.”

But, Smoak says Titan offers far more capability as an information repository than an AV company can provide. “AV vendors typically only provide signatures to their particular product,” he says. “This means that during the time it takes the AV vendor to get a signature back – which may not necessarily detect all variants or other dropped files – malware may have already moved laterally or downloaded additional code that has not been identified. Their financial motivations only serve to push a small AV signature update and nothing else, which leaves organizations in a bit of a bind when remediating something in a time crunch.”

Pescatore makes a fair point, though, when he says that any successful data-sharing endeavor necessitates a two-way street. Naturally, most organizations want to get more than they give, and any model would be hard pressed to achieve the inverse of that. But mutual contribution is necessary, and the U.S. government has been one of the largest culprits. Pescatore says most federal agencies, like the FBI and Department of Homeland Security, covet the situational awareness that private-public sharing provides, but they are reluctant to reciprocate, tending instead to pick and choose which information they dispense – and when they do share, offering that data to only certain parties.

John Deere's Johnson has come to a similar conclusion. “The idea of a public-private partnership in sharing data seems to have mostly failed and been one-way,” he says. “Feds want corporate data, but they are reluctant to share what's going on, unless it directly impacts your company. When they do share information, it tends to be watered down and ambiguous, after the fact, and not prescriptive enough.”

The bevy of information-sharing proposals on Capitol Hill is the 800-pound gorilla in the room right now. Keith Alexander, the head of the U.S. Cyber Command, which serves as a depot of cyber space operations and liasions with U.S. military networks, recently pleaded with Congress that such a bill is needed to protect critical infrastructure, yet privacy and civil liberties advocates remain concerned. Titan may just have a role to play down the road to ease the transition for many private sector companies that are reticent to deal with the three-letter agencies. 

“My hope is that Titan becomes a technical conduit upon which info-sharing legislation can ride,” Smoak says. “Since many folks are weary of getting data directly from government, we can be a trusted third party to that exchange. But only time will tell. We're only just beginning to start these discussions.”