This post originally appeared as a byline in Dark Reading.
For cyber intelligence sharing to work, organizations need two things: to trust each other, and better processes to collect, exchange, and act on information quickly.
As cyberthreats become more sophisticated and expand to the Cloud and the Internet of Things, the sharing of meaningful threat intel between trusted organizations has become more critical than ever before. At Fortinet this year, our teams witnessed the benefits of info sharing first hand as part of a joint operation that helped INTERPOL and the Nigerian Economic & Financial Crime Commission uncover the head of an international criminal network.
What did we learn? For one thing, these partnerships demonstrate the importance of global threat intelligence research and analytics that security vendors can offer in dealing with cyberthreats. In my opinion, security vendors have a responsibility to share threat findings with each other, as well as end-user advocacy groups. It is essentially the best way to combat adversaries and assist law enforcement in fighting cybercriminals. Yet, serious challenges remain to the worthwhile goal of information sharing, even among classified, trusted networks.
One of the major barriers to information sharing is the perception of liability. In a 2014 Ponemon survey of over 700 IT security practitioners, 71% of respondents who participate in information sharing said that sharing improves their security posture. But for organizations that don’t share, half pointed to “potential liability” as the principal reason for holding back.
To get beyond these obstacles, two things must be in place: trust between organizations, and a process to receive and implement threat intelligence information quickly.
Trust but Verify
Not only do organizations need detailed protocols in place about what information can be shared, but they also need to trust the organizations with which they are sharing, as well as the process being used to collect, process, and exchange such information.
Another major concern revolves around data privacy and protecting personally identifiable information (PII). How can you share information that provides details about an attack and attacker without having it be connected, even contextually, to customers and thereby risk customer privacy and assume liability? Organizations have to rely on trusted partners who rigidly adhere to and enforce agreed-upon protocols, e.g. only sharing information related to the adversary, and anonymizing PII.
Here are a few tips for developing trusted relationships:
- Start with folks you know in your industry. Ask them their thoughts about threat sharing.
- Join an ISAO (Information Sharing and Analysis Organization) or ISAC (Information Sharing and Analysis Center). These are groups focused on sharing threat intelligence relevant to that vertical that have established protocols and procedures best suited for an industry’s needs.
- Organizations like INTERPOL, the NATO Industry Cyber Partnership (NICP), and even regional organizations have active partnerships with vendors and industry leaders to collect and share threat data. For security vendors, participation in industry organizations such as the Cyber Threat Alliance (CTA) and the OASIS Cyber Threat Intelligence (CTI) group makes everyone safer.
- Meet people in person. Trust is a slow process and few things work better than meeting with peers over dinner or drinks to establish a rapport. There are dozens of industry-related conferences, local meet-ups and user groups designed to bring folks together.
- As Ronald Reagan famously said, “Trust, but verify.” Sharing and receiving critical security information requires constant monitoring. Are you sharing critical information but receiving junk? Is data being appropriately anonymized? Are you receiving the same data you shared? Keeping everyone honest is critical for maintaining a trusted relationship.
A common critique of many information-sharing services is that they are slow and unreliable. For sharing to work, organizations need to be able to receive, process and implement threat intelligence information quickly. They also need to ensure that any threat intelligence they share is immediately useful.
Actionable information is the best way to move from being reactive to proactive. It allows organizations to move from simply stopping attacks to actually catching cybercriminals. Developing and sharing truly actionable intelligence requires the efforts of a trained security team on the part of the organization developing that information, as well as on the part of the users or organizations consuming it.
While many organizations are actively engaged in collecting as much data as they can from a variety of sources — including their own — much of the work in processing, correlating and converting it into policy is still done manually. This makes it very difficult to respond to an active threat quickly, or share timely and actionable information. Ideally, the consumption, processing, and correlation of threat intelligence is automated.
Security vendors also need to automate the sharing of threat intelligence information – and not just with outside entities. Many organizations are still struggling to share threat intelligence between deployed security devices or even between different team members. Automation ensures that time-sensitive threat information immediately reaches all stakeholders so it can be shared in real time and acted on.
Trusted sharing, even with a known partner or community, is easier said than done. When evaluating your security landscape, characteristics of network design should be considered that will securely facilitate the receiving and sharing of threat intelligence. Given that the time to compromise for today’s attacks continues to shorten, it is essential that we begin to automate as much of the process as possible — including time-sensitive activities such as sharing, consuming, hand-correlating intelligence, and distributing updated policies.