With cybercrime such a big concern these days, cooperation and information sharing between public and private organizations has never been more important. We recently talked with Derek Manky, Global Security Strategist at Fortinet, to get his thoughts on the difficulty, and importance, of trusted networks for sharing information in the world of cybersecurity.
NOTE: This week NIAS'16 will bring together over 1,000 cyber security professionals and decision-makers (including Fortinet) to discuss NATO's future requirements for cyber defense and industry trends. Also read more about the ongoing cooperation between Agency and Industry representatives. You can also learn more about the recent NATO Cyber Threat Vector Analysis workshop hosted by Fortinet in Valbonne, France on August 23, 2016.
A Q&A with Derek Manky
Sharing threat intelligence is the basis for a lot of public and private cyber relationships, but trust and protocols quickly get complicated in scenarios that cross borders. Can you elaborate on how working together across public and private sectors is helping fight cybercrime?
Whether you’re talking about sharing information between countries, between the government and the private sector, or within the private sector, you have to have two things: detailed protocols in place around what information can be shared and how, and trust. This is not easy, and gets quite complicated when you consider national borders and multiple law enforcement organizations, contrasted with a borderless cybercrime world. In addition, it is important and necessary to always maintain data privacy and protect personally identifiable information (PII) when sharing threat intelligence between organizations. This is yet another important reason to rely on trusted partner networks that adhere to agreed-upon protocols, only sharing information related to the adversary, and doing everything we can to anonymize information sharing.
Are we making any progress on bilateral information sharing?
NATO has been taking steps forward with this and we are pleased to be a part of this effort. Traditionally, NATO has used a platform called MISP, which was only for internal information sharing. Now the NATO Communications & Information Agency (NCI) - the cybersecurity arm of NATO - has created the NATO Industry Cyber Partnership (NICP) to collaborate with the private sector in addressing cyber threats and risks. Only trusted industry partners like Fortinet, for example, can plug into the NICP platform. And trust is a crucial piece to this. Everyone I’ve talked to on this agrees that the only way we can have useful information sharing is if it is based on trust. And trust is about face-to-face meetings and knowing the people behind the scenes.
Can you talk a bit about the various cybersecurity needs for public organizations vs. private industry? Is there a difference? Does it matter from an information sharing standpoint?
Threat information, at the end of the day, is still threat information. But the context may change and the impact of threshold for harm that can be done with that information is subjective, sometimes depending on the situation. Regardless, however, sharing information proactively across all verticals and public or private organizations is essential and moving forward. Security controls need to be able to digest automated threat intelligence and take action. The vast amount of threat intelligence that exists today - and more coming tomorrow - cannot be managed otherwise. Organizations of all types continue to struggle as they face ever-evolving threats, an expanding attack surface, and a growing security skills shortage. The challenge, of course, is that traditional information sharing does not contain context. It includes the ‘what’ but not the ‘what does it mean’.
How complex is the information sharing challenge for individuals managing actual security technology?
Today’s security teams monitor an average of 14 separate security consoles to try and manage, assess, and secure the expanding array of devices and technologies on their hybrid networks. Many times they have to compare log files, hand correlate data, and manually change policies between devices in order to address threats, which means that many threats go undetected, and response times are too slow for attacks that operate at machine speeds. This is essentially a growing Big Data problem for cybersecurity today. Yet this sort of actionable information is the best way to move from being reactive to proactive in cybersecurity today and to make examples out of cyber criminals. We need to automate how data is processed and correlated in order to shorten our time to response.
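To make the pipeline Manky describes concrete (consuming shared intelligence with context, correlating it automatically across differently formatted consoles, and sharing only adversary-side data onward), here is an added example that is not Fortinet's, NATO's or MISP's code. It normalizes log lines from two consoles, matches them against an indicator feed that carries actor, confidence and TLP context, and sanitizes a hit before sharing by dropping the user and pseudonymizing the internal host. All indicators, log lines, actor names and the salt are constructed for illustration.

```python
import csv, hashlib, io, re

# Constructed indicator feed in the spirit of MISP attributes (not real data); each record carries context.
INDICATORS = [
    {"type": "ip-dst", "value": "203.0.113.45", "actor": "actor-A", "confidence": 90, "tlp": "amber"},
    {"type": "domain", "value": "c2.example.net", "actor": "actor-A", "confidence": 70, "tlp": "green"},
    {"type": "ip-dst", "value": "198.51.100.7", "actor": "unknown", "confidence": 20, "tlp": "white"},
]

# Constructed log lines from two consoles that use different formats.
KV_LOGS = [
    "ts=2016-08-23T10:01:02Z src=10.0.0.8 dst=203.0.113.45 user=jsmith action=allow",
    "ts=2016-08-23T10:01:09Z src=10.0.0.9 dst=198.51.100.7 user=amir action=allow",
]
DNS_LOGS = "2016-08-23T10:02:00Z,10.0.0.8,c2.example.net,A\n2016-08-23T10:02:05Z,10.0.0.11,www.example.org,A\n"

def parse_kv(line):
    """Firewall console: space-separated key=value pairs."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def parse_dns(text):
    """DNS console: CSV rows of timestamp, client, query name, record type."""
    for ts, src, qname, _ in csv.reader(io.StringIO(text)):
        yield {"ts": ts, "src": src, "qname": qname}

def normalize():
    """Flatten both console formats into one event stream keyed by indicator type."""
    events = [{"ts": e["ts"], "src": e["src"], "user": e.get("user"), "ip-dst": e["dst"]} for e in map(parse_kv, KV_LOGS)]
    events += [{"ts": e["ts"], "src": e["src"], "user": None, "domain": e["qname"]} for e in parse_dns(DNS_LOGS)]
    return events

def correlate(events, indicators, min_confidence=50):
    """Match events against indicators and carry the context along, so the alert says what it means."""
    index = {(i["type"], i["value"]): i for i in indicators}
    hits = []
    for ev in events:
        for typ in ("ip-dst", "domain"):
            ind = index.get((typ, ev.get(typ)))
            if ind and ind["confidence"] >= min_confidence:
                hits.append({**ev, "type": typ, "indicator": ind["value"], "actor": ind["actor"],
                             "confidence": ind["confidence"], "tlp": ind["tlp"]})
    return sorted(hits, key=lambda h: -h["confidence"])

def sanitize_for_sharing(hit, salt=b"constructed-org-salt"):
    """Share adversary-side data only: drop the user (PII) and pseudonymize the internal host."""
    keep = {k: hit[k] for k in ("ts", "type", "indicator", "actor", "confidence", "tlp")}
    keep["victim_host"] = hashlib.sha256(salt + hit["src"].encode()).hexdigest()[:12]
    return keep
```

Raising `min_confidence` is the knob that keeps low-confidence feed entries from paging an analyst, while the salted hash lets partners correlate repeat victims without learning the host.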
Is information sharing the answer to turning the tide on cybersecurity?
While the threats from cybercriminals and terrorist organizations are real and concerning, unintentional internal issues account for a lot of industrial security incidents. In critical infrastructure organizations, software misconfigurations from human error, malfunctioning network protocols, and device behavior are all issues to still keep an eye on. A holistic security approach can protect against intentional targeted attacks as well as human error from internal sources. Solving Industrial Control Systems (ICS) security issues requires a solution that unifies the best of current OT network security capabilities with an extensive understanding of ICS processes and protocols.