Security Experts:

Retailers Share Cyber Attack Data Through New Retail-ISAC

Public/Private Collaboration Aims to Help Retailers Strengthen Defenses Against Cyber Attacks

Some of the Nation’s largest retailers are now sharing cyber threat information among each other and the U.S. government, thanks to a new Cyber Intelligence Sharing Center designed specifically to help the retail industry identify real-time threats and share actionable intelligence to combat cyber attacks.

Officially launched on Wednesday by the Retail Industry Leaders Association (RILA), the Retail Cyber Intelligence Sharing Center (R-CISC) is an independent organization that operates the Retail Information Sharing and Analysis Center (Retail-ISAC).

Globe Information Sharing

Information Sharing and Analysis Centers (ISACs) are typically formed specific to industrial sectors, such as the well-known FS-ISAC, which was established in 1999 to help facilitate the detection, prevention, and response to cyber attacks and fraud activity for the financial industry. FS-ISAC boasts over 4,400 organizations as members, including banks, brokerage firms, insurance companies, exchanges, clearing houses, payment processors and trade associations.

R-CISC was developed with input from more than 50 of America's largest retailers, with companies including American Eagle Outfitters, Gap, J.C. Penney Company, Lowe's Companies, Nike, Safeway, Target Corporation, VF Corporation and Walgreens, participating and supporting the initiative.

“The Retail-ISAC's dedicated cyber-analyst and technician at the NCFTA facility are processing and distilling information about real-time cyber threats, such as new strains of malware, underground criminal forum activity, potential software vulnerabilities, and translating this information into actionable intelligence, in the most usable and timely form for retailers,” the RILA explained.

Retailers are also sharing anonymized information with the U.S. government via RILA partnerships with federal agencies such as the DHS, the FBI and the United States Secret Service, RILA said.

According to the Association, R-CISC will also provide training and education and research resources for retailers.

R-CISC Board Members include a number of senior security executives from some of the largest retail companies, including:

• Ken Athanasiou, Global Information Security Director; American Eagle Outfitters

• Rich Noguera, Head of Information Security; Gap

• Scott Howitt, VP, Chief Information Security Officer; J.C. Penney

• William Dennings, Chief Information Security Officer; Nike

• Colin Anderson, VP, Information Technology; Safeway

• Jenny Ley, Director, Corporate Security Intelligence, Target Corporation

• David McLeod, Chief Information Security Officer; VF Corporation

• Jim Cameli, Information Security Officer; Walgreen Company

"Our top priority is protecting our customers and maintaining the trust they place in us every time they make a purchase," said Warren Steytler, vice president of information security at Lowe's Companies. "We are confident that by sharing with our peers and industry stakeholders through the R-CISC, our industry will collectively strengthen its ability to protect critical customer information."

Retailers and merchants of sizes can join R-CISC, as the organization said that it hopes to become a resource for not only the retail industry, but related merchant industries as well.

While threat sharing groups such as FS-ISAC and Retail-ISAC are beneficial to participants in their specific industries, according to SecurityWeek columnist Rod Rasmussen, the problem is that this information is predominately only gathered and disseminated specific industry companies and on a limited basis to their security vendors.

“[The information] is not shared at all across industry lines. Therefore, financial companies aren’t privy to the latest threats against, say, e-commerce companies, threats that no doubt will hit them next,” Rasmussen explained in a Jan. 2013 column examining issues around threat information sharing.

“In order to stay ahead of the latest threats, some very limited security information-sharing groups have emerged. But these groups are typically confined to very tight industry and peer circles and/or ad-hoc email communication lists,” Rasmussen continued. “As a result, the effectiveness of these groups is limited; they are siloed and lack the large-scale structured collaboration needed to combat today’s constantly evolving, highly organized cybercrime networks.”

According to a May 2013 report from NSS Labs, Progress on threat information sharing has been made in financial services and defense industrial base, but not so much in other sectors, noting that real-time situational awareness is lacking.

For information sharing programs to succeed, there also needs to be some agreement on common definitions and formats in order to exchange actionable threat intelligence, the report from NSS noted

“As an industry, we must all work to encourage such efforts to be inclusive of a much broader, yet trusted, community,” Rasmussen concluded.

Related: Threat Information Sharing - Fighting Fire With Fire