In my previous SecurityWeek column, I wrote about how information is at the heart of most U.S. bills to secure the Internet. From CISPA to CSA to SECURE IT, all of these bills have one common tactic they are looking to tap: information sharing. My colleagues and I have a more descriptive saying for exactly what this is. We call it collective intelligence.
Collective Intelligence—A Definition
So what exactly is collective intelligence? According to Wikipedia, it is “a shared or group intelligence that emerges from the collaboration and competition of many individuals and appears in consensus decision making in bacteria, animals, humans and computer networks.” When it comes to Internet security, this collective intelligence is essential. Recent breaches have shown time and again that, had there been an effective way to share the latest attack vectors and methods, many of them could have been avoided, at least by the majority of victims who were hit with the same attacks that had already hit others.
Renee Guttmann, Chief Information Security Officer of The Coca-Cola Company, summarized this well in a recent report, “Getting Ahead of Advanced Threats” (PDF) from the Security for Business Innovation Council (SBIC): “If something happens at your organization, the first question you’ll ask is, ‘Is it just me or is everybody else getting hit with this attack?’ You can’t answer that for yourself. And it takes too long to call 20 of your closest friends. You’ve got to be part of a larger gene pool to get an immediate answer to that question.”
But how does one go about finding the appropriate sources?
Developing a Short List of Intelligence Sources
Cultivating intelligence sources is a time-consuming task. Relationships must be developed and maintained with colleagues throughout the organization and with peers at other companies, law enforcement, government officials, and members of industry associations. Enough information must be collected to perform meaningful analysis, but the goal is not to collect data on everything from everywhere. There is plenty of “data” out there, and it will overwhelm people and systems very quickly; what you need to win in the security game is actionable intelligence. The team has to prioritize based on its threat model and the information it is trying to protect, as well as the total cost of collecting and using the data.
From CERTs (Computer Emergency Response Teams) to federal and international law enforcement such as the FBI and INTERPOL, to information-sharing associations and groups like FIRST (Forum of Incident Response and Security Teams) and the APWG (Anti-Phishing Working Group), there are literally hundreds of organizations a security team needs to be in nearly constant contact with. While it may be possible to build an internal team that ties into and manages all of these relationships, doing so is inherently inefficient, and affordable only for the largest enterprises.
And even such an internal team may not be able to handle the intricate relationships and data points coming in from other companies, many of which are in the same industry. Many companies are reluctant to share security data points with other companies, especially direct competitors. But they would be willing to share that data with an independent third party security provider, an independent, trusted “broker,” who in exchange can provide security data from many other companies and organizations.
With safeguards in place to ensure anonymity (when needed) and the privacy of data exchanges, it is far easier to share more sensitive, and therefore more actionable, information. Industry groups with strong charters, or companies under contract with legal and fiduciary obligations to their members or customers, can provide such conduits. This allows an enterprise to leverage its limited security resources on a smaller set of contact points that still scale out to a much wider world.
The Right Relationships
Once you’ve got a “short” list of possible intelligence sources, how does one evaluate them? Identifying and working with good data sources and partners is not a check box, it’s an ongoing relationship. While higher cost is sometimes a proxy for top-notch data and services, that isn’t always true in the Internet security world.
In the SBIC report, “Getting Ahead of Advanced Threats” the authors pretty much nailed the continuous process needed to establish and maintain collective intelligence sources:
“Finding good sources is an ongoing process – information requirements need to be reviewed, current sources assessed to determine if they meet requirements, and new sources researched and evaluated. As well, as data is collected and analyzed, sources may need to be adapted on the fly. Even trusted sources could get things wrong. Keep in mind that sources vary in quality and scope. Some of the best sources may cost very little and some of the worst may cost a lot. The value of the data from each source should be tracked so that, over time, the team can judge how good particular sources are.”
That said, the old adage “you get what you pay for” still comes to mind when looking at many of the “free” data sources and free-for-all security mailing lists out there. There is a lot of noise and little accountability in those models, so even though plenty of interesting and relevant information can be found there, you have to do a lot of work to make it actionable. Keep that in mind from a total-cost-of-ownership (TCO) perspective. Beyond staff hours, other factors in the TCO calculation include hard costs such as legal review and hardware, as well as soft costs such as lost productivity, or damage to reputation if you react strongly to incorrect information (false positives).
A good guiding list to evaluate intelligence sources is the TRACE framework.
Timeliness – How fresh is the data?
Responsibility – Does the data provider stand behind the data?
Accuracy – Is the data clean and reliable?
Comprehensiveness – How much of the whole picture does the dataset provide?
Efficiency – Is the size of the dataset optimized and presented to ensure ease/speed of using it?
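The TRACE list above is a rubric rather than a measurement, and the SBIC advice quoted earlier is that the value of each source be tracked over time, which means the five axes need numbers. The following Python is an added example, not code from this column or from any organization it names. It scores each feed against the indicators a SOC has itself confirmed in its own telemetry. The metric definitions are this editor's own operationalization of TRACE, and the source names, indicators and timestamps are constructed sample data; in a real deployment the confirmed set would come from incident records and the feed records from each feed's delivery log.

```python
"""Score threat-intelligence sources along the five TRACE axes.

Added illustration. The metric definitions are one possible reading of TRACE,
and every feed record and confirmed indicator below is constructed sample data.
"""
from datetime import datetime
from statistics import median

# Constructed ground truth: indicators the SOC confirmed in its own telemetry,
# keyed to the time each was first seen internally.
CONFIRMED = {
    "198.51.100.7": datetime(2012, 5, 1, 9, 0),
    "203.0.113.44": datetime(2012, 5, 2, 14, 30),
    "evil.example": datetime(2012, 5, 3, 8, 15),
    "drop.example.net": datetime(2012, 5, 4, 17, 45),
}

# Constructed feed records per hypothetical source:
# (indicator, time the source published it, whether the source later retracted it).
FEEDS = {
    "paid-vendor": [
        ("198.51.100.7", datetime(2012, 4, 30, 20, 0), False),
        ("203.0.113.44", datetime(2012, 5, 2, 10, 0), False),
        ("evil.example", datetime(2012, 5, 3, 20, 0), False),   # published after we were hit
        ("10.0.0.5", datetime(2012, 5, 1, 0, 0), True),         # false positive, retracted
        ("198.51.100.7", datetime(2012, 5, 1, 12, 0), False),   # duplicate of an earlier record
    ],
    "free-list": [
        ("198.51.100.7", datetime(2012, 5, 1, 18, 0), False),   # published after we were hit
        ("drop.example.net", datetime(2012, 5, 4, 6, 0), False),
        ("10.0.0.5", datetime(2012, 5, 1, 0, 0), False),        # false positive, never retracted
        ("192.0.2.99", datetime(2012, 5, 2, 0, 0), False),      # false positive
        ("192.0.2.99", datetime(2012, 5, 2, 1, 0), False),      # duplicate
        ("192.0.2.100", datetime(2012, 5, 2, 2, 0), False),     # false positive
    ],
}


def score_source(records, confirmed):
    """Compute one TRACE-style metric per axis for a single source.

    timeliness:        median hours of warning before the first internal sighting
                       (negative means the feed arrived after we were already hit)
    responsibility:    share of the source's false positives it later retracted
    accuracy:          share of unique published indicators that were confirmed
    comprehensiveness: share of confirmed indicators the source published at all
    efficiency:        unique indicators per record (1.0 means no duplicates)
    """
    first_pub = {}
    retracted = set()
    for ioc, published, was_retracted in records:
        # Credit the source with its earliest publication of each indicator.
        if ioc not in first_pub or published < first_pub[ioc]:
            first_pub[ioc] = published
        if was_retracted:
            retracted.add(ioc)
    unique = set(first_pub)
    confirmed_set = set(confirmed)
    hits = unique & confirmed_set
    false_positives = unique - confirmed_set
    lead_hours = [(confirmed[i] - first_pub[i]).total_seconds() / 3600 for i in hits]
    return {
        "timeliness": median(lead_hours) if lead_hours else None,
        "responsibility": (len(retracted & false_positives) / len(false_positives)
                           if false_positives else 1.0),
        "accuracy": len(hits) / len(unique) if unique else 0.0,
        "comprehensiveness": len(hits) / len(confirmed) if confirmed else 0.0,
        "efficiency": len(unique) / len(records) if records else 0.0,
    }


def composite(score, horizon_hours=24.0):
    """Fold the five axes into one number for ranking.

    Timeliness is clamped to [0, horizon_hours] and scaled to [0, 1], so a feed
    that warns a day or more ahead gets full credit and a late feed gets none.
    The equal weighting is an assumption; tune it to your own threat model.
    """
    lead = score["timeliness"] or 0.0
    lead_score = min(max(lead, 0.0), horizon_hours) / horizon_hours
    return (lead_score + score["responsibility"] + score["accuracy"]
            + score["comprehensiveness"] + score["efficiency"])


def rank_sources(feeds, confirmed):
    """Return (name, metrics, composite) tuples, best source first."""
    scored = [(name, score_source(recs, confirmed)) for name, recs in feeds.items()]
    return sorted(((n, s, composite(s)) for n, s in scored),
                  key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for name, metrics, total in rank_sources(FEEDS, CONFIRMED):
        print(f"{name:12s} composite={total:.2f} {metrics}")
```

Re-run this against a rolling window of confirmed incidents (say, the last quarter) and the per-source numbers become the track record the SBIC authors recommend keeping: a source whose timeliness drifts negative or whose responsibility score stays at zero is one to renegotiate or drop, whatever it costs.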
Destroying the Silo Security Approach
A final consideration: organizations that keep their information security specialists siloed inside their own walls, focused solely on their own networks and systems, may miss many of the threats going on “out there.” That internal viewpoint means the team is never exposed to the ever-changing methods cyber criminals use to weasel their way into networks elsewhere.
Think of an all-internal security team as a person wearing blinders. They may be good at stopping one specific type or range of threats, but that very focus makes it likely they will miss the many other ways crooks are trying to con their way past an organization’s defenses. Get those people in touch with their peers, and make sure they can tap into the relationships, data, and know-how found in other organizations that spend their time looking across the whole spectrum. An external group tied in with organizations around the world, able to monitor evolving threats not only within your organization but also across your extended enterprise partners, takes those blinders off.
Collective intelligence must be a primary piece of an organization’s security arsenal in order to stay one step ahead of the bad guys.
Related Reading: Threat Sharing - A Necessary Defense Strategy