Threat Sharing – A Necessary Defense Strategy

Sharing Threat Data – What’s Worth Sharing and What are the Benefits?

Network defense is a challenging undertaking. In today’s environment where the landscape is so open to global cyber threats, it is difficult for any firm, company, or organization to rely solely on itself to provide protection. But that hasn’t stopped most from trying. Point source security solutions have flooded the marketplace for almost a decade and recent proactive advances in cyber security are still in their infancy. The cost of securing information continues to grow and many organizations are spending upwards of 10% of their overall IT budgets on security. Yet they still are very limited and at the mercy of the technology they implement and the skill set of their security staff.

What’s Driving the Need to Share Threat Data?

From organization to organization, the menu of data sources they collect and security tool sets they implement differ. These variances exist because of the specific mission they are carrying out, the experience and expertise of those weighing in on the procurement process, and/or the environment in which they operate. As a result, there are both strengths and weaknesses to each organization’s security profile and capabilities. And while everyone has security intelligence to offer, no one has the complete picture. Wouldn’t it be nice to leverage each other’s strengths and pool resources since everyone faces similar challenges?

Global cyber threats are more persistent and penetrate deeper as they go unnoticed. The reason for this is two-fold: (1) in some cases there are new and unique attacks that go undetected; and (2) in other cases known threats fly under the radar due to limited awareness. Similar threats and often the same actors impact multiple organizations. In fact the majority of malicious actors or bad IPs are repeat offenders and have already been detected and flagged as such. But like the Terrorist Screening Center’s “No-Fly List”, this data is not effective unless shared with the appropriate agencies and authorities.

Most financial organizations have done a respectable job identifying and documenting IP addresses involved in fraud attempts, identity theft, and phishing schemes. They maintain these lists and oftentimes program the IPs to be blocked by their perimeter security devices. The next step is to share this information so others can benefit from their analysis. The financial industry is certainly a competitive environment; however, they have expressed an interest in banding together to work towards information sharing to secure their business environment. This will allow them to compete on a level playing field where their services and offerings distinguish their brand, rather than allowing the loss of confidence from being the victim of the latest cyber attack to drive their position.

What’s Worth Sharing?

Bits and pieces of attack data and malicious activity exist throughout the Internet. There is NO one data source that serves all. Pooling assets to amass a comprehensive view is a logical way forward. Details characterizing specific threats would serve as the basis for cyber security information sharing. Elements worth collecting and sharing include:

• Threat Type – phish, DNS or BGP hijack, malware, etc

• Threat Source – URL, nameserver, DNS server, hostname, IP address, etc

• Assets Targeted – websites, systems (DNS, mail, etc), infrastructure, etc

• Impact and/or Severity of Threat – scenarios, likely effects, things to look for

• Recovery/Remediation Steps – procedures, patches, call lists, etc

• Prevention Tips – buying/configuration guides, recommendations, etc.

How to Enable Sharing and Notifications/Alerts?

Sharing works best when a broad spectrum of participants is involved in a win-win engagement. Industry partners, Information Sharing and Analysis Centers (ISACs), and the federal government are all major players that have lots to offer. Cross-sector sharing is a concept requiring the complete support and participation of the federal government, the various industry ISACs, and the affected community. In an ideal situation, the government would alert the various sectors, not via email, but through a common web-based sharing platform. Consequently, commercial industry players would provide input to the platform to be shared with industry partners, the federal government, and the community at large. Obviously, to achieve optimal efficiency for ALL involved, this has to be a two-way street!

A cyber situational awareness platform is at the core of threat sharing. To ensure we are not left with the ineffective report and alert systems that exist today, a platform providing context to each notification should be employed: one that accepts and fuses data from global, sector, and private data sources; provides adequate visualization and analysis capabilities; and delivers actionable information in a timely fashion through existing and well-adopted wired and wireless devices. While automation is critical, the human element must also be introduced to develop and deliver course of action information and to evaluate the severity of the attack.
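
The fusion step described above, shown as an added Python example that is not from the article or from any specific sharing platform: reports carrying the elements listed under “What’s Worth Sharing?” are normalized, merged per threat source, and sources corroborated by more than one participant are singled out. The record layout, severity scale, organization names and sample values are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
SEVERITY = {"low": 1, "medium": 2, "high": 3}  # assumed scale, not from the article

@dataclass
class ThreatRecord:
    """One shared report, using the elements the article lists."""
    reporter: str          # contributing organization (hypothetical names below)
    threat_type: str       # e.g. phish, malware
    source: str            # threat source: IP address or hostname
    assets_targeted: list  # e.g. websites, mail, systems
    severity: str          # must be a key of SEVERITY
    remediation: str = ""  # optional recovery/remediation step

def normalize_source(value):
    """Canonicalize an indicator so the same source from two feeds compares equal."""
    value = value.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value  # not an IP address: treat as a hostname

def fuse(records):
    """Merge records per (threat type, source); keep reporters and worst severity."""
    fused = {}
    for r in records:
        if r.severity not in SEVERITY:
            continue  # drop records that fail validation instead of guessing
        key = (r.threat_type.lower(), normalize_source(r.source))
        entry = fused.setdefault(key, {"reporters": set(), "assets": set(),
                                       "severity": r.severity, "remediation": []})
        entry["reporters"].add(r.reporter)
        entry["assets"].update(r.assets_targeted)
        entry["severity"] = max(entry["severity"], r.severity, key=SEVERITY.get)
        if r.remediation and r.remediation not in entry["remediation"]:
            entry["remediation"].append(r.remediation)
    return fused

def corroborated(fused, min_reporters=2):
    """Sources reported independently by several participants: alert candidates."""
    return sorted(k for k, v in fused.items() if len(v["reporters"]) >= min_reporters)

# Constructed sample reports (documentation address range, made-up organizations).
SAMPLE = [
    ThreatRecord("bank-a", "phish", "192.0.2.10", ["websites"], "medium", "block at perimeter"),
    ThreatRecord("bank-b", "Phish", " 192.0.2.10 ", ["mail"], "high"),
    ThreatRecord("isac-feed", "malware", "Bad.Example.", ["systems"], "low"),
    ThreatRecord("bank-a", "malware", "bad.example", ["systems"], "urgent"),
]
```
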

Realizing the Benefit

Response time, data access, coverage, flexibility, participation, and accuracy are the criteria that will determine the success or failure of a solution supporting threat sharing. But if effective, the following benefits may be realized:

• Reduced Incidents

• Reduced Costs – leveraging cross-industry assets, resources, tools, and data

• Extended Awareness

• Community Trust

• Successful Prosecution of Bad Actors

Just as firefighters, police officers, and federal authorities have had to learn to communicate and work better together, so too do cyber first responders in order to provide a safe environment to conduct business over the Internet.
