We're Looking at Information Sharing The Wrong Way

Recently, it seems like I’ve been hearing phrases like: “we need to get better at information sharing”, “we need to share more information”, or “information sharing is critical to success in information security” everywhere I go. These phrases trouble me, and I have a hard time understanding them. Not because I haven’t successfully leveraged information from a variety of sources (and shared in return) in an operational setting – indeed I have. But rather, the way in which we as a security community seem to be approaching the topic of information sharing seems backward to me. Sound like a radical statement? Allow me to elaborate.

As someone who does a fair amount of public speaking, I hear a lot of different viewpoints and perspectives on a wide variety of topics. Sometimes they come in the form of questions or comments from the audience I may be presenting to. Sometimes they come from sidebar discussions and informal chats. And sometimes, they come from other panelists joining me on a panel. One thing I hear quite often is the need to share information, along with the fact that we’re not very good at it as a community.

I have no doubt that sharing information is important, and I don’t take issue with this. Rather, what doesn’t sit right with me is the way in which these statements look at information sharing – as an end, rather than a means to an end. It’s as if some people really believe that the way to improve information security is to “throw more data at the problem”. For example, it’s not uncommon to hear statements like “In order to address the challenges of the day in security, we need to share more information”. But one key question is often left unanswered by this line of thinking: To accomplish what? While I often hear people talk about information sharing, they seldom talk about the “so what” factor. In other words, what end goal are we trying to accomplish through information sharing? If we share information, what will we subsequently do with that information?

I’d like to discuss this angle in the remainder of this piece. What are some end goals to which we can apply information that we send and receive? In many cases, when people are discussing information sharing, they are looking to improve detection, bolster analysis, and speed up response. This requires many things, of which information sharing or access to intelligence is just one.

Let’s look at how information sharing plays a role in each of these high-level goals.

Detection:

Many organizations suffer continually from alert fatigue. The story is a familiar one. Too many false positives and too few true positives conspire to create a signal-to-noise ratio that is far too low to facilitate reliable detection. Because of this, increasing the signal-to-noise ratio and reducing alert fatigue is often a top priority in many security organizations. Information sharing can help greatly in this effort, but only when applied correctly.

What do I mean by this? As discussed in my previous SecurityWeek column, detection works best when fed by good content. And good content comes first and foremost from a solid understanding of the risks the organization is looking to mitigate and of how the behavior that indicates those risks can best be identified. When having a dialogue on information sharing, it’s important to determine what information would be most helpful in positively identifying those behaviors.

For example, let’s imagine that we are gravely concerned about spear phishing attacks against our executives (probably not such a difficult scenario to imagine). In this case, we might choose to focus our information sharing efforts on Indicators of Compromise (IoCs) that identify malicious spear phishing campaigns to aid in improving detection. Our focus helps us identify different sources of information and intelligence that might be helpful, but we still need to understand where to apply that information to produce the detection results we are looking to produce. In other words, the information is a means to an end, but if we don’t know how to apply it once we get it, we will not improve our detection at all.

Analysis:

Information sharing can also assist with the analysis stage of incident response. When investigating a particular behavior, alert, event, or otherwise, understanding attacker behavior, malware characteristics, patterns, Indicators of Compromise (IoCs), and other pieces of information can greatly assist in the decision-making process. In other words, if we are trying to vet, qualify, and evaluate a particular incident or event, additional “puzzle pieces” provided to us via information sharing or intelligence can greatly assist in completing the picture. Once again, that information can only help us if we know how to apply it. Otherwise, it will not do us much good at all.

For example, if we are investigating encrypted traffic heading out over an unencrypted protocol to a strange looking domain name, additional information or intelligence can be quite helpful. But we have to know how to use that data to augment our investigative process and our own telemetry data. Otherwise, we cannot properly leverage it. The information is a means to an end – not an end in and of itself.

Response:

Similarly, information sharing and intelligence can assist in the response stage as well. A well-informed decision-making process that helps us understand the gravity of the situation can help us adjust our level and type of response appropriately. For example, are we dealing with commodity malware that merely requires cleaning and rebuilding a machine, or are we dealing with sophisticated nation-state or organized criminal activity that requires a broad and immediate response involving many different stakeholders? Good information can help us make the right decision and pursue the right level of response, but we still have to know how to apply that information and have a decision-making process within which to apply it.

Information sharing is a noble goal. But it is a means to an end, rather than an end in and of itself. A formal security operations and incident response program, along with the process to support it, provides the framework within which information sharing can be applied. Downloading a bunch of data feeds without understanding how to apply them has never improved the information security posture of any organization.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.