
Your Own Private Cyber ISAC: How To Get Up and Running

The idea of an Information Sharing and Analysis Center (ISAC) for cyber defense by industry is a very good one: member organizations benefit from critical incident reporting. In fact, in hard-hit sectors like financial services, the ISACs have become a necessity for helping businesses, and ultimately their customers, stay safer.

The ISACs are a fairly straightforward operation. In the case of cybersecurity events, they gather cybercrime and threat information from member companies and other sources and disseminate it to the group as a whole, informing and alerting members as conditions warrant. In short, they are essentially a watch desk for things that might affect their members.

But what about incidents that hit a little closer to home? What about cyber events that may be affecting just you and your business specifically, where time and direct relevance are critical factors? How can a business complement a more broadly applicable ISAC membership with even more valuable, personalized information?

It’s simple. Start your own private ISAC. It’s easier, and more important for the long term, than you might think.

For most companies, supply chains and partner networks are a part of doing business. Almost every company needs the goods and services of others to offer its own wares. Payroll processing, claim filing, data storage, payment processing, shipping, software development and customer support are all examples of things often outsourced or subcontracted to other businesses. Supply chains are wide and deep, full of dozens of partners and suppliers even for small businesses. For large companies, they can number in the thousands.

When you think about it, your partners and suppliers are really an extension of your own company. And an extension of your insecurity.

They often have access to your B2B systems, internal portals, networks and even customer data. They’re the ones most likely to lead to a breach, a malware infection or an intrusion you didn't see coming in your “security blind spot,” and they’re increasingly the first target for cyber criminals seeking to gain access upstream to much bigger fish. For example, for the healthcare sector alone in 2014, cyber intelligence data from SurfWatch Labs shows that over 70% of breaches in the sector were actually caused by companies whose businesses are not related to healthcare. Business support services alone were to blame in over 30% of breach incidents. Staggering numbers.

But there is a silver lining. Your suppliers can also be one of your most valuable sources of critical cyber information that’s especially relevant to you and the foundation for a “distant early warning” system.

Here are five key steps to get you started:

1. Get organized - Most enterprise security organizations don’t have a lot of visibility into the makeup of their supply chain. In fact, in many cases the business side of things doesn't do a great job of tracking who’s who among the suppliers and partners, who has access to what, and so on. For starters, inventory and profile the companies in your chain into something as simple as a spreadsheet and keep it updated. Organize them by the industries and sub-industries they're in, as well as other key data points such as:

• Who the security POCs are in each supplier/partner organization

• What functions they provide and what “areas of impact” they touch

• What system accesses/roles/permissions they have for your organization (and what do your people use of theirs?)

• What data of yours they access, store or transmit (and the reverse)

• Any mandatory governance and compliance restrictions (e.g. PCI, HIPAA, etc.)

• Other relevant info as appropriate...

The critical part of this is to ensure that security teams, as well as business operations, have complete visibility into the information and use it diligently as part of regular risk assessment processes.

2. Start simple - Enterprises today tend to equate simplicity with ineffectiveness. But when it comes to leveraging your supply chain for important cyber event information, simple approaches yield big results (and often offer maximum return on low investment). Start by defining the rules of sharing information and why you’re doing it. Document for your suppliers a simple, clear program that asks them to provide you with any cyber-related information on anything they are being affected by, or are seeing, that could affect them or you. Create a simple data entry form in Word or Excel, with text/numeric entry fields like:

• Date/Time

• What happened?

• What was hit?

• How was it carried out?

• Who did it? (if any info is known)

• Any systems or technology involved? (on their end and yours)

• Data involved?

As for delivery, simple emails suffice, either on a regular schedule or as events happen. Ask them to let you know immediately when anything happens that involves something of yours (e.g. a B2B system, a VPN or your customer data). Spell out how they contact you, and whom, when urgency is a factor. Define clearly and simply what it means to be a “high priority” item, to avoid noise and extra work on their part. On your end, define the simple information flows between the business operators coordinating with the suppliers and your security teams. It doesn't have to be complex to be effective. From here, businesses can choose to build on humble beginnings and leverage tools or in-house application development to aid the sharing process.

3. Store, analyze and share - The data you’re collecting about your suppliers and partners, as well as the data they’re sharing with you, can become a treasure trove of useful information over time. Mine it and make it visible in practical ways such as Key Performance Indicators (KPIs), much as you would with data on financial performance. Beyond stopping something bad from happening, this kind of data reveals valuable cyber trends, vital technology information and more. It can help you budget, plan and spend, and, most importantly, begin to develop cyber resiliency by supporting the development of a long-term cyber defense strategy.

The most valuable data for you is what’s most relevant and most available. Too often, security organizations drown in data noise. Clear and straightforward information that means something directly to you, and that can be used immediately by more than just security teams, will ultimately help your organization know what actions to take and which methods are most effective. Again, simple steps with big results.
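As an added example (not code from the article or from SurfWatch Labs), here is a minimal private-ISAC register in Python that ties steps 1 through 3 together: the supplier inventory of step 1 as a small dataclass, a parser for the step 2 report form as it would arrive in a plain-text email, the article's triage rule (anything touching your systems or data is high priority), and a few step 3 rollups by industry. The supplier names, contacts, system names and report emails are all constructed sample data; the field layout and the "Label: value" email format are assumptions, not a format the article prescribes.

```python
# Added example, not from the article: a minimal private-ISAC register in
# Python. Supplier inventory, report emails and field layout are constructed.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Supplier:                # one row of the step 1 inventory
    name: str
    industry: str
    security_poc: str
    our_systems: tuple         # our systems/accounts they can reach
    our_data: tuple            # our data they access, store or transmit


@dataclass(frozen=True)
class Incident:                # one filled-in step 2 report form
    supplier: str
    when: Optional[datetime]
    what: str
    hit: str
    how: str
    who: str
    systems: tuple             # systems involved, theirs and ours
    data: tuple                # data involved


# Constructed inventory of hypothetical suppliers (not real companies).
SUPPLIERS = {s.name: s for s in (
    Supplier("Acme Payroll", "business support services", "sec@acme.example",
             ("hr-portal", "sftp-gateway"), ("employee PII",)),
    Supplier("Bluebird Shipping", "transportation", "it@bluebird.example",
             ("b2b-order-api",), ("customer addresses",)),
)}

# Form label (lower-cased) -> Incident field; list fields are comma-separated.
FIELDS = {"date/time": "when", "what happened?": "what", "what was hit?": "hit",
          "how was it carried out?": "how", "who did it?": "who",
          "any systems or technology involved?": "systems", "data involved?": "data"}
LIST_FIELDS = {"systems", "data"}


def parse_report(supplier: str, body: str) -> Incident:
    # Parse a plain-text 'Label: value' email. Unknown labels are ignored and
    # missing fields get defaults, so a partial report is recorded, not bounced.
    vals = {}
    for line in body.splitlines():
        label, sep, value = line.partition(":")
        key = FIELDS.get(label.strip().lower())
        if sep and key:
            value = value.strip()
            vals[key] = (tuple(v.strip() for v in value.split(",") if v.strip())
                         if key in LIST_FIELDS else value)
    when = vals.get("when")
    return Incident(supplier, datetime.fromisoformat(when) if when else None,
                    vals.get("what", ""), vals.get("hit", ""), vals.get("how", ""),
                    vals.get("who") or "unknown",
                    vals.get("systems", ()), vals.get("data", ()))


def priority(inc: Incident, inventory=SUPPLIERS) -> str:
    # Article's rule: anything touching our systems or our data is high
    # priority. A supplier missing from the inventory is a step 1 gap.
    sup = inventory.get(inc.supplier)
    if sup is None:
        return "unknown-supplier"
    touches_us = (set(inc.systems) & set(sup.our_systems)
                  or set(inc.data) & set(sup.our_data))
    return "high" if touches_us else "normal"


def kpis(incidents, inventory=SUPPLIERS) -> dict:
    # Step 3 rollups: the counts you would chart next to financial KPIs.
    prios = [priority(i, inventory) for i in incidents]
    high = prios.count("high")
    return {
        "total": len(incidents),
        "high_priority": high,
        "unregistered_supplier": prios.count("unknown-supplier"),
        "share_touching_us": round(high / len(incidents), 2) if incidents else 0.0,
        "by_industry": dict(Counter(inventory[i.supplier].industry
                                    for i in incidents if i.supplier in inventory)),
    }


# Constructed sample emails (supplier, body) filled in on the step 2 form.
REPORTS = [
    ("Acme Payroll", """Date/Time: 2014-11-03T14:20
What happened?: An employee entered credentials on a phishing page
What was hit?: One mailbox and the account used for your SFTP drop
How was it carried out?: Phishing email linking to a fake webmail login
Any systems or technology involved?: acme-mailbox, sftp-gateway
Data involved?: employee PII"""),
    ("Bluebird Shipping", """Date/Time: 2014-11-10T09:05
What happened?: Ransomware on a warehouse workstation
How was it carried out?: Malicious email attachment
Any systems or technology involved?: warehouse-pc-07
Data involved?: none"""),
    ("Unlisted Cleaning Co", """What happened?: Lost a USB stick with badge records
Data involved?: badge numbers"""),
]

if __name__ == "__main__":
    incidents = [parse_report(s, b) for s, b in REPORTS]
    for inc in incidents:
        print(f"{priority(inc):>16}  {inc.supplier}: {inc.what}")
    print(kpis(incidents))
```

Two design points worth noting. The parser deliberately tolerates partial reports (no "Who did it?" line becomes "unknown"), because a supplier who has to fill in every box before sending will send nothing; the inventory, not the form, is what decides priority. And a report from a supplier that is not in the inventory is surfaced as its own KPI rather than dropped, since it is direct evidence that step 1 is incomplete.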

4. Make it official - More and more, certain industries such as healthcare, defense and financial services are starting to require, as a matter of contract, that their suppliers and partners take real measures to increase awareness of cybersecurity and take real steps toward protecting data, vital systems and more. For many in banking and defense contracting, accountability and expectations are woven into the language of subcontracts. In order to become a supplier or partner to one of these businesses, companies must meet legal terms, in black and white, on how they’ll protect data and system accesses. Suppliers that violate these terms risk litigation or dismissal.

Once your private ISAC is up and running, consider making participation a requirement to remain in good standing as a partner or supplier. This may seem drastic, but, in the end, it helps everyone involved and states clearly how much cyber defense matters to your organization, thus spreading the “culture of care” beyond your walls.

5. Grow your network - As you begin to reap the rewards of information sharing and collaboration, expand your network. Consider your own organization’s subsidiaries, satellite or branch offices, internal departments and more. Increasingly, every part of an organization is on the “front lines” of the cyber war. Some businesses are extending their networks to their employees and even their customers, providing them incentives to report things they’re seeing that may be indicators of cybercrime activity.

Consider appointing cyber “neighborhood watch” POCs throughout your business departments: software development, finance, business development and the sales organization, just to name a few. Some companies are even offering bonuses or small amounts of extra pay as they deputize key personnel into the cyber battle. It may sound silly until you consider just how many big-time breaches in 2014 alone were caused by things like phishing and social media exploits.

Of course, there are more ways to set things up and many variations on how you can form and structure your own private ISAC. However you do it, the key is to get started. Today, many tactical cyber defenses are becoming little more than Maginot Line-like defenses as cybercriminals roll all too easily through walls we built that lull us all into a false sense of security. Simple, practical and strategic solutions often cost considerably less, keep our security operations actively engaged and informed and result in quicker, more focused action directed against specific threats and risks.


Jason Polancich is founder and Chief Architect at SurfWatch Labs. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems. Prior to founding SurfWatch Labs, Mr. Polancich co-founded Novii Design, which was sold to Six3 Systems in 2010. In addition to completing numerous professional engineering and certification programs through the National Cryptologic School, Polancich is a graduate of the University of Alabama, with degrees in English, Political Science and Russian. He is a distinguished graduate of the Defense Language Institute (Arabic) and has completed foreign study programs through Boston University in St. Petersburg, Russia.