
Management & Strategy

Enhancing Security Through Information Sharing

Internal opportunities for information sharing might seem obvious, but are easily overlooked.


Information sharing is essential if we want to get ahead of the escalating cyberthreats today’s organizations are facing. We are just beginning to learn that we can no longer afford to build network security solutions based on isolated devices that cannot share threat intelligence or coordinate a response. As networks become more complex and distributed, the ability to consistently secure a workload as it moves across the network from an endpoint device to the cloud is more critical than ever.

The same is true for sharing critical information between related organizations. While there is understandably a natural resistance to sharing sensitive security-related information with another organization, the interconnectedness of our infrastructures and the critical role they play in both our public and private lives make this issue too important to ignore or delay. Of course, the problem is as much in the how as in the why.

Threat Information Sharing

Until recently, attempts to exchange information between disparate entities have been complicated by the ad-hoc methods being used. Fortunately, a number of reasonably well-defined methods for exchanging information have finally been established. These include STIX (Structured Threat Information eXpression), TAXII (Trusted Automated eXchange of Indicator Information), and more recently, CybOX (a standardized language for representing cyber observables). As more feeds begin to support these standards, the effort required for an organization to consume multiple feeds will be reduced.

Eventually all of this starts looking like a big data analytics problem, given the massive variability inherent in the data. Even IP addresses are only meaningful for ever shorter periods of time. Technologies like de-duplication and data correlation need to be incorporated into the overall solution to keep the volume of data down to a reasonable amount. Additionally, making data more easily consumable will require new data visualization techniques.

This data volume challenge is being further complicated by the recent increase in the number of platforms being targeted. Smart devices are everywhere, and are powerful, well connected, and frequently under-protected. Even if you are relatively competent at tracking attacks against one or two platforms or operating systems, it is becoming increasingly unlikely that you can track everything that is accessing your network – particularly as the IoT invasion into corporate networks starts to escalate.

One of the most efficient ways to reduce the number of feeds you need to consume is to discover what feeds your security partners and vendors provide. While there will most likely be a charge, if they already consolidate a lot of feeds into a single stream then much of the complicated work has already been completed, thereby actually reducing your implementation costs. And you will have moved the cost for this from a resource-based expense to one that is purely an operating expense.

There are also a few public domain open-source feed consolidations, like hailataxii, that are a starting point towards consolidating feeds and a good way to get an understanding of the complexity involved.


Consuming the data provided by these feeds becomes significantly more complicated as the number of feeds increases. And once you have the data, the bigger challenge is how to take that data and make informed and actionable decisions. Simply making this data another thing to monitor doesn’t provide a lot of value, other than perhaps being able to say you consume external threat information.

While consuming, consolidating, and correlating information provides obvious benefits, always keep in mind how you and your organization can also contribute back to these information feeds. There are tangible benefits to your organization for doing so – particularly with the evolution from broad-based attacks focused on specific platforms to highly complicated, multi-vector targeted attacks. So the wider the scope of visibility (i.e. by sharing threat information) the more able we will be to detect and mitigate these attacks.

A number of information sharing groups have been created, known as ISACs, to assist in this process. There are almost as many as there are industries: financial services (FS-ISAC), power generation (E-ISAC), oil and gas (ONG-ISAC), health (NH-ISAC), industrial control systems (ICS-ISAC), and even information technology (IT-ISAC).

Assuming you choose to share, consider sharing more than just the malicious payload. The most useful information also includes the behavior and activities observed, suspect connection attempts to Command and Control (C2C) servers, etc.

Once you decide to collect and consume threat information, how do you prioritize your efforts?

• Evaluate logging and analytics platforms to see if you can incorporate their data with that from external sources. You need to find out if your current system provides actionable information, or if a lot of manual intervention is required.

• Start slow in order to understand the scale of the problem. Focus on consuming data from organizations that already consolidate data from multiple sources.

• Consume feeds from organizations that actually perform their own threat research, particularly in the area of zero day attacks and threats against emerging platforms like IoT.

• Join an applicable ISAC or similar threat information sharing community. You should be able to leverage this community experience back into managing your own operations.

• Consider how you will contribute back to the larger community, and what data you are willing to contribute.
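The de-duplication, expiry and correlation work described in the "big data analytics" paragraph above, and the first checklist item about folding external feeds into your own logging data, as an added example that is not part of the original article. It assumes feeds arrive as STIX 2.1 JSON bundles (the article does not name a version), uses constructed bundle ids, indicators and log lines, and handles only simple single-comparison STIX patterns.

```python
import json
import re
from datetime import datetime, timezone
# Constructed sample: two STIX 2.1 bundles standing in for two feeds. Feed B
# repeats one of feed A's indicators and carries one that has already expired.
FEED_A = {"type": "bundle", "id": "bundle--feed-a", "objects": [
    {"type": "indicator", "id": "indicator--a1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.5']", "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--a2", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example.net']", "valid_from": "2024-01-01T00:00:00Z"}]}
FEED_B = {"type": "bundle", "id": "bundle--feed-b", "objects": [
    {"type": "indicator", "id": "indicator--b1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.5']", "valid_from": "2024-01-02T00:00:00Z"},
    {"type": "indicator", "id": "indicator--b2", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.9']", "valid_from": "2023-01-01T00:00:00Z",
     "valid_until": "2023-06-01T00:00:00Z"}]}
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
PATTERN_RE = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")  # simple patterns only

def load_indicators(feeds, now=NOW):
    """Parse bundles (JSON text or dict), drop expired indicators, de-duplicate on (type, value)."""
    seen = {}  # (observable type, value) -> set of feed ids that reported it
    for feed in feeds:
        bundle = json.loads(feed) if isinstance(feed, str) else feed
        for obj in bundle.get("objects", []):
            if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
                continue
            until = obj.get("valid_until")
            if until and datetime.fromisoformat(until.replace("Z", "+00:00")) < now:
                continue  # stale indicator: keep it out of the match set
            m = PATTERN_RE.match(obj["pattern"])
            if m:
                seen.setdefault((m.group(1), m.group(2)), set()).add(bundle["id"])
    return seen

# Constructed internal proxy/DNS log lines in key=value form.
LOGS = ["2024-03-01T10:00:01Z src=10.0.0.12 dst=203.0.113.5 dport=443 action=allow",
        "2024-03-01T10:00:02Z src=10.0.0.13 dst=93.184.216.34 dport=80 action=allow",
        "2024-03-01T10:00:03Z src=10.0.0.14 query=c2.example.net type=A",
        "2024-03-01T10:00:04Z src=10.0.0.15 dst=198.51.100.9 dport=22 action=allow"]

def correlate(logs, indicators):
    """Return (log line, indicator key, sorted feed ids) for every log line that matches."""
    hits = []
    for line in logs:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        for key in (("ipv4-addr", fields.get("dst")), ("domain-name", fields.get("query"))):
            if key in indicators:
                hits.append((line, key, sorted(indicators[key])))
    return hits
```

Recording which feeds reported each indicator is what lets you judge a feed's overlap with the others before paying for it; the expired entry for 198.51.100.9 never reaches the match set, so the fourth log line produces no hit.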
