Security Experts:

Industry Sharing Feeds, A Step in the Right Direction but Not Enough

Flintstones Chewable Vitamins were among the first multivitamins for kids, and when I was growing up they were all the rage. Today, many adults continue the practice of taking a multivitamin. To get a dietary supplement more tailored to our needs we can choose a formula designed for women or men, for people over 50, or for bone, eye, heart health, etc. This approach gets us part of the way to reaching our goals, but it isn’t tailored to exactly what we need. So, a new breed of vitamin is emerging that is personalized according to body chemistry and lifestyle. Combining data from your health history, nutrient testing, your fitness apps, DNA and more, the objective is to ensure you’re taking a supplement that makes sense for you and helps you reach your goals. This move towards personalization is happening in many aspects of our lives. And when it comes to what is best for you from a security standpoint, the more personalized, the better also holds true.  

Security professionals are slowly getting there; however, many of the conversations I’ve had recently are about industry sharing groups instead of focusing on what my specific organization needs. The first Information Sharing and Analysis Centers (ISACs) came on the scene about 20 years ago with the intent of helping organizations protect their infrastructure, employees and customers from cyberthreats targeting their specific industry. There are dozens of ISACs today including financial services, retail, energy, supply chain, you name it. If you can think of an industry there’s probably a corresponding ISAC.

Much like that multivitamin formulated for the subgroup with which you identify, these industry sharing groups can get you further down the path to better protection. But the problem is that there’s a growing belief that if you join an ISAC and sign up for a feed you’ll have all the information you need to protect yourself. Instead, these feeds only get you part of the way there. Industry sharing groups often have lots of members and rely on automation to share threat information. They typically push out thousands of indicators every week that are technical and tactical, like IP addresses and domain names. Unless that information is curated before it is shared, you won’t be able to understand the who, what, where, when, why and how of an attack. The truth is, the quality of information shared often isn’t of the caliber intended.

Even when your industry sharing feed is curated, you are still only part of the way to getting threat intelligence that is high priority and relevant to your specific organization. You also need:

Internal threat and event data. Contextualized, industry-specific threat intelligence is extremely valuable. But you need to augment and enrich it with internal threat and event data that is typically spread across your organization and housed within various systems and tools. Sources like security information and event management (SIEM) systems, log management repositories and case management systems contain events and associated indicators from inside your environment that, when correlated with industry sharing group data and other global threat feeds you subscribe to, allow you to hone in on what is relevant to your environment.

Data based on your ecosystem. You must also consider threat data based on your supply chain and other third parties within your ecosystem. Mentions of their names, brands, or sectors may alert you to adversaries and campaigns that may be actively targeting them and then, in turn, can potentially infiltrate your organization.

An understanding of your own risk profile. The level of risk each organization is willing to assume also varies. What is high priority for you, may not be for someone else. Assigning risk scores to threat feeds based on parameters you set helps to filter out the noise. Based on your risk profile, you can act quickly upon the most relevant threats facing your organization to reduce risk now and in the future.

User education. We all know that employees are the weakest security link. Educating users to recognize and avoid unsafe practices, such as clicking on malicious links or unwittingly sharing valuable information in unprotected ways over the Internet, and ensuring they understand how to report something suspicious can go a long way to mitigate risk. 

Finally, we must update each of these inputs to our threat intelligence program on an ongoing basis. Recalculating and reevaluating priorities based on a continuous flow of new data, learnings and your risk profile, helps to ensure you’re staying focused on what matters in a highly dynamic environment. 

A multivitamin will get you part of the way to reaching your health goals, but there’s a lot to consider when you start to think about a dietary supplement that’s specifically designed for you. The same is true of threat intelligence. It’s nice to think that industry sharing groups can provide all the intelligence we need to protect our organization, but they are not tailored specifically for your needs and should be viewed as one of several necessary inputs into your threat operations program. They were never designed to, and simply can’t, reflect the many important nuances that make each organization different and that must be considered as we develop a robust threat operations program to address our unique requirements.

view counter
Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.