Security Experts:

Microsoft Releases Threat Information Sharing Framework

Threat information-sharing is a phrase that gets thrown often, but there isn't much agreement on how organizations should be working together or the methods they should be using. This week, Microsoft chimed in on the subject with a 25-page framework offering guidance on effective information sharing and the types of data that needs to be shared.

For the most part, industry and government agree that information sharing is a good idea. The right information exchanged or shared at the right time can enable security professionals and decision makers to reduce risks, deflect attacks, mitigate exploits and enhance resiliency, Paul Nicholas, senior director of Trustworthy Computing at Microsoft, wrote on the Cyber Trust blog this week. "In this case, forewarned really can mean forearmed."

Some forms of information sharing already exist—the ISACs for various industries, including financial services, retail, and industrial control systems are just a few examples. Industry consortiums and groups have launched several sharing platforms, such as the one from MITRE. But some organizations remain wary about information-sharing for a myriad of reasons, including competitive concerns, liability worries, and reputation damage. Despite years of talking about it, there are still roadblocks to effective, widespread information sharing.

"We believe that understanding how to incentivize information sharing and how to better harness the practice for risk reduction can help move policy and strategy debates forward and support better defence of cyber assets and infrastructure," Nicholas said.

Microsoft defined in the framework document all the parties which need to be involved in an information sharing exchange as well as the necessary types of information which should be included. Exchanges should include governments, private critical infrastructure firms, enterprises, information technology, security companies and security researchers. The framework also provides guidance on how to design methods, mechanisms, and models for these sharing exchanges. Sharing should focus on actionable threat as well as vulnerability and mitigation information, Microsoft said.

 

According to the framework, information sharing exchanges should discuss successful attacks, including what was stolen, the techniques used, intent, and impact, as well as potential future threats, exploitable vulnerabilities, and ways of mitigating bugs before patches are available. Organizations should exchange best practices, executive-level situational awareness, and strategic analysis of threats they face. Receiving organizations should use the information to its full potential to improve their security, Microsoft said.

“High-quality strategic information can help to project where the next classes of cyber-threats may come from and to identify the incentives that could motivate future attackers, along with the technologies they may target,” Microsoft said.

 

It's also important to remember that information sharing is not going to always be between humans as information can be automatically passed between machines. “It is believed that such systems enable actors not only to identify information important to them more quickly, but also to automate mitigations to threats as they occur,” Nicholas wrote.

Organizations need to think about built-in privacy protections and well-established governance processes as part of a comprehensive information sharing and collaboration strategy, Microsoft said. Exchanges can also be formal—with contracts and non-disclosure agreements specifying what to share and for how long—or informal—which are generally ad hoc efforts arising from a specific event, the company noted in the document. Trust is a key issue here. Formal exchanges will likely have members having similar levels of security clearance while informal ones will likely depend on inter-personal relationships.

Forming voluntary relationships with other organizations make it easier to enable trust-based information sharing. Mandatory information sharing doesn't have that sense of trust, making it of limited use. Mandatory sharing models can result in companies just reporting threat-related information just to comply with the rules but not ensuring the information is presented in a way that is useful to others.

While laws can compel organizations to report incidents, "they do not increase trust or collaboration nor do they reduce risks,” Microsoft said. Even so, Microsoft supports recent efforts to include information sharing in cybersecurity legislation.

Congress is picking up cyberlegislation again in the new session after a flurry of proposals from the White House last week.  United States Senate  Committee on Homeland Security & Governmental Affairs held a hearing on Wednesday to discuss  cybersecurity information sharing with liability protection and a national data breach notification policy. During the hearing, Richard Bejtlich, chief security strategist at FireEye described three types of information sharing: government to private sector; within the private sector; and private sector to the government. "All three face challenges," Bejtlich said.

In the government to private sharing scenario, officials should grant clearances to private security teams not working on government contracts, Bejtlich suggested. The reports should also include digital appendices that list threat data in machine-readable form. Private information sharing should occur within information sharing groups so that peer companies can compare notes, he said. The private-to-government scenario needs to think about liability protection because companies are worried about regulatory penalties if they voluntarily report incidents.

In 2014, financial services organizations received 5,000 FS-ISAC cybersecurity alerts providing information of a variety of threats, attacks and other information, and approximately 100,000 technical indicators such as malicious IP addresses, websites, and malware components, Marc D. Gordon, executive vice-president and CIO of American Express, said at the hearing. More can be done. "Meaningful legislation would greatly expand the quality and volume of cyber information sharing," Gordon said and reduce the differences in security levels within and across industries. "More information could be shared within and between industries," Gordon said.

"Effective information sharing is not an easy undertaking," Microsoft's Nicholas said. "It requires clear definitions and objectives rather than solely words of encouragement, or mandatory requirements."

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.