Cybersecurity is a form of asymmetric warfare. The attackers need only succeed once; the defenders must succeed constantly. The attackers share weapons and methods continuously; the defenders are often isolated silos of private knowledge that comes only from the attacks against themselves. Threat intelligence sharing between the defenders is a primary method of reducing the attackers’ inherent asymmetric advantage.
But intelligence sharing is difficult, comprising both human and technology problems. The human element is largely around ‘trust’ — with whom can you share potentially sensitive commercial information. The technology problem involves constraining the shared data to intended recipients and ensuring there is no breach of data protection regulations.
These problems have been successfully tackled by seven Fortune 500 companies in Columbus, Ohio. They came together in 2014 to form and capitalize the Columbus Collaboratory — an Information Sharing and Analysis Organization (ISAO). As a private and voluntary ISAO, they solved the ‘human’ problem. Last week they adopted the TruSTAR intelligence sharing platform to solve the technology problem.
The Collaboratory comprises seven major non-competitive firms in several separate sectors: Nationwide Insurance, Cardinal Health, L Brands (which includes Victoria’s Secret, and Bath & Body Works), Huntington Bank, OhioHealth, American Electric Power, and Battelle. It was formed with a $28 million commitment from the members, and a $5 million Ohio Third Frontier Grant.
The non-competitive nature is important. “Columbus lends itself to such an approach,” Jeff Schmidt, VP and chief cyber security innovator, told SecurityWeek. “It’s an important commercial center, but is not dominated by any one vertical.” This allows the members to come together with no fear of disclosing sensitive data to competitors. While Schmidt sees the group potentially growing with new members, he doesn’t believe the non-competitive element will ever change.
One of the first things Schmidt did when he joined the organization in October 2016 was to bring the liaison officers from the different companies together. “Nothing encourages trust more than face-to-face meetings,” he said — drawing perhaps from his earlier experience as Director at the InfraGard National Members Alliance.
The Collaboratory offers its members three primary services: cybersecurity, advanced analytics and talent solutions. “By sharing threat intelligence,” he said, “we can break out of the silo model, pool ideas and resources, and better protect against cybersecurity threats.” But, he added, “One of the nice features is that being completely private, there is no mandatory reporting from the Collaboratory to any outside agency, such as the FBI. In that way, it is different than other government-sponsored information sharing platforms.”
These other platforms include ISACs (created by the DHS) and InfraGard (created by the FBI). “We’ve seen what works and what doesn’t work,” he said. “A lot of the inhibitors to effective information sharing are legal and philosophical — if I share this information, is the FBI or the NSA going to get it? Removing that variable is a net help.” The individual members, many designated as part of the national critical infrastructure, may have their own vertical reporting responsibilities — but the Collaboratory itself has none.
The final piece of the puzzle came into place last week with the adoption of the TruSTAR information exchange platform. “There is a common desire in business to share intelligence,” commented Paul Kurtz, former cybersecurity advisor to the White House and now co-founder and CEO of TruSTAR, “but those legal and philosophical inhibitors have made it difficult.”
The TruSTAR platform provides a walled enclave where data can be shared with just the Collaboratory members. Data can be redacted before sharing — indeed, TruSTAR will automatically detect any likely PII with a point, click and redact facility to prevent its sharing — and anonymized to prevent attribution. Only data specifically allowed for wider sharing can leave the enclave to be shared among the wider TruSTAR community. In this way, it maximizes sharing both between the members and with the wider community, while protecting any data that should not be shared. This is further enhanced with TruSTAR’s selective version capability.
“If members wish to share a redacted document within the Collaboratory, and a more redacted version with the wider TruSTAR community,” added Schmidt, “then TruSTAR can accommodate selective version sharing.”
For the most part, the shared information will be indicators of compromise, behaviors, patterns, attackers’ infrastructures and not PII. If any PII slips in it can be redacted. In this way, Schmidt believes that the members can stay on the right side of data protection regulations, including GDPR when it arrives next year. If anything, the structure imposed upon shared data is likely to make breach notification simpler and more efficient, making it easier for members to comply with GDPR’s 72-hour notification requirement.
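The two-tier redaction described above can be sketched as follows. This is an added illustration, not TruSTAR's code or API: simple regex rules stand in for the platform's PII detection, and the rule sets, function names, hostname scheme and sample report are all assumptions.

```python
import re

# Constructed sample report; every address, host and indicator is made up.
REPORT = (
    "Reported by jane.roe@member-a.example (614-555-0134): host FIN-WS-042 "
    "at 10.20.30.40 beaconed to 203.0.113.77 and update.badcdn.example; "
    "dropped file sha256 " + "ab" * 32 + "."
)

# Tier 1: personal data, removed before anything enters the member enclave.
PII_RULES = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"\b\d{3}-\d{3}-\d{4}\b")),
]

# Tier 2: details that would attribute the report to one member, removed
# only from the version released to the wider community.
ATTRIBUTION_RULES = [
    ("INTERNAL_IP", re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
    # Assumed internal workstation naming scheme, e.g. FIN-WS-042.
    ("INTERNAL_HOST", re.compile(r"\b[A-Z]{2,5}-WS-\d+\b")),
]


def redact(text, rules):
    """Replace every match of each rule with a [LABEL] placeholder."""
    for label, pattern in rules:
        text = pattern.sub(f"[{label}]", text)
    return text


def residual(text, rules):
    """Labels of rules that still match; a release gate expects []."""
    return [label for label, pattern in rules if pattern.search(text)]


def share_versions(report):
    """Build the enclave version and the more heavily redacted community one."""
    enclave = redact(report, PII_RULES)
    community = redact(enclave, ATTRIBUTION_RULES)
    return {"enclave": enclave, "community": community}


if __name__ == "__main__":
    for audience, text in share_versions(REPORT).items():
        print(f"{audience}: {text}")
```

The external address, domain and hash survive both tiers, so the indicators of compromise stay usable while the reporter and the reporting member do not appear in the community version.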
It’s early days for the Columbus Collaboratory; but does the theory work in practice? “Yes,” said Kurtz. “One example was a firm that thought it had a staff problem only to find that other companies were having the same problem. It wasn’t staff, it was subtle indications of an intruder that only became apparent through intelligence sharing.”
The Columbus Collaboratory, aided in this instance by the TruSTAR sharing platform, is unique. But it is an example to other regions where different companies can come together and share their threat intelligence, safely, securely, compliant with data protection regulations, and with no three-letter agency inhibitions.