Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Stronger Together: How Sharing Orchestration Models Makes for Better Cyber Defense

Security collaboration has, and still is, generating significant attention: How can we join forces and use crowd intelligence to employ better security defense strategies against growing cyber-attack threats?

Security collaboration has, and still is, generating significant attention: How can we join forces and use crowd intelligence to employ better security defense strategies against growing cyber-attack threats?

From virus databases through reputation sources and others – many security collaboration projects are receiving support and backing from both commercial and governmental entities. Here’s a partial list, and I apologize in advance for omitting other initiatives and projects. 

Application and OS vulnerabilities, such as CVE, “the ultimate security vulnerability datasource.”

Open attack pattern databases such as Snort, which includes patterns of attack intrusion, i.e., network patterns of exploitation attempts. Snort also includes an open regex language to represents attack patterns.  

Open malware databases, such as Virus total, which enable searching and sharing malware samples to facilitate the detection of viruses, Trojans and other types of malware.  

Malware research data, such as Yara – a tool aimed at helping malware researchers to identify and classify malware types. This is similar to the snort tool and language, but with a focus on malware classification rather than on intrusion network patterns (traffic patterns).

Reputation sources – open information about bad reputation sites (URLs, domain and IP addresses) that are associated with malware infection, phishing campaigns and C&C activities. Some examples include OTX, Virus Total, and Zeus Tracker.

STIX/TAXII – An initiative or more recent years for describing and classifying cyber-attack campaigns in a standardized manner and share data about techniques used in a campaign (i.e., with a wider context) rather than individual attack vectors.

Is Sharing and Classifying Attack Data Good Enough?

What do the majority of collaboration projects have in common? Almost all are focused on attack-side information – classification and sharing of vulnerabilities and attack techniques, or identifying single vector attacks such as an individual malware or specific intrusion pattern.

STIX/TAXII takes a more relevant (up to date) approach since it focuses on advanced attack campaigns, which are the most difficult challenge that large organization are facing today.

Advanced attack campaigns include multiple attack phases (kill-chains) and exploit multiple vulnerabilities including exploitation of human weaknesses in order for the attack to succeed. They are typically prolonged and adapt to the defenses they encounter – so in that sense, the STIX structured language is able to characterize the course of attack behavior.

However, what’s still missing is how to share security solutions (rather than the analysis of attacks) – or shared methods to detect, investigate and mitigate advanced attacks. Put differently, a shared security orchestration model. While STIX/TAXII analyzes and classifies attack campaigns, it does not teach the best way to defend against them.

Sharing Security Orchestration Models

Protecting against advanced attack campaigns involves multiple security technologies such as network security (network IDS and IPS, Anti-malware (e.g., sandbox), Network and user behavior analysis, DLP, WAF, Mail security, Firewalls), endpoint security (client firewalls, AV, anti-malware), threat intelligence (URL and IP reputation, malware databases), and others. All security solutions must work in synch to be effective.

Each of the security technologies must be provisioned with the right policy in order to ensure it complements the neighboring solution, and must also be activated in the right sequence.  So essentially what’s needed is the ability to share a security orchestration model(s) that can manage the above tasks.

Diagram of shared security orchestration model

This immediately raises several issues, the first of which is that collaboration or sharing of orchestration models doesn’t really exist yet.

Next, to be shared, an orchestration model must be vendor agnostic. Organizations deploy different security tools from a wide range of vendors – so that an orchestration model should work transparently without any change, each time using different security products.  It should essentially be able to “translate” the same model into a language understood by security tools from different vendors as well as analyze and correlate the logs of vendor-specific functions.  A few early bird companies are addressing this issue in different ways and should be under the radar of any large network organization.

Attackers share their ideas including attack tools, attack techniques etc. and thus can innovate rapidly. Similarly, defenders should be able to accelerate the pace of innovation of security solutions – and have the ability to share security orchestration models.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...