Just as the bad guys can use the distributed power of millions of compromised computers within their botnets, the good guys can use collective intelligence to prevent, detect and respond to those attacks.
Sharing security information -- such as a recently discovered malicious IP address, a new malware variant or a never-before-seen attack vector -- outside of one's organization can often be taboo. The lack of sharing is often blamed for failures that might have been avoided ("if we had only known about that attack method or that domain, we could have blocked it"), yet the perceived issues of engaging in such activities still carry a stigma of unacceptable risk. One area where this topic has gained a lot of visibility is the communication between federal, state and local governments since 9/11.
Following 9/11, many state and local government agencies were critical of the volume, velocity and variety of information being shared with them by the federal government. Even federal agencies cited problems that prevented agile communication between disparate federal agencies. While well known, these problems are not specific to the public sector. Issues surrounding the sharing of information in the private sector are highly debated amongst security executives.
Academically it just makes good sense to share, right? You've got some information and I've got some information, so we all share it and we're all more secure because of it. The devil is in the details.
- What do we share?
- How do we share?
- When do we share?
- With whom do we share?
- What are the risks?
- What are the rewards?
- How are we assured that we're not sharing with the bad guys?
I spend a great deal of time with government organizations and Fortune 500s. Amongst these groups there are very few ideas about information sharing on which they all agree. This results in fragmented approaches that aren't able to take advantage of a global network effect.
I was recently meeting with a telecommunications company that told me they wanted to share information about security discoveries with their telecom industry peers. They even went so far as to put together monthly meetings. According to them, while some organizations opted in, most opted out. For those that joined there was a surge of activity in the first couple of meetings, followed by abrupt and sustained apathy. Some companies felt they showed up with their "A players" ready to share the latest and greatest attacks and mitigation strategies while the others simply consumed and "brought nothing to the table."
There are industry groups that have had success. Certain financial services industry groups have been very successful in identifying and sharing malicious account information and related details around fraud. There are also public/private sector organizations such as the FBI's InfraGard that offer membership in hopes of increasing awareness through sharing information and learning how to leverage the federal government when they need help. While getting together monthly or quarterly for a lunch-and-learn holds value, it's not even close to where we need to be to mitigate today's threats.
Based on what is being shared and how anonymous I can remain, I'm a big believer in selecting "yes" when given the option to share security information from my solutions back into the cloud for the greater good. My hope is that others are doing the same and we are helping the defense outrun the offense through shared intelligence. To do this requires a level of trust with the vendor and an understanding of what is being pushed into the cloud, how it is being used, who has access, etc.
For me it's not much more technical work than a checkbox to get the sharing started. I may need to configure my systems to take advantage of services offered through the cloud, on premise or a hybrid approach depending on the solution and the vendor.
When there is time and I feel like it, I still might attend regional chapter meetings for security groups and industry consortiums but these are quickly becoming networking events. By the time I might hear about something during a dinner it is likely a month too late at best. I need to know now. I need to get automated updates and I need my security solutions to take advantage of the threat intelligence gleaned through my information sharing service ASAP. For example, I need to know these things when I access content:
- The IP address serving a web page is part of a botnet
- The URL is known to be malicious
- The email content is known to be tied to phishing
- The file is malware, or its hash is close enough to known malware to be suspicious
- The domain was registered within the last 24 hours
- The item is coming from a country I typically don't do business with
These are just a few of the intelligence items I need my security solutions enriched with so they can operate more efficiently and effectively.
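To make that enrichment concrete, here is an added example (not from the article or any vendor product) of a small Python function that tags an access event with the reasons in the list above, using a constructed threat-intelligence feed; the feed values, the `Event` class, the `enrich` function and the trusted-country list are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse
# Constructed stand-in for a shared threat-intelligence feed; every value is made
# up for this example (RFC 5737 test addresses, reserved .example domains).
FEED = {
    "botnet_ips": {"203.0.113.7"},
    "malicious_urls": {"http://bad.example/login"},
    "phishing_subjects": {"verify your account now"},
    "malware_sha256": {"0" * 64},
    "domain_first_seen": {"fresh.example": "2024-01-01T00:00:00+00:00"},  # ISO 8601
}
TRUSTED_COUNTRIES = {"US", "CA", "GB"}  # where this hypothetical org does business

@dataclass
class Event:              # one access event as a proxy or mail gateway might log it
    url: str
    ip: str
    country: str
    sha256: str = ""
    email_subject: str = ""

def enrich(event, now, feed=FEED, trusted=TRUSTED_COUNTRIES):
    """Return the intel reasons that apply to one event (now: ISO 8601 string)."""
    now_dt = datetime.fromisoformat(now)
    host = (urlparse(event.url).hostname or "").lower()
    reasons = []
    if event.ip in feed["botnet_ips"]:
        reasons.append("ip_in_botnet")
    if event.url in feed["malicious_urls"]:
        reasons.append("url_known_malicious")
    if event.email_subject.strip().lower() in feed["phishing_subjects"]:
        reasons.append("email_phishing_content")
    # Exact hash match only; "close enough" needs a fuzzy hash such as ssdeep.
    if event.sha256.lower() in feed["malware_sha256"]:
        reasons.append("file_known_malware")
    first_seen = feed["domain_first_seen"].get(host)
    if first_seen and now_dt - datetime.fromisoformat(first_seen) < timedelta(hours=24):
        reasons.append("domain_registered_lt_24h")
    if event.country.upper() not in trusted:
        reasons.append("unusual_country")
    return reasons

def sample_verdicts(now="2024-01-01T12:00:00+00:00"):  # two constructed events
    events = [
        Event("http://bad.example/login", "203.0.113.7", "ZZ"),
        Event("http://fresh.example/", "198.51.100.9", "US", sha256="0" * 64),
    ]
    return {e.url: enrich(e, now) for e in events}
```

In practice the `FEED` dictionary would be refreshed automatically from the sharing service rather than hard-coded, which is the "automated updates" point made above.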
This information helps me take advantage of the network effect, be part of the network effect, and ultimately reduce risk for all involved.
From my perspective, if the license agreement from the vendor is in line with your organizational policies - get involved - push and pull intelligence. The bad guys take advantage of the collective - we should too. With most compromises being measured in seconds or hours, and most breach discovery and remediation actions being measured in weeks or months, it only makes sense to take advantage of proactive information sharing.
Every organization will have a different perspective on sharing. And every vendor will have a different license agreement regarding the sharing details. Ultimately, however, I think it's a foregone conclusion that most organizations will be involved in some way in the near future.
I'm curious to hear other opinions on this topic - especially from those that have decided not to engage in information sharing. I would like to understand what types of measures are taken, if any, to mimic the network effect and how you are being proactive in the face of a morphing attack surface.
This article is published as part of the IDG Contributor Network.