The formal security programs at most companies include a finite number of managers and staffers. But the fact is, everyone within an organization should be responsible on some level for contributing to efforts to protect information, physical assets and other property.
Indeed, many security executives have come to rely on a broad “team” within their enterprises to bolster cyber and physical security. But they’re also increasingly looking outside for help, through threat information sharing and other collaborative efforts. For a growing number of enterprises, this all adds up to a security “crowdsourcing” strategy that enables them to have a better chance at stopping attacks and minimizing damage.
Payroll services provider Automatic Data Processing (ADP) has been participating in shared intelligence programs for cyber defense for more than four years. This includes informal sharing of data directly with other organizations and more formalized commercial and collective data sharing, for areas such as cyber defense, fraud defense and public safety, says Roland Cloutier, CSO.
“We have dedicated full-time staff that manage our technology infrastructure that automates feed-based programs and utilizes context management technologies for automation of data infusion into our security intelligence data warehouse,” Cloutier says.
“The information we collect is consumed by analysts, engineers, investigators and technologies that infuse the data into automation threat management technologies, monitoring platforms, fraud prevention technology and incident handling workflow,” Cloutier says.
ADP continuously updates its providers and partnerships to adjust to different threats and operational needs.
“The results have been tremendous and have enabled us to be more effective and efficient,” Cloutier says. “For instance, through specific intelligence operations, we can see an on-the-horizon event that is happening in other industries, quickly evaluate our posture, and adjust resources to remediate the environment faster,” he says.
In addition, the company can use information to do historical analyses in its environment to have a higher level of certainty as to whether ADP was affected by an event.
ADP has also leveraged global and regional reporting systems and most recently has begun integrating reporting capabilities with businesses workflow platforms, allowing its employees to report security issues while inside the main applications they use every day, Cloutier says. This way, they don’t need to go to a portal, send an email, or even make a call.
“From a data push perspective, we manage an internal ‘tweet-like’ system integrated into our global employee social media platforms, and have enabled ‘security feeds’ that employees can elect to join in multiple formats,” Cloutier says. ADP also uses multimedia such as video and podcasts to keep employees up to date with important security information.”
Johnson & Johnson crowdsources
Consumer healthcare products provider Johnson & Johnson is also a big believer in security crowdsourcing. “Our company gathers intelligence feeds from various sources, internal and external,” says Mary Chaney, director of worldwide information security at Johnson & Johnson.
That includes its relationship with the Healthcare and Public Health Information Sharing and Analysis Center (NH-ISAC), which works to improve the resilience of the nation’s critical infrastructure against physical and cyber security threats.
Led by the healthcare industry, NH-ISAC is recognized by such entities as the U.S. Department of Health and Human Services, Health Sector-Coordinating Council, U.S. Department of Homeland Security, National Institute of Standards & Technology, as well as law enforcement agencies.
“Internally, we seek to engage physical, social media relations and other groups that are ‘listening’ for different types of information about the company but could offer insight on things that have a cybersecurity impact,” Chaney says.
The company has an Intelligence and Trending group within its Security Operations Center, whose sole responsibility is to gather intelligence sources and determine how incoming data might apply to Johnson & Johnson’s environment.
“They also maintain the necessary business partner relationships so that we have good points of contact to feed any information we may gather that may have an impact to them,” Chaney says. “By sharing information, it is our intention to become more precise about the threat actors attacking our company, so that we are not always responding to things but able to act proactively and protect ourselves.”
In addition, through trending, Johnson & Johnson is able to define patterns that are detrimentally affecting its environment. “We produce intelligence briefs that we share with our broader IT audience and then work with security awareness and communications to provide tips to our end users,” Chaney says. “Sharing intelligence information, internally and externally, is a continuous loop, and the more you devote time to digesting and understanding the information, the greater the rewards to your overall security effort.”
A broad approach to security has become vital at content delivery network services provider Akamai Technologies.
“We find that crowdsourcing is remarkably effective,” says Andy Ellis, CSO. “We started at the grassroots level around social engineering. We used to find that we’d get occasional reports to the security team around attempted social engineering.”
The company shares technical information both inside its technical teams and between its internal and customer-facing technical teams. “While most of the time we’ve seen these used to share news and information, they also get used tactically during incidents and vulnerability disclosures,” Ellis says.
Akamai has relationships with peer companies, often managed on an individual basis. “We find some of the most valuable intel we get comes through these relationships,” Ellis says. “They are often nurtured via hallway conversations at conferences.”
Some companies provide incentives for employees to recognize and report security incidents or suspicious behavior.
“Everyone is encouraged to immediately notify our help desk if a security incident is identified,” says Curtis Dalton, senior vice president and chief information risk and security officer at Pactera, an IT consulting and outsourcing provider.
Dalton created a security awareness game that publishes a monthly leaderboard and awards monthly prizes and an annual grand prize. “The security awareness game is driving big gains in awareness and participation within security via game play,” he says.
The sharing of data among many parties is clearly a positive trend in terms of strengthening security. But companies need to guard against information overload, says Darlene Libiszewski, senior vice president of IT at banking company Chicopee Savings.
“There is an overabundance of information shared among authorized parties who are interested in security threat data,” Libiszewski says. “In theory, if we at least know about threats, we have a better likelihood of defending ourselves. The challenge becomes information overload, and therefore we need to improve how to share the information effectively so we can decipher what is relevant versus what is not applicable.”
The adverse outcome is that too much unstructured information can become a distraction and potentially counter-productive, Libiszewski says.
“I think we’ll see some excellent developments in security crowdsourcing to help organizations navigate this vast sea of security intelligence as effectively as possible,” Libiszewski says. “My hope is that key players—whether security firms, software companies, law enforcement [local and national], government or hardware manufacturers—partner, and become more engaged to help us more proactively protect and defend against this significant risk we all are contending with.”
In the meantime, Chicopee Savings is making good use of shared information. IT communicates often with employees, typically via email, when certain threats seem relevant, imminent or could have a large impact if exploited.
“We also communicate with our customers, generally via email or our Web site as threats emerge and to communicate best practices,” Libiszewski says. “We also share a monthly security newsletter with our staff and customers on [cyber security] best practices.”