Government and infosec industry should build upon threat intelligence energy by focusing on education, standards use cases, and best practices.

Threat intelligence sharing is certainly riding a wave of momentum as we head into the RSA Conference next week. Over the past six months, we've seen things like:

Lots of federal activity. To consolidate and distribute threat intelligence among federal agencies and with the private sector, Washington created the National Cybersecurity and Communications Integration Center (NCCIC) and the Cyber Threat Intelligence Integration Center (CTIIC). The feds have also kept busy with President Obama's executive order on information sharing and pending legislation in the House and Senate.

Further adoption of threat intelligence standards. FS-ISAC took the lead in promoting STIX and TAXII, while vendors like ThreatStream and Vorstack are pushing a similar agenda. Now the retail ISAC is following this lead by establishing a threat intelligence sharing portal managed by FS-ISAC. In addition to this industry effort, many enterprises continue to expand their use of Mandiant's OpenIOC.

Industry actions. Security vendors like iSight Partners, Norse, and Webroot offer their threat intelligence to users, while others like Fortinet, Intel Security, Palo Alto Networks, and Symantec have established their own sharing group, the Cyber Threat Alliance. Facebook and Microsoft have also proposed threat sharing collaboration using their cloud services.

Yup, threat intelligence is already red hot, and the RSA Conference will only fan these flames. This is good news, but there are still a few underlying problems here. Threat intelligence sharing is extremely immature: a lot of enterprise activity still revolves around static information (file hashes and the like) distributed via email and manual processes. Many firms also struggle with threat intelligence processing, correlation, and analytics, often depending upon homegrown tools in this area.
Finally, security professionals complain that it is still quite difficult to operationalize threat intelligence programs so they can prioritize actions and measure success.

In my humble opinion, there is still a lot of work ahead to realize the full potential of threat intelligence sharing. Given this need, I suggest the following next steps:

Threat intelligence sharing centers should align with cybersecurity training and education. NCCIC, CTIIC, and all of the ISACs should establish relationships with leading cybersecurity training organizations like (ISC)² and SANS, as well as leading university cybersecurity programs at schools like Carnegie Mellon, MIT, and Stanford. The goal? Educate and train the next generation of cybersecurity professionals on threat intelligence sharing as collaboration platforms and processes mature.

MITRE and the ISACs should publish threat intelligence standards use cases. STIX and TAXII are extremely flexible and extensible. So what's the problem? Many threat intelligence professionals report that they don't know where to get started or how best to use these standards. What's needed here are a few "killer apps": use cases that deliver a lot of cybersecurity value to a wide assortment of organizations. MITRE, the ISACs, and anyone else who can guide the industry should take the lead here. This effort could help transform threat intelligence standards from interesting concept to required technology.

The creation and proliferation of threat intelligence sharing professional services. Too many organizations say that threat intelligence sharing is an exercise in lengthy on-the-job training. Why? Threat intelligence immaturity has resulted in a dearth of best practices and available expertise. Cybersecurity professional services leaders like Accuvant, IBM, HP, RSA Security, and Unisys have an opportunity to bridge this gap, help organizations professionalize their threat sharing programs, and make a fair amount of dough along the way.
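As an added example (not part of the original column, and written against STIX 2.1 JSON, which postdates it; STIX was XML-based at the time), here is the kind of minimal "killer app" use case the paragraph on standards asks for: take a shared indicator bundle and match it against objects observed in local telemetry, honoring each indicator's validity window so stale IOCs do not fire. The bundle, hash, domains, IPs and log-like observations are all constructed sample data, and the pattern parser handles only the equality-and-OR subset of STIX patterning shown; anything else is an assumption of this example, not of the standard.

```python
"""Match shared STIX 2.1 indicators against locally observed objects.

Added example: constructed bundle and observations, stdlib only.
Supports the subset of STIX patterning used here: one observation
expression of '=' comparisons joined by OR.
"""
import json
import re
from datetime import datetime, timezone

SAMPLE_HASH = "0123456789abcdef" * 4  # made-up SHA-256, not a real sample

# Constructed STIX 2.1 bundle standing in for what an ISAC or TAXII feed would deliver.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--8c1d6a9e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8c1d6a9e-0000-4000-8000-000000000002",
         "created": "2015-04-01T00:00:00Z", "modified": "2015-04-01T00:00:00Z",
         "name": "Dropper sample hash", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']",
         "valid_from": "2015-04-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8c1d6a9e-0000-4000-8000-000000000003",
         "created": "2015-04-02T00:00:00Z", "modified": "2015-04-02T00:00:00Z",
         "name": "C2 infrastructure", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example' OR ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2015-04-02T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8c1d6a9e-0000-4000-8000-000000000004",
         "created": "2014-01-01T00:00:00Z", "modified": "2014-01-01T00:00:00Z",
         "name": "Old C2 domain", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'old-c2.example']",
         "valid_from": "2014-01-01T00:00:00Z",
         "valid_until": "2014-12-31T00:00:00Z"},  # expired: must not fire in 2015
    ],
})

# Constructed observations, as a proxy/EDR/firewall pipeline might normalize them.
SAMPLE_OBSERVATIONS = [
    {"type": "domain-name", "value": "c2.example", "source": "proxy", "host": "ws-17"},
    {"type": "file", "name": "update.exe", "hashes": {"SHA-256": SAMPLE_HASH},
     "source": "edr", "host": "ws-17"},
    {"type": "domain-name", "value": "old-c2.example", "source": "proxy", "host": "ws-04"},
    {"type": "ipv4-addr", "value": "198.51.100.9", "source": "firewall", "host": "ws-09"},
]

COMPARISON = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'$")


def parse_pattern(pattern):
    """Parse "[type:path = 'v' OR type:path = 'v']" into (type, path, value) triples.

    Quotes around path components (hashes.'SHA-256') are dropped so the path
    can be walked as plain dict keys. Anything outside this subset raises.
    """
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern: {pattern}")
    terms = []
    for term in body[1:-1].split(" OR "):
        m = COMPARISON.match(term.strip())
        if not m:
            raise ValueError(f"unsupported comparison: {term}")
        obj_type, path, value = m.groups()
        terms.append((obj_type, path.replace("'", ""), value))
    return terms


def lookup(obj, path):
    """Resolve a dotted property path such as 'hashes.SHA-256' inside an observation."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_time(ts):
    """STIX timestamps are RFC 3339 with a trailing Z; make them tz-aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def match_indicators(bundle_json, observations, now="2015-04-20T00:00:00Z"):
    """Return [(indicator name, observation index)] for each indicator that is
    valid at `now` and whose pattern matches an observed object."""
    now_dt = parse_time(now)
    hits = []
    for sdo in json.loads(bundle_json)["objects"]:
        if sdo.get("type") != "indicator":
            continue
        if parse_time(sdo["valid_from"]) > now_dt:
            continue
        if "valid_until" in sdo and parse_time(sdo["valid_until"]) <= now_dt:
            continue  # stale IOC: skipping it keeps old hashes and domains from paging people
        terms = parse_pattern(sdo["pattern"])
        for idx, obs in enumerate(observations):
            if any(obs.get("type") == t and lookup(obs, p) == v for t, p, v in terms):
                hits.append((sdo["name"], idx))
    return hits


if __name__ == "__main__":
    for name, idx in match_indicators(SAMPLE_BUNDLE, SAMPLE_OBSERVATIONS):
        obs = SAMPLE_OBSERVATIONS[idx]
        print(f"{name}: {obs['source']} on {obs['host']} -> {obs.get('value') or obs.get('name')}")
```

Two design points worth noting: the validity check is what separates "a list of hashes in an email" from an operational feed, because shared indicators age out and a matcher that ignores `valid_until` will keep alerting on infrastructure the adversary abandoned; and the parser deliberately refuses patterns it does not understand rather than silently matching nothing, so a richer pattern from a feed shows up as an error in the pipeline instead of a blind spot.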