Threat intelligence sharing has become the "new black" in the world of enterprise security, a trendy buzzword that has become ubiquitous at industry conferences and in vendor marketing pitches. But what exactly is threat intelligence sharing and are we using it effectively to defend against cyberattacks?

While there are many paths available—customer-to-vendor, vendor-to-customer, customer-to-customer, vendor-to-vendor—the core of threat intelligence sharing is typically information gathered from the customer by the vendor in order to help the customer respond to threats or attacks.

Another sharing situation involves this same intelligence being re-purposed by the vendor to produce new and/or improved detection signatures, blocking rules, or other forms of protection. This protection information is used in the vendor’s commercial product or service so it can be leveraged by the vendor’s other customers.

The problem is that “some customers are asking for their organization’s own threat intelligence to remain private and that it not be used by the vendor for mass commercial use,” says Candace Worley, senior vice president and general manager, Endpoint Security Business Unit at Intel Security. This is understandable, but it leads down a path where only a select set of affluent customers receive the white security glove treatment, leaving the rest of the world to fend for themselves.

“Only the top 1%—specifically, the top financial, healthcare and insurance companies—are effectively using threat intelligence,” says Richard Struse, chief advanced technology officer at the Department of Homeland Security.
And, at the other end of the spectrum, at least 35% of companies are not using threat intelligence at all, according to Symantec.

This raises several questions: What are the middle 64% of companies doing with their threat intelligence to be categorized as using it “ineffectively?” Why are the bottom 35% not using threat intelligence at all? And, most importantly, are these two groups doomed to fail when it comes to identifying and responding to attacks that the top 1% is uniquely protected against?

Increasing effectiveness of threat intelligence data

Nate Lesser, deputy director, National Cybersecurity Center of Excellence, National Institute of Standards and Technology (NIST), says, “Those that can ingest and analyze the data are those that are successful. For smaller companies, their ingestion and analysis happens through the use of vendor products and services. I’m not sure how we get the trickle down effect from the top 1% of the pyramid to the rest so they, too, can be effective.”

Maybe the solution is to help the middle 64% become more effective with their use of threat intelligence, regardless of the quantity, source, and delivery mechanism for the data. This would require the organization to grow in maturity as opposed to merely the number of products, services, and feeds.

Threat intelligence sharing shouldn’t be a one-way street between two isolated parties. Here are a few examples of how and where threat intelligence can be shared and used:

Vendor-to-Vendor: Sharon Vardi, chief marketing officer at Securonix, claims that they pull in as many as 15 commercial and open source threat intelligence feeds, which they use to map known bad sites.

Vendor-to-Customer: To avoid tipping off the bad guys, Verisign has set up a service that simulates various types of companies—by industry, country, size, user profiles, and relevant documents, for example.
“We can see what time the attacker came in, where they succeeded, where they ran into trouble, how they overcome blocks,” says Kyle Maxwell, iDefense senior cyber crime researcher, Verisign. Sharing this specialized hacker behavior with customers can make all the difference for the customer’s security.

Customer-to-Customer: Industry-specific details are important. According to James Luby, product marketing manager at BalaBit IT Security, “We’ve seen energy firms tune their use of intelligence differently from a financial institution or even an oil field operator—sharing this information with their peers helps the industry reduce the risk of a breach targeting their environment.”

Customer-to-Vendor: Verizon Enterprise Solutions has leveraged the information they’ve gathered from customer-generated threat intelligence to produce a yearly Data Breach Investigations Report.

Info sharing is only part of the answer

People seem to be focused so much on the actual sharing of information that they’ve lost sight of the advantages gained from doing so. “Intelligence sharing is just a means to an end,” says Struse. “The real goal is to proactively detect and block malicious activity from succeeding while limiting its impact if and when it does.” In other words, having more data doesn’t necessarily make us smarter or better equipped.

To further this point, Rick Holland, principal analyst at Forrester Research, says it is “better to use your own internal feeds first before spending hundreds of thousands [of dollars] on a commercial feed.” Organizations can bring in all the intelligence data they want, but if they don’t have the core security measures in place to act on it, it won’t matter.
“You can employ the top minds in security and ingest the most threat intelligence data imaginable, but the bottom line is you can’t patch stupid.”

Reducing the risk of two-tier breaches

There are other troubling issues. The Verizon Data Breach Investigation Report shows that 70% of successful breaches indicate that a secondary victim was involved before hackers went after the ultimate target.

“The majority of these two-tier breaches are being executed via phishing attacks where the attackers are going after valid credentials that connect the two organizations,” says Bob Rudis, security data scientist, Cybersecurity Research & Innovation at Verizon Enterprise Solutions. “Our data shows that 25% of those attacks could have been stopped with two-factor authentication—or by simply forcing the attacker to do something different.”

Datum Security’s CEO Jonathan Niednagel adds that “something as simple as sharing vulnerability information with your approved vendors and helping each other remedy known weaknesses could reduce the risk of these two-tier breaches such as the one we saw with Target via their approved HVAC vendor.”

What’s stopping us from sharing?

Vendors and companies are sharing information all over the place—some with, but most without success. But, as Niednagel and others have pointed out, even with the hype behind the need to share, it’s just not happening en masse.

According to Struse, “Intelligence sharing could be an antitrust concern.” Organizations that share intelligence with a closed group that excludes some companies could find that they are in trouble for preventing others from benefiting from the intelligence.
“In the past, exclusivity in intelligence sharing could be seen as two companies colluding,” adds ThreatStream CEO Hugh Njemanze.

It seems that the government-oversight groups found in FS-ISAC (for finance) and NH-ISAC (for healthcare) have overcome this antitrust/collusion challenge. But what about commercial entities that want to share information with each other in a closed group? Could they be faced with additional legal risks?

Anti-sharing may lie within the legalese contained in our business agreements, as binding contracts with one or more clients may actually prevent information from being shared with other clients. Says Leonid Shtilman, CTO at ViewFinity, “Even when the value of sharing is clearly identified by our clients, and while some of these clients allow us to selectively share tidbits of information—such as application black lists—our non-disclosure agreements prevent us from fully sharing our gathered intelligence on a grand scale.”

Final thoughts

Whether or not intelligence sharing is taking place across the board, it is a topic that is quickly growing in relevancy and importance.

If the 1% want to keep their threat intelligence private, there’s not much anyone can do. The solution lies with the remaining 99% who need to work together and find a way to share their collective threat intelligence, rather than attempt to implement security measures from a place of ignorance. The irony is that the attacker community understands the advantage of sharing information and is well ahead of the defenders.

As Ken Westin, senior security analyst, Office of the CTO at Tripwire, says, “Organizations must begin with crystal clear visibility into their own environment in order to make threat intelligence work.”

Sean Martin is a four-term CISSP and 25-year information technology and information security veteran. Write to him at firstname.lastname@example.org.