
by Sean Martin

Threat intel sharing: Security breakthrough or flavor of the month?

Jun 08, 2015

Threat intelligence sharing has become the “new black” in the world of enterprise security, a trendy buzzword that has become ubiquitous at industry conferences and in vendor marketing pitches. But what exactly is threat intelligence sharing and are we using it effectively to defend against cyberattacks?

While there are many paths available—customer-to-vendor, vendor-to-customer, customer-to-customer, vendor-to-vendor—the core of threat intelligence sharing is typically information gathered from the customer by the vendor in order to help the customer respond to threats or attacks.

+ ALSO ON NETWORK WORLD: Old school antivirus vendors learn new tricks +

Another sharing situation involves this same intelligence being repurposed by the vendor to produce new and/or improved detection signatures, blocking rules, or other forms of protection. This protection information is used in the vendor’s commercial product or service so it can be leveraged by the vendor’s other customers.

The problem is that “some customers are asking for their organization’s own threat intelligence to remain private and that it not be used by the vendor for mass commercial use,” says Candace Worley, senior vice president and general manager, Endpoint Security Business Unit at Intel Security. This is understandable, but it leads down a path where only a select set of affluent customers receive the white security glove treatment, leaving the rest of the world to fend for themselves.

“Only the top 1%—specifically, the top financial, healthcare and insurance companies—are effectively using threat intelligence,” says Richard Struse, chief advanced technology officer at the Department of Homeland Security. And, at the other end of the spectrum, at least 35% of companies are not using threat intelligence at all, according to Symantec.

This raises several questions: What are the middle 64% of companies doing with their threat intelligence to be categorized as using it “ineffectively?” Why are the bottom 35% not using threat intelligence at all? And, most importantly, are these two groups doomed to fail when it comes to identifying and responding to attacks that the top 1% is uniquely protected against?

Increasing effectiveness of threat intelligence data

Nate Lesser, deputy director, National Cybersecurity Center of Excellence, National Institute of Standards and Technology (NIST), says, “Those that can ingest and analyze the data are those that are successful. For smaller companies, their ingestion and analysis happens through the use of vendor products and services. I’m not sure how we get the trickle-down effect from the top 1% of the pyramid to the rest so they, too, can be effective.”

Maybe the solution is to help the middle 64% become more effective with their use of threat intelligence, regardless of the quantity, source, and delivery mechanism for the data. This would require the organization to grow in maturity as opposed to merely the number of products, services, and feeds.


Threat intelligence sharing shouldn’t be a one-way street between two isolated parties. Here are a few examples of how and where threat intelligence can be shared and used:

  • Vendor-to-Vendor: Sharon Vardi, chief marketing officer at Securonix, claims that they pull in as many as 15 commercial and open source threat intelligence feeds, which they use to map known bad sites.
  • Vendor-to-Customer: To avoid tipping off the bad guys, Verisign has set up a service that simulates various types of companies—by industry, country, size, user profiles, and relevant documents, for example. “We can see what time the attacker came in, where they succeeded, where they ran into trouble, how they overcame blocks,” says Kyle Maxwell, iDefense senior cyber crime researcher, Verisign. Sharing this specialized attacker behavior with customers can make all the difference for the customer’s security.
  • Customer-to-Customer: Industry-specific details are important. According to James Luby, product marketing manager at BalaBit IT Security, “We’ve seen energy firms tune their use of intelligence differently from a financial institution or even an oil field operator—sharing this information with their peers helps the industry reduce the risk of a breach targeting their environment.”
  • Customer-to-Vendor: Verizon Enterprise Solutions has leveraged the information they’ve gathered from customer-generated threat intelligence to produce a yearly Data Breach Investigations Report.

Info sharing is only part of the answer

People seem to be focused so much on the actual sharing of information that they’ve lost sight of the advantages gained from doing so. “Intelligence sharing is just a means to an end,” says Struse. “The real goal is to proactively detect and block malicious activity from succeeding while limiting its impact if and when it does.” In other words, having more data doesn’t necessarily make us smarter or better equipped.

To further this point, Rick Holland, principal analyst at Forrester Research, says it is “better to use your own internal feeds first before spending hundreds of thousands [of dollars] on a commercial feed.” Organizations can bring in all the intelligence data they want, but if they don’t have the core security measures in place to act on it, it won’t matter. “You can employ the top minds in security and ingest the most threat intelligence data imaginable, but the bottom line is you can’t patch stupid.”

Reducing the risk of two-tier breaches

There are other troubling issues. The Verizon Data Breach Investigations Report shows that in 70% of successful breaches a secondary victim was compromised before the attackers went after the ultimate target.

“The majority of these two-tier breaches are being executed via phishing attacks where the attackers are going after valid credentials that connect the two organizations,” says Bob Rudis, security data scientist, Cybersecurity Research & Innovation at Verizon Enterprise Solutions. “Our data shows that 25% of those attacks could have been stopped with two-factor authentication—or by simply forcing the attacker to do something different.”

Datum Security CEO Jonathan Niednagel adds that “something as simple as sharing vulnerability information with your approved vendors and helping each other remedy known weaknesses could reduce the risk of these two-tier breaches such as the one we saw with Target via their approved HVAC vendor.”

What’s stopping us from sharing?

Vendors and companies are sharing information all over the place—some with, but most without, success. But, as Niednagel and others have pointed out, even with the hype behind the need to share, it’s just not happening en masse.

According to Struse, “Intelligence sharing could be an antitrust concern.” Organizations that share intelligence with a closed group that excludes some companies could find that they are in trouble for preventing others from benefiting from the intelligence. “In the past, exclusivity in intelligence sharing could be seen as two companies colluding,” adds ThreatStream CEO Hugh Njemanze.

It seems that the government-oversight groups found in FS-ISAC (for finance) and NH-ISAC (for healthcare) have overcome this antitrust/collusion challenge. But what about commercial entities that want to share information with each other in a closed group? Could they be faced with additional legal risks?

Another barrier to sharing may lie within the legalese contained in our business agreements, as binding contracts with one or more clients may actually prevent information from being shared with other clients. Says Leonid Shtilman, CTO at ViewFinity, “Even when the value of sharing is clearly identified by our clients, and while some of these clients allow us to selectively share tidbits of information—such as application black lists—our non-disclosure agreements prevent us from fully sharing our gathered intelligence on a grand scale.”

Final thoughts

Whether or not intelligence sharing is taking place across the board, it is a topic that is quickly growing in relevance and importance.

If the 1% want to keep their threat intelligence private, there’s not much anyone can do. The solution lies with the remaining 99% who need to work together and find a way to share their collective threat intelligence, rather than attempt to implement security measures from a place of ignorance. The irony is that the attacker community understands the advantage of sharing information and is well ahead of the defenders.

As Ken Westin, senior security analyst, Office of the CTO at Tripwire, says, “Organizations must begin with crystal clear visibility into their own environment in order to make threat intelligence work.”

Sean Martin is a four-term CISSP and 25-year information technology and information security veteran. Write to him at