4/23/2014 06:05 PM

Intelligence-Sharing Suffers Growing Pains

For most organizations, intelligence-sharing remains mainly ad hoc and informal -- and thus fraught with frustration and pitfalls, a new report from the Ponemon Institute finds.

Target's epic data breach was the final push the retail industry needed to formalize threat and attack intelligence-sharing within its community. Until recently, retail was one of the last high-profile holdouts without its own official intelligence-sharing mechanism, and the end product is likely to mirror the model of the existing Information Sharing and Analysis Centers (ISACs) in other industries.

"We're not all in with an ISAC yet. We are sharing protocols and procedures we expect could be transformed into an ISAC," says David French, senior vice president for government relations at the National Retail Federation (NRF), who confirmed to Dark Reading last month that the retail industry was considering its own ISAC. "We've opened a sharing platform that will serve as a portal for the time being. It's not the same [model] as the FS-ISAC uses, but we are investigating that option," says French, whose organization last week announced that the industry was making it official and going with its own intel-sharing model.

To date, some retailers have informally shared threat and attack experience and information with one another, and law enforcement and government entities haven't had a central place to share with retail their intel about active attacks and other types of threats. "Our members told us they'd like to have information in real-time... [a central model] would give them a better understanding of what the threats are," says NRF's French. The plan is to stand up an intel-sharing platform or ISAC this summer, he says.

Most organizations consider intelligence-sharing crucial for fighting back against the bad guys: new data from the Ponemon Institute shows that 61% of organizations say threat intel could have prevented the cyberattacks they have experienced in the past 24 months. Only 30% of the organizations say they are "satisfied" or "very satisfied" with their current method of gathering threat intelligence.

When a company hit by a cyberattack shares some details of the attack with another firm, it typically gives them a call or shoots them an email with some intelligence on the malware or other fingerprints of the attack. It's then up to the recipient to manually translate that information into a format it can use to automatically protect itself from falling prey to that attack.

More than half of the respondents in the Ponemon survey get threat intel informally -- via phone, email, or in-person meetings, the most common channels for many organizations -- and these channels can be slow, inconsistent, and far from secure. The gap between receiving the intel and converting it into something usable can make all the difference in deflecting or mitigating an attack. Nearly 70% of respondents say intel actually expires within seconds or minutes, yet more than 50% have received it days, weeks, or months later, rendering much of it useless.

Lars Harvey, CEO of IID, the threat intelligence firm that commissioned the Ponemon report, says the most useful information is that which arrives within microseconds. "And they have to immediately apply it to their infrastructure – that is the most useful [approach] and helped prevent things [attacks] from happening," says Harvey. "As time goes by, the value of the information diminishes."

Harvey says many organizations hesitate to enter into intel-sharing for legal reasons. "The doomsday scenario is someone misusing the information they share and causing harm, and the harmed party comes back to the original source looking" for compensation, for instance, he says, even though the source had no control over how that information was shared. "That's what attorneys are most afraid of," he says. "Scaling trust is a big challenge."

Receiving information with context rather than raw data also is crucial, and automating a response to a threat inside the organization runs into plenty of interoperability challenges, Harvey says. That's where emerging standards such as Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) come into play: STIX is the language for describing threat information in a structured form, and TAXII is the protocol for transporting it. Together they are seen as the future of a standard machine-readable language and transport for incorporating the latest threat information into an organization's security infrastructure.
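What "machine-readable" buys you over the phone call and email described above is that the recipient can parse the indicators, honour their validity window (the expiry problem the survey respondents complain about), and run them against its own logs without a human retyping anything. The following is an added example, not code from the article, IID, Ponemon or the STIX project. It assumes STIX 2.1 JSON (a later, JSON-based revision of the standard; the STIX of 2014 was XML-based 1.x) and simple equality comparisons inside the patterns. The bundle, indicator IDs, host names, addresses, hash and log lines are all constructed for the example; the AS_OF timestamp is the article's own.

```python
"""Parse a STIX 2.1 indicator bundle into IOCs, drop indicators whose
validity window has lapsed, and match the rest against log lines.
Example added to this page (not the article's, IID's, Ponemon's or the
STIX project's code). Assumes STIX 2.1 JSON and simple equality patterns."""
import json
import re
from datetime import datetime, timezone

STALE_HASH = "0123456789abcdef" * 4  # constructed placeholder SHA-256

# Constructed bundle: IDs, names and values are invented for this example
# (documentation-reserved addresses and example.* domains).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0a1b2c3d-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2014-04-20T09:00:00.000Z", "modified": "2014-04-20T09:00:00.000Z",
         "name": "POS malware C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.net']",
         "valid_from": "2014-04-20T00:00:00Z", "valid_until": "2014-04-25T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2014-04-23T12:00:00Z", "modified": "2014-04-23T12:00:00Z",
         "name": "Exfiltration hosts", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23' OR ipv4-addr:value = '203.0.113.7']",
         "valid_from": "2014-04-23T12:00:00Z"},   # open-ended: no valid_until
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2014-03-01T00:00:00Z", "modified": "2014-03-01T00:00:00Z",
         "name": "Dropper hash (old campaign)", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{STALE_HASH}']",
         "valid_from": "2014-03-01T00:00:00Z", "valid_until": "2014-04-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",          # not an indicator: skipped
         "id": "malware--00000000-0000-4000-8000-000000000004",
         "created": "2014-04-20T09:00:00Z", "modified": "2014-04-20T09:00:00Z",
         "name": "RAM scraper", "is_family": True},
    ],
})

# Constructed log lines, as a SIEM might hold them.
SAMPLE_LOGS = [
    "2014-04-23T18:01:07Z dns client=10.0.4.17 query=c2.example.net type=A",
    "2014-04-23T18:01:09Z proxy src=10.0.4.17 dst=198.51.100.23:443 bytes_out=4194304",
    "2014-04-23T18:02:11Z dns client=10.0.4.18 query=www.example.com type=A",
    f"2014-04-23T18:03:40Z av host=pos-07 sha256={STALE_HASH} verdict=clean",
]

# Evaluation time for the example (the article's own timestamp).
AS_OF = datetime(2014, 4, 23, 18, 5, tzinfo=timezone.utc)

# One "object-path = 'value'" comparison inside a STIX pattern, e.g.
# domain-name:value = 'c2.example.net' or file:hashes.'SHA-256' = '...'.
COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def _ts(value):
    """Parse a STIX timestamp (RFC 3339 with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_indicators(bundle_json, now=None):
    """Return one IOC dict per comparison in every non-revoked STIX indicator.
    'active' is False when 'now' lies outside [valid_from, valid_until)."""
    now = now or datetime.now(timezone.utc)
    iocs = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # YARA/Snort/Sigma patterns need their own engines
        valid_from = _ts(obj["valid_from"])
        valid_until = _ts(obj["valid_until"]) if "valid_until" in obj else None
        active = valid_from <= now and (valid_until is None or now < valid_until)
        for path, value in COMPARISON.findall(obj["pattern"]):
            iocs.append({"id": obj["id"], "name": obj.get("name", ""),
                         "path": path, "value": value, "active": active})
    return iocs


def match_logs(iocs, lines):
    """Case-insensitive substring match of active IOC values against log lines.
    Returns (line_no, indicator_id, value). AND-joined comparisons are not
    evaluated jointly, so treat hits as leads for analyst triage, not verdicts."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        text = line.lower()
        for ioc in iocs:
            if ioc["active"] and ioc["value"].lower() in text:
                hits.append((line_no, ioc["id"], ioc["value"]))
    return hits


def run_example():
    """Load the sample bundle as of AS_OF and match it against SAMPLE_LOGS."""
    return match_logs(load_indicators(SAMPLE_BUNDLE, AS_OF), SAMPLE_LOGS)
```

`run_example()` returns two hits: the C2 domain lookup on line 1 and the connection to the exfiltration host on line 2. The dropper hash on line 4 is present in the logs but its indicator expired on 2014-04-01, so it is carried as inactive and produces no hit; that is exactly the timeliness rule the survey respondents want enforced by software rather than by whoever reads the email. A real deployment would pull bundles over TAXII instead of a string constant, evaluate full pattern semantics (AND, FOLLOWEDBY, WITHIN) with a proper STIX pattern engine, and feed the active values into the blocklist or detection rules rather than a substring scan.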

Nearly 70% of the respondents in the Ponemon survey give real-time, machine-to-machine exchange of intelligence a thumbs up. Sixty-two percent say their current sharing relationships are typically limited by industry, geography, or community.

ISACs provide an official mechanism for sharing information about the latest malware and cybercrime activity spotted targeting specific industries, and they maintain databases of those threats and vulnerabilities for their members. There are some 16 ISACs to date for specific industries, including the financial industry's FS-ISAC as well as ISACs in the electricity, water, supply chain, and research and education sectors. The goal is to help industries work together in the face of cybercrime and cyberespionage.

The financial services industry's FS-ISAC and the Defense industry's ISAC both are considered the gold standard for intel-sharing. "We've seen in a few industries, such as financial services and education, very effective programs for exchanging threat information. Other ISACs are not as mature and not as effective," IID's Harvey says.

"Information sharing and analysis centers (ISACs) are a proven way for organizations to hear from peer organizations about emerging advanced threats to data, criminal behavior patterns, best practices to manage risk, and as a forum to learn about how new technologies, like data-centric encryption and tokenization, can mitigate them economically," says Mark Bower, vice president of product management and solution architecture for Voltage Security. "Extending this to retail entities makes a lot of sense and facilitates a no-nonsense vehicle to solve problems quickly across industry participants."

Bower says getting firsthand perspective from victims who have suffered an attack is especially useful. "While advanced technology can solve big risk issues, one of the biggest gaps industry faces today is education and understanding the true cost and risk of advanced threats when they hit vulnerable entities," he says. That's where ISACs come in.

IID's Harvey echoed that: "The first key is identifying [activity] as an attack. Has anyone seen behavior like this? The more you know," the better, Harvey says.

"What was clear in our findings is that businesses and government agencies know that exchanging cyber threat intelligence will help secure the Internet more so than any other method or technology," says Larry Ponemon, Chairman and Founder of the Ponemon Institute, which surveyed 700+ IT and security professionals in enterprises and government agencies. "Yet what is really confounding is that while most of the people participating in the survey are clearly sharing cyberattack information, they know they aren’t doing it correctly or effectively."

The full Ponemon report, "Exchanging Cyber Threat Intelligence: There Has to Be a Better Way," is available for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas,
User Rank: Strategist
4/24/2014 | 4:21:58 PM
Re: Intel-sharing -- seems like a no brainer for retail
On fire, probably, I would imagine. It will be interesting to see what they come up with. Looking forward to your reporting about it, Kelly.
Kelly Jackson Higgins,
User Rank: Strategist
4/24/2014 | 4:18:00 PM
Re: Intel-sharing -- seems like a no brainer for retail
It's not clear why they were laggards in this, but they will have something in place soon. The heat is on.
Marilyn Cohodas,
User Rank: Strategist
4/24/2014 | 3:55:35 PM
Intel-sharing -- seems like a no brainer for retail
It's hard for me to understand why -- after the recent spate of data breaches at Target, Michaels, etc. -- the retail industry isn't rushing forward to create industry-wide intelligence-sharing mechanisms. I suppose a baby step is better than standing still....