4/23/2014
06:05 PM

Intelligence-Sharing Suffers Growing Pains

For most organizations, intelligence-sharing remains mainly ad-hoc and informal -- and thus fraught with frustration and pitfalls, a new report from Ponemon finds.

Target's epic data breach was the final push the retail industry needed to finally formalize threat and attack intelligence-sharing within its community. Retail until recently was one of the last high-profile holdouts to create its own official intelligence-sharing mechanism and the end product is likely to mirror the model of existing Information Sharing and Analysis Centers (ISACs) in other industries.

"We're not all in with an ISAC yet. We are sharing protocols and procedures we expect could be transformed into an ISAC," says David French, senior vice president for government relations at the National Retail Federation (NRF), who confirmed with Dark Reading last month that the retail industry was considering its own ISAC. "We've opened a sharing platform that will serve as a portal for the time being. It's not the same [model] as the FS-ISAC uses," but we are investigating that option, says French, whose organization last week announced the industry was making it official and going with its own intel-sharing model.

To date, some retailers have informally shared threat and attack experience and information among one another, and law enforcement and government entities haven't had a central place to share with retail their intel about active attacks and other types of threat information. "Our members told us they'd like to have information in real-time... [a central model] would give them a better understanding of what the threats are," says NRF's French. The plan is to stand up an intel-sharing platform or ISAC this summer, he says.

Most organizations consider intelligence-sharing crucial for fighting back against the bad guys: new data from the Ponemon Institute shows that 61% of organizations say threat intel could have prevented the cyberattacks they have experienced in the past 24 months. Only 30% of the organizations say they are "satisfied" or "very satisfied" with their current method of gathering threat intelligence.

When a company hit by a cyberattack shares some details of the attack with another firm, it typically gives them a call or shoots them an email with some intelligence on the malware or other fingerprints of the attack. It's then up to the recipient to manually translate that information into a format it can use to automatically protect itself from falling prey to that attack.

More than half of the respondents in the Ponemon survey get threat intel informally -- the most common method for many organizations -- via phone, email, or in-person meetings, and these methods can be too slow and inconsistent, not to mention far from secure. That gap of time between receiving the intel and converting it into something useful can make all the difference in deflecting or mitigating an attack. Nearly 70% of them say intel actually expires within seconds or minutes, and more than 50% have gotten this information in days, weeks, or months, rendering much of it useless.

Lars Harvey, CEO of IID, which commissioned the Ponemon report, says the most useful information is that which arrives within microseconds. "And they have to immediately apply it to their infrastructure – that is the most useful [approach] and helped prevent things [attacks] from happening," says Harvey of IID, a threat intelligence firm. "As time goes by, the value of the information diminishes."

Harvey says many organizations hesitate to enter into intel-sharing for legal reasons. "The doomsday scenario is someone misusing the information they share and causing harm, and the harmed party comes back to the original source looking" for compensation, for instance, he says, even though the source had no control over how that information was shared. "That's what attorneys are most afraid of," he says. "Scaling trust is a big challenge."

Receiving information with context, rather than raw data, also is crucial, and there are plenty of interoperability challenges to automating a response to a threat within the organization, for example, he says. That's where emerging standards like Structured Threat Information eXpression, or STIX, and Trusted Automated eXchange of Indicator Information (TAXII) come into play. STIX is the intel-sharing language architecture and TAXII is the protocol for transporting that information. The two are seen as the future of creating a standard machine-readable language and transport for incorporating the latest threat information into an organization's security infrastructure.
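What machine-readable intel looks like on the receiving side, as an added example that is not from the article or the Ponemon report: it reads indicators in STIX 2.1 JSON (the current form of the standard), turns simple ones into blocklist entries, and withholds any that are outside their validity window. The bundle, ids and values are constructed, and the function names and the restriction to two pattern types are assumptions of this example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample bundle: documentation-range IP, .example names, made-up ids.
BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
  {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000001"},
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-00000000000a",
   "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
   "valid_from": "2014-04-23T18:00:00Z", "valid_until": "2014-04-23T18:10:00Z"},
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-00000000000b",
   "pattern_type": "stix", "pattern": "[domain-name:value = 'malicious.example']",
   "valid_from": "2014-04-23T17:00:00Z"},
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-00000000000c",
   "pattern_type": "stix", "pattern": "[url:value = 'http://malicious.example/login']",
   "valid_from": "2014-04-23T17:00:00Z"}
]}
""")

# Only single-value equality tests on these two object types are auto-applied.
SIMPLE = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")

def parse_ts(value):
    """Parse a STIX UTC timestamp such as 2014-04-23T18:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def actionable(bundle, now):
    """Return (blocklist, skipped): live indicators as (type, value) pairs,
    and (id, reason) for everything that must not be applied automatically."""
    blocklist, skipped = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # context objects carry no pattern to enforce
        end = obj.get("valid_until")
        if now < parse_ts(obj["valid_from"]) or (end and now >= parse_ts(end)):
            skipped.append((obj["id"], "outside validity window"))
            continue
        match = SIMPLE.match(obj.get("pattern", ""))
        if obj.get("pattern_type") != "stix" or not match:
            skipped.append((obj["id"], "needs analyst review"))
            continue
        blocklist.append(match.groups())
    return blocklist, skipped

if __name__ == "__main__":
    received_late = datetime(2014, 4, 23, 18, 30, tzinfo=timezone.utc)
    print(actionable(BUNDLE, received_late))
```

Run with a receive time twenty minutes after the IP indicator's window closes, the IP entry is withheld rather than blocked, which is the cost of slow delivery that the survey respondents describe.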

Nearly 70% of the respondents in the Ponemon survey give real-time, machine-to-machine exchange of intelligence a thumbs up. Sixty-two percent say current sharing relationships are typically limited by industry, geography, or community.

ISACs provide an official mechanism for sharing information about the latest malware and cybercrime activity spotted targeting specific industries and others. They also include databases of those threats and vulnerabilities for their members. There are some 16 ISACs to date for specific industries, including the financial industry's FS-ISAC, as well as ISACs in the electricity, water, supply chain, and research and education sectors. The goal is to help the industries better team in the face of cybercrime and cyberespionage.

The financial services industry's FS-ISAC and the Defense industry's ISAC both are considered the gold standard for intel-sharing. "We've seen in a few industries, such as financial services and education, very effective programs for exchanging threat information. Other ISACs are not as mature and not as effective," IID's Harvey says.

"Information sharing and analysis centers (ISACs) are a proven way for organizations to hear from peer organizations about emerging advanced threats to data, criminal behavior patterns, best practices to manage risk, and as a forum to learn about how new technologies, like data-centric encryption and tokenization, can mitigate them economically," says Mark Bower, vice president of product management and solution architecture for Voltage Security. "Extending this to retail entities makes a lot of sense and facilitates a no-nonsense vehicle to solve problems quickly across industry participants."

Bower says getting firsthand perspective from victims who have suffered an attack is especially useful. "While advanced technology can solve big risk issues, one of the biggest gaps industry faces today is education and understanding the true cost and risk of advanced threats when they hit vulnerable entities," he says. That's where ISACs come in.

IID's Harvey echoed that: "The first key is identifying [activity] as an attack. Has anyone seen behavior like this? The more you know," the better, Harvey says.

"What was clear in our findings is that businesses and government agencies know that exchanging cyber threat intelligence will help secure the Internet more so than any other method or technology," says Larry Ponemon, Chairman and Founder of the Ponemon Institute, which surveyed 700+ IT and security professionals in enterprises and government agencies. "Yet what is really confounding is that while most of the people participating in the survey are clearly sharing cyberattack information, they know they aren’t doing it correctly or effectively."

The full Ponemon report, "Exchanging Cyber Threat Intelligence: There Has to Be a Better Way," is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas,
User Rank: Strategist
4/24/2014 | 4:21:58 PM
Re: Intel-sharing -- seems like a no brainer for retail
On fire, probably, I would imagine. It will be interesting to see what they come up with. Looking forward to your reporting about it, Kelly.
Kelly Jackson Higgins,
User Rank: Strategist
4/24/2014 | 4:18:00 PM
Re: Intel-sharing -- seems like a no brainer for retail
It's not clear why they were laggards in this, but they will have something in place soon. The heat is on.  
Marilyn Cohodas,
User Rank: Strategist
4/24/2014 | 3:55:35 PM
Intel-sharing -- seems like a no brainer for retail
It's hard for me to understand why -- after the recent spate of data breaches at Target, Michaels, etc. -- the retail industry isn't rushing forward to create industry-wide intelligence-sharing mechanisms. I suppose a baby step is better than standing still....