Analytics
4/23/2014
06:05 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Intelligence-Sharing Suffers Growing Pains

For most organizations, intelligence-sharing remains mainly ad-hoc and informal -- and thus fraught with frustration and pitfalls, new report from Ponemon finds.

Target's epic data breach was the final push the retail industry needed to finally formalize threat and attack intelligence-sharing within its community. Retail until recently was one of the last high-profile holdouts to create its own official intelligence-sharing mechanism and the end product is likely to mirror the model of existing Information Sharing and Analysis Centers (ISACs) in other industries.

"We're not all in with an ISAC yet. We are sharing protocols and procedures we expect could be transformed into an ISAC," says David French, senior vice president for government relations at the National Retail Federation (NRF), who confirmed with Dark Reading last month that the retail industry was considering its own ISAC. "We've opened a sharing platform that will serve as a portal for the time being. It's not the same [model] as the FS-ISAC uses," but we are investigating that option, says French, whose organization last week announced the industry was making it official and going with its own intel-sharing model.

To date, some retailers have informally shared threat and attack experience and information among one another, and law enforcement and government entities haven't had a central place to share with retail their intel about active attacks and other types of threat information. "Our members told us they'd like to have information in real-time... [a central model] would give them a better understanding of what the threats are," says NRF's French. The plan is to stand up an intel-sharing platform or ISAC this summer, he says.

Most organizations consider intelligence-sharing crucial for fighting back against the bad guys: new data from the Ponemon Institute shows that 61% of organizations say threat intel could have prevented the cyberattacks they have experienced in the past 24 months. Only 30% of the organizations say they are "satisfied" or "very satisfied" with their current method of gathering threat intelligence.

When a company hit by a cyberattack shares some details of the attack with another firm, it typically gives them a call or shoots them an email with some intelligence on the malware or other fingerprints of the attack. It's then up to the recipient to manually translate that information into a format it can use to automatically protect itself from falling prey to that attack.

More than half of the respondents in the Ponemon survey get threat intel informally -- the most common method for many organizations -- via phone, email, or in-person meetings, and these methods can be too slow, inconsistent, and not to mention, far from secure. That gap of time between receiving the intel and converting it into something useful can make all the difference in deflecting or mitigating an attack. Nearly 70% of them say intel actually expires within seconds or minutes, and more than 50% have gotten this information in days, weeks, or months, rendering much of it useless.

Lars Harvey, CEO of IID, which commissioned the Ponemon report, says the most useful information is that which arrives within microseconds. "And they have to immediately apply it to their infrastructure – that is the most useful [approach] and helped prevent things [attacks] from happening," says Harvey of IID, a threat intelligence firm. "As time goes by, the value of the information diminishes."

Harvey says many organizations hesitate to enter into intel-sharing for legal reasons. "The doomsday scenario is someone misusing the information they share and causing harm, and the harmed party comes back to the original source looking" for compensation, for instance he says, even though the source had no control over how that information was shared. "That's what attorneys are most afraid of," he says. "Scaling trust is a big challenge."

Receiving information with context, rather than raw data, also is crucial, and there are plenty of interoperability challenges to automating a response to a threat within the organization, for example, he says. That's where emerging standards like Structured Threat Information eXpression, or STIX, and Trusted Automated eXchange of Indicator Information (TAXII) come into play. STIX is the intel-sharing language architecture and TAXII is the protocol for transporting that information.  The two are seen as the future of creating a standard machine-readable language and transport for incorporating the latest threat information into an organization's security infrastructure.

Nearly 70% of the respondents in the Ponemon survey give real-time, machine-to-machine exchange of intelligence, a thumbs up.  Sixty-two percent say current sharing relationships are typically limited by industry, geography, or community.

ISACs provide an official mechanism for sharing information about the latest malware and cybercrime activity spotted targeting specific industries and others. They also include databases of those threats and vulnerabilities for their members. There are some 16 ISACs to date for specific industries, including the financial industry's FS-ISAC, as well as ISACs in the electricity, water, supply chain, and research and education sectors. The goal is to help the industries better team in the face of cybercrime and cyberespionage.

The financial services industry's FS-ISAC and the Defense industry's ISAC both are considered the gold standard for intel-sharing. "We've seen in a few industries, such as financial services and education, very effective programs for exchanging threat information. Other ISACs are not as mature and not as effective," IID's Harvey says.

"Information sharing and analysis centers (ISACs) are a proven way for organizations to hear from peer organizations about emerging advanced threats to data, criminal behavior patterns, best practices to manage risk, and as a forum to learn about how new technologies, like data-centric encryption and tokenization, can mitigate them economically," says Mark Bower, vice president of product management and solution architecture for Voltage Security. "Extending this to retail entities makes a lot of sense and facilitates a no-nonsense vehicle to solve problems quickly across industry participants."

Bower says getting firsthand perspective from victims who have suffered an attack is especially useful. "While advanced technology can solve big risk issues, one of the biggest gaps industry faces today is education and understanding the true cost and risk of advanced threats when they hit vulnerable entities," he says. That's where ISACs come in.

IID's Harvey echoed that: "The first key is identifying [activity] as an attack. Has anyone seen behavior like this? The more you know," the better, Harvey says.

"What was clear in our findings is that businesses and government agencies know that exchanging cyber threat intelligence will help secure the Internet more so than any other method or technology," says Larry Ponemon, Chairman and Founder of the Ponemon Institute, which surveyed 700+ IT and security professionals in enterprises and government agencies. "Yet what is really confounding is that while most of the people participating in the survey are clearly sharing cyberattack information, they know they aren’t doing it correctly or effectively."

The full Ponemon report, "Exchanging Cyber Threat Intelligence: There Has to Be a Better Way," is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/24/2014 | 4:21:58 PM
Re: Intel-sharing -- seems like a no brainer for retail
On fire, probably, I would imagine. It will be interesting to see what they come up with up. Looking forward to your reporting about it, Kelly.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/24/2014 | 4:18:00 PM
Re: Intel-sharing -- seems like a no brainer for retail
It's not clear why they were laggards in this, but they will have something in place soon. The heat is on.  
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/24/2014 | 3:55:35 PM
Intel-sharing -- seems like a no brainer for retail
It's hard for me to understand why -- after the recent spate of data breaches at Target, Michaels etc.. -- the retail industry isn't rushing forward to create industry-wide intelligence-sharing mechanisms. I suppose a baby step is better than standing still....
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?