Analytics // Threat Intelligence
5/15/2014
03:35 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Dual Retail Cyberthreat Intelligence-Sharing Efforts Emerge

The Retail Industry Leaders Association (RILA) rolls out a retail ISAC following the National Retail Federation's (NRF) announcement last month of an intel-sharing platform planned for June.

First, there was no official intelligence-sharing mechanism for the retail industry, and now there are two. The Retail Industry Leaders Association (RILA) announced the launch yesterday of the Retail Cyber Intelligence Sharing Center (R-CISC), an information sharing and analysis center (ISAC) with the backing of Target and other major retailers. The center is akin to what the financial services, defense, and other industries have in place today to help their members share and learn about the latest attacks and threats.

Last month, the National Retail Federation officially revealed its plans for establishing an intelligence-sharing mechanism to help the industry fight cyberthreats. David French, senior vice president for government relations for the NRF, told Dark Reading earlier this year that establishing a retail industry ISAC was on the table as an option.

In a second interview with Dark Reading last month, French said the NRF was sharing protocols and procedures that could be "transformed into an ISAC," though the organization was "not all in with an ISAC yet." The plan was for a sharing platform that would start out as a portal for the industry, he said.

Today the NRF praised the R-CISC announced by the RILA but said it has no plans to drop its own intelligence-sharing initiative, which it developed in consultation with the financial services industry's FS-ISAC.

"The National Retail Federation applauds the announcement made by the Retail Industry Leaders Association regarding the establishment of a Retail Cyber Intelligence Sharing Center," said Bill Thorne, senior vice president for communications and public affairs for the NRF. "For a number of years, NRF has been working with all of the stakeholders to ensure that the broad spectrum of our industry -- large and small, online, grocery and restaurants -- have access to the tools and information they need to combat and stop these crimes."

Thorne told Dark Reading there won't be two retail ISACs, but there may well be multiple intelligence-sharing platforms. "Where it makes sense, we will integrate efforts, but at this time I do not see two retail ISACs. That does not mean, however, that there could not be multiple information sharing platforms, education, and training programs or research needs," he said. "To make it work requires a high degree of collaboration and communication between all parties engaged in this space. Please keep in mind, RILA and NRF share an industry but have a very different membership base. With those differences comes levels of sophistication, resources, need, and category of retail. Cyber security is not a 'one size fits all' proposition.

"This is a complex problem for which there is no single answer. The important thing is to insure the widest access to information by the broadest cross section of the retail industry. The effort by RILA enhances that mission, adding to the greater arsenal of tools," Thorne said. "It does not in way diminish our commitment to creating programs and opportunities that provide additional value to retailers."

The NRF has contracted the Chertoff Group "to ensure that this effort maximizes current tools and technologies that meets the needs for the full range of retailers," he said. "We support any effort that will help protect our members and their customers, and as an industry we look forward to working together to reach our shared goals."

Calls for an official intel-sharing mechanism for the retail industry intensified in the wake of Target's epic data breach late last year. The retail industry to date has not had a formal threat and attack intelligence-sharing mechanism, like other major industries do.

In addition to Target, the retailers participating in the RILA's new R-CISC include American Eagle Outfitter, Gap, JC Penney, Lowe's, Nike, Safeway, VF, and Walgreens. The R-CISC will share threat information with the US Department of Homeland Security, the US Secret Service, and the Federal Bureau of Investigation. It will also provide training and education to the industry on cyberthreats.

"Retailers place extremely high priority on finding solutions to combat cyberattacks and protect customers. In the face of persistent cyber criminals with increasingly sophisticated methods of attack, the R-CISC is a comprehensive resource for retailers to receive and share threat information, advance leading practices and develop research relevant to fighting cybercrimes," said RILA president Sandy Kennedy.

It's unclear why the two associations initially came at this initiative separately. The retail industry, unlike the defense contractor or financial services industries, is relatively new to being victimized by targeted attacks. So it could be more a result of growing pains as the industry rushes to get up to speed, experts say. Targeted threats "have not traditionally been a huge concern for them," says Chris Strand, senior director of compliance for Bit9.

There also are natural worries among competing companies about sharing attack information with your competitor, but experts say that worry ultimately fades as the advantages of staying abreast of new threats to your industry begins to pay off.

"Some don't want to share information with one another," says Strand, who has been on both sides of the fence as a retailer and a QSA. "It's both a good and bad thing that several [retail organizations] stepped forward" on the intel-sharing initiative. "But if you were to have two separate ones not talking to one another, that would probably not be the best" situation.

The NRF and RILA had been working together under an official alliance of retail trade associations to explore information-sharing options. That alliance includes the the Financial Services Roundtable, the American Bankers Association, the American Hotel & Lodging Association, Independent Community Bankers of America, the National Grocers Association, and the National Restaurant Association.

A recent Ponemon Institute study found that, for most organizations in general, intel-sharing is informal and ad hoc, and therefore not necessarily always useful. More than half of organizations get this information via phone calls, emails, or in-person meetings. The information then must be converted into some sort of rule or security measure, and time is of the essence: Nearly 70% of organizations say this information expires within seconds or minutes.

"Hearing from leaders and experts that have experienced such attacks first hand and stepped up to modernize their data security strategy to turn the tables on the attackers can be a fast track for others to follow with big pay-offs," says Mark Bower, vice president of of product management and solution architecture for Voltage Security.

Target, meanwhile, said it is playing "an active role" in RILA's R-CISC. "Target believes that protecting consumers from cyber threats is a shared responsibility. We applaud the efforts of RILA to help coordinate industry efforts around cyber security and data privacy," a Target spokesperson said.

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
5/17/2014 | 11:53:26 PM
Dual Efforts
I agree this is good news. Threat intel sharing is good. Still to Kelly's point, it seems like those organizations should be working together closely on something like this. The findings of the Ponemon study are interesting, and to me underscore that there needs to be a solid mechanism in place for people to share relevant information so that  companies can react promptly. Will be interesting to see how and if it all comes together.

BP
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/16/2014 | 8:42:28 AM
Dual or Duel?
The good news here is that the retail industry now has a formal way to share threat intelligence/attack information, but I have to wonder if having dual efforts is more of a dueling efforts issue. 
Ed Moyle
50%
50%
Ed Moyle,
User Rank: Apprentice
5/16/2014 | 8:40:27 AM
Great Move
So this is a really good idea and I'm glad to see this emerge.  For industries in the "critical infrastructure" bucket, intelligence-sharing efforts have been around for a while, but it's exactly retail where it's most needed.  Why?  Because security organizations in retail tend to have tighter budgets than industries like financial services, energy, or even (if you can believe it) healthcare.  This is true despite the fact that they're a tempting target of attack for a financially-motivated adversary.  It's an artifact of the business that they're in and the fact that they need to (for business purposes) operate at a very tight margin.  

From a PCI compliance standpoint, it's also helpful to the extent that it can help them address DSS 6.1, which is a known "pain point", particularly for the mid-market.  Anyway, longwinded way of saying that this is fantastic news.  
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.