Analytics // Threat Intelligence
5/15/2014
03:35 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Dual Retail Cyberthreat Intelligence-Sharing Efforts Emerge

The Retail Industry Leaders Association (RILA) rolls out a retail ISAC following the National Retail Federation's (NRF) announcement last month of an intel-sharing platform planned for June.

First, there was no official intelligence-sharing mechanism for the retail industry, and now there are two. The Retail Industry Leaders Association (RILA) announced the launch yesterday of the Retail Cyber Intelligence Sharing Center (R-CISC), an information sharing and analysis center (ISAC) with the backing of Target and other major retailers. The center is akin to what the financial services, defense, and other industries have in place today to help their members share and learn about the latest attacks and threats.

Last month, the National Retail Federation officially revealed its plans for establishing an intelligence-sharing mechanism to help the industry fight cyberthreats. David French, senior vice president for government relations for the NRF, told Dark Reading earlier this year that establishing a retail industry ISAC was on the table as an option.

In a second interview with Dark Reading last month, French said the NRF was sharing protocols and procedures that could be "transformed into an ISAC," though the organization was "not all in with an ISAC yet." The plan was for a sharing platform that would start out as a portal for the industry, he said.

Today the NRF praised the R-CISC announced by the RILA but said it has no plans to drop its own intelligence-sharing initiative, which it developed in consultation with the financial services industry's FS-ISAC.

"The National Retail Federation applauds the announcement made by the Retail Industry Leaders Association regarding the establishment of a Retail Cyber Intelligence Sharing Center," said Bill Thorne, senior vice president for communications and public affairs for the NRF. "For a number of years, NRF has been working with all of the stakeholders to ensure that the broad spectrum of our industry -- large and small, online, grocery and restaurants -- have access to the tools and information they need to combat and stop these crimes."

Thorne told Dark Reading there won't be two retail ISACs, but there may well be multiple intelligence-sharing platforms. "Where it makes sense, we will integrate efforts, but at this time I do not see two retail ISACs. That does not mean, however, that there could not be multiple information sharing platforms, education, and training programs or research needs," he said. "To make it work requires a high degree of collaboration and communication between all parties engaged in this space. Please keep in mind, RILA and NRF share an industry but have a very different membership base. With those differences comes levels of sophistication, resources, need, and category of retail. Cyber security is not a 'one size fits all' proposition.

"This is a complex problem for which there is no single answer. The important thing is to insure the widest access to information by the broadest cross section of the retail industry. The effort by RILA enhances that mission, adding to the greater arsenal of tools," Thorne said. "It does not in way diminish our commitment to creating programs and opportunities that provide additional value to retailers."

The NRF has contracted the Chertoff Group "to ensure that this effort maximizes current tools and technologies that meets the needs for the full range of retailers," he said. "We support any effort that will help protect our members and their customers, and as an industry we look forward to working together to reach our shared goals."

Calls for an official intel-sharing mechanism for the retail industry intensified in the wake of Target's epic data breach late last year. The retail industry to date has not had a formal threat and attack intelligence-sharing mechanism, like other major industries do.

In addition to Target, the retailers participating in the RILA's new R-CISC include American Eagle Outfitter, Gap, JC Penney, Lowe's, Nike, Safeway, VF, and Walgreens. The R-CISC will share threat information with the US Department of Homeland Security, the US Secret Service, and the Federal Bureau of Investigation. It will also provide training and education to the industry on cyberthreats.

"Retailers place extremely high priority on finding solutions to combat cyberattacks and protect customers. In the face of persistent cyber criminals with increasingly sophisticated methods of attack, the R-CISC is a comprehensive resource for retailers to receive and share threat information, advance leading practices and develop research relevant to fighting cybercrimes," said RILA president Sandy Kennedy.

It's unclear why the two associations initially came at this initiative separately. The retail industry, unlike the defense contractor or financial services industries, is relatively new to being victimized by targeted attacks. So it could be more a result of growing pains as the industry rushes to get up to speed, experts say. Targeted threats "have not traditionally been a huge concern for them," says Chris Strand, senior director of compliance for Bit9.

There also are natural worries among competing companies about sharing attack information with your competitor, but experts say that worry ultimately fades as the advantages of staying abreast of new threats to your industry begins to pay off.

"Some don't want to share information with one another," says Strand, who has been on both sides of the fence as a retailer and a QSA. "It's both a good and bad thing that several [retail organizations] stepped forward" on the intel-sharing initiative. "But if you were to have two separate ones not talking to one another, that would probably not be the best" situation.

The NRF and RILA had been working together under an official alliance of retail trade associations to explore information-sharing options. That alliance includes the the Financial Services Roundtable, the American Bankers Association, the American Hotel & Lodging Association, Independent Community Bankers of America, the National Grocers Association, and the National Restaurant Association.

A recent Ponemon Institute study found that, for most organizations in general, intel-sharing is informal and ad hoc, and therefore not necessarily always useful. More than half of organizations get this information via phone calls, emails, or in-person meetings. The information then must be converted into some sort of rule or security measure, and time is of the essence: Nearly 70% of organizations say this information expires within seconds or minutes.

"Hearing from leaders and experts that have experienced such attacks first hand and stepped up to modernize their data security strategy to turn the tables on the attackers can be a fast track for others to follow with big pay-offs," says Mark Bower, vice president of of product management and solution architecture for Voltage Security.

Target, meanwhile, said it is playing "an active role" in RILA's R-CISC. "Target believes that protecting consumers from cyber threats is a shared responsibility. We applaud the efforts of RILA to help coordinate industry efforts around cyber security and data privacy," a Target spokesperson said.

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
5/17/2014 | 11:53:26 PM
Dual Efforts
I agree this is good news. Threat intel sharing is good. Still to Kelly's point, it seems like those organizations should be working together closely on something like this. The findings of the Ponemon study are interesting, and to me underscore that there needs to be a solid mechanism in place for people to share relevant information so that  companies can react promptly. Will be interesting to see how and if it all comes together.

BP
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/16/2014 | 8:42:28 AM
Dual or Duel?
The good news here is that the retail industry now has a formal way to share threat intelligence/attack information, but I have to wonder if having dual efforts is more of a dueling efforts issue. 
Ed Moyle
50%
50%
Ed Moyle,
User Rank: Apprentice
5/16/2014 | 8:40:27 AM
Great Move
So this is a really good idea and I'm glad to see this emerge.  For industries in the "critical infrastructure" bucket, intelligence-sharing efforts have been around for a while, but it's exactly retail where it's most needed.  Why?  Because security organizations in retail tend to have tighter budgets than industries like financial services, energy, or even (if you can believe it) healthcare.  This is true despite the fact that they're a tempting target of attack for a financially-motivated adversary.  It's an artifact of the business that they're in and the fact that they need to (for business purposes) operate at a very tight margin.  

From a PCI compliance standpoint, it's also helpful to the extent that it can help them address DSS 6.1, which is a known "pain point", particularly for the mid-market.  Anyway, longwinded way of saying that this is fantastic news.  
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant