9/26/2013
05:03 PM
Threat-Intel Sharing Services Emerge, But Challenges Remain

A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems

Six years ago, when Mike Hamilton, the chief information security officer for the City of Seattle, wanted to collaborate with other local municipalities, the federal government and critical-infrastructure providers to exchange threat information, no platform existed through which to share threat intelligence.

Instead, the City of Seattle, along with the U.S. Department of Homeland Security and the University of Washington, created a system based on a security information and event management (SIEM) system. Dubbed the Public Regional Information Security Event Management (PRISEM) system, not to be confused with the National Security Agency's controversial PRISM project, the platform allows the City of Seattle's information security team to collect threat information from federal agencies and security firms, develop indicators of compromise, and look for malicious activity across the networks of PRISEM members.

Using the system, analysts "can search all the monitored jurisdictions for the indicators of compromise in a number of ways, and we can notify them when we see them talking to bad places," Hamilton says. "As a whole, we are able to get in front of threats a lot faster than if everyone was operating independently."
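As an added illustration (not code from the original article or from the PRISEM system), the matching and notification step Hamilton describes, in Python: a constructed indicator feed is searched against constructed firewall and proxy log lines from three hypothetical member networks, and each member seen talking to a flagged host gets a notification entry. The indicator values (RFC 5737 and RFC 2606 placeholder ranges), member names and log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed indicator feed: placeholder values, tagged with a constructed source.
INDICATORS = {
    "203.0.113.77": "c2 (constructed feed A)",
    "bad.example.net": "phishing domain (constructed feed B)",
}

# Constructed firewall/proxy log lines from three hypothetical member networks.
LOGS = {
    "city-a": [
        "2013-09-26T14:01:05 src=10.1.4.20 dst=203.0.113.77 dport=443 action=allow",
        "2013-09-26T14:01:09 src=10.1.4.21 dst=198.51.100.5 dport=80 action=allow",
    ],
    "county-b": [
        "2013-09-26T14:02:11 src=10.2.0.9 host=bad.example.net method=GET",
    ],
    "utility-c": [
        "2013-09-26T14:03:30 src=10.3.1.4 dst=192.0.2.10 dport=22 action=deny",
    ],
}

# Destination fields in the assumed log format: dst=<ip> for firewall lines,
# host=<name> for proxy lines.
DEST_RE = re.compile(r"(?:dst|host)=(\S+)")


def find_hits(indicators, logs):
    """Return one hit record per log line whose destination is a known indicator."""
    hits = []
    for member, lines in logs.items():
        for line in lines:
            for raw in DEST_RE.findall(line):
                value = raw.lower().rstrip(".")  # normalise case and trailing dot
                if value in indicators:
                    hits.append({"member": member, "indicator": value,
                                 "tag": indicators[value], "line": line})
    return hits


def notifications(hits):
    """Group hits by member so each monitored network gets one notice listing
    the indicators it was observed contacting (deduplicated, sorted)."""
    by_member = defaultdict(set)
    for h in hits:
        by_member[h["member"]].add(f"{h['indicator']} [{h['tag']}]")
    return {member: sorted(values) for member, values in by_member.items()}


if __name__ == "__main__":
    for member, items in notifications(find_hits(INDICATORS, LOGS)).items():
        print(f"notify {member}: {', '.join(items)}")
```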

The City of Seattle is one of the few successful collaborations between organizations to share information on online threats, attacks and compromises. Fear of liability, a lack of trust between business rivals and still-developing standards have slowed the adoption of collaborative threat-intelligence platforms. In addition, the threat intelligence gained from such systems has often not been actionable, but a firehose of data that an analyst had to sift through.

Yet, that may be changing. Last week, Hewlett Packard refreshed its security offerings, among them a threat-intelligence sharing environment known as Threat Central. Customers who subscribe to the system will be able to upload threat data from their HP ArcSight devices or any database compliant with the Structured Threat Information Expression (STIX) standard created by government contractor MITRE.

Working together is the only way to defend against the widespread attacks that companies, government agencies and educational institutions are seeing today, says Ted Ross, director of field intelligence for HP Security Research.

"The adversary figured this out a long time ago," he says. "And if we don't collaborate effectively as a community, then we will be attacked in ways that people are not expecting."

HP's Threat Central is only the latest threat-intelligence collaboration platform to arrive. A wide variety of other platforms have been created by large companies, small startups and even academic research groups.

Georgia Tech, for example, has created a system for malware analysis and threat-data sharing called Apiary, which can quickly analyze malware and return information to the more than 100 organizations working with the university on the beta project. Malware-analysis-as-a-service firm ThreatGRID has its own system for analyzing binaries and creating indicators of compromise from the files. The service, which processes up to 500,000 suspect files every day, allows teams to collaborate and share their findings with teams from other companies.

The Open Threat Exchange, a community-driven project managed by unified-security provider AlienVault, allows anyone using the Open-Source Security Information Manager (OSSIM) or AlienVault's own product to upload threat data, investigate threats and download indicators of compromise.

Threat Connect, a threat analysis and collaboration environment created by security services firm Cyber Squared, pulls data from a number of sources to allow security analysts to more quickly triage and analyze threats.

"Threat intelligence is a really complicated area, so everyone has a different approach to providing a customer a solution for threat intelligence," says Adam Vincent, CEO of Cyber Squared. "Collaboration is definitely a main part of that, but each company has a different perspective on the problem."

Yet, all the firms face two common problems. When a threat information-sharing platform is small, the participants know each other and are more likely to share. But as platforms grow, distrust sets in, fewer companies share and more just consume information, says Dean De Beer, chief technology officer of ThreatGRID.

"The majority of companies are consumers," he says. "You have people who are giving up a lot of data, and they will get tired of not getting much back."

In those cases, the companies who run the services have to step up and add at least a baseline value to the service to keep the most productive customers coming back, De Beer says.

[Companies participating in threat-intelligence programs have suffered from too much information, and they struggle to deal with information that is neither actionable nor relevant. See Dolloping Out Threat Intelligence.]

While the disparate level of benefit each customer gets is one problem, another issue is the lack of trust. Both the City of Seattle and another threat-information sharing system run by the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) have been successful because their constituents are not competitors. In the business world, that is a harder sell.

For that reason, Cyber Squared, HP, and Georgia Tech allow every member to share or restrict any information and do it anonymously.

"A big part of the challenge is getting commercial entities to cooperate," says Lars Harvey, CEO of Internet Identity, which released a study on the challenges facing threat-intelligence sharing this week. "We have to figure out a way to get larger and broader exchanges going on."

The industry also has to change the perception that it is taking information, creating a product or service, and not giving enough back, says Barmak Meftah, CEO of AlienVault. The security-management provider made its platform free to make customers more confident in its motives.

"The Achilles' heel of the industry is that it is very vendor driven, and each vendor has a myopic view of these attacks," he says. Intrusion detection vendors look for signatures, vulnerability management providers look for weak points in the network, and next-generation firewalls look for signs of malware on the network. "The concept of threat capture has been very myopic and very closed and captive."

Yet, companies have to solve these problems and find ways to work together better, says Seattle's CISO Hamilton. The attackers are benefiting from exchanging information on attack strategies, vulnerabilities and better ways of monetizing compromises. Defenders have to do it too, he says.

"From a 30,000-foot level, this is the way that the world needs to work," Hamilton says. "The one-stop shop for sending all your threat information to a vendor, looking to boil that ocean—that doesn't scale. But done regionally like we are doing it—that can scale."

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...
