5/26/2015
03:20 PM
A Threat Intelligence-Sharing Reality-Check

Many organizations share only one way (gathering, not contributing), and mainly for 'CYA,' experts say.

Every year at the RSA Conference, an industry trend becomes the buzzword of the week as vendors and some speakers rally around a term that's catching fire:  this year, the buzz was threat intelligence-sharing.

But are companies and organizations really sharing much firsthand intelligence, or mostly gathering and ingesting intel from outside sources such as vendors and intelligence-sharing and analysis centers (ISACs) and information-sharing and analysis organizations (ISAOs)?  A new study by Enterprise Strategy Group (ESG) found that 37% of North American organizations share their intel regularly, while some 45% do so from time to time but not regularly.

ESG surveyed more than 300 organizations in the financial, business services, manufacturing, and retail industries with 1,000 or more employees and both an internal threat intel program and an external threat intel feed. Of those organizations that currently don't share intel, only 10% plan to do so in the next 12 to 24 months, 5% sometime in the future, and just 2% have no plans to do so.

"A lot of sharing is CYA," says Jon Oltsik, principal analyst with ESG. "They're hoping [to] get that one pearl of wisdom from someone, that isn't in the open-source [intel threat data] world."

But the missing link is making threat-intel sharing a regular process and function. "They haven't figured out how to operationalize this," Oltsik says. "It's [mostly] done on an ad-hoc basis, with some partners and not others. Some intel is shared instantly, and some is not shared consistently. How do you operationalize this" in an automated and consistent way, he says.

It's been a big year for threat intel-sharing developments: in February, President Obama rolled out a new Cyber Threat Intelligence Integration Center aimed at supporting and providing a central repository for threat intelligence for government and private industry, and signed an Executive Order to promote sharing among private sector organizations as well as between the private and public sectors. Meantime, some vertical industry sectors have launched their own intel-sharing organizations, including the retail and oil & gas industries.

The goal is for companies and government agencies to gather and share as much relevant and timely intel about new or ongoing cyberattacks and threats as possible to avoid major breaches -- or at the least, to minimize the damage from an attack.

While 2014 was "the year of pipes for information-sharing," now it's about getting the "plumbing" in place to make it all work, Chris Blask, chair of the ICS-ISAC, the industrial control system/SCADA group, told Dark Reading earlier this year.

The overall volume of organizations sharing firsthand intel remains relatively modest, with high-profile industries such as the defense industrial base and financial services leading the way with mature mechanisms and organizations for swapping that intel.

And most seasoned intel-sharing organizations will admit the bulk of sharing still occurs face-to-face, by phone, or via email with a trusted counterpart. "People share now with people they trust, offline," says Anne Bonaparte, CEO of threat intelligence platform provider Vorstack, which commissioned the ESG study.

Some 72% of organizations say they plan to gather and analyze "significantly or somewhat" more internal intel in the next 12 to 24 months, and 55% plan to do the same with external intel. Three-fourths of them expect threat intel spending to increase in the next 12 to 18 months.

The hurdles to properly gathering, analyzing, and applying this information include a lack of a holistic view of the threats; inadvertently blocking legitimate traffic in response to an identified threat; workflow and integration glitches; and stale information that can't be acted upon quickly, according to the report.

[New intelligence-sharing groups/ISACs emerge, software tools arrive and the White House adds a coordinating agency -- but not all of the necessary intel-sharing 'plumbing' is in place just yet. Read Efforts To Team Up And Fight Off Hackers Intensify.]

The Holy Grail of integrating and automating threat intel is the pair of emerging standards STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information), which are supported by the major players in threat intel-sharing, including the financial services' FS-ISAC.

STIX is basically a lingua franca for threat information, while TAXII defines the protocol for transporting the information.

"But there hasn't been a killer app yet," ESG's Oltsik says. "How do we apply STIX and TAXII to accelerate threat identification, or get down to the IOCs [indicators of compromise] that really matter to us?" for example, he says.

Mark Clancy, CEO of Soltra and CISO of DTCC, which offers the SoltraEdge threat-intel platform based on STIX and TAXII now used by multiple intel-sharing groups, says about a dozen security tools support STIX and TAXII standards today. "You're going to see the security community really [start to] adopt STIX and TAXII," says Clancy, who is also a board member of the FS-ISAC, which initially developed the SoltraEdge platform.

Clancy says while today's STIX-based threat intel use is mainly "consumption," he's starting to see more organizations "publish, subscribe, and publish back."

More significantly, some organizations are beginning to share which vulnerabilities--not just IOCs--are being exploited in new attack campaigns. "That focuses efforts on what is actually being exploited," he says, so organizations can patch accordingly.
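To make concrete what the article describes (STIX as the shared vocabulary, TAXII as the transport, and an IOC shared together with the vulnerability a campaign is exploiting), here is an added example that is not code from the article, Soltra or FS-ISAC. It builds a STIX 2.1-style JSON bundle from plain dicts (STIX 2.1 JSON postdates this 2015 article, which refers to the XML-era standard) and shows the consumer side extracting "which CVEs are being exploited, and via which indicators"; the campaign name, domain, CVE id and timestamp are constructed placeholders.

```python
"""Added example, not code from the article, Soltra or FS-ISAC: an IOC shared together
with the vulnerability the attack campaign exploits, as a STIX 2.1-style JSON bundle of
plain dicts, plus the consumer view. STIX 2.1 JSON postdates this 2015 article; the
campaign name, domain, CVE id and timestamp are constructed placeholders."""
import json
import uuid
TS = "2015-05-26T00:00:00.000Z"  # constructed timestamp (STIX uses RFC 3339 UTC)

def _sdo(stix_type: str, **props) -> dict:
    # Fields common to every STIX 2.1 object: type, spec_version, id, created, modified.
    base = {"type": stix_type, "spec_version": "2.1",
            "id": f"{stix_type}--{uuid.uuid4()}", "created": TS, "modified": TS}
    return {**base, **props}

def build_bundle(campaign_name: str, ioc_domain: str, cve_id: str) -> dict:
    """Producer side: indicator --indicates--> campaign --targets--> vulnerability."""
    indicator = _sdo("indicator", pattern_type="stix", valid_from=TS,
                     pattern=f"[domain-name:value = '{ioc_domain}']")
    campaign = _sdo("campaign", name=campaign_name)
    vuln = _sdo("vulnerability", name=cve_id,
                external_references=[{"source_name": "cve", "external_id": cve_id}])
    rels = [_sdo("relationship", relationship_type="indicates",
                 source_ref=indicator["id"], target_ref=campaign["id"]),
            _sdo("relationship", relationship_type="targets",
                 source_ref=campaign["id"], target_ref=vuln["id"])]
    # A bundle carries only type, id and objects (no spec_version/created/modified).
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [indicator, campaign, vuln, *rels]}

def exploited_vulnerabilities(bundle) -> dict:
    """Consumer side: CVE -> targeting campaign and the IOC patterns indicating it."""
    bundle = json.loads(bundle) if isinstance(bundle, str) else bundle  # JSON or dict
    objs = {o["id"]: o for o in bundle["objects"]}
    def ends(r, rtype, src_type, dst_type):
        # Resolve both ends of a relationship; dangling or mistyped refs yield (None, None).
        src, dst = objs.get(r.get("source_ref")), objs.get(r.get("target_ref"))
        ok = (r.get("relationship_type") == rtype and src is not None
              and dst is not None and src["type"] == src_type and dst["type"] == dst_type)
        return (src, dst) if ok else (None, None)
    indicators_of: dict = {}  # campaign id -> [indicator pattern, ...]
    for r in objs.values():
        ind, camp = ends(r, "indicates", "indicator", "campaign")
        if ind:
            indicators_of.setdefault(camp["id"], []).append(ind["pattern"])
    report: dict = {}
    for r in objs.values():
        camp, vuln = ends(r, "targets", "campaign", "vulnerability")
        if camp:
            report[vuln["name"]] = {"campaign": camp["name"],
                                    "indicators": indicators_of.get(camp["id"], [])}
    return report
```

The bundle returned by `build_bundle` is what a TAXII server would deliver as a collection object; `exploited_vulnerabilities` accepts either the serialized JSON text or the parsed dict.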

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Paladium
User Rank: Moderator
5/28/2015 | 8:54:19 AM
Over complicated
Re: Soltra Edge

This technology is just too over-complicated for the average Security Analyst to deal with. The instructions for setting it up need significant attention, as they were written by one of the product's developers, resulting in huge gaps, assumptions, and a general lack of user friendliness. The spelling and grammar in the instructions need some serious love as well.

Here is why I am being so critical...

I've had two of my analysts at two different companies go through the process of setting up Soltra Edge. It was very, very painful. Both are very sharp cookies and highly skilled in all things Linux. It was not a skill issue. They have been well trained and are very experienced in Security Operations (SecOps). It was not a knowledge issue. They did get the product running in the end, only to sit there and say "now what". It was sad because the closer they got to finishing the setup, the less and less usable the instructions became. Very poorly written.

It's a product immaturity issue...

The last but most important issue is time. The vast majority of SecOps teams do not have staff just sitting around waiting for something to do. Show me such a place and I will show you failed leadership. SecOps staff are very overwhelmed these days, and when you throw such an immature product at them, describing it as the next best thing since sliced bread, only to waste that Security Analyst's time trying to get it working, even minimally, then you have lost all those hours spent working on it. Those hours would have been better spent working on real-world threat analysis and response.

Again, it's a product immaturity issue with a very strong dose of marketing spin added in.

I really dislike what marketing has done to SecOps programs these past few years. The marketing spin and effort to convince Security Managers to "buy this, buy this" by vendors, product marketing, and even open source stuff like Soltra Edge, adds an unnecessary burden, a layer of noise that takes SecOps staff away from what really matters. Stopping the bad guy, here and now.

All this being said... I agree we need much better, faster delivered and shareable threat intel. No argument. But stop pushing an immature product/capability down SecOps' throats, especially via regulatory bodies who have no technical clue about what it takes to really protect against the bad guys, but are all hyped up on this new slice of bread.

Slow it down.  Do it right!  And for heaven's sake never, ever let a developer create the user interface OR the setup instructions!

Rgr Out!