5/26/2015 03:20 PM

A Threat Intelligence-Sharing Reality-Check

Many organizations share intel only one way (gathering, not contributing), and mainly for 'CYA,' experts say.

Every year at the RSA Conference, an industry trend becomes the buzzword of the week as vendors and some speakers rally around a term that's catching fire: this year, the buzz was threat intelligence-sharing.

But are companies and organizations really sharing much firsthand intelligence, or mostly gathering and ingesting intel from outside sources such as vendors, information-sharing and analysis centers (ISACs), and information-sharing and analysis organizations (ISAOs)? A new study by Enterprise Strategy Group (ESG) found that 37% of North American organizations share their intel regularly, while some 45% do so from time to time but not regularly.

ESG surveyed more than 300 organizations in the financial, business services, manufacturing, and retail industries with 1,000 or more employees and both an internal threat intel program and an external threat intel feed. Of those organizations that currently don't share intel, only 10% plan to do so in the next 12 to 24 months, 5% sometime in the future, and just 2% have no plans to do so.

"A lot of sharing is CYA," says Jon Oltsik, principal analyst with ESG. "They're hoping [to] get that one pearl of wisdom from someone, that isn't in the open-source [intel threat data] world."

But the missing link is making threat-intel sharing a regular process and function. "They haven't figured out how to operationalize this," Oltsik says. "It's [mostly] done on an ad-hoc basis, with some partners and not others. Some intel is shared instantly, and some is not shared consistently. How do you operationalize this" in an automated and consistent way, he says.

It's been a big year for threat intel-sharing developments: in February, President Obama rolled out a new Cyber Threat Intelligence Integration Center aimed at supporting and providing a central repository for threat intelligence for government and private industry, and signed an Executive Order to promote sharing among private sector organizations as well as between the private and public sectors. Meantime, some vertical industry sectors have launched their own intel-sharing organizations, including the retail and oil & gas industries.

The goal is for companies and government agencies to gather and share as much relevant and timely intel about new or ongoing cyberattacks and threats as possible to avoid major breaches -- or at the least, to minimize the damage from an attack.

While 2014 was "the year of pipes for information-sharing," now it's about getting the "plumbing" in place to make it all work, Chris Blask, chair of the ICS-ISAC, the industrial control system/SCADA group, told Dark Reading earlier this year.

The overall volume of organizations sharing firsthand intel remains relatively modest, with high-profile industries such as the defense industrial base and financial services leading the way with mature mechanisms and organizations for swapping that intel.

And most seasoned intel-sharing organizations will admit the bulk of sharing still occurs face-to-face, by phone, or via email with a trusted counterpart. "People share now with people they trust, offline," says Anne Bonaparte, CEO of threat intelligence platform provider Vorstack, which commissioned the ESG study.

Some 72% of organizations say they plan to gather and analyze "significantly or somewhat" more internal intel in the next 12 to 24 months, and 55% plan to do the same with external intel. Three-fourths of them expect threat intel spending to increase in the next 12 to 18 months.

The hurdles to properly gathering, analyzing, and applying this information include a lack of a holistic view of the threats; inadvertently blocking legitimate traffic in response to an identified threat; workflow and integration glitches; and stale information that can't be acted upon quickly, according to the report.

The Holy Grail of integrating and automating threat intel is the pair of emerging standards STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information), which are supported by the major players in threat intel-sharing, including the financial services' FS-ISAC.

STIX is basically a lingua franca for threat information, while TAXII defines the protocol for transporting the information.

"But there hasn't been a killer app yet," ESG's Oltsik says. "How do we apply STIX and TAXII to accelerate threat identification, or get down to the IOCs [indicators of compromise] that really matter to us?" for example, he says.

Mark Clancy, CEO of Soltra and CISO of DTCC, which offers the SoltraEdge threat-intel platform based on STIX and TAXII now used by multiple intel-sharing groups, says about a dozen security tools support STIX and TAXII standards today. "You're going to see the security community really [start to] adopt STIX and TAXII," says Clancy, who is also a board member of the FS-ISAC, which initially developed the SoltraEdge platform.

Clancy says while today's STIX-based threat intel use is mainly "consumption," he's starting to see more organizations "publish, subscribe, and publish back."

More significantly, some organizations are beginning to share which vulnerabilities -- not just IOCs -- are being exploited in new attack campaigns. "That focuses efforts on what is actually being exploited," he says, so organizations can patch accordingly.
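To make concrete what "consuming" STIX looks like on the receiving end (the lingua franca described above), and how shared vulnerability objects sit beside plain IOCs as Clancy describes, here is an added example that is not from the article or from Soltra. It assumes the STIX 2.1 JSON format (the article names no version; the STIX 1.x of 2015 was XML); the bundle, the log lines, all object ids and the CVE name are constructed placeholders.

```python
import json
import re
# Constructed STIX 2.1 bundle (not from the article; STIX 2.x is JSON, the STIX 1.x
# of 2015 was XML). Object ids and the CVE name are placeholders, not real values.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "valid_from": "2015-05-01T00:00:00Z",
     "pattern": "[domain-name:value = 'evil-example.test']"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000003",
     "valid_from": "2015-05-01T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']"},
    {"type": "vulnerability", "spec_version": "2.1",
     "id": "vulnerability--00000000-0000-4000-8000-000000000004",
     "name": "CVE-0000-PLACEHOLDER"},
]})

# Constructed proxy and endpoint log lines to match the shared observables against.
LOG_LINES = [
    "2015-05-26T10:01:02Z proxy GET http://evil-example.test/update.bin 200",
    "2015-05-26T10:01:05Z proxy GET http://intranet.example/index.html 200",
    "2015-05-26T10:02:11Z edr file_created sha256=" + "0123456789abcdef" * 4,
]

# One STIX comparison expression of the form [object-type:property = 'value']
COMPARISON = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

def extract_observables(bundle_json):
    """Map observable type -> set of lower-cased values taken from indicator patterns.
    Compound patterns (AND/OR/FOLLOWEDBY, qualifiers) are skipped rather than
    mis-parsed; a production consumer needs a full STIX pattern parser."""
    found = {}
    for obj in json.loads(bundle_json)["objects"]:
        m = COMPARISON.match(obj.get("pattern", "")) if obj["type"] == "indicator" else None
        if m:
            found.setdefault(m.group(1), set()).add(m.group(3).lower())
    return found

def vulnerability_names(bundle_json):
    """Names of shared vulnerability objects: the 'what is actually exploited' view."""
    return [o["name"] for o in json.loads(bundle_json)["objects"] if o["type"] == "vulnerability"]

def match_logs(observables, log_lines):
    """Return (line_index, observable_type, value) for each log line containing a shared value."""
    hits = []
    for i, line in enumerate(log_lines):
        low = line.lower()
        hits.extend((i, t, v) for t, vals in observables.items() for v in sorted(vals) if v in low)
    return hits
```

Only simple single-comparison patterns are matched here; anything more complex is deliberately ignored so that a mis-parsed indicator cannot silently block legitimate traffic, one of the hurdles the report lists.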

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Paladium, User Rank: Moderator
5/28/2015 | 8:54:19 AM
Over complicated
Re: Soltra Edge

This technology is just too over-complicated for the average Security Analyst to deal with. The instructions for setting it up need significant attention as they were written by one of the product's developers, resulting in huge gaps, assumptions, and a general lack of user friendliness. The spelling and grammar in the instructions need some serious love as well.

Here is why I am being so critical...

I've had two of my analysts at two different companies go through the process of setting up Soltra Edge. It was very, very painful. Both are very sharp cookies and highly skilled in all things Linux. It was not a skill issue. They have been well trained and are very experienced in Security Operations (SecOps). It was not a knowledge issue. They did get the product running in the end only to sit there and say "now what". It was sad because the closer they got to finishing the set up, the less and less usable the instructions became. Very poorly written.

It's a product immaturity issue...

The last but most important issue is time. The vast majority of SecOps teams do not have staff just sitting around waiting for something to do. Show me such a place and I will show you failed leadership. SecOps staff are very overwhelmed these days, and when you throw such an immature product at them, describing it as the next best thing since sliced bread, only to waste that Security Analyst's time trying to get it working, even minimally, then you have lost all those hours spent working on it. Those hours would have been better spent working on real world threat analysis and response.

Again, it's a product immaturity issue with a very strong dose of marketing spin added in.

I really dislike what marketing has done to SecOps programs these past few years. The marketing spin and effort to convince Security Managers to "buy this, buy this" by vendors, product marketing, and even open source stuff like Soltra Edge, adds an unnecessary burden, a layer of noise that takes SecOps staff away from what really matters. Stopping the bad guy, here and now.

All this being said...  I agree we need much better, faster delivered and shareable threat intel.  No argument.  But stop pushing an immature product/capability down SecOps throats, especially via regulatory bodies who have no technical clue into what it takes to really protect against the bad guys, but are all hyped up on this new slice of bread.

Slow it down.  Do it right!  And for heaven's sake never, ever let a developer create the user interface OR the setup instructions!

Rgr Out!