Partner Perspectives  Connecting marketers to our tech communities.
9/27/2016
11:01 AM
Matthew Rosenquist
Matthew Rosenquist
Partner Perspectives
50%
50%

Sharing Cybersecurity Threat Intelligence Is The Only Way We Win

Security organizations must leverage each other's information in order to better predict, prevent, detect, and respond to threats their customers and organizations face.

Cybersecurity is a team sport. The bad guys share information, expertise, code, and help one another. The good guys must do the same to keep pace. Sharing threat intelligence is a key aspect where knowledge gained by owners of sensor networks can share data in a collective way to the security analysis community. This give the necessary breadth of data to understand trends, new infections, how botnets are communicating, if directed targeting is occurring, and even if different attackers are collaborating. 

Sadly, this is not the norm. Many security companies look at this data as a competitive advantage to sell their products and services. They keep it to themselves in hopes they can find a nugget and market it in a way to win over new customers. But the cost is losing the bigger picture of overall effectiveness.

This is slowly changing. Some security firms are stepping up and sharing more and more data that is redacted of personal information and contains only attack characteristics. The combined aspects are like pieces to a massive puzzle for analysts looking for trends. It is hugely important to everyone.

I am glad to see major security vendors and researchers beginning to share insights and data. Consortiums such as the Cyber Threat Alliance and sites such as VirusTotal are leading the way. The Information Sharing and Analysis Organization (ISAO), established as part of a US presidential order in 2015, is developing voluntary standards for private and public data sharing.

But more sharing must happen. Attacks are occurring at a phenomenal rate. Malware alone is out of control, with about 44,000 new unique samples being discovered every day. Security organizations must leverage each other’s information in order to better predict, prevent, detect, and respond to threats their customers and organizations face. 

The battle that should be fought is not between security vendors, but rather between the threats and collective defensive organizations that stand between these threats and their victims. We must work together to stem the tide of cyberattacks. Public sentiment is important. If we desire our technology to be safe, we must send a clear message to our security vendors: Share threat data or we will patronize a different supplier of security products and services. We have a voice and a vote (with our wallets). 

Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and to learn about what is going on in cybersecurity.

Matthew Rosenquist is a cybersecurity strategist for Intel and benefits from 25 years in the field of security. He specializes in strategy, measuring value, and developing cost-effective capabilities and organizations that deliver optimal levels of security. Matthew helped ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jcavery
50%
50%
jcavery,
User Rank: Moderator
9/28/2016 | 2:33:10 PM
Dare to Share
There is a key difference between the good guys sharing intelligence and the bad guys sharing it. The bad guys tend to share it in underground forums, only among eachother, and if they aren't doing that, they're keeping it for themselves or selling it for money. The good guys (and media) tend to blast every vulnerability on the front page for some reason. Yes, it's important to share the intelligence, but not like that, not publicly. Once it gets shared publicly, it's more of a race to see who can exploit it before they fix it, instead of an umbrella announcement to everyone. The good guys should become more efficient at tactfully informing companies.

I have made money from bug bounties just by browsing the latest "good guy" public vulns, why is that? Wasn't the logic supposed to be that the more public the announcement, the more fixes will happen? Sometimes a company is actually safer before those public announcements are made than the days following it. There might only be 1 or 2 hackers aware of a vuln (but not able to exploit it yet) whereas after the "share", you now have 1,000 hackers looking at it, with hundreds able to exploit it. Great article, great topic, just need to drill down more details on how to execute this whole sharing thing.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3483
PUBLISHED: 2019-03-25
Mitigates a potential information leakage issue in ArcSight Logger versions prior to 6.7.
CVE-2019-3484
PUBLISHED: 2019-03-25
Mitigates a remote code execution issue in ArcSight Logger versions prior to 6.7.
CVE-2019-6240
PUBLISHED: 2019-03-25
An issue was discovered in GitLab Community and Enterprise Edition before 11.4. It allows Directory Traversal.
CVE-2015-3953
PUBLISHED: 2019-03-25
Hard-coded accounts may be used to access Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospi...
CVE-2015-3954
PUBLISHED: 2019-03-25
Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user could issue commands to the pump. Hospira recommen...