Risk

9/6/2018
Jonathan Couch
Commentary
Understanding & Solving the Information-Sharing Challenge

Why cybersecurity threat feeds from intel-sharing groups diminish in value and become just another source of noise. (And what to do about it.)

Cybersecurity information sharing is not a new topic. In fact, we've been talking about it for years. We know we should share information and we expect others to as well. We even see pockets of success, typically among peers who are in the same industry and have a personal or long-term business relationship. They have established a level of trust that allows them to feel comfortable exchanging information that is truly useful.

However, when we try to scale that type of exchange through government and industry groups that exist to promote and facilitate information sharing, we're less successful. At a corporate level, because of real or perceived liabilities, organizations often aren't as willing to share as individuals are, so information sharing on a broader scale, in a way that really benefits larger communities of defenders, hasn't taken off. The quantity of active participants and the quality of information shared simply are not there to allow many of these exchanges to work as effectively as intended.

Quality and Quantity: A Cycle of Diminishing Value
Many organizations treat information sharing as another check box. They want to be part of an industry-specific Information Sharing and Analysis Center (ISAC) or a government sharing group, such as the Department of Homeland Security's Automated Indicator Sharing capability or the UK's Cyber Security Information Sharing Partnership. But they haven't set up an internal program to identify the type of information their organization can share and how they will share it. Instead, they are focused on receiving information that others share. Eventually, and because sharing groups have guidelines they enforce, organizations will begin to share. But this raises the issue of quality.

As group membership grows, trust weakens, and many organizations are less comfortable sharing information that they have personally found to be of value — for example, from a breach they faced. Instead, organizations tend to share indicators of compromise such as IP addresses and domains. Information sharing becomes automated, with little or no context and sometimes regurgitated from another source. Without context, other participants don't know if the information is relevant to their organization and should be prioritized. This creates a waning interest in the sharing group as members become overwhelmed with quantity and lack of quality. The threat feed from this intelligence-sharing group diminishes in value and becomes another source of noise.

Groups that can overcome the quality hurdle and find ways to share rich, contextual threat intelligence within communities of interest often rely on the largest members to initially fill the queue with shared intelligence. The hope is that as time goes on, the smaller companies will begin to share as well. This rarely happens, though. Only the more progressive, smaller companies with more developed threat operations programs are able to share high-value information, with the remainder acting primarily as consumers. As a feeling of inequality spreads, the entire sharing construct eventually falls apart.

Breaking the Cycle: 3 Steps
But it isn't all gloom and doom. In fact, there are three areas where we can focus to strengthen information sharing and allow it to deliver value at scale as intended.

Step 1. Establish information sharing and consumption programs.
Organizations need to understand what they can share from a legal and compliance perspective. This will allow them to strike a balance so they don't overreact and shut down sharing, but also don't inadvertently share something that is proprietary or protected under privacy laws. With clear guidelines, security teams can do better at providing high-quality information with context and relevance. They also need to understand what they are going to consume and how they will use it. This will ensure they're doing their part to derive value from the intelligence they receive, and not suffer from data overload and waste valuable resources.

Step 2. Monitor for quality.
As information-sharing groups have grown, a surge in automated sharing of tactical information has become their downfall. Sharing groups must monitor information for quality. It must be curated to ensure there is value in passing it along to other members, either as "known bad" or packaged with context so that recipients can determine relevancy within their own environments.
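As an added example (not from the article or its author), the curation rule of Step 2 and the context problem described under "Quality and Quantity" expressed as a small triage gate a sharing group could run over incoming records: a record passes only if it is a confirmed "known bad" or carries enough context for a recipient to judge relevance, and values already shared by another member or merely relayed from an upstream feed are flagged as regurgitation. The record fields and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Indicator:
    value: str              # the IP address or domain being shared
    source: str             # member organization that shared it
    verdict: str = ""       # "known_bad" if the sharer confirmed it malicious
    description: str = ""   # what was observed (campaign, TTP, affected asset)
    first_seen: str = ""    # when the sharer observed it
    derived_from: str = ""  # upstream feed, if the record was merely relayed

# Fields a recipient needs to decide whether the indicator is relevant to them.
CONTEXT_FIELDS = ("description", "first_seen")

def curate(indicators):
    """Split a batch into (accepted, noise). A record is accepted only if it is
    a confirmed known-bad or carries enough context for a recipient to judge
    relevance; a value already shared by a different member, or relayed from
    another feed without added context, is flagged as regurgitation."""
    first_source = {}
    accepted, noise = [], []
    for ioc in indicators:
        has_context = all(getattr(ioc, f) for f in CONTEXT_FIELDS)
        reasons = []
        if ioc.value in first_source and first_source[ioc.value] != ioc.source:
            reasons.append(f"already shared by {first_source[ioc.value]}")
        if ioc.derived_from and not has_context:
            reasons.append(f"relayed from {ioc.derived_from} without analysis")
        if ioc.verdict != "known_bad" and not has_context:
            reasons.append("no verdict and no context")
        first_source.setdefault(ioc.value, ioc.source)
        if reasons:
            noise.append((ioc, "; ".join(reasons)))
        else:
            accepted.append(ioc)
    return accepted, noise

SAMPLE = [  # constructed records; addresses are documentation ranges
    Indicator("203.0.113.7", "bank-a", verdict="known_bad",
              description="C2 for phishing kit seen in Aug incident", first_seen="2018-08-21"),
    Indicator("example-bad.test", "bank-b"),                         # bare domain, no context
    Indicator("203.0.113.7", "bank-c"),                              # same IP, re-shared
    Indicator("198.51.100.9", "bank-d", description="RDP scanning", first_seen="2018-09-01"),
    Indicator("198.51.100.10", "bank-e", derived_from="public feed X"),
]

if __name__ == "__main__":
    ok, rejected = curate(SAMPLE)
    for ioc in ok:
        print("ACCEPT", ioc.value, ioc.source)
    for ioc, why in rejected:
        print("NOISE ", ioc.value, ioc.source, "->", why)
```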

Step 3. Devise ways for all to participate.
The writing is on the wall: Measuring success by numbers isn't the path to more effective information sharing. To maintain quality and balance quantity, we need to consider forming subgroups with trust built into them. At the same time, smaller organizations also need access to high-value threat information. We must accept that at least initially, they may not be able to contribute much information and will mostly be consumers.

A two-pronged approach can help to address their needs. First, smaller organizations should join or create their own industry-specific sharing community and then actively participate in sharing contextual, relevant intelligence that they have seen on their network. In turn, this will help larger industry sharing groups be more successful at protecting the industry as a whole — including the smaller companies that are part of their ecosystem. Second, small organizations that contract with managed security service providers (MSSPs) should rely on their providers to offer such intelligence. This community defense model is often part of the promise MSSPs make to their customers, so smaller companies should make sure their vendor is delivering.

As we break the cycle of diminishing value by getting a handle on the quantity/quality challenge, information exchanges will begin to thrive. Finally, we'll be able to do less talking and more sharing.

As Senior VP of Strategy of ThreatQuotient, Jonathan Couch utilizes his 20+ years of experience in information security, information warfare, and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in ... View Full Bio
Comments
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
9/7/2018 | 1:47:20 PM
Quality and Quantity
Great point about the disparity between the quantity of active participants and the quality of information they share, and how important it is for the industry to devise ways where all organizations, large and small, can participate.