Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

Dual Retail Cyberthreat Intelligence-Sharing Efforts Emerge

The Retail Industry Leaders Association (RILA) rolls out a retail ISAC following the National Retail Federation's (NRF) announcement last month of an intel-sharing platform planned for June.

First, there was no official intelligence-sharing mechanism for the retail industry, and now there are two. The Retail Industry Leaders Association (RILA) announced the launch yesterday of the Retail Cyber Intelligence Sharing Center (R-CISC), an information sharing and analysis center (ISAC) with the backing of Target and other major retailers. The center is akin to what the financial services, defense, and other industries have in place today to help their members share and learn about the latest attacks and threats.

Last month, the National Retail Federation officially revealed its plans for establishing an intelligence-sharing mechanism to help the industry fight cyberthreats. David French, senior vice president for government relations for the NRF, told Dark Reading earlier this year that establishing a retail industry ISAC was on the table as an option.

In a second interview with Dark Reading last month, French said the NRF was sharing protocols and procedures that could be "transformed into an ISAC," though the organization was "not all in with an ISAC yet." The plan was for a sharing platform that would start out as a portal for the industry, he said.

Today the NRF praised the R-CISC announced by the RILA but said it has no plans to drop its own intelligence-sharing initiative, which it developed in consultation with the financial services industry's FS-ISAC.

"The National Retail Federation applauds the announcement made by the Retail Industry Leaders Association regarding the establishment of a Retail Cyber Intelligence Sharing Center," said Bill Thorne, senior vice president for communications and public affairs for the NRF. "For a number of years, NRF has been working with all of the stakeholders to ensure that the broad spectrum of our industry -- large and small, online, grocery and restaurants -- have access to the tools and information they need to combat and stop these crimes."

Thorne told Dark Reading there won't be two retail ISACs, but there may well be multiple intelligence-sharing platforms. "Where it makes sense, we will integrate efforts, but at this time I do not see two retail ISACs. That does not mean, however, that there could not be multiple information sharing platforms, education, and training programs or research needs," he said. "To make it work requires a high degree of collaboration and communication between all parties engaged in this space. Please keep in mind, RILA and NRF share an industry but have a very different membership base. With those differences comes levels of sophistication, resources, need, and category of retail. Cyber security is not a 'one size fits all' proposition.

"This is a complex problem for which there is no single answer. The important thing is to insure the widest access to information by the broadest cross section of the retail industry. The effort by RILA enhances that mission, adding to the greater arsenal of tools," Thorne said. "It does not in any way diminish our commitment to creating programs and opportunities that provide additional value to retailers."

The NRF has contracted the Chertoff Group "to ensure that this effort maximizes current tools and technologies that meets the needs for the full range of retailers," he said. "We support any effort that will help protect our members and their customers, and as an industry we look forward to working together to reach our shared goals."

Calls for an official intel-sharing mechanism for the retail industry intensified in the wake of Target's epic data breach late last year. The retail industry to date has not had a formal threat and attack intelligence-sharing mechanism, like other major industries do.

In addition to Target, the retailers participating in the RILA's new R-CISC include American Eagle Outfitter, Gap, JC Penney, Lowe's, Nike, Safeway, VF, and Walgreens. The R-CISC will share threat information with the US Department of Homeland Security, the US Secret Service, and the Federal Bureau of Investigation. It will also provide training and education to the industry on cyberthreats.

"Retailers place extremely high priority on finding solutions to combat cyberattacks and protect customers. In the face of persistent cyber criminals with increasingly sophisticated methods of attack, the R-CISC is a comprehensive resource for retailers to receive and share threat information, advance leading practices and develop research relevant to fighting cybercrimes," said RILA president Sandy Kennedy.

It's unclear why the two associations initially came at this initiative separately. The retail industry, unlike the defense contractor or financial services industries, is relatively new to being victimized by targeted attacks. So it could be more a result of growing pains as the industry rushes to get up to speed, experts say. Targeted threats "have not traditionally been a huge concern for them," says Chris Strand, senior director of compliance for Bit9.

There are also natural worries among competing companies about sharing attack information with a competitor, but experts say that worry ultimately fades as the advantages of staying abreast of new threats to the industry begin to pay off.

"Some don't want to share information with one another," says Strand, who has been on both sides of the fence as a retailer and a QSA. "It's both a good and bad thing that several [retail organizations] stepped forward" on the intel-sharing initiative. "But if you were to have two separate ones not talking to one another, that would probably not be the best" situation.

The NRF and RILA had been working together under an official alliance of retail trade associations to explore information-sharing options. That alliance includes the Financial Services Roundtable, the American Bankers Association, the American Hotel & Lodging Association, Independent Community Bankers of America, the National Grocers Association, and the National Restaurant Association.

A recent Ponemon Institute study found that, for most organizations in general, intel-sharing is informal and ad hoc, and therefore not necessarily always useful. More than half of organizations get this information via phone calls, emails, or in-person meetings. The information then must be converted into some sort of rule or security measure, and time is of the essence: Nearly 70% of organizations say this information expires within seconds or minutes.

"Hearing from leaders and experts that have experienced such attacks first hand and stepped up to modernize their data security strategy to turn the tables on the attackers can be a fast track for others to follow with big pay-offs," says Mark Bower, vice president of product management and solution architecture for Voltage Security.

Target, meanwhile, said it is playing "an active role" in RILA's R-CISC. "Target believes that protecting consumers from cyber threats is a shared responsibility. We applaud the efforts of RILA to help coordinate industry efforts around cyber security and data privacy," a Target spokesperson said.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
5/17/2014 | 11:53:26 PM
Dual Efforts
I agree this is good news. Threat intel sharing is good. Still, to Kelly's point, it seems like those organizations should be working together closely on something like this. The findings of the Ponemon study are interesting, and to me underscore that there needs to be a solid mechanism in place for people to share relevant information so that companies can react promptly. Will be interesting to see how and if it all comes together.

Kelly Jackson Higgins
User Rank: Strategist
5/16/2014 | 8:42:28 AM
Dual or Duel?
The good news here is that the retail industry now has a formal way to share threat intelligence/attack information, but I have to wonder if having dual efforts is more of a dueling efforts issue. 
Ed Moyle
User Rank: Apprentice
5/16/2014 | 8:40:27 AM
Great Move
So this is a really good idea and I'm glad to see this emerge. For industries in the "critical infrastructure" bucket, intelligence-sharing efforts have been around for a while, but it's exactly retail where it's most needed. Why? Because security organizations in retail tend to have tighter budgets than industries like financial services, energy, or even (if you can believe it) healthcare. This is true despite the fact that they're a tempting target of attack for a financially-motivated adversary. It's an artifact of the business that they're in and the fact that they need to (for business purposes) operate at a very tight margin.

From a PCI compliance standpoint, it's also helpful to the extent that it can help them address DSS 6.1, which is a known "pain point", particularly for the mid-market. Anyway, long-winded way of saying that this is fantastic news.