Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

03:35 PM
Connect Directly

Dual Retail Cyberthreat Intelligence-Sharing Efforts Emerge

The Retail Industry Leaders Association (RILA) rolls out a retail ISAC following the National Retail Federation's (NRF) announcement last month of an intel-sharing platform planned for June.

First, there was no official intelligence-sharing mechanism for the retail industry, and now there are two. The Retail Industry Leaders Association (RILA) announced the launch yesterday of the Retail Cyber Intelligence Sharing Center (R-CISC), an information sharing and analysis center (ISAC) with the backing of Target and other major retailers. The center is akin to what the financial services, defense, and other industries have in place today to help their members share and learn about the latest attacks and threats.

Last month, the National Retail Federation officially revealed its plans for establishing an intelligence-sharing mechanism to help the industry fight cyberthreats. David French, senior vice president for government relations for the NRF, told Dark Reading earlier this year that establishing a retail industry ISAC was on the table as an option.

In a second interview with Dark Reading last month, French said the NRF was sharing protocols and procedures that could be "transformed into an ISAC," though the organization was "not all in with an ISAC yet." The plan was for a sharing platform that would start out as a portal for the industry, he said.

Today the NRF praised the R-CISC announced by the RILA but said it has no plans to drop its own intelligence-sharing initiative, which it developed in consultation with the financial services industry's FS-ISAC.

"The National Retail Federation applauds the announcement made by the Retail Industry Leaders Association regarding the establishment of a Retail Cyber Intelligence Sharing Center," said Bill Thorne, senior vice president for communications and public affairs for the NRF. "For a number of years, NRF has been working with all of the stakeholders to ensure that the broad spectrum of our industry -- large and small, online, grocery and restaurants -- have access to the tools and information they need to combat and stop these crimes."

Thorne told Dark Reading there won't be two retail ISACs, but there may well be multiple intelligence-sharing platforms. "Where it makes sense, we will integrate efforts, but at this time I do not see two retail ISACs. That does not mean, however, that there could not be multiple information sharing platforms, education, and training programs or research needs," he said. "To make it work requires a high degree of collaboration and communication between all parties engaged in this space. Please keep in mind, RILA and NRF share an industry but have a very different membership base. With those differences comes levels of sophistication, resources, need, and category of retail. Cyber security is not a 'one size fits all' proposition.

"This is a complex problem for which there is no single answer. The important thing is to insure the widest access to information by the broadest cross section of the retail industry. The effort by RILA enhances that mission, adding to the greater arsenal of tools," Thorne said. "It does not in way diminish our commitment to creating programs and opportunities that provide additional value to retailers."

The NRF has contracted the Chertoff Group "to ensure that this effort maximizes current tools and technologies that meets the needs for the full range of retailers," he said. "We support any effort that will help protect our members and their customers, and as an industry we look forward to working together to reach our shared goals."

Calls for an official intel-sharing mechanism for the retail industry intensified in the wake of Target's epic data breach late last year. The retail industry to date has not had a formal threat and attack intelligence-sharing mechanism, like other major industries do.

In addition to Target, the retailers participating in the RILA's new R-CISC include American Eagle Outfitter, Gap, JC Penney, Lowe's, Nike, Safeway, VF, and Walgreens. The R-CISC will share threat information with the US Department of Homeland Security, the US Secret Service, and the Federal Bureau of Investigation. It will also provide training and education to the industry on cyberthreats.

"Retailers place extremely high priority on finding solutions to combat cyberattacks and protect customers. In the face of persistent cyber criminals with increasingly sophisticated methods of attack, the R-CISC is a comprehensive resource for retailers to receive and share threat information, advance leading practices and develop research relevant to fighting cybercrimes," said RILA president Sandy Kennedy.

It's unclear why the two associations initially came at this initiative separately. The retail industry, unlike the defense contractor or financial services industries, is relatively new to being victimized by targeted attacks. So it could be more a result of growing pains as the industry rushes to get up to speed, experts say. Targeted threats "have not traditionally been a huge concern for them," says Chris Strand, senior director of compliance for Bit9.

There also are natural worries among competing companies about sharing attack information with your competitor, but experts say that worry ultimately fades as the advantages of staying abreast of new threats to your industry begins to pay off.

"Some don't want to share information with one another," says Strand, who has been on both sides of the fence as a retailer and a QSA. "It's both a good and bad thing that several [retail organizations] stepped forward" on the intel-sharing initiative. "But if you were to have two separate ones not talking to one another, that would probably not be the best" situation.

The NRF and RILA had been working together under an official alliance of retail trade associations to explore information-sharing options. That alliance includes the the Financial Services Roundtable, the American Bankers Association, the American Hotel & Lodging Association, Independent Community Bankers of America, the National Grocers Association, and the National Restaurant Association.

A recent Ponemon Institute study found that, for most organizations in general, intel-sharing is informal and ad hoc, and therefore not necessarily always useful. More than half of organizations get this information via phone calls, emails, or in-person meetings. The information then must be converted into some sort of rule or security measure, and time is of the essence: Nearly 70% of organizations say this information expires within seconds or minutes.

"Hearing from leaders and experts that have experienced such attacks first hand and stepped up to modernize their data security strategy to turn the tables on the attackers can be a fast track for others to follow with big pay-offs," says Mark Bower, vice president of of product management and solution architecture for Voltage Security.

Target, meanwhile, said it is playing "an active role" in RILA's R-CISC. "Target believes that protecting consumers from cyber threats is a shared responsibility. We applaud the efforts of RILA to help coordinate industry efforts around cyber security and data privacy," a Target spokesperson said.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Ed Moyle
Ed Moyle,
User Rank: Apprentice
5/16/2014 | 8:40:27 AM
Great Move
So this is a really good idea and I'm glad to see this emerge.  For industries in the "critical infrastructure" bucket, intelligence-sharing efforts have been around for a while, but it's exactly retail where it's most needed.  Why?  Because security organizations in retail tend to have tighter budgets than industries like financial services, energy, or even (if you can believe it) healthcare.  This is true despite the fact that they're a tempting target of attack for a financially-motivated adversary.  It's an artifact of the business that they're in and the fact that they need to (for business purposes) operate at a very tight margin.  

From a PCI compliance standpoint, it's also helpful to the extent that it can help them address DSS 6.1, which is a known "pain point", particularly for the mid-market.  Anyway, longwinded way of saying that this is fantastic news.  
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
5/16/2014 | 8:42:28 AM
Dual or Duel?
The good news here is that the retail industry now has a formal way to share threat intelligence/attack information, but I have to wonder if having dual efforts is more of a dueling efforts issue. 
User Rank: Ninja
5/17/2014 | 11:53:26 PM
Dual Efforts
I agree this is good news. Threat intel sharing is good. Still to Kelly's point, it seems like those organizations should be working together closely on something like this. The findings of the Ponemon study are interesting, and to me underscore that there needs to be a solid mechanism in place for people to share relevant information so that  companies can react promptly. Will be interesting to see how and if it all comes together.

Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-17
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the fir...
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If an authenticated user were to interact with a malicious web page it could allow for a complete takeover of the router.
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, it is possible to inject arbitrary JavaScript into the router's web interface via the "echo" command.
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device is possible to crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the sharing flow and choose t...