Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:03 PM

Threat-Intel Sharing Services Emerge, But Challenges Remain

A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems

Six years ago, when Mike Hamilton, the chief information security officer for the City of Seattle, wanted to collaborate with other local municipalities, the federal government and critical-infrastructure providers to exchange threat information, no platform existed through which to share threat intelligence.

Instead, the City of Seattle, along with the U.S. Department of Homeland Security and the University of Washington, created a system based on a security information and event management (SIEM) system. Dubbed the Public Regional Information Security Event Management (PRISEM) system, not to be confused with the National Security Agency's controversial PRISM project, the platform allows the City of Seattle's information security team to collect threat information from federal agencies and security firms, develop indicators of compromise, and look for malicious activity across the networks of PRISEM members.

Using the system, analysts "can search all the monitored jurisdictions for the indicators of compromise in a number of ways, and we can notify them when we see them talking to bad places," Hamilton says. "As a whole, we are able to get in front of threats a lot faster than if everyone was operating independently."

The City of Seattle is one of the few successful collaborations between organizations to share information on online threats, attacks and compromises. Fear of liability, a lack of trust between business rivals and a still-developing standards have slowed the adoption of collaborative threat-intelligence platforms. In addition, the threat intelligence gained from the system was not actionable, but a firehose stream of data through which an analyst was required to sift.

Yet, that may be changing. Last week, Hewlett Packard refreshed its security offerings, among them a threat-intelligence sharing environment known as Threat Central. Customers who subscribe to the system will be able to upload threat data from their HP ArcSight devices or any database compliant with the Structured Threat Information Expression (STIX) standard created by government contractor MITRE.

Working together is the only way to defend against the widespread attacks that companies, government agencies and educational institutions are seeing today, says Ted Ross, director of field intelligence for HP Security Research.

"The adversary figured this out a long time ago," he says. "And if we don't collaborate effectively as a community then, we will be attacked in ways that people are not expecting."

HP's Threat Central is only the latest threat-intelligence collaboration platform to arrive. A wide variety of other platforms have been created by large companies, small startups and even academic research groups.

Georgia Tech, for example, has created a system for malware analysis and threat-data sharing called Apiary, which can quickly analyze malware and return information to the more than 100 organizations working with the university on the beta project. Malware-analysis-as-service firm ThreatGRID has its own system for analyzing binaries and creating indicators of compromise from the files. The service, which processes up to 500,000 suspect files every day, allows teams to collaborate and share their findings with teams from other companies.

The Open Threat Exchange, a community driven project managed by unified-security provider AlienVault, allows anyone using the Open-Source Security Information Manager (OSSIM) or Alien Vault's own product to upload threat data, investigate threats and download indicators of compromise.

Threat Connect, a threat analysis and collaboration environment created by security services firm Cyber Squared, pulls data from a number of sources to allow security analysts to more quickly triage and analyze threats.

"Threat intelligence is a really complicated area, so everyone has a different approach to providing a customer a solution for threat intelligence," says Adam Vincent, CEO of Cyber Squared. "Collaboration is definitely a main part of that, but each company has a different perspective on the problem."

Yet, all the firms face two common problems. When a threat information-sharing platform is small, the participants know each other and are more likely to share. But as they grown, distrust sets in and fewer companies share and more just consumer information, says Dean De Beer, chief technology officer of ThreatGRID.

"The majority of companies are consumers," he says. "You have people who are giving up a lot of data, and they will get tired of not getting much back."

In those cases, the companies who run the services have to step up and add at least a baseline value to the service to keep the most productive customers coming back, De Beer says.

[Companies participating in threat-intelligence programs have suffered from too much information, and they struggle to deal with information that is neither actionable nor relevant. See Dolloping Out Threat Intelligence.]

While the disparate levels of benefit that each customer gets is one problem, another issue is the lack of trust. Both the City of Seattle and another threat-information sharing system run by the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) have been successful because their constituents are not competitors. In the business world, that is a harder sell.

For that reason, Cyber Squared, HP, and Georgia Tech allow every member to share or restrict any information and do it anonymously.

"A big part of the challenge is getting commercial entities to cooperate," says Lars Harvey, CEO of Internet Identity, which released a study on the challenges facing threat-intelligence sharing this week. "We have to figure out a way to get larger and broader exchanges going on."

The industry also has to change the perception that it is taking information, creating a product or service, and not giving enough back, says Barmak Meftah, CEO of AlienVault. The security-management provider made its platform free to make customers more confident in their motives.

"The Achilles' Heels of the industry is that it is very vendor driven, and each vendor has a myopic view of these attacks," he says. Intrusion detection vendors look for signatures, vulnerability management providers look for weak points in the network, and next-generation firewalls look for signs of malware on the network. "The concept of threat capture has been very myopic and very closed and captive."

Yet, companies have to solve these problems and find ways to work together better, says Seattle's CISO Hamilton. The attackers are benefiting from exchanging information on attack strategies, vulnerabilities and better ways of monetizing compromises. Defenders have to do it to, he says.

"From a 30,000-foot level, this is the way that the world needs to work," Hamilton says. "The one-stop shop for sending all you threat information to a vendor, looking to boil that ocean—that doesn't scale. But done regionally like we are doing it—that can scale."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONFIV services without authentication. Thus, the attacker can watch live streams from the camera, rotate the camera, change some settings (brightn...
PUBLISHED: 2020-09-25
A Cleartext Transmission issue was discovered on Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339). Someone in the middle can intercept and modify the video data from the camera, which is transmitted in an unencrypted form. One can also modify responses from NTP and RTSP s...
PUBLISHED: 2020-09-25
The Telnet service of Rubetek cameras RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) could allow an remote attacker to take full control of the device with a high-privileged account. The vulnerability exists because a system account has a default and static password. The Telnet...
PUBLISHED: 2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization.
PUBLISHED: 2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow a remote attacker to conduct a SQL Injection attack and access user credentials due to improper input validation.