Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/26/2013
05:03 PM
50%
50%

Threat-Intel Sharing Services Emerge, But Challenges Remain

A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems

Six years ago, when Mike Hamilton, the chief information security officer for the City of Seattle, wanted to collaborate with other local municipalities, the federal government and critical-infrastructure providers to exchange threat information, no platform existed through which to share threat intelligence.

Instead, the City of Seattle, along with the U.S. Department of Homeland Security and the University of Washington, created a system based on a security information and event management (SIEM) system. Dubbed the Public Regional Information Security Event Management (PRISEM) system, not to be confused with the National Security Agency's controversial PRISM project, the platform allows the City of Seattle's information security team to collect threat information from federal agencies and security firms, develop indicators of compromise, and look for malicious activity across the networks of PRISEM members.

Using the system, analysts "can search all the monitored jurisdictions for the indicators of compromise in a number of ways, and we can notify them when we see them talking to bad places," Hamilton says. "As a whole, we are able to get in front of threats a lot faster than if everyone was operating independently."

The City of Seattle is one of the few successful collaborations between organizations to share information on online threats, attacks and compromises. Fear of liability, a lack of trust between business rivals and a still-developing standards have slowed the adoption of collaborative threat-intelligence platforms. In addition, the threat intelligence gained from the system was not actionable, but a firehose stream of data through which an analyst was required to sift.

Yet, that may be changing. Last week, Hewlett Packard refreshed its security offerings, among them a threat-intelligence sharing environment known as Threat Central. Customers who subscribe to the system will be able to upload threat data from their HP ArcSight devices or any database compliant with the Structured Threat Information Expression (STIX) standard created by government contractor MITRE.

Working together is the only way to defend against the widespread attacks that companies, government agencies and educational institutions are seeing today, says Ted Ross, director of field intelligence for HP Security Research.

"The adversary figured this out a long time ago," he says. "And if we don't collaborate effectively as a community then, we will be attacked in ways that people are not expecting."

HP's Threat Central is only the latest threat-intelligence collaboration platform to arrive. A wide variety of other platforms have been created by large companies, small startups and even academic research groups.

Georgia Tech, for example, has created a system for malware analysis and threat-data sharing called Apiary, which can quickly analyze malware and return information to the more than 100 organizations working with the university on the beta project. Malware-analysis-as-service firm ThreatGRID has its own system for analyzing binaries and creating indicators of compromise from the files. The service, which processes up to 500,000 suspect files every day, allows teams to collaborate and share their findings with teams from other companies.

The Open Threat Exchange, a community driven project managed by unified-security provider AlienVault, allows anyone using the Open-Source Security Information Manager (OSSIM) or Alien Vault's own product to upload threat data, investigate threats and download indicators of compromise.

Threat Connect, a threat analysis and collaboration environment created by security services firm Cyber Squared, pulls data from a number of sources to allow security analysts to more quickly triage and analyze threats.

"Threat intelligence is a really complicated area, so everyone has a different approach to providing a customer a solution for threat intelligence," says Adam Vincent, CEO of Cyber Squared. "Collaboration is definitely a main part of that, but each company has a different perspective on the problem."

Yet, all the firms face two common problems. When a threat information-sharing platform is small, the participants know each other and are more likely to share. But as they grown, distrust sets in and fewer companies share and more just consumer information, says Dean De Beer, chief technology officer of ThreatGRID.

"The majority of companies are consumers," he says. "You have people who are giving up a lot of data, and they will get tired of not getting much back."

In those cases, the companies who run the services have to step up and add at least a baseline value to the service to keep the most productive customers coming back, De Beer says.

[Companies participating in threat-intelligence programs have suffered from too much information, and they struggle to deal with information that is neither actionable nor relevant. See Dolloping Out Threat Intelligence.]

While the disparate levels of benefit that each customer gets is one problem, another issue is the lack of trust. Both the City of Seattle and another threat-information sharing system run by the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) have been successful because their constituents are not competitors. In the business world, that is a harder sell.

For that reason, Cyber Squared, HP, and Georgia Tech allow every member to share or restrict any information and do it anonymously.

"A big part of the challenge is getting commercial entities to cooperate," says Lars Harvey, CEO of Internet Identity, which released a study on the challenges facing threat-intelligence sharing this week. "We have to figure out a way to get larger and broader exchanges going on."

The industry also has to change the perception that it is taking information, creating a product or service, and not giving enough back, says Barmak Meftah, CEO of AlienVault. The security-management provider made its platform free to make customers more confident in their motives.

"The Achilles' Heels of the industry is that it is very vendor driven, and each vendor has a myopic view of these attacks," he says. Intrusion detection vendors look for signatures, vulnerability management providers look for weak points in the network, and next-generation firewalls look for signs of malware on the network. "The concept of threat capture has been very myopic and very closed and captive."

Yet, companies have to solve these problems and find ways to work together better, says Seattle's CISO Hamilton. The attackers are benefiting from exchanging information on attack strategies, vulnerabilities and better ways of monetizing compromises. Defenders have to do it to, he says.

"From a 30,000-foot level, this is the way that the world needs to work," Hamilton says. "The one-stop shop for sending all you threat information to a vendor, looking to boil that ocean—that doesn't scale. But done regionally like we are doing it—that can scale."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18387
PUBLISHED: 2019-10-23
Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
CVE-2019-18212
PUBLISHED: 2019-10-23
XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote attacker to write to arbitrary files via Directory Traversal.
CVE-2019-18213
PUBLISHED: 2019-10-23
XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response cap...
CVE-2019-18384
PUBLISHED: 2019-10-23
An issue was discovered on TerraMaster FS-210 4.0.19 devices. An authenticated remote non-administrative user can read unauthorized shared files, as demonstrated by the filename=*public*%25252Fadmin_OnlyRead.txt substring.
CVE-2019-18385
PUBLISHED: 2019-10-23
An issue was discovered on TerraMaster FS-210 4.0.19 devices. An unauthenticated attacker can download log files via the include/makecvs.php?Event= substring.