When a threat alert arrived about a new malware threat during a recent industry gathering of retailers, a group of them immediately left the room to check in with their home networks. The intel came in the form of an email via the retail industry's new intelligence-sharing program, the Retail Cyber Intelligence Sharing Center (R-CISC).
"We happened to be having a meeting... and someone got intel on some malware. Immediately, people got up [and left the room] and checked on their systems and detected it," says Suzie Squier, senior vice president of the Retail Industry Leaders Association (RILA), which spearheaded the formation of the R-CISC.
R-CISC, which RILA announced back in May, has been up and running for about four months now, gradually ramping up to 100 member retail organizations participating in the industry's information sharing and analysis center (ISAC). Target, American Eagle Outfitters, Gap, JC Penney, Lowe's Nike, Safeway, VF, Walgreens, and other major retailers, sit on the board of directors of the R-CISC, a portal-based threat intelligence-sharing platform for retailers that includes feeds from government and other industry sources, and provides threat analysis. It's open to all retailers -- not just RILA members -- including small merchants and online-only e-commerce sites.
R-CISC also offers education and training for participants, and shares threat information with the US Department of Homeland Security, the US Secret Service, and the FBI.
Calls for an official threat intel-sharing mechanism for the retail industry intensified in the wake of Target's epic data breach late last year. The retail industry at the time had no formal threat and attack intelligence-sharing mechanism like financial services, the defense industrial base, and other industries have, and concerns arose that the industry was being blindsided by attacks and malware.
[After the Year of the Retail Breach, retail's annual holiday shopping season "freeze" on new technology and some security patching is just around the corner. Read Retailers Facing Intensified Cyberthreat This Holiday Season.]
Another retail association, the National Retail Federation (NRF), earlier this year also began forming an intel-sharing platform, sparking concerns of dueling intel-sharing mechanisms. But the NRF, which represents many smaller retailers, grocery chains and restaurants, now says it plans to ultimately integrate its platform with the R-CISC.
NRF has been running a threat alert system since early June that's generating some 15 to 20 alerts per day, says Tom Litchford, vice president of retail technologies at NRF. The NRF's platform is linked to the financial services industry's ISAC, FS-ISAC. "We're connected at the hip with the financial services industry. US-CERT is providing stuff to us [as well]," Litchford says. There are also plans to link with private industry threat intelligence feeds, he says.
The government's July 31 alert about the notorious Backoff malware that struck multiple retailers' POS platforms that was sent to NRF members via the intel-sharing mechanism actually helped quell some attacks, he says. "One of our members used it to check and sure enough, found evidence of a [Backoff] breach. They were able to limit or mitigate it to less than one percent of their stores," Litchford says.
NRF is also working closely with RILA to integrate its platform with the R-CISC. Litchford, who sits on the R-CISC advisory board, says one big concern is to ensure the smallest retailers who can't afford the thousands of dollars in dues to join the R-CISC will also be able to participate.
R-CISC dues are based on corporate revenue and range from $2,000 per year for a company with less than $250 million in revenues to $35,000 for a company with greater than $10 billion in revenues.
"We have 12,000 members, down to the smallest mom and pop shop. They've got to have some level of information-sharing without spending thousands of dollars to join an ISAC," Litchford says. At the least they need to receive critical threat notifications, he says.
Law enforcement officials say small businesses, including small merchants are often ground zero for new malware variants. That makes them valuable members of the R-CISC, too. There currently are some small retailer members, and RILA is well aware that pricing has to be affordable for them to participate.
RILA's Squier says the R-CISC is working on outreach to smaller merchants, via other trade associations who represent them.
All sizes of retailers need to be sharing intel and working together against unprecedented levels of threats and attacks, says Nick Ahrens, vice president of cybersecurity and privacy at RILA.
No silver bullet
But no one expects the R-CISC to eradicate attacks on retailers.
"I don't think there are any guarantees, but we absolutely think this is a critical tool in the toolbox. This is a team sport... You can only win by all fighting together," Ahrens says, adding that retailers increasingly are sharing more and more intel, and their confidentiality concerns are starting to wane.
Ahrens says merely investing in security technology and resources isn't enough for a retailer today, especially at a time when even JP Morgan and the White House are also getting hit by cyberattacks.
One of the next phases of the R-CISC will be to automate the ingestion of the intelligence within members' networks. That's the Holy Grail of intel-sharing ISACs, and several industry standards are gradually becoming adopted that allow for machine-readable intel to go straight to security tools to defend against the latest threat.
“We absolutely have to get to that," Ahrens says. "You have to remember that the retail industry is broad and deep and has varying levels of [technology] sophistication among members. Some have the ability to integrate machine-readable information into their systems more than a smaller retailer would."
Ahrens says as the R-CISC evolves and begins collecting dues (its first few months have been gratis), its capabilities will be upgraded as well, including adding "real-time, machine-readable information."
RILA's Squier says the R-CISC has come a long way in a short time period. "The fact that in just four months we already have a very vigorous dialog going on is really a kudos to the industry. Not only [sharing] threat indicators, but leading practices," she says.