Every year at the RSA Conference, an industry trend becomes the buzzword of the week as vendors and some speakers rally around a term that's catching fire: this year, the buzz was threat intelligence-sharing.
But are companies and organizations really sharing much firsthand intelligence, or mostly gathering and ingesting intel from outside sources such as vendors and intelligence-sharing and analysis centers (ISACs) and information-sharing and analysis organizations (ISAOs)? A new study by Enterprise Strategy Group (ESG) found that 37% of North American organizations share their intel regularly, while some 45% do so from time to time but not regularly.
ESG surveyed more than 300 organizations in the financial, business services, manufacturing, and retail industries with 1,000 or more employees and both an internal threat intel program and an external threat intel feed. Of those organizations that currently don’t share intel, only 10% plan to do so in the next 12 to 24 months, 5% sometime in the future, and just 2% have no plans to do so.
"A lot of sharing is CYA," says Jon Oltsik, principal analyst with ESG. "They're hoping [to] get that one pearl of wisdom from someone, that isn't in the open-source [intel threat data] world."
But the missing link is making threat-intel sharing a regular process and function. "They haven't figured out how to operationalize this," Oltsik says. "It's [mostly] done on an ad-hoc basis, with some partners and not others. Some intel is shared instantly, and some is not shared consistently. How do you operationalize this" in an automated and consistent way, he says.
It's been a big year for threat intel-sharing developments: in February, President Obama rolled out a new Cyber Threat Intelligence Integration Center aimed at supporting and providing a central repository for threat intelligence for government and private industry, and signed an Executive Order to promote sharing among private sector organizations as well as between the private and public sectors. Meantime, some vertical industry sectors have launched their own intel-sharing organizations, including the retail and oil & gas industries.
The goal is for companies and government agencies to gather and share as much relevant and timely intel about new or ongoing cyberattacks and threats as possible to avoid major breaches -- or at the least, to minimize the damage from an attack.
While 2014 was "the year of pipes for information-sharing," now it's about getting the "plumbing" in place to make it all work, Chris Blask, chair of the ICS-ISAC, the industrial control system/SCADA group, told Dark Reading earlier this year.
The overall volume of organizations sharing firsthand intel remains relatively modest, with high-profile industries such as the defense industrial base and financial services leading the way with mature mechanisms and organizations for swapping that intel.
And most seasoned intel-sharing organizations will admit the bulk of sharing still occurs face-to-face, by phone, or via email with a trusted counterpart. "People share now with people they trust, offline," says Anne Bonaparte, CEO of threat intelligence platform provider Vorstack, which commissioned the ESG study.
Some 72% of organizations say they plan to gather and analyze "significantly or somewhat" more internal intel in the next 12 to 24 months, and 55% plan to do the same with external intel. Three-fourths of them expect threat intel spending to increase in the next 12 to 18 months.
The hurdles to properly gathering, analyzing, and applying this information include a lack of a holistic view of the threats; inadvertently blocking legitimate traffic in response to an identified threat; workflow and integration glitches; and stale information that can't be acted upon quickly, according to the report.
The Holy Grail of integrating and automating threat intel is the emerging STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) standards, which are supported by the major players in threat intel-sharing, including the financial services' FS-ISAC.
STIX is basically a lingua franca for threat information, while TAXII defines the protocol for transporting the information.
"But there hasn't been a killer app yet," ESG's Oltsik says. "How do we apply STIX and TAXII to accelerate threat identification, or get down to the IOCs [indicators of compromise] that really matter to us?" for example, he says.
Mark Clancy, CEO of Soltra and CISO of DTCC, which offers the SoltraEdge threat-intel platform based on STIX and TAXII now used by multiple intel-sharing groups, says about a dozen security tools support STIX and TAXII standards today. "You're going to see the security community really [start to] adopt STIX and TAXII," says Clancy, who is also a board member of the FS-ISAC, which initially developed the SoltraEdge platform.
Clancy says while today's STIX-based threat intel use is mainly "consumption," he's starting to see more organizations "publish, subscribe, and publish back."
More significantly, some organizations are beginning to share which vulnerabilities--not just IOCs--are being exploited in new attack campaigns. "That focuses efforts on what is actually being exploited," he says, so organizations can patch accordingly.