A Threat Intelligence-Sharing Reality-Check

Many organizations share only one way (gathering) and mainly for 'CYA,' experts say.

Every year at the RSA Conference, an industry trend becomes the buzzword of the week as vendors and some speakers rally around a term that's catching fire:  this year, the buzz was threat intelligence-sharing.

But are companies and organizations really sharing much firsthand intelligence, or mostly gathering and ingesting intel from outside sources such as vendors and intelligence-sharing and analysis centers (ISACs) and information-sharing and analysis organizations (ISAOs)? A new study by Enterprise Strategy Group (ESG) found that 37% of North American organizations share their intel regularly, while some 45% do so from time to time but not regularly.

ESG surveyed more than 300 organizations in the financial, business services, manufacturing, and retail industries with 1,000 or more employees and both an internal threat intel program and an external threat intel feed. Of those organizations that currently don't share intel, only 10% plan to do so in the next 12 to 24 months, 5% sometime in the future, and just 2% have no plans to do so.

"A lot of sharing is CYA," says Jon Oltsik, principal analyst with ESG. "They're hoping [to] get that one pearl of wisdom from someone, that isn't in the open-source [intel threat data] world."

But the missing link is making threat-intel sharing a regular process and function. "They haven't figured out how to operationalize this," Oltsik says. "It's [mostly] done on an ad-hoc basis, with some partners and not others. Some intel is shared instantly, and some is not shared consistently. How do you operationalize this" in an automated and consistent way, he says.

It's been a big year for threat intel-sharing developments: in February, President Obama rolled out a new Cyber Threat Intelligence Integration Center aimed at supporting and providing a central repository for threat intelligence for government and private industry, and signed an Executive Order to promote sharing among private sector organizations as well as between the private and public sectors. Meantime, some vertical industry sectors have launched their own intel-sharing organizations, including the retail and oil & gas industries.

The goal is for companies and government agencies to gather and share as much relevant and timely intel about new or ongoing cyberattacks and threats as possible to avoid major breaches -- or at the least, to minimize the damage from an attack.

While 2014 was "the year of pipes for information-sharing," now it's about getting the "plumbing" in place to make it all work, Chris Blask, chair of the ICS-ISAC, the industrial control system/SCADA group, told Dark Reading earlier this year.

The overall volume of organizations sharing firsthand intel remains relatively modest, with high-profile industries such as the defense industrial base and financial services leading the way with mature mechanisms and organizations for swapping that intel.

And most seasoned intel-sharing organizations will admit the bulk of sharing still occurs face-to-face, by phone, or via email with a trusted counterpart. "People share now with people they trust, offline," says Anne Bonaparte, CEO of threat intelligence platform provider Vorstack, which commissioned the ESG study.

Some 72% of organizations say they plan to gather and analyze "significantly or somewhat" more internal intel in the next 12 to 24 months, and 55% plan to do the same with external intel. Three-fourths of them expect threat intel spending to increase in the next 12 to 18 months.

The hurdles to properly gathering, analyzing, and applying this information include a lack of a holistic view of the threats; inadvertently blocking legitimate traffic in response to an identified threat; workflow and integration glitches; and stale information that can't be acted upon quickly, according to the report.


The Holy Grail of integrating and automating threat intel is the pair of emerging standards STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information), which are supported by the major players in threat intel-sharing, including the financial services' FS-ISAC.

STIX is basically a lingua franca for threat information, while TAXII defines the protocol for transporting the information.

"But there hasn't been a killer app yet," ESG's Oltsik says. "How do we apply STIX and TAXII to accelerate threat identification, or get down to the IOCs [indicators of compromise] that really matter to us?" for example, he says.

Mark Clancy, CEO of Soltra and CISO of DTCC, says about a dozen security tools support the STIX and TAXII standards today. Soltra offers the SoltraEdge threat-intel platform, which is based on STIX and TAXII and is now used by multiple intel-sharing groups. "You're going to see the security community really [start to] adopt STIX and TAXII," says Clancy, who is also a board member of the FS-ISAC, which initially developed the SoltraEdge platform.

Clancy says while today's STIX-based threat intel use is mainly "consumption," he's starting to see more organizations "publish, subscribe, and publish back."

More significantly, some organizations are beginning to share which vulnerabilities--not just IOCs--are being exploited in new attack campaigns. "That focuses efforts on what is actually being exploited," he says, so organizations can patch accordingly.
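The division of labour described above (STIX as the shared language, TAXII as the transport) and the two use cases Clancy describes, "publish back" sightings and sharing which vulnerabilities are being exploited, as an added Python example. This is not code from the article, from Soltra, or from any organization named here. It assumes the STIX 2.1 JSON serialization, which postdates this 2015 article; TAXII itself is not shown, and the serialized bundle string stands in for the body a TAXII server would deliver to a subscriber. All sample values (RFC 5737 addresses, the .invalid domain, the CVE id) are constructed placeholders.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Added example, not from the article: build STIX 2.1 objects a producer would
# publish over TAXII, then do what a consumer does with them. Every sample value
# below is constructed (RFC 5737 addresses, a .invalid domain, a CVE placeholder).


def _now() -> str:
    """STIX 2.1 timestamp: UTC, RFC 3339 with a trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(name: str, pattern: str) -> dict:
    """Indicator SDO carrying a STIX pattern: the shared 'lingua franca' form of an IOC."""
    ts = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_vulnerability(name: str, cve_id: str) -> dict:
    """Vulnerability SDO: lets a producer say which CVE a campaign is exploiting."""
    ts = _now()
    return {
        "type": "vulnerability",
        "spec_version": "2.1",
        "id": f"vulnerability--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "external_references": [{"source_name": "cve", "external_id": cve_id}],
    }


def make_sighting(indicator_id: str, count: int) -> dict:
    """Sighting SRO: the 'publish back' step, reporting that an indicator was observed."""
    if not indicator_id.startswith("indicator--"):
        raise ValueError("sighting_of_ref must reference an indicator")
    ts = _now()
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "sighting_of_ref": indicator_id,
        "count": count,
    }


def make_bundle(objects: list) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def serialize(bundle: dict) -> str:
    """What a TAXII server hands a subscriber: the bundle as a JSON document."""
    return json.dumps(bundle)


# Consumer side. Only single-comparison patterns are unpacked here; a compound
# pattern (AND / OR / FOLLOWEDBY) needs a real STIX pattern parser and is skipped.
_ATOMIC = re.compile(r"\[(ipv4-addr:value|domain-name:value|url:value)\s*=\s*'([^']+)'\]")


def extract_iocs(bundle_json: str) -> dict:
    """Return {observable_path: [values]} from the atomic indicator patterns in a bundle."""
    iocs: dict = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _ATOMIC.fullmatch(obj["pattern"].strip())
        if m:
            iocs.setdefault(m.group(1), []).append(m.group(2))
    return iocs


def exploited_cves(bundle_json: str) -> list:
    """CVE ids from vulnerability objects: the 'what is actually being exploited' list."""
    out = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") == "vulnerability":
            for ref in obj.get("external_references", []):
                if ref.get("source_name") == "cve":
                    out.append(ref["external_id"])
    return out


if __name__ == "__main__":
    c2 = make_indicator("C2 host (constructed)", "[ipv4-addr:value = '203.0.113.7']")
    feed = serialize(make_bundle([
        c2,
        make_indicator("Phishing domain (constructed)", "[domain-name:value = 'login.example.invalid']"),
        make_indicator("Compound pattern (skipped)",
                       "[ipv4-addr:value = '198.51.100.9' AND url:value = 'http://example.invalid/x']"),
        make_vulnerability("placeholder", "CVE-YYYY-NNNNN"),  # placeholder, not a real id
    ]))
    print(extract_iocs(feed))
    print(exploited_cves(feed))
    print(make_sighting(c2["id"], 3)["sighting_of_ref"] == c2["id"])
```

The consumer deliberately refuses to guess at compound patterns rather than half-parse them, since an IOC pulled out of an `AND` clause on its own is exactly the kind of stale or over-broad indicator that ends up blocking legitimate traffic. The sighting check on `sighting_of_ref` is the minimum a platform should enforce before relaying a "publish back" message to the rest of a sharing group.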

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Moderator
5/28/2015 | 8:54:19 AM
Over complicated
Re: Soltra Edge

This technology is just too over-complicated for the average Security Analyst to deal with. The instructions for setting it up need significant attention, as they were written by one of the product's developers, resulting in huge gaps, assumptions, and a general lack of user friendliness. The spelling and grammar in the instructions need some serious love as well.

Here is why I am being so critical...

I've had two of my analysts at two different companies go through the process of setting up Soltra Edge. It was very, very painful. Both are very sharp cookies and highly skilled in all things Linux. It was not a skill issue. They have been well trained and are very experienced in Security Operations (SecOps). It was not a knowledge issue. They did get the product running in the end, only to sit there and say "now what". It was sad because the closer they got to finishing the setup, the less and less usable the instructions became. Very poorly written.

It's a product immaturity issue...

The last but most important issue is time. The vast majority of SecOps teams do not have staff just sitting around waiting for something to do. Show me such a place and I will show you failed leadership. SecOps staff are very overwhelmed these days, and when you throw such an immature product at them, describing it as the next best thing since sliced bread, only to waste that Security Analyst's time trying to get it working, even minimally, then you have lost all those hours spent working on it. Those hours would have been better spent working on real-world threat analysis and response.

Again, it's a product immaturity issue with a very strong dose of marketing spin added in.

I really dislike what marketing has done to SecOps programs these past few years. The marketing spin and effort to convince Security Managers to "buy this, buy this" by vendors, product marketing, and even open source stuff like Soltra Edge, adds an unnecessary burden, a layer of noise that takes SecOps staff away from what really matters. Stopping the bad guy, here and now.

All this being said... I agree we need much better, faster delivered and shareable threat intel. No argument. But stop pushing an immature product/capability down SecOps' throats, especially via regulatory bodies who have no technical clue about what it takes to really protect against the bad guys, but are all hyped up on this new slice of bread.

Slow it down. Do it right! And for heaven's sake never, ever let a developer create the user interface OR the setup instructions!

Rgr Out!