A Threat Intelligence-Sharing Reality-Check

Many organizations share only one way (gathering, not contributing), and mainly for 'CYA,' experts say.

Every year at the RSA Conference, an industry trend becomes the buzzword of the week as vendors and some speakers rally around a term that's catching fire:  this year, the buzz was threat intelligence-sharing.

But are companies and organizations really sharing much firsthand intelligence, or mostly gathering and ingesting intel from outside sources such as vendors, information sharing and analysis centers (ISACs), and information sharing and analysis organizations (ISAOs)? A new study by Enterprise Strategy Group (ESG) found that 37% of North American organizations share their intel regularly, while some 45% do so from time to time but not regularly.

ESG surveyed more than 300 organizations in the financial, business services, manufacturing, and retail industries with 1,000 or more employees and both an internal threat intel program and an external threat intel feed. Of those organizations that currently don't share intel, only 10% plan to do so in the next 12 to 24 months, 5% sometime in the future, and just 2% have no plans to do so.

"A lot of sharing is CYA," says Jon Oltsik, principal analyst with ESG. "They're hoping [to] get that one pearl of wisdom from someone, that isn't in the open-source [intel threat data] world."

But the missing link is making threat-intel sharing a regular process and function. "They haven't figured out how to operationalize this," Oltsik says. "It's [mostly] done on an ad-hoc basis, with some partners and not others. Some intel is shared instantly, and some is not shared consistently. How do you operationalize this" in an automated and consistent way, he says.

It's been a big year for threat intel-sharing developments: in February, President Obama rolled out a new Cyber Threat Intelligence Integration Center aimed at supporting and providing a central repository for threat intelligence for government and private industry, and signed an Executive Order to promote sharing among private sector organizations as well as between the private and public sectors. Meantime, some vertical industry sectors have launched their own intel-sharing organizations, including the retail and oil & gas industries.

The goal is for companies and government agencies to gather and share as much relevant and timely intel about new or ongoing cyberattacks and threats as possible to avoid major breaches -- or at the least, to minimize the damage from an attack.

While 2014 was "the year of pipes for information-sharing," now it's about getting the "plumbing" in place to make it all work, Chris Blask, chair of the ICS-ISAC, the industrial control system/SCADA group, told Dark Reading earlier this year.

The overall volume of organizations sharing firsthand intel remains relatively modest, with high-profile industries such as the defense industrial base and financial services leading the way with mature mechanisms and organizations for swapping that intel.

And most seasoned intel-sharing organizations will admit the bulk of sharing still occurs face-to-face, by phone, or via email with a trusted counterpart. "People share now with people they trust, offline," says Anne Bonaparte, CEO of threat intelligence platform provider Vorstack, which commissioned the ESG study.

Some 72% of organizations say they plan to gather and analyze "significantly or somewhat" more internal intel in the next 12 to 24 months, and 55% plan to do the same with external intel. Three-fourths of them expect threat intel spending to increase in the next 12 to 18 months.

The hurdles to properly gathering, analyzing, and applying this information include a lack of a holistic view of the threats; inadvertently blocking legitimate traffic in response to an identified threat; workflow and integration glitches; and stale information that can't be acted upon quickly, according to the report.

[New intelligence-sharing groups/ISACs emerge, software tools arrive and the White House adds a coordinating agency -- but not all of the necessary intel-sharing 'plumbing' is in place just yet. Read Efforts To Team Up And Fight Off Hackers Intensify.]

The Holy Grail of integrating and automating threat intel is the emerging pair of standards, STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information), which are supported by the major players in threat intel-sharing, including the financial services' FS-ISAC.

STIX is the lingua franca: a common data model for describing indicators, campaigns, vulnerabilities, and the relationships between them. TAXII defines the protocol for transporting that information between producers and consumers.

"But there hasn't been a killer app yet," ESG's Oltsik says. "How do we apply STIX and TAXII to accelerate threat identification, or get down to the IOCs [indicators of compromise] that really matter to us?" for example, he says.

Mark Clancy, CISO of DTCC and CEO of Soltra, whose Soltra Edge threat-intel platform is based on STIX and TAXII and is now used by multiple intel-sharing groups, says about a dozen security tools support the STIX and TAXII standards today. "You're going to see the security community really [start to] adopt STIX and TAXII," says Clancy, who is also a board member of the FS-ISAC, which initially developed the Soltra Edge platform.

Clancy says while today's STIX-based threat intel use is mainly "consumption," he's starting to see more organizations "publish, subscribe, and publish back."

More significantly, some organizations are beginning to share which vulnerabilities, not just IOCs, are being exploited in new attack campaigns. "That focuses efforts on what is actually being exploited," he says, so organizations can patch accordingly.
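To make the STIX/TAXII discussion concrete, here is an added example (not code from the article, Soltra, FS-ISAC, or OASIS) of what the "consumption" side looks like once a feed has been pulled over TAXII: a consumer parses a STIX bundle, drops indicators whose validity window has passed (the "stale information" hurdle ESG lists), evaluates the remaining indicator patterns against its own telemetry so only the IOCs that actually hit the environment surface, and pulls out the CVE identifiers attached to vulnerability objects so patching can follow what is being exploited. The bundle, hash, domain, addresses, CVE placeholder and log events are all constructed for the example; the bundle uses the STIX 2.1 JSON form, which postdates this 2015 article (STIX 1.x was XML), and the pattern matcher handles only simple equality comparisons joined by OR.

```python
"""Added example: consume a constructed STIX 2.1 bundle, discard stale indicators,
match the live ones against local telemetry, and list CVEs reported as exploited.
Not the article's or any vendor's code; every id, hash, domain and event is made up."""
import json
import re
from datetime import datetime, timezone

# Constructed bundle. STIX 2.1 JSON, a later form than the XML STIX 1.x of 2015.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--2b1a8e0c-7a7e-4a7e-9f1e-1d6e2c3b4a50",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--6f1f5d8a-3b5e-4c3e-8e0f-2d9c1a7b0e11",
         "created": "2024-01-10T09:00:00.000Z", "modified": "2024-01-10T09:00:00.000Z",
         "name": "C2 domain (constructed)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.invalid']",
         "valid_from": "2024-01-10T09:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0c2d4e6f-8a9b-4c1d-a2e3-f4a5b6c7d8e9",
         "created": "2023-11-01T00:00:00.000Z", "modified": "2023-11-01T00:00:00.000Z",
         "name": "dropper hash, expired (constructed)", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
         "valid_from": "2023-11-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--9a8b7c6d-5e4f-4a3b-9c2d-1e0f9a8b7c6d",
         "created": "2024-02-20T12:00:00.000Z", "modified": "2024-02-20T12:00:00.000Z",
         "name": "two C2 addresses (constructed, TEST-NET ranges)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.9']",
         "valid_from": "2024-02-20T12:00:00Z"},
        {"type": "vulnerability", "spec_version": "2.1",
         "id": "vulnerability--1b2c3d4e-5f60-4718-9a0b-c1d2e3f4a5b6",
         "created": "2024-02-20T12:00:00.000Z", "modified": "2024-02-20T12:00:00.000Z",
         "name": "placeholder CVE reported as exploited (constructed, not a real id)",
         "external_references": [{"source_name": "cve", "external_id": "CVE-0000-0000"}]},
    ],
})

# Constructed local telemetry, already normalised to flat key/value events.
SAMPLE_EVENTS = [
    {"host": "ws-17", "dns_query": "update.example.invalid"},
    {"host": "ws-22", "sha256": "ab" * 32},        # matches only the expired indicator
    {"host": "srv-03", "dst_ip": "203.0.113.9"},
    {"host": "ws-05", "dns_query": "intranet.example.invalid"},
]

# STIX object path -> field in our telemetry. Unmapped paths cannot be evaluated
# locally and are skipped rather than silently treated as matches.
FIELD_MAP = {"domain-name:value": "dns_query",
             "file:hashes.SHA-256": "sha256",
             "ipv4-addr:value": "dst_ip"}

DEMO_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock for the demo
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def parse_timestamp(ts):
    """STIX timestamps are RFC 3339 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_pattern(pattern):
    """(path, value) pairs from an equality-only STIX pattern; quotes around
    dictionary keys such as hashes.'SHA-256' are stripped for lookup."""
    return [(p.replace("'", ""), v) for p, v in _COMPARISON.findall(pattern)]


def active_indicators(bundle_json, now):
    """Indicators whose validity window covers `now`; stale IOCs never alert."""
    keep = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if parse_timestamp(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and parse_timestamp(obj["valid_until"]) <= now:
            continue
        keep.append(obj)
    return keep


def match_telemetry(indicators, events):
    """(indicator id, event) for each event satisfying any comparison (OR semantics)."""
    hits = []
    for ind in indicators:
        comparisons = parse_pattern(ind["pattern"])
        for event in events:
            if any(FIELD_MAP.get(p) and event.get(FIELD_MAP[p]) == v for p, v in comparisons):
                hits.append((ind["id"], event))
    return hits


def exploited_cves(bundle_json):
    """CVE ids on vulnerability objects: what the sharer reports as being exploited."""
    return sorted(ref["external_id"]
                  for obj in json.loads(bundle_json)["objects"] if obj.get("type") == "vulnerability"
                  for ref in obj.get("external_references", []) if ref.get("source_name") == "cve")


if __name__ == "__main__":
    for ind_id, event in match_telemetry(active_indicators(SAMPLE_BUNDLE, DEMO_NOW), SAMPLE_EVENTS):
        print(f"HIT {ind_id} on {event['host']}")
    print("patch first:", exploited_cves(SAMPLE_BUNDLE))
```

The expired hash indicator is the one that matters operationally: host ws-22 carries the matching hash, but because the sharer marked the indicator `valid_until` a date in the past, it is filtered out before matching instead of generating an alert an analyst would then have to triage. A real consumer would fetch the bundle from a TAXII collection rather than a string constant and would need a fuller pattern evaluator; the filtering and mapping steps stay the same.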

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

5/28/2015 | 8:54:19 AM
Over complicated
Re: Soltra Edge

This technology is just too over-complicated for the average Security Analyst to deal with. The instructions for setting it up need significant attention as they were written by one of the product's developers, resulting in huge gaps, assumptions, and a general lack of user friendliness. The spelling and grammar in the instructions need some serious love as well.

Here is why I am being so critical...

I've had two of my analysts at two different companies go through the process of setting up Soltra Edge. It was very, very painful. Both are very sharp cookies and highly skilled in all things Linux. It was not a skill issue. They have been well trained and are very experienced in Security Operations (SecOps). It was not a knowledge issue. They did get the product running in the end, only to sit there and say "now what". It was sad because the closer they got to finishing the setup, the less usable the instructions became. Very poorly written.

It's a product immaturity issue...

The last but most important issue is time. The vast majority of SecOps teams do not have staff just sitting around waiting for something to do. Show me such a place and I will show you failed leadership. SecOps staff are very overwhelmed these days, and when you throw such an immature product at them, describing it as the next best thing since sliced bread, only to waste that Security Analyst's time trying to get it working, even minimally, then you have lost all those hours spent working on it. Those hours would have been better spent working on real-world threat analysis and response.

Again, it's a product immaturity issue with a very strong dose of marketing spin added in.

I really dislike what marketing has done to SecOps programs these past few years. The marketing spin and effort to convince Security Managers to "buy this, buy this" by vendors, product marketing, and even open source stuff like Soltra Edge, adds an unnecessary burden, a layer of noise that takes SecOps staff away from what really matters. Stopping the bad guy, here and now.

All this being said...  I agree we need much better, faster delivered and shareable threat intel.  No argument.  But stop pushing an immature product/capability down SecOps throats, especially via regulatory bodies who have no technical clue into what it takes to really protect against the bad guys, but are all hyped up on this new slice of bread.

Slow it down.  Do it right!  And for heaven's sake never, ever let a developer create the user interface OR the setup instructions!

Rgr Out!