Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
9/27/2016
11:01 AM
Matthew Rosenquist
Matthew Rosenquist
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Sharing Cybersecurity Threat Intelligence Is The Only Way We Win

Security organizations must leverage each other's information in order to better predict, prevent, detect, and respond to threats their customers and organizations face.

Cybersecurity is a team sport. The bad guys share information, expertise, code, and help one another. The good guys must do the same to keep pace. Sharing threat intelligence is a key aspect where knowledge gained by owners of sensor networks can share data in a collective way to the security analysis community. This give the necessary breadth of data to understand trends, new infections, how botnets are communicating, if directed targeting is occurring, and even if different attackers are collaborating. 

Sadly, this is not the norm. Many security companies look at this data as a competitive advantage to sell their products and services. They keep it to themselves in hopes they can find a nugget and market it in a way to win over new customers. But the cost is losing the bigger picture of overall effectiveness.

This is slowly changing. Some security firms are stepping up and sharing more and more data that is redacted of personal information and contains only attack characteristics. The combined aspects are like pieces to a massive puzzle for analysts looking for trends. It is hugely important to everyone.

I am glad to see major security vendors and researchers beginning to share insights and data. Consortiums such as the Cyber Threat Alliance and sites such as VirusTotal are leading the way. The Information Sharing and Analysis Organization (ISAO), established as part of a US presidential order in 2015, is developing voluntary standards for private and public data sharing.

But more sharing must happen. Attacks are occurring at a phenomenal rate. Malware alone is out of control, with about 44,000 new unique samples being discovered every day. Security organizations must leverage each other’s information in order to better predict, prevent, detect, and respond to threats their customers and organizations face. 

The battle that should be fought is not between security vendors, but rather between the threats and collective defensive organizations that stand between these threats and their victims. We must work together to stem the tide of cyberattacks. Public sentiment is important. If we desire our technology to be safe, we must send a clear message to our security vendors: Share threat data or we will patronize a different supplier of security products and services. We have a voice and a vote (with our wallets). 

Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and to learn about what is going on in cybersecurity.

Matthew Rosenquist is a cybersecurity strategist who actively advises global businesses, academia, and governments to identify emerging risks and opportunities.  Formerly the cybersecurity strategist for Intel Corp., he benefits from 30 years in the security field. He ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jcavery
50%
50%
jcavery,
User Rank: Moderator
9/28/2016 | 2:33:10 PM
Dare to Share
There is a key difference between the good guys sharing intelligence and the bad guys sharing it. The bad guys tend to share it in underground forums, only among eachother, and if they aren't doing that, they're keeping it for themselves or selling it for money. The good guys (and media) tend to blast every vulnerability on the front page for some reason. Yes, it's important to share the intelligence, but not like that, not publicly. Once it gets shared publicly, it's more of a race to see who can exploit it before they fix it, instead of an umbrella announcement to everyone. The good guys should become more efficient at tactfully informing companies.

I have made money from bug bounties just by browsing the latest "good guy" public vulns, why is that? Wasn't the logic supposed to be that the more public the announcement, the more fixes will happen? Sometimes a company is actually safer before those public announcements are made than the days following it. There might only be 1 or 2 hackers aware of a vuln (but not able to exploit it yet) whereas after the "share", you now have 1,000 hackers looking at it, with hundreds able to exploit it. Great article, great topic, just need to drill down more details on how to execute this whole sharing thing.
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29741
PUBLISHED: 2021-08-02
IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in Korn Shell (ksh) to gain root privileges. IBM X-Force ID: 201478.
CVE-2021-37840
PUBLISHED: 2021-08-02
aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least one host). Successful exploitation depends on the browser used by a potential victim (e.g., exploitat...
CVE-2021-20332
PUBLISHED: 2021-08-02
Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credentials. ...
CVE-2021-37160
PUBLISHED: 2021-08-02
A firmware validation issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. There is no firmware validation (e.g., cryptographic signature validation) during a File Upload for a firmware update.
CVE-2021-37161
PUBLISHED: 2021-08-02
A buffer overflow issue was discovered in the HMI3 Control Panel contained within the Swisslog Healthcare Nexus Panel, operated by released versions of software before Nexus Software 7.2.5.7. A buffer overflow allows an attacker to overwrite an internal queue data structure and can lead to remote co...