Cybersecurity information sharing is not a new topic. In fact, we've been talking about it for years. We know we should share information and we expect others to as well. We even see pockets of success, typically among peers who are in the same industry and have a personal or long-term business relationship. They have established a level of trust that allows them to feel comfortable exchanging information that is truly useful.
However, when we try to scale that type of exchange through government and industry groups that exist to promote and facilitate information sharing, we're less successful. At a corporate level, because of real or perceived liabilities, organizations often aren't as willing as individuals are to share as individuals, so information sharing on a broader scale in a way that really benefits larger communities of defenders hasn't taken off. The quantity of active participants and the quality of information shared simply are not there to allow many of these exchanges to work as effectively as intended.
Quality and Quantity: A Cycle of Diminishing Value
Many organizations treat information sharing as another check box. They want to be part of an industry-specific Information Sharing and Analysis Center (ISAC) or a government sharing group, such the Department of Homeland Security's Automated Indicator Sharing capability or the UK's Cyber Security Information Sharing Partnership. But they haven't set up an internal program to identify the type of information their organization can share and how they will share it. Instead, they are focused on receiving information that others share. Eventually, and because sharing groups have guidelines they enforce, organizations will begin to share. But this raises the issue of quality.
As group membership grows, trust weakens, and many organizations are less comfortable sharing information that they have personally found to be of value — for example, from a breach they faced. Instead, organizations tend to share indicators of compromise such as IP addresses and domains. Information sharing becomes automated, with little or no context and sometimes regurgitated from another source. Without context, other participants don't know if the information is relevant to their organization and should be prioritized. This creates a waning interest in the sharing group as members become overwhelmed with quantity and lack of quality. The threat feed from this intelligence-sharing group diminishes in value and becomes another source of noise.
Groups that can overcome the quality hurdle and find ways to share rich, contextual threat intelligence within communities of interest often rely on the largest members to initially fill the queue with shared intelligence. The hope is that as time goes on, the smaller companies will begin to share as well. This rarely happens, though. Only the more progressive, smaller companies with more developed threat operations programs are able to share high-value information, with the remainder acting primarily as consumers. As a feeling of inequality spreads, the entire sharing construct eventually falls apart.
Breaking the Cycle: 3 Steps
But it isn't all gloom and doom. In fact, there are three areas where we can focus to strengthen information sharing and allow it to deliver value at scale as intended.
Step 1. Establish information sharing and consumption programs.
Organizations need to understand what they can share from a legal and compliance perspective. This will allow them to strike a balance so they don't over react and shut down sharing but also don't inadvertently share something that is proprietary or protected under privacy laws. With clear guidelines, security teams can do better at providing high-quality information with context and relevance. They also need to understand what they are going to consume and how they will use it. This will ensure they're doing their part to derive value from the intelligence they receive and not suffer from data overload and waste valuable resources.
Step 2. Monitor for quality.
As information-sharing groups have grown, a surge in automated sharing of tactical information has become their downfall. Sharing groups must monitor information for quality. It must be curated to ensure there is value in passing it along to other members, either as "known bad" or packaged with context so that recipients can determine relevancy within their own environments.
Step 3. Devise ways for all to participate.
The writing is on the wall: Measuring success by numbers isn't the path to more effective information sharing. To maintain quality and balance quantity, we need to consider forming subgroups with trust built into them. At the same time, smaller organizations also need access to high-value threat information. We must accept that at least initially, they may not be able to contribute much information and will mostly be consumers.
A two-pronged approach can help to address their needs. First, smaller organizations should join or create their own industry-specific sharing community and then actively participate in sharing contextual, relevant intelligence that they have seen on their network. In turn, this will help larger industry sharing groups be more successful at protecting the industry as a whole — including the smaller companies that are part of their ecosystem. Second, small organizations that contract with managed security service providers (MSSPs) should rely on their providers to offer such intelligence. This community defense model is often part of the promise MSSPs make to their customers, so smaller companies should make sure their vendor is delivering.
As we break the cycle of diminishing value by getting a handle on the quantity/quality challenge, information exchanges will begin to thrive. Finally, we'll be able to do less talking and more sharing.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.