Threat-Intel Sharing Services Emerge, But Challenges Remain

A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems


Six years ago, when Mike Hamilton, the chief information security officer for the City of Seattle, wanted to collaborate with other local municipalities, the federal government and critical-infrastructure providers to exchange threat information, no platform existed through which to share threat intelligence.

Instead, the City of Seattle, along with the U.S. Department of Homeland Security and the University of Washington, created a system based on a security information and event management (SIEM) system. Dubbed the Public Regional Information Security Event Management (PRISEM) system, not to be confused with the National Security Agency's controversial PRISM project, the platform allows the City of Seattle's information security team to collect threat information from federal agencies and security firms, develop indicators of compromise, and look for malicious activity across the networks of PRISEM members.

Using the system, analysts "can search all the monitored jurisdictions for the indicators of compromise in a number of ways, and we can notify them when we see them talking to bad places," Hamilton says. "As a whole, we are able to get in front of threats a lot faster than if everyone was operating independently."

The City of Seattle is one of the few successful collaborations between organizations to share information on online threats, attacks and compromises. Fear of liability, a lack of trust between business rivals and still-developing standards have slowed the adoption of collaborative threat-intelligence platforms. In addition, the threat intelligence gained from the system was not actionable, but a firehose stream of data through which an analyst was required to sift.

Yet, that may be changing. Last week, Hewlett Packard refreshed its security offerings, among them a threat-intelligence sharing environment known as Threat Central. Customers who subscribe to the system will be able to upload threat data from their HP ArcSight devices or any database compliant with the Structured Threat Information Expression (STIX) standard created by government contractor MITRE.

Working together is the only way to defend against the widespread attacks that companies, government agencies and educational institutions are seeing today, says Ted Ross, director of field intelligence for HP Security Research.

"The adversary figured this out a long time ago," he says. "And if we don't collaborate effectively as a community, then we will be attacked in ways that people are not expecting."

HP's Threat Central is only the latest threat-intelligence collaboration platform to arrive. A wide variety of other platforms have been created by large companies, small startups and even academic research groups.

Georgia Tech, for example, has created a system for malware analysis and threat-data sharing called Apiary, which can quickly analyze malware and return information to the more than 100 organizations working with the university on the beta project. Malware-analysis-as-a-service firm ThreatGRID has its own system for analyzing binaries and creating indicators of compromise from the files. The service, which processes up to 500,000 suspect files every day, allows teams to collaborate and share their findings with teams from other companies.

The Open Threat Exchange, a community-driven project managed by unified-security provider AlienVault, allows anyone using the Open-Source Security Information Manager (OSSIM) or AlienVault's own product to upload threat data, investigate threats and download indicators of compromise.

Threat Connect, a threat analysis and collaboration environment created by security services firm Cyber Squared, pulls data from a number of sources to allow security analysts to more quickly triage and analyze threats.

"Threat intelligence is a really complicated area, so everyone has a different approach to providing a customer a solution for threat intelligence," says Adam Vincent, CEO of Cyber Squared. "Collaboration is definitely a main part of that, but each company has a different perspective on the problem."

Yet, all the firms face two common problems. When a threat information-sharing platform is small, the participants know each other and are more likely to share. But as they grow, distrust sets in and fewer companies share and more just consume information, says Dean De Beer, chief technology officer of ThreatGRID.

"The majority of companies are consumers," he says. "You have people who are giving up a lot of data, and they will get tired of not getting much back."

In those cases, the companies who run the services have to step up and add at least a baseline value to the service to keep the most productive customers coming back, De Beer says.

[Companies participating in threat-intelligence programs have suffered from too much information, and they struggle to deal with information that is neither actionable nor relevant. See Dolloping Out Threat Intelligence.]

While the disparate levels of benefit that each customer gets are one problem, another issue is the lack of trust. Both the City of Seattle and another threat-information sharing system run by the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) have been successful because their constituents are not competitors. In the business world, that is a harder sell.

For that reason, Cyber Squared, HP, and Georgia Tech allow every member to share or restrict any information and do it anonymously.

"A big part of the challenge is getting commercial entities to cooperate," says Lars Harvey, CEO of Internet Identity, which released a study on the challenges facing threat-intelligence sharing this week. "We have to figure out a way to get larger and broader exchanges going on."

The industry also has to change the perception that it is taking information, creating a product or service, and not giving enough back, says Barmak Meftah, CEO of AlienVault. The security-management provider made its platform free to make customers more confident in its motives.

"The Achilles' heel of the industry is that it is very vendor driven, and each vendor has a myopic view of these attacks," he says. Intrusion detection vendors look for signatures, vulnerability management providers look for weak points in the network, and next-generation firewalls look for signs of malware on the network. "The concept of threat capture has been very myopic and very closed and captive."

Yet, companies have to solve these problems and find ways to work together better, says Seattle's CISO Hamilton. The attackers are benefiting from exchanging information on attack strategies, vulnerabilities and better ways of monetizing compromises. Defenders have to do it too, he says.

"From a 30,000-foot level, this is the way that the world needs to work," Hamilton says. "The one-stop shop for sending all your threat information to a vendor, looking to boil that ocean—that doesn't scale. But done regionally like we are doing it—that can scale."


About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
