Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/23/2015
08:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

DHS Courts Private Sector For Threat Intelligence-Sharing

Homeland Security NCCIC now STIX- and TAXII-enabled for automated machine-to-machine sharing of intel, agency officials told attendees at the RSA Conference.

RSA CONFERENCE -- San Francisco -- The US Department of Homeland Security doesn't want to "cannibalize" existing cyberthreat-intelligence services and operations, but rather work with and help them thrive, DHS undersecretary for cybersecurity and communications Phyllis Schneck said here yesterday.

Schneck, who works with the National Protection and Programs Directorate of the DHS, in a presentation here, outlined how the DHS National Cybersecurity and Communications Integration Center (NCCIC) will operate as a central repository for threat intel-sharing under the new Executive Order encouraging more sharing of intelligence in the federal government, and between the feds and private industry.

Meanwhile, Congress this week inched closer to delivering cyber security legislation that encourages private industry threat intel-sharing: the US House of Representatives passed two bills in the past two days on cyberthreat-sharing, the Protecting Cyber Networks Act, and the National Cybersecurity Protection Advancement Act, which also provide liability protections to companies and organizations in the private sector that swap threat data with the feds. The Senate is expected to vote on similar legislation next month.  

DHS is on the lookout for security talent as well. DHS Secretary Jeh C. Johnson announced in a keynote here that the agency will open a satellite office in Silicon Valley to tap the technology talent in the region and strengthen ties to the security industry. (Federal law enforcement also was recruiting here: At the FBI booth on the conference show floor, officials were distributing information about cybersecurity job opportunities in the agency's cyber division.)

Schneck said the DHS wants to build trust with the private sector, and leveraging the private sector's talents and views into the threatscape provides the best defense against cyber attackers, she said. But she acknowledged that earning the trust of the business world is no easy feat for the government these days. "This is the hardest time ever for most companies to share with the US government, especially those who have [operations] overseas" as well, she said.

DHS NCCIC officially serves as the central portal for threat intel-sharing. DHS Secretary Johnson announced the that the NCCIC now can deliver and automate threat indicators in machine-readable format.

"Today we are sharing indicators with an initial set of companies and are in the process of adding others. Later this year, we will be in a position to begin to accept cyber threat indicators from the private sector in automated near real-time format," he said. "We have set up the NCCIC as your primary pathway to provide cyber threat indicators to the U.S. government. Yes, the government is trying to make it easy for you." 

[How some intelligence-sharing organizations operate in the face of today's threat landscape. Read ISACs Demystified.]

Schneck noted that DHS is mindful of privacy issues of participants. "The NCCIC is the core of where the cyber raw materials are, not private information. We work closely with privacy experts … which is why we collect enough data to protect and still do it right."

But to truly provide this full picture of the threats, government and the private sector need to share and pool their intelligence data. "The more tools we can put in there, the better awareness we get. We can then use those indicators and push them out, block [threats] and make more educated decisions on what to block and where," she said.

"We cannot do this by ourselves," she said. "You are our customers and also our providers" of intelligence, she said.

The NCCIC now offers machine-to-machine transmission of intel, via the STIX format language protocol and the TAXII delivery protocol. One way to make it harder on the bad guys is having this level of timely situational awareness, according to Schneck.

"We're not just sending a pretty PDF. We're going from PDF-to-person [delivery] to machine-to-machine," she said.

The NCCIC will also provide a barometer and thermometer of the threat "weather," not just flashing lights, she said. "I want to make sure … everyone has access to what the government can bring," even small organizations, which she noted also provide valuable data about adversaries their systems are facing.

ISACs and the new ISAOs will provide aggregated indicators that NCCIC can correlate with its partners to build a bigger picture of the threats. 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
kbannan100
50%
50%
kbannan100,
User Rank: Moderator
4/24/2015 | 2:19:57 PM
Great news
This is truly great news for the entire security world. It will be interesting to see how it all plays out in the end, but it's certainly a good start. 

--KB
Karen J. Bannan, commenting on behalf of IDG and FireEye.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
4/27/2015 | 12:55:33 PM
Tit for Tat
I'm curious what would be required for an individual or business to gain access to this database, and whether it will be a free model or if this get commercialized. 

Only if the information remains free and open, and the organization itself transparent, will this fully succeed. 

The reason I raise the question of commercialization is that DHS has been sorely underfunded, with something like ~20 DHS projects identified by Congressional investigators as likely to fail or have poor outcomes.

If I recall correctly, a recent report from the Government Accountability Office documented DHS as planning to invest $10+ billion in acquisition programs.  With what money?

Look, if the Snowden effect means a little healthy distrust for Government, that's OK as long as the return on that is a more open Government willing to do tit-for-tat.  Let's see if this program is on the right track in two years and whether the database allows InfoSec as a whole in the US to make noticeable strides against cybercrime.

A good story and one we should all follow closely with great interest.
News
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Edge-DRsplash-10-edge-articles
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
Commentary
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3200
PUBLISHED: 2021-05-18
Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service
CVE-2021-32305
PUBLISHED: 2021-05-18
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
CVE-2020-20951
PUBLISHED: 2021-05-18
In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files.
CVE-2020-23861
PUBLISHED: 2021-05-18
A heap-based buffer overflow vulnerability exists in LibreDWG 0.10.1 via the read_system_page function at libredwg-0.10.1/src/decode_r2007.c:666:5, which causes a denial of service by submitting a dwg file.
CVE-2020-24740
PUBLISHED: 2021-05-18
An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage