The goal of sharing attack information and intelligence among victim organizations and other organizations that also could become targets was part of a new set of recommendations issued today by security executives from major global firms including ABN Amro, ADP, BP, Coca-Cola, eBay, Genzyme, HSBC Holdings, Johnson & Johnson, JPMorgan Chase, Nokia, Northrop Grumman, SAP, T-Mobile, and RSA parent company EMC. Their recommendations were included in a report published under the auspices of the Security for Business Innovation Council (SBIC) and facilitated by RSA.
But getting business rivals as well as federal agencies and the private industry to join hands and share their attack experiences, logs, and artifacts is not so simple. Aside from competitiveness, privacy, and technical issues, there are legal ramifications that typically limit or altogether prevent businesses from helping one another.
Even so, experts say it’s time for organizations to come out of the shadows and team up against the common enemy of cybercrime and cyberespionage. That’s the only way to get a leg up on the bad guys, they say.
But so far the sharing has been either industry-specific or very much ad-hoc: The Defense Security Information Exchange is an online portal for Defense contractors to swap attack information, and some local organizations, such as the Bay Area CSO Council, which includes chief security officers from Adobe, eBay, Gap, eTrade, Symantec, SAIC, Lawrence Livermore Laboratory, PayPal, Cisco-WebEx, Yahoo, and Intel, confidentially share their attack information.
There’s also InfraGard, the FBI-led association of local businesses, academic institutions, and state and local law enforcement agencies that meet regionally to share attack and threat information.
Lately, there have been more signs of cooperation: Key financial institutions, including Morgan Stanley and Goldman Sachs, earlier this month took some of the first steps toward possibly establishing a central site to gather and analyze attack trends for the financial services industry. They met with researchers at the Polytechnic Institute of New York University to noodle about the possibility of such a center, while the Bank of America has also been holding informal meetings with banks on coming up with solutions to deter the latest threats.
Meanwhile, Congress is currently floating multiple pieces of legislation that call for information-sharing with and among the feds, including a bill that would set up a national information-sharing organization as a way to protect critical infrastructure.
But there’s still no official go-to place for sharing this type of information, and experts say it’s unclear if there ever will be.
Art Coviello, executive chairman of RSA Security, says a hierarchical model for victim organizations to share their threat information isn’t likely to emerge. “It’s never going to be a top-down thing,” he says.
“I foresee a future where there are networks of networks, until from the grassroots up we develop more of an online information-sharing facility -- this whole idea of a neighborhood watch, expanded on a worldwide basis,” Coviello says.
Both the legal issues and the sheer scope of such a model have so far been among the biggest hurdles. It’s the smaller, more focused models, like that of the Bay Area CSO Council, that have found success.
“The [Bay Area CSO] Council worked because it was formed with a prerequisite trust in the network. It was small enough, and the value and benefit were very clear,” says Jacques Francoeur, former executive director of the Bay Area CSO Council and founder of the Union of Concerned Cybersecurity Leaders.
The SBIC report says information-sharing among organizations requires the investment of manpower and technologies.
“If something happens at your organization, the first question you’ll ask is, ‘Is it just me or is everybody else getting hit with this attack?’” said Renee Guttmann, chief information security officer for The Coca-Cola Company and a member of the SBIC, in a statement. “You can't answer that for yourself. And it takes too long to call 20 of your closest friends. You’ve got to be part of a larger gene pool to get an immediate answer to that question.”
And other companies need to be willing to do the same, SBIC members say. "As cyber attacks continue to threaten enterprises and governments, more organizations will likely be motivated to invest in information sharing. An important factor paving the way is that organizations have the people, processes, and technologies in place to effectively participate in intelligence exchange," the report says.
RSA’s Coviello says he has previously tried to pull together service providers, telcos, and security organizations to see how to construct such an entity. "We can’t get past the lawyers," Coviello says.
It's the legal downsides that overshadow some of the possible benefits of getting an inside track on a new targeted attack campaign out of China, or a look at the latest malware variant going after corporate user accounts. "At the end of the day, there are a lot of legal downsides and not a lot of perceived upsides," the Union of Concerned Cybersecurity Leaders’ Francoeur says.
CSOs get frustrated when they share attack intelligence with the FBI, for example, and never hear back, or when the only intelligence they receive is already expired or cannot be acted on, Francoeur says.
And in many cases, once the general counsel is brought in, it’s game over for any information-sharing about a breach. Even if new legislation resolves the liability issues that block this sharing, there’s no guarantee organizations will suddenly clamor to spill their guts about breaches.
RSA's Coviello says the current ad-hoc groups may eventually coalesce into something bigger. "I am really encouraged by ... the ISACs and industry groups taking it on themselves," he says. They could start connecting with one another, he says, and expand into a network of networks from there.
But once you get the green light to share your breach data with others, then what?
"Sharing information is not the end state. The end state is to get actionable information that will help improve corporations’ and governments' cyber-security posture and continually raise the bar," said William Pelgrin, who is president and CEO for the Center for Internet Security, chair of the Multi-State Information Sharing and Analysis Center, and chair of the National Council of ISACs, in a statement.
At the heart of the SBIC’s recommendations is what it calls an "intelligence-driven information security" approach, where businesses gather reliable security information from government, industry, and internal sources to get a full picture of the threat and their exposures to it, and a process for analyzing it and taking action.
"An intelligence-driven approach to information security can deliver comprehensive situational awareness, enabling organizations to more effectively detect and mitigate cyber attacks. Developing a cyber-risk intelligence capability will take investments in people, process, and technology. It will challenge the information-security team to grow beyond the current skill set and to commit to a change in mind-set. And it will require not only the steadfast efforts of the security team but also broad organizational support," the SBIC report says.
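The mechanics behind that approach are easy to lose in the abstract language: internal observations have to be matched against indicators received from government, industry, and peer sources, and stale indicators (the "expired" intelligence Francoeur complains about) have to be set aside so that analysts act only on current ones. The following Python is an added illustration, not code from the SBIC report or from RSA; the indicator feed, the source names, and the key=value log lines are all constructed for the example, and the field-to-indicator mapping is an assumption about a log format rather than any real product's schema.

```python
from datetime import date, timedelta

# Constructed indicator records from the three kinds of sources the report names
# (government, industry/peer, internal). Every value below is made up.
INDICATOR_FEED = [
    {"value": "203.0.113.45", "type": "ip", "source": "sector-isac",
     "last_seen": date(2012, 3, 10), "ttl_days": 30},
    {"value": "198.51.100.7", "type": "ip", "source": "government-advisory",
     "last_seen": date(2011, 11, 1), "ttl_days": 30},   # stale by March 2012
    {"value": "0123456789abcdef0123456789abcdef", "type": "md5", "source": "internal-ir",
     "last_seen": date(2012, 3, 12), "ttl_days": 90},
    {"value": "login-verify.example.net", "type": "domain", "source": "sector-isac",
     "last_seen": date(2012, 3, 11), "ttl_days": 30},
    {"value": "login-verify.example.net", "type": "domain", "source": "peer-council",
     "last_seen": date(2012, 3, 12), "ttl_days": 30},
]

# Constructed key=value log lines from a proxy, an endpoint agent and a firewall.
SAMPLE_LOGS = [
    "2012-03-13T08:01:02 sensor=proxy user=alice dst=login-verify.example.net action=allow",
    "2012-03-13T08:05:41 sensor=endpoint host=ws-17 file=update.exe md5=0123456789abcdef0123456789abcdef",
    "2012-03-13T09:12:09 sensor=firewall src_ip=198.51.100.7 dst_ip=10.0.0.5 action=drop",
    "2012-03-13T09:30:00 sensor=proxy user=bob dst=www.example.org action=allow",
]

# Assumed mapping from indicator type to the log fields it should be compared against.
FIELDS_BY_TYPE = {"ip": ("src_ip", "dst_ip"), "domain": ("dst",), "md5": ("md5",)}

# Reference date for the constructed data ("today" when the correlation runs).
TODAY = date(2012, 3, 13)


def parse_log_line(line):
    """Split a 'timestamp key=value ...' line into a dict; the first token is the timestamp."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def active_indicators(feed, today):
    """Index indicators as (type, value) -> sorted source list, dropping any past its ttl.

    The same indicator reported by several sources collapses into one entry that
    records every source, which is the corroboration an analyst actually wants.
    """
    index = {}
    for rec in feed:
        if rec["last_seen"] + timedelta(days=rec["ttl_days"]) < today:
            continue  # expired intelligence: not actionable, skip it
        index.setdefault((rec["type"], rec["value"]), set()).add(rec["source"])
    return {key: sorted(sources) for key, sources in index.items()}


def correlate(log_lines, feed, today):
    """Return one hit per (log line, indicator) with the sources that reported the indicator."""
    index = active_indicators(feed, today)
    hits = []
    for line in log_lines:
        fields = parse_log_line(line)
        for ioc_type, field_names in FIELDS_BY_TYPE.items():
            for field in field_names:
                value = fields.get(field)
                sources = index.get((ioc_type, value))
                if sources:
                    hits.append({
                        "ts": fields["ts"],
                        "sensor": fields.get("sensor"),
                        "type": ioc_type,
                        "value": value,
                        "sources": sources,
                        # Hits seen by someone outside the organization answer
                        # the "is it just me?" question.
                        "external": [s for s in sources if s != "internal-ir"],
                    })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGS, INDICATOR_FEED, TODAY):
        who = ", ".join(hit["sources"])
        print(f"{hit['ts']} {hit['sensor']}: {hit['type']} {hit['value']} reported by {who}")
```

Run against the constructed data, the proxy hit on login-verify.example.net is corroborated by two outside sources, the endpoint hit rests only on internal incident-response data, and the firewall event involving 198.51.100.7 produces no hit at all because that government advisory has aged out. The ttl field is a local policy choice; a real feed would carry its own validity or confidence metadata, and the point of the example is only that freshness and provenance must travel with the indicator for the output to be actionable.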