How retailers can boost security through information sharing

Major U.S. retailers that have formed a group for sharing cyberthreat information will have to overcome a number of hurdles before security can be improved within the participating companies, experts say.

The Retail Cyber Intelligence Sharing Center (R-CISC), launched Wednesday, includes J.C. Penney, Gap, Lowe's, Nike, Safeway, Target, Walgreen, American Eagle Outfitters, and VF Corp., which owns more than a dozen brands.

At least four of the members, including Walgreen, J.C. Penney, Lowe's and Target, have been the victims of major data breaches, which experts believe has added urgency to forming the group.

During last year's holiday shopping season, Target had tens of millions of customer accounts and credit-card numbers siphoned off its computer systems. Target CEO Gregg Steinhafel resigned this month, in part because of the breach. In addition, the company could face more than $1 billion in costs, according to Jefferies retail analyst Daniel Binder.

The centerpiece of the center's strategy for bolstering security is the Retail Information Sharing and Analysis Center (Retail-ISAC), which will be responsible for "identifying real-time threats and sharing actionable intelligence to mitigate the risk of cyberattacks."

How all that will be done is not clear. The Retail Industry Leaders Association, the trade group that's a part of the effort, did not respond to a request for an interview.

Nevertheless, such information-sharing initiatives are not new, so what needs to be done is known. A successful example is the Financial Services Information Sharing and Analysis Center (FS-ISAC), which co-ordinates security collaboration among banks.

For retailers, the first major hurdle will be to have a legal framework for sharing information among competitors. Frank discussions about how systems were hacked, vulnerabilities exploited and botched responses require guarantees that the information cannot be used for competitive advantage.

The R-CISC appears to have gotten around this problem initially by not having direct competitors in the group. However, that will have to change if the organization plans to grow.

Even with a legal framework, the participating companies will need time for their security people to get to know and trust each other, Rick Holland, analyst for Forrester Research, told CSOonline. Confidence is built through "getting people together, drink some beers, socialize and build up relationships."

"It's going to take some time to build up that circle of trust before people are really comfortable sharing high-fidelity information amongst themselves," Holland said.

On the technical side, the retailers will have to do extensive audits in order to get a clear understanding of where critical data is stored within a network infrastructure that can span several geographical regions, Christopher Strand, a retail expert at security vendor Bit9, said.

Once that is done, retailers can use the shared intelligence to test the defenses of important systems, he said.

The kinds of intelligence that would be most useful to share include actual attack scenarios, hacker techniques and methods for getting useful intelligence from the terabytes of log data collected from network computers and security systems, Patrick Harbauer, senior security consultant for Neohapsis, said.

In addition, the companies should conduct exercises in responding to a breach, Harbauer said.

"If they can get the technical people that are actually defending their systems talking to each other, then I think there would be a ton of value in that," he said.

Finally, the retailers will need to build a central repository for all the collected information, so the companies, law enforcement and federal agencies, such as the Department of Homeland Security, can access it. Some form of analytics to provide actionable intelligence from the data would also be helpful, experts say.


Stories by Antone Gonsalves
