Facebook’s Threat Intelligence Sharing Potential

Data management, scale, and algorithmic strengths may give Facebook an advantage in the threat intelligence sharing platform market

Enterprise organizations are actively consuming external threat intelligence, purchasing additional threat intelligence feeds, and sharing internally-derived threat intelligence with small circles of trusted third parties.  Based upon these trends, it certainly seems like the threat intelligence market is well-established, but in this case appearances are far from reality.

In my humble opinion, threat intelligence consumption and sharing is extremely immature today with the market divided by a few haves (i.e. large banks, defense contractors, large IT vendors, intelligence agencies) and a large majority of have-nots – everyone else.

This immaturity is illustrated by some recent ESG research (note: I am an ESG employee).  A panel of cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) were asked to identify weaknesses associated with their firm’s threat intelligence consumption and sharing programs.  The data indicates:

  • 28% of organizations claim that threat intelligence isn’t as timely or as actionable as they need it to be.  This may mean that they haven’t found the right threat intelligence feeds or sharing partners.
  • 26% of organizations say that threat intelligence contains too many false positive alerts.  This is an indictment of raw threat intelligence and speaks to weaknesses with threat intelligence vetting and quality metrics.
  • 26% of organizations indicate that threat intelligence does not come in a standard format so the cybersecurity staff is required to develop tools or use manual processes to normalize the data.  So like other areas of cybersecurity, operational complexity is getting in the way of efficiency.
  • 26% of organizations state that threat intelligence sharing is immature and requires too much manual labor and customization to gain maximum value out of the sharing process.  Simply stated, it is just too hard to share threat intelligence in an efficient and scalable way.

Based upon this and lots of other data from the ESG Threat Intelligence research report, the current state of threat intelligence sharing is hamstrung by inaccurate data, immature processes, and operational overhead.  Sure, the good people in Washington could pass some type of public/private threat intelligence sharing legislation (i.e. CISPA, CISA, etc.) sometime this year, but new laws won’t do diddly squat to solve these basic problems.  As of now, we are light years away from benefiting from the potential of threat intelligence sharing.

Now how can this situation get rectified?  Hmm, what may be helpful here is some type of cloud-based organization that knows how to collect, process, analyze, refer, and distribute massive amounts of data.  A firm like this can act as a threat intelligence sharing hub, take a leadership and innovative position, and create some type of intuitive yet intelligent threat intelligence sharing portal for the masses.

Enter Facebook and its ThreatExchange platform, announced this past February.  According to a blog by Mark Hammell, manager of Facebook’s threat infrastructure team (described here by the WSJ), more than 90 organizations are now sharing threat intelligence via ThreatExchange, including Dropbox, PayPal, Microsoft, Yahoo, and other firms in financial services, IT, etc.

Now I know that there are numerous threat intelligence sharing platforms competing in this burgeoning but nascent space, but Facebook’s skill set may give it some market advantages:

1. Facebook knows how to collect, process, and categorize massive quantities of data.  This is really the foundation of threat intelligence sharing, so Facebook could easily offload a lot of the heavy lifting for enterprise organizations.  ThreatExchange will only increase its usefulness here when it adopts STIX and TAXII support later this year.

2. Facebook is built on managing dynamic communities of interest.  This is important to me since the current threat intelligence sharing model is tightly coupled around vertical industries – a good start, but the same cyber adversaries attacking big banks are hacking into other industries as well.  Given today’s threat landscape we need a more flexible approach designed for ad-hoc peer-to-peer threat intelligence sharing relationships based upon real-time changes associated with threats in the wild and software vulnerabilities.

3. Facebook algorithms are designed to see patterns related to data consumption, user behavior, and changes within the data itself.  This is critical, as we need to supplement the basic manual exchange of threat intelligence data with artificial intelligence that detects anomalous behaviors that typical security analysts and forensic investigators miss.

Now I admit that given Facebook’s track record on privacy, I am as skeptical as anyone about Facebook’s direct participation in threat intelligence sharing.  To succeed, Facebook must convince the cybersecurity community that ThreatExchange is a different use case for the company’s infrastructure and that its threat intelligence sharing platform aligns Facebook’s technical chops with a (legal) commitment to confidentiality, privacy, and trust.

Given its history and business model, it would be easy to dismiss ThreatExchange but I suggest that the cybersecurity community maintain an open mind.  If you really think about what’s needed to achieve the potential benefits of threat intelligence sharing, Facebook’s infrastructure and expertise fits hand-in-glove.

Ten years ago, no one ever imagined that a retailer like Amazon would reinvent how computing is done.  If Facebook marries its technology prowess with a true cybersecurity commitment, it could achieve a similar leadership position by reinventing threat intelligence sharing.  If this happens, everyone could benefit.
