Can collaborative security work?

Many IT security pros say sharing is good, but with government, not so much.

At a web conference meeting with IT security professionals in early December, IT advisory services firm Wisegate polled the small group about how comfortable they were with sharing cyberthreat information with industry peers and with government agencies.

When “sharing” included giving information to the government, about half of the group thought it was a bad idea. But when “government” was taken out of the sharing equation, some 80 percent of respondents were at least “somewhat comfortable” with sharing their knowledge.

Their mixed feelings about collaborating on security issues are common. Almost two years after President Obama's executive order on cybersecurity, a document that has shaped the cyber policy landscape, and one year after he signed an executive action aimed at increasing private sector information sharing on cyberthreats, questions remain regarding whether we can truly make collaborative security work.

Most recently, the Cybersecurity Information Sharing Act, a bill designed to shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another to fight cybercrime, was added to a consolidated spending bill in the U.S. House on Dec. 15. Some view it as a surveillance bill in disguise or think that it will complicate relations with foreign assets that forbid passing data to third parties.

U.S. businesses often have technical clues that could help thwart or limit the damage from a cyber attack – whether it's a nation-state sponsored act of aggression or a criminal hack – but they’re often reluctant to share what they know, fearing possible legal liability.

On the flipside, the government often has information on looming cybersecurity threats, but struggles to quickly push it out to the private sector amid legal and national security constraints.

Luckily, many industries and organizations have been collecting and disseminating threat information among themselves for years – some through industry groups, others by peer group crowdsourcing, and others through vendors that sell the information. Most of these organizations agree that information sharing is working, but there are still many challenges.

Financial services lead the way

The Financial Services Information Sharing and Analysis Center (FS-ISAC), one of the oldest and largest ISACs, is a private, non-profit group with 6,700 member organizations worldwide.

“We have [government] partners that might share intelligence with us, but we’re not as much about providing information back to the government. That’s not what we do,” says Andrew Hoerner, an FS-ISAC spokesperson, adding that it took time to build relationships and trust among its members.

While he can’t talk about specific attacks that were thwarted because of information sharing, Hoerner could point to instances where one large bank will share information about an imminent cyberattack with another bank. If that bank has seen that same threat, they work together on a patch. If a bank’s competitors haven’t seen a similar attack, then they know they’re experiencing a targeted attack specific to their environment and have to react differently, Hoerner says.

More recently, midsize banks have been targeted by attackers as a testing ground or pathway to big banks, so FS-ISAC is working with smaller banks to identify and stop those attacks, he says.

The center is also sharing its Soltra Edge software with all industries to automate and speed the flow of threat intelligence between entities. The software is jointly backed by the Depository Trust and Clearing Corp., a mega clearing house for transaction processing. FS-ISAC offers the software free to all industry sectors, and so far health care, energy, manufacturing and government entities have used it.

“It replicates all the protocols and controls you have for sharing,” Hoerner says. Instead of relying on several sources for cyberthreat information, “It just makes things faster and more efficient.”

Building relationships

The retail industry is just beginning its information sharing journey. The Retail Cyber Intelligence Sharing Center was launched in May as an independent organization by the Retail Industry Leaders Association.

“The biggest and most universal problem [with information sharing] is that trust tends to happen between individuals, and not between organizations,” says Wendy Nather, R-CISC research director. “When we talk to people, we find that they already have information sharing going on – it’s just with individuals that they trust. Getting them to shift that trust to an organizational relationship and keeping that going when the original person moves on (which happens a lot in security) is the biggest challenge.”

R-CISC already has about 50 corporate members, and some of them come from outside the retail industry, Nather says. Oil and gas companies have joined the retail group, for instance, because most gas stations also operate convenience stores. Some financial institutions that are FS-ISAC members also joined the retail group because of POS and credit card cyberthreats. Fast food restaurants, automotive companies, hospitality groups and even casinos have joined the R-CISC.

The center is also protective of the data it shares with federal agencies. “In general, we don’t share anything outside of our retail circle unless a member submitter agrees to it,” Nather says.

R-CISC provides members with weekly cyber-information briefings, and it is working with vendors to provide free resources, such as reversing labs for members during the holiday shopping season, where they can set up cloud-based instances and upload malware samples for examination.

The center also launched a project with George Mason University to research the obstacles to threat intelligence sharing among retailers. Longer term, R-CISC is working on ways to monitor the supply chain security of its members. “There’s a huge ecosystem out there and not everybody is looking at the security of suppliers,” Nather says.

Crowdsourcing speeds info sharing

Information sharing doesn’t have to run along industry lines. At Wisegate, information is shared among IT security professionals from many different types of companies.

“The old information-sharing model of relying on an ‘expert’ to aggregate and disseminate information doesn’t match the pace today of cybersecurity challenges,” says Sara Gates, founder and CEO of Wisegate, which helps security professionals collaborate on security issues using crowdsourced IT research. “The timeframe we have to react and respond won’t work” with this model. Gates says peer information sharing takes advantage of the speed of information -- from issue to discussion to solution.

Members pose questions on their latest security issues to Wisegate, and the firm uses a matching algorithm to identify the most pressing issues. Within 48 hours, the firm holds live roundtable discussions with interested members, whose identities and companies have been vetted, but remain anonymous in discussions. More importantly, “members can go back to their management and say ‘this is what our peer group is doing,’” she adds.

Too much information?

With dozens of information-sharing organizations popping up – along with private sector vendors, open source, and government entities that disseminate cyber threat information – finding the most accurate, targeted information could get more difficult.

“If you’ve got 20 people feeding you threat intel and some of it conflicts, how do you make a choice?” says Hugh Thompson, program committee chair and advisory board member to RSA Conference, which brings together thousands of IT professionals annually to discuss information security.

Many of the topics being batted around for the 2016 conference focus on the new challenges of information sharing. The 2014 conference focused on encouraging companies to share information, Thompson says. By 2015, topics moved to the mechanics of sharing, such as industry standards for capturing a threat, codifying it and writing it in XML.

“This coming year, folks are getting down to the most mature questions. What, at the end of the day, is our policy for sharing information? When is it a good idea for us to share it? That has all kinds of interesting complications -- most of it being legal. Is it OK to talk about this vulnerability? Will it expose a third party? Will it alert an attacker to an ongoing investigation? Will it open us up to liability by our customers?” Thompson says.

Stories by Stacy Collett
