Private-sector security leaders must leverage threat-intelligence sharing better, CISO warns

Stop just profiling online cybercrims and start using actionable intelligence against them

Empowered by high-level endorsement of their collaboration, Australia's businesses and government bodies need to proactively leverage their growing body of threat intelligence into new defensive and offensive cybercrime strategies, one regional CISO has advised in the wake of his growing engagement with the country's cybersecurity community.

While it had taken some time for comfort levels with increased threat-sharing practices to grow, increasing familiarity with threat-exchange formats like STIX and TAXII had taken the complexity out of the actual processes of data sharing, Palo Alto Networks vice president and APAC chief security officer Sean Duca recently told CSO Australia.

Duca, whose remit includes protecting the almost continuously attacked systems of a worldwide security vendor, has embraced the emerging culture of threat sharing, particularly in countries like Australia, where an explicit government mandate around cybersecurity has promoted the productive sharing and use of threat information as part of its Australian Cyber Security Strategy (ACSS).

Calling the strategy “a great thing”, Duca called for more action by business leaders in its wake – particularly from large companies – “who are driving a large part of the economy of Australia” and have extensive experience and investments in cybersecurity capabilities.

“Whilst we would like to see a lot more, this is a step in the right direction,” Duca said. “Collectively it's up to us to make it work – and it's now time that we start to consider, collectively, how we can really start to get a lot of leverage here.”

Rather than simply cataloguing online nasties and the depredations of the seemingly ceaseless flow of online actors, Duca advocates the joint creation of 'adversary dossiers' that draw on growing bodies of threat intelligence to build up collections of 'campaign plans' outlining not only what hacker groups are doing, but why and how. “We need to start thinking about how we map what we do to that lifecycle,” he said, noting the importance of fleshing out the widely-referenced 'cyber attack kill chain' for key cybersecurity threats.

“We can pick up on the very indicators that focus on reconnaissance, and other organisations are picking up on other indicators. We will eventually have maybe 100 threat indicators that we can put together, enrich that information and get to a point where we have very good information about what the adversary is trying to do.”

“It's not enough just saying 'there is something bad out there',” he added. “The more that we share this information in a way that allows us to get that timely information into everyone's hands, it is actionable and we can decide what to do with it. There needs to be contextual threat intelligence, where everyone can act on it as quickly as they possibly can.”

Duca's support of increased threat-sharing practices has been echoed by other players in Australia's information-security market in the wake of damning assessments by the likes of the Australian Centre for Cyber Security (ACCS), which in June slammed “a relative lack of attention” to persistent gaps in cybersecurity capabilities.
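The dossier-building process Duca describes, shown as an added example that is not code from the article or from Palo Alto Networks: indicators shared by several partners are merged by campaign and kill-chain phase, identical indicators from different organisations are collapsed into one corroborated entry, and the phases nobody has contributed to are reported as gaps. The indicator objects are constructed and only mimic a few STIX 2.x fields (pattern, kill_chain_phases, labels); the `source_org` field and all values are assumptions for illustration.

```python
"""Merge partner-shared indicators into a per-campaign 'adversary dossier'
keyed by kill-chain phase. Constructed example: the objects below imitate a
few STIX 2.x indicator fields; 'source_org' is assumed bookkeeping, not STIX."""
from collections import defaultdict

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command-and-control", "actions-on-objectives"]

def _ind(org, pattern, phase, campaign):
    # Compact constructor for the constructed sample feed below.
    return {"source_org": org, "pattern": pattern, "labels": [campaign],
            "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                                   "phase_name": phase}]}

# Constructed sample: three partners each see a different slice of the same
# campaign; org-a and org-b independently report the same delivery domain.
SHARED = [
    _ind("org-a", "[domain-name:value = 'recon.example']", "reconnaissance", "campaign-x"),
    _ind("org-a", "[domain-name:value = 'lure.example']", "delivery", "campaign-x"),
    _ind("org-b", "[domain-name:value = 'lure.example']", "delivery", "campaign-x"),
    _ind("org-c", "[file:hashes.'SHA-256' = '<placeholder-sha256>']", "installation", "campaign-x"),
    _ind("org-c", "[ipv4-addr:value = '203.0.113.9']", "command-and-control", "campaign-x"),
]

def build_dossier(indicators):
    """Return {campaign: {phase: {pattern: sorted reporting orgs}}}.
    Identical patterns from different partners merge into one entry, so the
    list of orgs is a corroboration record rather than a duplicate."""
    dossier = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for ind in indicators:
        for campaign in ind.get("labels", []):
            for kcp in ind.get("kill_chain_phases", []):
                dossier[campaign][kcp["phase_name"]][ind["pattern"]].add(ind["source_org"])
    return {c: {p: {pat: sorted(orgs) for pat, orgs in pats.items()}
                for p, pats in phases.items()} for c, phases in dossier.items()}

def coverage_gaps(dossier, campaign, chain=KILL_CHAIN):
    """Phases with no shared indicator yet: where the dossier still only
    says 'there is something bad out there'."""
    return [phase for phase in chain if phase not in dossier.get(campaign, {})]

def corroborated(dossier, campaign, min_orgs=2):
    """Patterns reported independently by at least min_orgs partners."""
    return sorted(pat for phases in dossier.get(campaign, {}).values()
                  for pat, orgs in phases.items() if len(orgs) >= min_orgs)
```

Running `build_dossier(SHARED)` on the constructed feed yields a dossier with four populated phases, one corroborated delivery indicator, and three empty phases that the sharing partners would still need to cover.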

Recent changes to the structure of the government's Australian Cyber Security Centre (ACSC) – which was moved from an office inside a secure government building into its own facility – had “allowed the industry to start to collaborate”, Duca noted.

Similarly, growing consensus around the types of information that were most important to share – “STIX has around 600 different fields that can be populated with information but if you talk with anyone that has actually used it internally, there are probably around 45 fields that are pertinent,” he said – had helped threat-sharing efforts get well past the starting blocks.

Despite the government taking an early role in getting the cybersecurity ball rolling, individual private-sector companies were rapidly picking up the baton – heralding a new level of sharing that Duca believes will help private-public cybersecurity partnerships really start putting runs on the board in the fight against cybercrime.

“There are a lot of people in the private sector that have been doing amazing things,” he explained. “If we can get that into the hands of private organisations or the public sector, we can quickly create a standard. We've all got a role we can play.”


Stories by David Braue