Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

9/6/2018
10:30 AM
Jonathan Couch
Commentary

Understanding & Solving the Information-Sharing Challenge

Why cybersecurity threat feeds from intel-sharing groups diminish in value and become just another source of noise. (And what to do about it.)

Cybersecurity information sharing is not a new topic. In fact, we've been talking about it for years. We know we should share information and we expect others to as well. We even see pockets of success, typically among peers who are in the same industry and have a personal or long-term business relationship. They have established a level of trust that allows them to feel comfortable exchanging information that is truly useful.

However, when we try to scale that type of exchange through government and industry groups that exist to promote and facilitate information sharing, we're less successful. At a corporate level, because of real or perceived liabilities, organizations often aren't as willing to share as individuals are, so information sharing on a broader scale, in a way that really benefits larger communities of defenders, hasn't taken off. The quantity of active participants and the quality of information shared simply are not there to allow many of these exchanges to work as effectively as intended.

Quality and Quantity: A Cycle of Diminishing Value
Many organizations treat information sharing as another check box. They want to be part of an industry-specific Information Sharing and Analysis Center (ISAC) or a government sharing group, such as the Department of Homeland Security's Automated Indicator Sharing capability or the UK's Cyber Security Information Sharing Partnership. But they haven't set up an internal program to identify the type of information their organization can share and how they will share it. Instead, they are focused on receiving information that others share. Eventually, and because sharing groups have guidelines they enforce, organizations will begin to share. But this raises the issue of quality.

As group membership grows, trust weakens, and many organizations are less comfortable sharing information that they have personally found to be of value — for example, from a breach they faced. Instead, organizations tend to share indicators of compromise such as IP addresses and domains. Information sharing becomes automated, with little or no context and sometimes regurgitated from another source. Without context, other participants don't know if the information is relevant to their organization and should be prioritized. This creates a waning interest in the sharing group as members become overwhelmed with quantity and lack of quality. The threat feed from this intelligence-sharing group diminishes in value and becomes another source of noise.

Groups that can overcome the quality hurdle and find ways to share rich, contextual threat intelligence within communities of interest often rely on the largest members to initially fill the queue with shared intelligence. The hope is that as time goes on, the smaller companies will begin to share as well. This rarely happens, though. Only the more progressive, smaller companies with more developed threat operations programs are able to share high-value information, with the remainder acting primarily as consumers. As a feeling of inequality spreads, the entire sharing construct eventually falls apart.

Breaking the Cycle: 3 Steps
But it isn't all gloom and doom. In fact, there are three areas where we can focus to strengthen information sharing and allow it to deliver value at scale as intended.

Step 1. Establish information sharing and consumption programs.
Organizations need to understand what they can share from a legal and compliance perspective. This will allow them to strike a balance so they don't overreact and shut down sharing, but also don't inadvertently share something that is proprietary or protected under privacy laws. With clear guidelines, security teams can do better at providing high-quality information with context and relevance. They also need to understand what they are going to consume and how they will use it. This will ensure they're doing their part to derive value from the intelligence they receive and not suffer from data overload and waste valuable resources.

Step 2. Monitor for quality.
As information-sharing groups have grown, a surge in automated sharing of tactical information has become their downfall. Sharing groups must monitor information for quality. It must be curated to ensure there is value in passing it along to other members, either as "known bad" or packaged with context so that recipients can determine relevancy within their own environments.

Step 3. Devise ways for all to participate.
The writing is on the wall: Measuring success by numbers isn't the path to more effective information sharing. To maintain quality and balance quantity, we need to consider forming subgroups with trust built into them. At the same time, smaller organizations also need access to high-value threat information. We must accept that at least initially, they may not be able to contribute much information and will mostly be consumers.

A two-pronged approach can help to address their needs. First, smaller organizations should join or create their own industry-specific sharing community and then actively participate in sharing contextual, relevant intelligence that they have seen on their network. In turn, this will help larger industry sharing groups be more successful at protecting the industry as a whole — including the smaller companies that are part of their ecosystem. Second, small organizations that contract with managed security service providers (MSSPs) should rely on their providers to offer such intelligence. This community defense model is often part of the promise MSSPs make to their customers, so smaller companies should make sure their vendor is delivering.

As we break the cycle of diminishing value by getting a handle on the quantity/quality challenge, information exchanges will begin to thrive. Finally, we'll be able to do less talking and more sharing.


As Senior VP of Strategy of ThreatQuotient, Jonathan Couch utilizes his 20+ years of experience in information security, information warfare, and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in ...

Comments
Marilyn Cohodas,
User Rank: Strategist
9/7/2018 | 1:47:20 PM
Quality and Quantity
Great point about the disparity between the quantity of active participants and the quality of information they share, and how important it is for the industry to devise ways where all organizations -- large and small -- can participate.