Threat intelligence sharing is a hot topic right now, made all the more relevant by the series of high profile breaches that have plagued the retail industry since December. Target, Neiman-Marcus, Sally Beauty, Michael’s, Aaron Brothers… no doubt, more to come. These breaches have been covered by the media extensively, and there’s not much more I can add to the conversation, except this: Would there have been this ripple effect across the retail industry if all of these organizations had been sharing threat intelligence data all along?
According to an article in Reuters last week, the National Retail Federation is responding to the recent breaches by establishing an Information Sharing and Analysis Center, or ISAC, for the retail industry. This is a good move, as other industry groups – like the financial services industry with the FS-ISAC – have proven the value of threat sharing across and between organizations. But is it enough? And should threat sharing be limited to players within specific vertical industries?
While the retail industry is working to rebuild consumer trust, the government is trying to rebuild everyone’s trust in the aftermath of the NSA scandal. At the Kaspersky Lab Cybersecurity Summit recently, Department of Homeland Security secretary Tom Ridge said, “The security of both government and private enterprise systems going forward relies on the ability of those two parties to share threat, attack and compromise information on a real-time basis.” He went on to say that without this cooperation, “the critical infrastructure of the United States will continue to be ‘a target-rich environment’.” Those of us on the front lines of security in the private sector have known this for a long time, and now we can only hope the government holds up its part of the threat sharing equation.
To the retailers, I say: Sure, create the ISAC that will bring you all together to discuss and share threat data.
To the government, I say: Sure, encourage threat sharing between government agencies and the private sector.
And to both, I say: Challenge your security technology providers to make this threat sharing as easy and affordable as possible. That mandate needs to come from the top of the government and enterprise food chain on down. Big retailers have the big budgets to invest in security, and large government organizations do too. But the only way we can make the U.S. – and I would argue, the world – less of a “target-rich environment” for cyber criminals is for all organizations to have the proper security products and threat sharing capabilities in place. The determination of the retail industry and government to share threat data is all fine and good, but the technology at the heart of all this sharing needs to be within financial reach of all organizations, and it needs to facilitate this sharing easily.
Staying focused on the threat sharing piece of this, here’s the conundrum when it comes to threat intelligence: There’s vendor-created threat intelligence and customer-created threat intelligence. ‘Vendor-created’ is the data that comes from a vendor’s R&D lab and the supplemental data they might invest in. ‘Customer-created’ threat intelligence is the data that flows back to the vendor from installations of their product. Ironically, customers end up contributing valuable threat data back to their vendors, then end up having to pay for this collective intelligence when it’s time to renew their product license.
At AlienVault, the only threat intelligence that our USM customers pay for is the intelligence generated by our research team, the ‘vendor-created’ threat intelligence. They use a variety of tools and technologies to monitor, analyze, reverse engineer, and report on emerging threats including malware, botnets, phishing campaigns and more. This is original research, not the data collected through our Open Threat Exchange. The OTX threat data is free and available not only to our paid customers, but to our open source community of OSSIM users as well, and to anyone who takes advantage of some of the free services offered through our threat exchange.
Whether it’s the Open Threat Exchange or some other network that facilitates the collection, validation and dissemination of diverse, crowdsourced threat data, I hope the trend towards threat sharing continues, and I hope we can broaden it to span industries, market categories, and geographies. The ISACs are great, but we must not be myopic; you’ve got to believe the bad guys are thinking big and acting cross-industry. Like a neighborhood watch, we all need to be keeping an eye out for each other and sharing information that will help us better protect our businesses and even our lives.
Security industry: let’s lead the way. Let’s take that threat data we’re collecting through our products, combine it for greater insight, make it available without restriction, and give the bad guys a run for their money. Imagine how comprehensive our threat intelligence would be if even just FireEye, Symantec, Palo Alto Networks and Cisco got together – boy, you could cover the range of threat vectors.
I’m in. Join me?