Imagine that you are at a cricket match and a stray “6” heads straight for your friend's face who is sitting next to you. You may think at first “phew, thankfully that avoided me so I am not in danger!” but another thought could be “I'd better save my friend before he gets a black eye or concussion!” The lesson is: we are better protected when we work together. Whether it is being eagle-eyed at the leather ball heading straight for us or, in the case of cyber security, sharing threat data to make sure we know about the latest threats that our competitors and colleagues have faced.
Cyber security attacks are occurring every day and in the past year more than 90 percent of all US companies suffered some form of hack, even if they did not know it. It is estimated that $120bn worth of damage was caused to US companies alone and more than $1 trillion in intellectual property was stolen. There is only way to describe the situation – industrial scale cyber crime that is only getting worse. Although law enforcement agencies would claim that there is no way to prevent cybecrime, like organised drug dealing, millions of people could benefit from shared security knowledge. From what I have seen, the best example of this is in the global financial services community where there is a weekly conference call. Every Tuesday, the security leaders from across the financial services industry, many of them fierce competitors, get on a call and talk about the threats they are seeing and experiencing. This is a great example of how powerful it is to share - a case of strength in numbers. And it makes sense: after all, if you are walking down the street and someone robs you and then it happens again at the same place at the same time the following day, you might avoid it in future. This is how neighbour watch schemes came into existence and they have proven to be very effective.
Just like the case of saving your friend from a googly or the Tuesday call of CISOs from financial services heavyweights, effective security programs will alert other users, regardless of whether they are allies or competitors. This demonstrates the ‘power of the crowd,’ because in the security industry, it is not simply about one great expert, but rather the expertise of thousands of security practitioners who become the collective genius. And with the network of users and the community connected to the Open Threat Exchange (OTX) it can be done, and with near real-time threat intelligence sharing, it can be even more effective in preparing everyone for the inevitable and growing barrage of attacks.
Whilst collaborating on threat data in the infosec community, there are three things we can do: identify who is attacking me, so if there is an attack on one of us, we all know about the attack and attacker. This is one of the most effective ways that threat sharing can benefit the entire group. To take this a step further, individuals can share stories on how they were attacked and how they might prevent different methods of attack; and finally sharing what we did to overcome the attack through the use of tools, policies and procedures. This is all the more important given that cyber attacks are growing by more than 50 percent per year, and becoming every more sophisticated.
This idea, or at least the first element, is starting to take off. More companies are offering crowd-sourced threat data and trying to turn the threat data into threat intelligence. HP, among others has recently announced a similar offering, showing that the large vendors can try to do crowdsourcing, and all power to them; after all, they have sizeable networks of people and the diversity they have will likely bring value. However, companies like HP are constrained by the closed systems and customer communities that they support; while crowdsourcing threat data is a great idea, big security vendors certainly have not embraced the concept from the outset. In other words, this has not been built in to their product offerings or general philosophy of doing business. And to overcome this shortcoming, HP, Intel Security and others have started taking advantage of the threat intelligence being gathered and curated by becoming OTX partners.
Intrusion detection, vulnerability scanning, behavioural analysis, asset discovery and log management are security monitoring tools that were not designed to share threat data. Furthermore it is not easy to correlate threat data from the wide variety of security monitoring tools and create actionable threat intelligence. This is even more of a challenge for vendors with proprietary solutions since they often only have subset of the required data, and of course this does not reflect a typical network. Unless the threat data can be converted into actionable threat intelligence, it will always be of limited use. If you were a pilot or air traffic controller, this would be like only seeing some of the planes in the sky.
For open threat intelligence sharing to work correctly, there has to be an open and free collaboration platform where information security professionals across the world can come together and share information and threat knowledge. Without the users and vast amounts of threat data, there isn't much insight to be gained, nor can the threat data be curated into actionable threat intelligence. It takes time to establish this collaborative environment, and unfortunately most security vendors are not used to providing threat intelligence, regardless of the quality, for free.
The notion of a collaborative group sharing environment exhibits a logarithmic network effect and the chances are that someone in the network has already experienced the same cyber attack, so once an attack has been identified, the entire network of collaborators will be notified in near real-time. But this is not enough, we have to go further and encourage industry security professionals to proactively talk about how they were attacked and what tools and methods were used to remedy the situation. This concept has to be at the heart of the design for an open threat intelligence sharing platform, like OTX. More than 26,000 participate in over 140 countries, contribute more than 1 million threat indicators daily, providing the most comprehensive source of threat data that AlienVault’s security researchers curate to create valuable and actionable threat intelligence.
