Earlier this week, Microsoft unveiled Interflow, a platform for real-time sharing of information about cyber security threats. It's a great idea, but it raises a question: What kept this from coming along sooner?
In the abstract, the idea's quite wise: a common platform and methodology for getting word out about security issues for all the folks who perform security research and break news about threats. Microsoft describes Interflow as "an engine designed and built for the greater good of the community," so members of Interflow can pass around samples of suspected malware, share info on malicious URLs, and pool their talents in other ways.
The protocols used for swapping data on Interflow are based on a slew of existing standards for exchanging threat information: STIX (Structured Threat Information eXpression), TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression standards). In other words, it's not based on Microsoft's own creations, though Interflow is partly an outgrowth of work Microsoft has done with MAAP (Microsoft Active Protections Program) -- also devised to allow security software firms to coordinate information.
Adam Kujawa, head of malware intelligence for antimalware software firm Malwarebytes, spoke highly of the project. "The biggest problem with intelligence sharing is knowing what to do with it," he said in an email. "In specific cases [such as] researchers creating threat profiles on specific target, those groups can use targeted intelligence to protect users and understand the threats that are out there. In other cases, however, the flow of information is too great and it becomes difficult to discern exactly what is important and what isn't. Microsoft seems to have taken this fact into consideration and allowed for specialized intelligence to be gathered using their Azure cloud technology with plug-ins that gather and output the intelligence in the forms that are most useful to the users."
InfoWorld's Roger Grimes has previously spoken out about the need to share threat data through a common platform, perhaps through a mechanism akin to the threat-sharing data used by retailers. But in his view, "Most companies don't want to give away such telemetry for free. Information is power. When a security company has that information, it's going to be better at protecting us from those threats than we would be on our own."
Perhaps, then, it falls to Microsoft to make this happen. That might seem off-base given Microsoft's rep on issues like the unimpressive performance of its Security Essentials products (apparently by design) and the seemingly nonstop parade of security problems with Internet Explorer. But it has also helped shut down criminal botnets (albeit criticized as a mere PR move) and contributed to the Core Infrastructure Initiative, which ensures that critical security projects like OpenSSL get the funding and personnel they need.
To Kujawa, an initiative like this hasn't happened sooner because "people who have been running our current tech businesses for so many decades hold the principal of competition close to their hearts." Problem is, they're now faced with enemies that will use that divisiveness against them. "It hasn't happened sooner," he wrote, "because we didn't want to admit it was what needed to happen until now."
While the data formats it uses may be open, Microsoft still holds the leash on the project, which could become a sticking point. Users need a Microsoft Azure subscription to participate in Interflow, if only for Microsoft to keep the threshold for participation respectably high. InfoWorld's J. Peter Bruzzese believes the security community as a whole will have a hard time trusting Microsoft with stewardship of such a project, though the company is in a prime position to support it -- at least, for its own platforms.
Kujawa further notes that having Interflow on Azure isn't just about allowing Microsoft to control the experience; it's also a way for Microsoft to monetize the project in the long term. "Utilization of this service is probably going to be limited to those who can afford it, namely corporations rather than individual users," he wrote.
This story, "Microsoft's Interflow should've happened sooner," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.