Why threat intelligence means sharing more data

To better combat security threats, companies should share more information, but fear and greed are preventing that from happening

  • Getting organizations to overcome their reluctance to share detailed information outside their own borders will require more detailed, incremental programs of information sharing: ones that start with simple statistical sharing (like the Verizon VERIS framework) and then ramp up through programs of threat agent information (information about unsuccessful attack attempts, Indicator of Compromise data from discovered compromised hosts). Full sharing of material such as breach details, successful threat actor attribution and the like will logically remain within a more limited audience.
  • The technology for data sharing needs to adapt to enable more complex levels and methods of sharing. More ambitious standards for communicating shared data, while not immediately necessary for the early stages of an emergent sharing arrangement, serve to illustrate what is possible and encourage further expansion of sharing arrangements with the promise of more advanced security data analytics down the line. The current necessity of every organization rolling its own solution for consuming intelligence data highlights the need for ratified standards beyond plaintext and CSV for the communication and processing of data, and gives vendors a reason to support those standards, if only to add another checkmark to their product comparison feature lists.
  • Adoption of tokenization and anonymization techniques and standards that can be implemented without significant effort will be an important factor in allowing organizations to collaborate without undue legal or operational liability. Some level of assurance that the information shared will not (nay, cannot) be used directly against the contributing organization is a requirement only the most reckless would ignore.
  • As the range of data necessary to formulate effective, adaptive intelligence grows, intelligence that can be applied automatically within the security program and fuel the predicted wave of more advanced big data security research, formerly soft concepts such as exposures, attack surfaces and threat models will likely be absorbed into the area of semantic data processing (disclosure of bias: this is my own current area of research focus), with the goal of enabling some level of predictive processing to occur as security intelligence is consumed into the workflow.
  • The private sector information security world is continually re-treading a path taken by the defense intelligence community decades ago; but where HUMINT bears the greatest fruit in their world, SIGINT is key for ours. Moreover, in the private sector we have a more limited supply of actual, breathing Human Intelligence available to us: security analysts need these force multipliers to stand any chance of effectively cross-referencing the vast number of security markers pouring out of their monitoring systems (against even the most limited of security intel sources) into a stream of directly actionable information that can keep pace with the opposition.
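The tokenization point above is concrete enough to show in code. What follows is an added example, not code from the article or from AlienVault: a minimal sharing gateway that turns an internal Indicator of Compromise record into a form that can leave the organization. The field names, the key, the internal address ranges and the two sample detections are all constructed for illustration. The design makes three choices a practitioner would insist on: fields are allowlisted rather than denylisted, so an unanticipated field (ticket IDs, analyst notes) is dropped rather than leaked; identifying fields are replaced with a keyed HMAC pseudonym rather than a plain hash, because internal IPs and hostnames have so little entropy that an unkeyed hash can be reversed by enumeration, while the key still lets the contributor correlate its own submissions (same host, same token); and a final release gate refuses any record that still carries an internal address or hostname, even in a field that is supposed to describe the attacker.

```python
import hashlib
import hmac
import ipaddress

# Added example of a sharing gateway; field names and ranges are assumptions,
# not a schema from the article or any sharing standard.

# Fields that identify the contributing organization. Never released in the
# clear; replaced by a keyed pseudonym that stays stable for the same value.
PSEUDONYMIZE = {"victim_ip", "victim_host", "victim_user"}

# Fields that describe the adversary: the intelligence itself, passed through.
SHARE_VERBATIM = {"attacker_ip", "c2_domain", "sample_sha256", "first_seen"}

# What this (constructed) organization considers internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)


def pseudonym(org_key: bytes, field: str, value: str) -> str:
    """Keyed, non-reversible token for a low-entropy internal value.

    HMAC-SHA256 under a key the contributor never shares: a recipient cannot
    enumerate RFC 1918 space and match hashes back to hosts, but the
    contributor sees the same token every time the same host reappears.
    The field name is bound into the input so an IP token can never be
    compared against a hostname token for the same string.
    """
    mac = hmac.new(org_key, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def sanitize_for_sharing(record: dict, org_key: bytes) -> dict:
    """Shareable form of one IoC record: allowlist, not denylist."""
    shared = {}
    for field, value in record.items():
        if field in SHARE_VERBATIM:
            shared[field] = value
        elif field in PSEUDONYMIZE:
            shared[field] = pseudonym(org_key, field, str(value))
        # Anything else (ticket IDs, analyst notes, free text) is dropped;
        # unknown fields are the usual route for an internal detail to leak.
    return shared


def release_gate(shared: dict) -> bool:
    """Final check before a record leaves the organization.

    Returns False if any value is an internal address or hostname, including
    an 'attacker' that is really an internal pivot host recorded during
    lateral movement. Non-IP values fall through the address check.
    """
    for value in shared.values():
        text = str(value)
        if text.endswith(INTERNAL_SUFFIXES):
            return False
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            return False
    return True


# Constructed sample: two detections on the same compromised workstation.
ORG_KEY = b"per-organization secret, rotated with the sharing agreement"
DETECTIONS = [
    {"victim_ip": "10.20.30.40", "victim_host": "ws-0417.corp.example",
     "victim_user": "jdoe", "attacker_ip": "203.0.113.7",
     "c2_domain": "update-cdn.example.net", "sample_sha256": "a" * 64,
     "first_seen": "2012-09-14T03:12:00Z", "ticket": "IR-2291",
     "analyst_notes": "found via the CFO's mailbox"},
    {"victim_ip": "10.20.30.40", "victim_host": "ws-0417.corp.example",
     "victim_user": "jdoe", "attacker_ip": "203.0.113.9",
     "c2_domain": "update-cdn.example.net", "sample_sha256": "b" * 64,
     "first_seen": "2012-09-15T11:40:00Z", "ticket": "IR-2291"},
]


def prepare_feed(records, org_key=ORG_KEY):
    """Sanitize each record and keep only those that pass the release gate."""
    feed = []
    for rec in records:
        shared = sanitize_for_sharing(rec, org_key)
        if release_gate(shared):
            feed.append(shared)
    return feed


if __name__ == "__main__":
    for rec in prepare_feed(DETECTIONS):
        print(rec)
```

Run as a script it prints the two sanitized records; the `victim_*` fields appear as identical sixteen-character tokens in both, the attacker indicators pass through untouched, and the ticket and notes fields are gone. Truncating the HMAC to 64 bits is a deliberate trade: enough to keep tokens unique across one organization's submissions, short enough not to look like an IP or hash to downstream parsers. If two organizations ever want to discover that they were hit through the same host, they need a shared key or a trusted third party; with per-organization keys, as here, that is impossible by construction, which is the assurance the bullet above asks for.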

We've spent well over a decade now debating the need for more shared security data as the sanest way to raise the cost of entry and lower the return on investment for criminals and spies alike. In the last year, we've seen this idea go from a murmur to a party line, as even the most unlikely of sources take up the rallying call. The issue is far from settled, however, and an implementation worthy of the promise has yet to be created. What is important is that efforts are now underway to improve the situation: people are being convinced to give this idea a try and see for themselves whether it succeeds or not.

"Fail Early, Fail Fast, Fail Often" is a popular idea in the Agile Of All Things nowadays; let's see it applied to more attempts at making the promise of a shared pool of security data arrive while we're all still in business to see it.

Conrad Constantine is a Research Team Engineer at AlienVault. Over the last decade and a half, Constantine has been on the front lines of defense work in telecom, medical and media corporations, not least being at ground zero for the 2011 RSA breach. He is a firm believer that incident response must become an accessible and effective discipline, available to all. He's striving to bring the mysteries of open source intelligence generation, and defensive agility, to those willing to take the leap from fear to action -- mostly via the medium of code (with Visio diagrams thrown in for good measure).

This story, "Why threat intelligence means sharing more data" was originally published by CSO.


Copyright © 2012 IDG Communications, Inc.
