Drowning in danger notice? Stop sharing so much, the professionals at InfoSec said

Drowning in danger notice? Stop sharing so much, the professionals at InfoSec said

There is no shortage of cyber security experts who urge InfoSec professionals to share more threat information with colleagues, competitors and governments.

But the head of a threat sharing platform said at the annual RSA conference this week that the right information would have to be collected, shared and implemented or the effort would be wasted.

"We made some misconceptions about information sharing," said Michael Daniels, CEO of Cyber ​​Threat Alliance.

"As a result the foundation of most of our information sharing efforts is flawed. Since the foundation is flawed, the resulting activity suffers from some fundamental weaknesses," he said.

Arguably the biggest assumption is that the information needed to be shared is technical, such as an indicator of compromises and malware hashes. This data is usually shared through the STIX (Structured Threat Information Expression) language. But, Daniel said, cybersecurity relies on more than technical data. For example, the fact that an application needs to be patched is not technical.

The second assumption is that all organizations should share the technical data they collect. But, Daniel said, most IT departments cannot produce or consume technical data. In fact, many organizations - such as nonprofits - are bad at it.

And third, information sharing is not easy. The fact that the Cyber ​​Threat Alliance was to be formed is evidence, he argued. "If you want to share speed, scale and high quality at a time, then connecting pipes is not enough."

In Canada, one of the most well-known Threat Sharing platforms is the Canadian Cyber ​​Threat Exchange. Others include the National Computer Incident Response Center and the Threat Center for Profit. Some industries provide them, such as the North American Center for Electrical Information Sharing and Analysis, U.S. One of several ISACs.

Daniel, who used to be the White House cybersecurity coordinator on the US National Security Council during the Obama administration, argued that there are four types of threat notice:

Technical (malware hashes, IP addresses etc.).

Strategic (information about specific instances of malicious activity, such as a threat actor targeting a specific organization or region. This information is used to make adjustments to network configurations, or devices on the network).

Operational (helps senior personnel make system-wide decisions such as how often to patch. This includes reporting vulnerabilities and security errors in the software, characterizing the attacker, defensive measures to minimize exploitation).

Strategic (Rise of ransomware, or data to be followed by a nation-state. It will also include best practices. This type of information is aimed at the most senior personnel).

Within those categories, Daniel identified 11 types of threat information. However, he stressed that not all organizations can handle them all.

In fact, he argued, most organizations only need to make certain cybersecurity decisions. As a result, they should ask two questions about the threat information they collect and use: Is it relevant to their business model? And can it be used to create a comparative advantage with competitors?

"If you can't drive the value of sharing directly to the business needs of the organization then it won't work," he said.

Creators of hazard information will also have to think about what they are good at and leave the rest to other suppliers. For example, governments are good at gathering their intelligence. They should not distribute technical information such as indicators of compromise, which can be improved by security vendors.

Daniel said that if the threat information you are getting right now is not helping protect your organization, then it is probably not the right type for your needs. Find new sources

"New sources can make you aware of the dangers quickly, or make it easier for you to find out if there is a danger that could affect you," he explained.

No one else is better, he said. Perhaps the best step is to reduce the number of threat information sources. This can free up resources, making it easier for business operations to add threat information more effectively.

He said that the leaders of InfoSec should formulate a plan that knows the most useful risk for the least burden.

Cyber ​​threat information (CTI) suppliers need to find ways to incorporate best practices such as non-technical information.

Affected by bad perceptions, Daniel said, "Information sharing is an important and even important element in effective cyber security."

"However, if we change our assumptions and work on the basis that CTIs contain many different types of complex information, then relevance and comparative advantage must be shared and that sharing will require long-term investment , Then we will be able to share and live up to our promise.