In a world where threat actors collaborate with one another and cyber attacks can disrupt critical infrastructure, such as the electric grid, enterprises and governments need to find better ways to share threat information. Several recent steps by the U.S. federal government will help, but alone are insufficient. Enterprises will still need to improve how they operationalize threat intelligence if they’re to improve their security posture.
Big Government Leads The Way
Today, the US and Israel are due to sign a bilateral threat sharing program involving co-operation between their Computer Emergency Response Teams. The exchange will include the sharing of vulnerabilities, attacks and (importantly) mitigation strategies in “near real time.” John Leyden at the Register has more details.
The move is part of a broader effort to share threat information. The Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has been set up to serve as the department’s hub of information sharing activities to increase awareness of vulnerabilities, incidents, and mitigations.
Those efforts are not aimed solely at the federal government; they also seek to engage the private sector. The Cybersecurity Information Sharing Act of 2015 now requires the Director of National Intelligence and the Departments of Homeland Security (DHS), Defense, and Justice to develop procedures for sharing cybersecurity threat information with the private and public sectors.
The DHS is also overseeing the transition of its threat-sharing specifications to OASIS, which will develop and promote standards that let cyber threat intelligence be analyzed and shared among trusted partners and communities. That work will evolve the STIX, TAXII, and CybOX specifications to support automated analysis and sharing of threat information for situational awareness, real-time network defense, and more sophisticated threat characterization and response.
The US government’s Executive Order 13691 will help expand the use of Information Sharing and Analysis Organizations (ISAOs). Companies in some industries, such as financial services, energy, and aviation, join Information Sharing and Analysis Centers (ISACs) to share threat information. Not all sectors are covered by those entities, however. Efforts are being made to establish ISACs for other industries. TechCrunch’s Daniel Ridel has an excellent piece about the area.
We Need The Right Tools
Better threat information sharing is long overdue, but it’s not enough. Just as critical is providing the tools and technologies to leverage that information.
Enterprise security operations teams consume threat intelligence through Threat Intelligence Platforms (TIPs), such as those from ThreatConnect, Anomali, and ThreatQuotient. All too often, though, use of these platforms is limited to tier-2 specialists, such as threat investigators. The front-line security analysts, the ones expected to triage alerts and identify threats, rarely have access to threat intelligence at all. Yet it is these individuals who need those insights to decide whether a security alert is worth investigating – or not.
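To make the two points above concrete, here is an added example (not code from the original post, nor from any of the vendors or standards bodies it names) of what "making threat intel available to the front line" looks like in practice: a small Python script that parses indicators out of a STIX 2.1 bundle of the kind a TIP exports, and uses them to enrich and prioritise raw SIEM alerts so a tier-1 analyst sees immediately which alerts touch known-bad infrastructure. The bundle, the alerts and the field mapping are all constructed sample data; the pattern matcher is deliberately limited to the flat `[type:property = 'value']` comparison form (optionally joined with `OR`), which is the shape most IP and domain indicators take, and it rejects anything it does not understand rather than silently mis-matching. It also honours each indicator's validity window, because stale indicators are a common source of false positives once an address or domain has been reassigned.

```python
"""Triage SIEM alerts against STIX 2.1 indicators (added, constructed example)."""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Sample bundle in the shape a TIP export might take. Constructed data:
# the addresses and domains are documentation ranges, not real indicators.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--2b9f0d0e-4f3b-4c4a-9a51-1e0b6d1f0001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--2b9f0d0e-4f3b-4c4a-9a51-1e0b6d1f0002",
         "created": "2016-01-04T10:00:00.000Z", "modified": "2016-01-04T10:00:00.000Z",
         "name": "C2 address from phishing wave", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "valid_from": "2016-01-04T10:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--2b9f0d0e-4f3b-4c4a-9a51-1e0b6d1f0003",
         "created": "2016-01-05T10:00:00.000Z", "modified": "2016-01-05T10:00:00.000Z",
         "name": "Fake CDN domains used for payload staging", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.net' OR domain-name:value = 'cdn.example.org']",
         "valid_from": "2016-01-05T10:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--2b9f0d0e-4f3b-4c4a-9a51-1e0b6d1f0004",
         "created": "2015-03-01T00:00:00.000Z", "modified": "2015-03-01T00:00:00.000Z",
         "name": "Old scanner address, since reassigned", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.20']",
         "valid_from": "2015-03-01T00:00:00Z", "valid_until": "2015-09-01T00:00:00Z"},
    ],
})

# Sample alerts as a SIEM might emit them (constructed data).
ALERTS = [
    {"id": "A-1", "rule": "outbound connection", "dst_ip": "203.0.113.7"},
    {"id": "A-2", "rule": "dns query", "domain": "cdn.example.org"},
    {"id": "A-3", "rule": "outbound connection", "dst_ip": "198.51.100.20"},
    {"id": "A-4", "rule": "dns query", "domain": "intranet.example.com"},
]

# Alert field -> STIX observable property. An assumed mapping for this SIEM.
FIELD_MAP = {"dst_ip": "ipv4-addr:value", "domain": "domain-name:value"}

# One STIX comparison expression: object-type:property = 'literal'
COMPARISON = re.compile(r"([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'")


def _ts(value: str) -> datetime:
    """Parse a STIX timestamp (UTC, optional fractional seconds) into an aware datetime."""
    value = re.sub(r"\.\d+Z$", "Z", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_indicators(bundle_json: str) -> List[dict]:
    """Pull STIX indicators out of a bundle into a flat, matchable form."""
    indicators = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # relationships, malware objects, sigma/yara patterns: out of scope here
        body = obj["pattern"].strip()
        terms = COMPARISON.findall(body[1:-1]) if body.startswith("[") and body.endswith("]") else []
        if not terms or " AND " in body:
            raise ValueError(f"unsupported pattern in {obj['id']}: {body}")
        indicators.append({
            "id": obj["id"], "name": obj.get("name", ""), "terms": terms,
            "valid_from": _ts(obj["valid_from"]),
            "valid_until": _ts(obj["valid_until"]) if "valid_until" in obj else None,
        })
    return indicators


def is_active(indicator: dict, now: datetime) -> bool:
    """Respect the validity window: an expired indicator must not raise priority."""
    if now < indicator["valid_from"]:
        return False
    return indicator["valid_until"] is None or now < indicator["valid_until"]


def matches(indicator: dict, observables: Dict[str, str]) -> bool:
    """OR-joined comparisons: any term equal to an observed value is a hit."""
    return any(observables.get(f"{t}:{p}") == v for t, p, v in indicator["terms"])


def triage(alerts: List[dict], indicators: List[dict], now: Optional[datetime] = None) -> List[dict]:
    """Enrich each alert with the still-valid indicators it matches, plus a priority."""
    now = now or datetime.now(timezone.utc)
    active = [ind for ind in indicators if is_active(ind, now)]
    results = []
    for alert in alerts:
        observables = {FIELD_MAP[k]: v for k, v in alert.items() if k in FIELD_MAP}
        hits = [ind for ind in active if matches(ind, observables)]
        results.append({"alert_id": alert["id"], "priority": "high" if hits else "low",
                        "matched": [ind["id"] for ind in hits],
                        "context": [ind["name"] for ind in hits]})
    return results


if __name__ == "__main__":
    for row in triage(ALERTS, parse_indicators(STIX_BUNDLE), now=_ts("2016-02-01T00:00:00Z")):
        print(row)
```

Run as-is, A-1 and A-2 come back `high` with the indicator name attached as context for the analyst, while A-3 stays `low` even though its address appears in the feed, because that indicator's `valid_until` has passed. In a real deployment the bundle would be fetched from the TIP over TAXII and the enrichment would run inside the SIEM or SOAR pipeline, but the decision logic the front-line analyst needs is no more than this join plus the validity check.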
As organizations look to share threat information with one another, they must pay equal attention to sharing it among the members of their own security teams. Only by putting platforms in place that make threat intel readily available to the entire security team will organizations realize their ultimate goal: a smarter, more robust cyber defense.