The Case for Information Security Sharing

2015 might be the year that threat intelligence is finally taken seriously. The community has been abuzz recently over several bills making their way through committees in the House and Senate this week that focus on the need for increased information sharing, both between organizations and with the federal government. Coincidentally aligned with the nation's largest security conference happening this week (RSA), Congress will hopefully come to agreement on a framework, albeit a light one, for information sharing, and on legal protection for those who choose to share.

While these bills have a long way to go, I certainly think they are a step in the right direction to help promote visibility into an intricately complex issue that many organizations are bumping up against. The need for infosec data sharing seems to have reached critical mass: most organizations have little visibility into what types of attacks are being used against their industry peers and, more importantly, against other organizations with similar network topologies and application stacks. Many subscription-based threat intelligence feeds have come to market over the past few years and are positioning themselves as a solution to bridge these visibility gaps. Unfortunately, these feeds often have limited value. The data is typically specialized by industry or vertical, and beyond adding visibility and context in a SIEM, incorporating it into preventative toolsets requires manual processes, so much of the value of this time-sensitive data is lost.

Some products address this issue by incorporating the threat intelligence data collected across their customer base and automatically providing it to the rest of their customers. Solutions like these unfortunately operate in a closed ecosystem, resulting in valuable information being compartmentalized within a single toolset or system. In a perfect world this critical data would be shared across platforms in real time, and even with other organizations, for the greater good of security. In reality, as there is little financial incentive for vendors to build this level of integration between competing technologies, we will continue to see significant visibility gaps.

This is where some emerging frameworks and toolsets such as STIX, YARA, OpenIOC, and TAXII come into the picture. These solutions help organizations share both IOC data and higher-level threat intelligence with each other in a standardized format. Roughly, STIX and OpenIOC describe indicators and their context, TAXII transports STIX content between parties, and YARA expresses file and memory patterns. As these technologies have not been widely adopted and some overlap with one another, IOC and threat intelligence data sharing on these platforms becomes a bit murky, especially once you factor in a researcher's personal preference for a particular toolset.
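
As an added example (not code from the original post or from any of the projects named above), the following script shows what the automation gap described in the two paragraphs above looks like once closed: a shared indicator set arrives in a standardized format, here a STIX 2.1 JSON bundle, and is consumed directly by detection logic rather than being hand-copied into a blocklist. The bundle, the proxy log lines, the indicator IDs and the log field layout are all constructed for this example; the mapping from STIX object paths to log fields is an assumption of the example, and only the equality-with-OR subset of the STIX pattern language is supported. Indicators the consumer cannot interpret are reported rather than silently dropped, which is the failure mode you most want to notice when ingesting a feed.

```python
"""Ingest a STIX 2.1 indicator bundle and match its patterns against proxy logs.

Constructed example: the bundle, the indicator IDs and the log lines below are
made up for illustration and do not come from any real feed or environment.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed STIX 2.1 bundle standing in for a shared feed (not from any real source).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--3c5a1e4e-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--3c5a1e4e-0000-4000-8000-000000000002",
            "created": "2015-04-20T00:00:00.000Z", "modified": "2015-04-20T00:00:00.000Z",
            "name": "Constructed beaconing domains", "pattern_type": "stix",
            "pattern": "[domain-name:value = 'c2.example.invalid' OR domain-name:value = 'cdn.example.test']",
            "valid_from": "2015-04-20T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--3c5a1e4e-0000-4000-8000-000000000003",
            "created": "2015-04-20T00:00:00.000Z", "modified": "2015-04-20T00:00:00.000Z",
            "name": "Constructed C2 address", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.23']",
            "valid_from": "2015-04-20T00:00:00Z",
        },
        {
            # Uses a MATCHES comparison, which this consumer deliberately does not support.
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--3c5a1e4e-0000-4000-8000-000000000004",
            "created": "2015-04-20T00:00:00.000Z", "modified": "2015-04-20T00:00:00.000Z",
            "name": "Constructed regex indicator", "pattern_type": "stix",
            "pattern": "[url:value MATCHES 'gate[.]php']",
            "valid_from": "2015-04-20T00:00:00Z",
        },
    ],
})

# Constructed proxy log lines: timestamp src_ip dst_ip host url status (an assumed layout).
SAMPLE_LOGS = """\
2015-04-21T10:02:11Z 10.0.0.5 203.0.113.9 www.example.org http://www.example.org/ 200
2015-04-21T10:02:14Z 10.0.0.5 198.51.100.23 c2.example.invalid http://c2.example.invalid/beacon 200
2015-04-21T10:03:01Z 10.0.0.7 203.0.113.40 CDN.example.test http://cdn.example.test/a.js 304
2015-04-21T10:04:30Z 10.0.0.9 198.51.100.23 198.51.100.23 http://198.51.100.23/upd 200
"""

# Which log field each STIX observable path is compared against (assumption of this example).
FIELD_FOR_PATH = {"domain-name:value": "host", "ipv4-addr:value": "dst_ip", "url:value": "url"}

# One comparison of the form  object-type:property = 'literal'
_TERM = re.compile(r"^\s*([\w-]+:[\w.]+)\s*=\s*'([^']*)'\s*$")


def parse_pattern(pattern: str) -> List[Tuple[str, str]]:
    """Parse the subset of STIX patterns this example understands: a single
    observation expression of equality comparisons joined by OR.

    Anything else (AND, MATCHES, multiple observation expressions, ...) raises
    ValueError so the feed consumer can flag it instead of matching nothing."""
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError(f"unsupported pattern shape: {pattern}")
    terms = []
    for term in pattern[1:-1].split(" OR "):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported comparison: {term.strip()}")
        terms.append((m.group(1), m.group(2)))
    return terms


def load_indicators(bundle_json: str) -> Tuple[Dict[str, List[Tuple[str, str]]], List[str]]:
    """Return (indicator_id -> parsed terms) for usable indicators, plus the IDs skipped."""
    bundle = json.loads(bundle_json)
    usable, skipped = {}, []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("revoked"):          # revoked indicators must not generate alerts
            continue
        try:
            usable[obj["id"]] = parse_pattern(obj["pattern"])
        except ValueError:
            skipped.append(obj["id"])
    return usable, skipped


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one constructed proxy log line into named fields; hostnames are case-folded."""
    ts, src_ip, dst_ip, host, url, status = line.split()
    return {"ts": ts, "src_ip": src_ip, "dst_ip": dst_ip, "host": host.lower(), "url": url, "status": status}


def match_logs(indicators: Dict[str, List[Tuple[str, str]]], log_text: str) -> List[Tuple[int, str, str, str, str]]:
    """Return (line_no, src_ip, indicator_id, path, value) for every indicator hit per log line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_log_line(line)
        for ind_id, terms in indicators.items():
            for path, value in terms:
                field = FIELD_FOR_PATH.get(path)
                if field is None:
                    continue           # observable type we have no log field for
                wanted = value.lower() if field == "host" else value
                if rec[field] == wanted:
                    hits.append((lineno, rec["src_ip"], ind_id, path, value))
                    break              # at most one hit per indicator per line
    return hits


if __name__ == "__main__":
    usable, skipped = load_indicators(SAMPLE_BUNDLE)
    for ind_id in skipped:
        print(f"WARNING: could not interpret pattern for {ind_id}; review manually")
    for hit in match_logs(usable, SAMPLE_LOGS):
        print("HIT line %d src=%s indicator=%s %s=%s" % hit)
```

The skipped-indicator warning is the part worth keeping in any real consumer: a feed that delivers a pattern your tooling cannot evaluate looks identical to a feed that delivers nothing unless you surface it.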

We need a standardized method of exchanging threat intelligence and vulnerability information across organizations and between toolsets. In practice, most companies still do not use threat intelligence services, let alone contribute to them. Anything we can do to automate the process of sharing information is a good thing. While data sharing is a complex issue, some of the best strategies are the simplest: by building meaningful relationships with industry peers at other organizations and fostering a culture of collaboration within your team, you will greatly increase the effectiveness of your security program.
