DENVER – When it comes to information sharing, are companies too scared or too selfish to trade attack data?
A number of information security officers from high-profile companies debated the topic this week at the NG Security Summit and came to the conclusion that it’s a little bit of both.
Sharing of threat intelligence and real-world attack data has been the pot of gold at the end of the rainbow for this industry for more than a decade. Companies, however, are often reluctant to share information because it either hasn't been scrubbed, could give away a competitive advantage, or general counsel has barred them from discussing anything sensitive.
The result is an industry spinning its wheels on a topic that needs some traction. To give credit where credit is due, some organizations have publicly tried to lead the way. Google, The New York Times and a few others have been stung by targeted attacks and have gone the extra step to put information about indicators of compromise and potential attack sources out there for public consumption. But outside of a few formal sharing entities such as the Financial Services Information Sharing and Analysis Center, better known as FS-ISAC, there’s been very little in the way of positive movement forward.
The FS-ISAC, said panelist Brian Phillips, global head of information security for retailer Macy's, is trying to drive standards for information sharing by developing a common language for communicating threat data. While that may work for the financial services industry, more effort has to be put in for it to cross market boundaries. For example, data has to be sanitized so that victims aren't put at further risk and don't give up competitive secrets about their systems or processes.
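What that sanitization step looks like in practice, as an added example (this is not FS-ISAC's format, nor code from anyone on the panel): a small Python scrubber that takes a victim's internal incident record, lets only attacker-side indicators through (external IPs, C2 domains, file hashes), withholds anything that points back at the victim's own address space or domains, and redacts internal IPs, hostnames and usernames from free-text notes before they leave the organization. The record layout, field names, the `corp.example` internal domain, the constructed sample values and the choice of internal IP ranges are all assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample of an internal incident record. Field names and values are
# assumptions for this example, not any ISAC or Infragard schema.
INTERNAL_RECORD = {
    "incident_id": "IR-0042",
    "victim_hosts": ["fileserver01.corp.example", "10.20.30.40"],
    "affected_users": ["jsmith"],
    "attacker_ips": ["203.0.113.7", "10.20.30.1"],          # second one is an internal pivot host, not an attacker
    "c2_domains": ["update-check.example.net", "vpn.corp.example"],  # second one is the victim's own VPN
    "malware_sha256": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "analyst_notes": "Initial access via phishing to jsmith; pivot from 10.20.30.40 to fileserver01.corp.example",
}

# Only attacker-side indicator fields are ever copied out; victim hosts,
# affected users and raw notes never leave the organisation as-is.
SHAREABLE_FIELDS = ("attacker_ips", "c2_domains", "malware_sha256")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges treated as internal (assumption): RFC 1918, loopback and link-local.
# A real deployment would add the organisation's own public ranges here.
DEFAULT_INTERNAL_NETS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
)


def is_internal_ip(ip, internal_nets=DEFAULT_INTERNAL_NETS):
    """True if ip is in an internal range. Unparseable strings count as internal (unsafe to share)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in internal_nets)


def is_internal_host(name, internal_domains):
    """True if name is one of the organisation's own domains or a host under one."""
    return any(name == d or name.endswith("." + d) for d in internal_domains)


def scrub_text(text, internal_nets, internal_domains, usernames):
    """Replace internal IPs, internal hostnames and known usernames in free text with placeholders."""
    text = IPV4_RE.sub(
        lambda m: "[internal-ip]" if is_internal_ip(m.group(0), internal_nets) else m.group(0), text
    )
    for d in internal_domains:
        text = re.sub(r"\b[\w.-]*" + re.escape(d) + r"\b", "[internal-host]", text)
    for u in usernames:
        text = re.sub(r"\b" + re.escape(u) + r"\b", "[user]", text)
    return text


def sanitize(record, internal_nets=DEFAULT_INTERNAL_NETS, internal_domains=("corp.example",)):
    """Return (shareable record, list of withheld values).

    The shareable record holds normalised attacker indicators plus a scrubbed
    summary; the withheld list exists so an analyst can review what was cut.
    """
    summary = scrub_text(record.get("analyst_notes", ""), internal_nets,
                         internal_domains, record.get("affected_users", []))
    shared = {"indicators": {}, "summary": summary}
    withheld = []
    for field in SHAREABLE_FIELDS:
        kept = []
        for value in record.get(field, []):
            v = value.strip().lower()
            if field == "attacker_ips":
                ok = not is_internal_ip(v, internal_nets)
            elif field == "c2_domains":
                ok = not is_internal_host(v, internal_domains)
            else:
                ok = bool(SHA256_RE.match(v))   # hashes must be well-formed SHA-256 hex
            (kept if ok else withheld).append(v)
        if kept:
            shared["indicators"][field] = kept
    return shared, withheld


if __name__ == "__main__":
    import json
    shared, withheld = sanitize(INTERNAL_RECORD)
    print(json.dumps(shared, indent=2))
    print("withheld for analyst review:", withheld)
```

The allow-list design is the point: fields are copied out only if named in `SHAREABLE_FIELDS`, so adding a new internal field to the incident record can never leak it by accident, and the withheld list gives the analyst a chance to catch a genuine external indicator that was cut because it happened to sit in an internal range.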
“With retail, the challenge is that most of the companies we share with are direct competitors,” Phillips said. “From a security perspective, you have to get over that and share because we’re all facing the same challenges. There’s no way any of us will win the war on our own.”
Yonesy Nunez, senior vice president of information security for financial services giant Citigroup, said organizations take time to reach a comfort level before they share within the FS-ISAC, Infragard or other groups trying to facilitate these exchanges.
“You have to be in it; you’re not going to get much out of it if you don’t participate in the forums and take part,” Nunez said, also pointing to the need for some standardization to ease hesitation over sharing. “Infragard has one format, other groups have other formats. As a participant, you should agree on what updates or threat documents will look like so you can take actionable events into your environment.”
Trust is an underlying issue with information sharing, the panelists said.
“Trust has to be the issue. We have to trust one another and understand that information security is a common thing to our organizations and it would be mutually beneficial to all of us to participate,” said Kevin McKenzie, CISO at Clemson University. McKenzie said groups he participates in vet members up front and potential issues are ironed out beforehand. “You have to give to get. It happens [that some don’t participate, just take]. I don’t have an issue with it if the information can help keep their systems from being compromised.
“But security is a shared responsibility. We often close ranks when something happens on our network,” McKenzie said. “It should be the other way around. We should be willing to share and put it out there. You might be next and if you’re forewarned, you can prevent downtime or disclosure issues.”