Microsoft earlier this week published a 25-page framework offering guidance on how to effectively share information and what kinds of information need to be shared in order to reduce overall risk.
Information sharing has been an oft-repeated refrain in security and policy-making circles for the better part of the last decade. There have been draft bills, sharing platforms and every kind of appeal, encouragement and assurance; yet there has also been quiet mutterings that organizations simply do not want to share information for a variety of reasons, not limited to competition concerns and personal embarrassment. In theory, sharing information and building a sort of defensive cooperative seems simple enough. However, the reality is that we are still talking about threat information sharing like it isn’t happening despite the fact that it’s a perpetual topic of discussion at nearly every corporate and government security conference.
Microsoft’s framework seeks to define all the parties that need to be involved in any comprehensive information sharing exchange as well as the types of information that those groups need to be sharing. In addition to knowing with whom to share what information, Microsoft’s document offers insight into designing methods, mechanisms and models for data sharing exchanges.
Broadly speaking, Microsoft advises that organizations develop an overarching strategy for information sharing and collaboration with built-in privacy protections and a well-established governance processes. Sharing, they say, should focus on actionable threat, vulnerability and mitigation information. Organizations need to build relationships in order to enable voluntary, trust-based information sharing, whereas mandatory sharing should remain limited. Once information is being shared, companies must ensure they are using that information to its full potential. Beyond these, Microsoft says their needs to be a voluntary, global exchange of emerging best practices.
Perhaps not quite as broadly as best practices, Microsoft is encouraging that information-sharing exchanges of varying degrees of openness discuss successful attacks, including the information lost, techniques used, intent, and impact. They should also trade information about potential future threats and exploitable vulnerabilities and ways of mitigating bugs ahead of patch releases. Executive-level situational awareness, which could allow organizations to respond more quickly to attacks as well as strategic analysis of threats face and information sought by attackers should be shared too.
Microsoft says there are basically six categories of people to include in exchanges: governments, private critical infrastructure firms, enterprises, information technology, security companies and security researchers.
Microsoft encourages efforts by policymakers to construct legislation that would encourage information sharing. However, trust between those incorporated into information sharing exchanges, the computer company says, is critically important.
“Laws can compel incident reporting,” Microsoft notes, “but they do not increase trust or collaboration nor do they reduce risks.”
Exchange models can be voluntary or mandatory, though Microsoft explains that the former is the richer model. Microsoft favors voluntary sharing models because they serve to increase the level of trust between partners. On the other hand, mandatory models could shift the focus from smart collaborative defense to companies merely reporting threat-related information for the sake of reporting it because they are required to do so.
Microsoft publishes guidance on establishing and operating threat information sharing exchangesTweet
In terms of exchange methodology, organizations and groups thereof need to consider the level of formality of their network. Formal exchanges are generally based on contractual or non-disclosure agreements while less formal, ad hoc exchanges are generally event-specific. Subsets of formalized exchanges will be necessarily based on security clearance levels while less formalized groups of like-minded organizations can share information with one another based entirely on trust within the group.
“High-quality strategic information can help to project where the next classes of cyber-threats may come from and to identify the incentives that could motivate future attackers, along with the technologies they may target,” Microsoft says. “Additionally, strategic analysis can help put incidents into a broader context and can drive internal changes, enhancing the ability of any public or private organization to update risk management practices that reduce its exposure to risk.”
Information sharing, Microsoft’s Cristin Goodwin and J. Paul Nicholas explain, is not merely a human-to-human exercise but must also be automated between machines to some degree.
“Among security professionals, there is currently a lot of focus on developing systems that automate the exchange of information,” Microsoft wrote. “It is believed that such systems enable actors not only to identify information important to them more quickly, but also to automate mitigations to threats as they occur.”