Much like the Year of PKI that has never come to be, information sharing has been one of security’s more infamous non-starters. While successful in heavily siloed environments such as financial services, enterprises industry-wide are hesitant to share threat and security data for fear of losing a competitive edge or exposing further vulnerabilities.
Microsoft hopes the latest tweak to its Microsoft Active Protections Program (MAPP) will calm the waters a bit and engage companies and industries to share threat data in an effort to stem the effects of targeted and persistent attacks and speed up incident response recovery.
A private preview is scheduled to open this week for Microsoft Interflow, a distributed platform for information exchange that is built on open specifications such as the Structured Threat Information eXpression (STIX), the Trusted Automated eXchange of Indicator Information (TAXII), and the Cyber Observable eXpression (CybOX) standards. Today’s announcement comes 11 months after Microsoft expanded MAPP, its vendor partner information-sharing program, to include incident responders.
“We realized when we were building [MAPP for IR] that we needed a better way to automate the exchange of information with partners,” said Jerry Bryant, senior security strategist, Microsoft Security Response Center.
Interflow is built in Microsoft’s Azure cloud-based application hosting platform, and organizations can use its management console to subscribe to different threat feeds, build a community of trusted partners with whom to share data, and set trust levels on those relationships, Bryant said. A watchlist feature allows companies to filter the potential thousands of indicators of attacks and threats they may receive, and those indicators can be configured to feed directly into an intrusion detection system, firewall or endpoint protection system, Bryant said.
“The system is designed for end-to-end automation. We have APIs that can be used to subscribe to and process feeds into endpoint protection. It’s designed to integrate with investments you’ve already made,” Bryant said. “If you’re using SIEM to do analysis, this, through a plug-in architecture, plugs into that console. You can use it also for additional sets of data or build sets of data that you can share back out with partners.”
While Interflow’s extensibility allows for customization of the feeds it processes, it will arrive with a number of feeds provided by Microsoft as well, ranging from malicious URLs used in attack campaigns, to detection guidance that can help partners write signatures. Those companies will also have the option of sending telemetry data back to Microsoft based on hits against those signatures once they’re deployed, Bryant said.
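As an added illustration of the watchlist-and-trust filtering described above (example code, not Microsoft's or Interflow's; the simplified STIX-style indicator records, partner trust levels and proxy log lines are all constructed), this shows indicators from a feed being filtered by partner trust level and object type, then matched against log lines the way a detection system fed by such a watchlist would:

```python
import re

# Constructed, simplified STIX-style indicator records (not an Interflow feed).
# "trust" is the level the receiving organization assigned to the sharing partner.
FEED = [
    {"id": "indicator--c1", "pattern": "[url:value = 'http://bad.example/payload.exe']",
     "created_by": "partner-a", "trust": 3},
    {"id": "indicator--c2", "pattern": "[ipv4-addr:value = '203.0.113.9']",
     "created_by": "partner-b", "trust": 1},
    {"id": "indicator--c3", "pattern": "[domain-name:value = 'c2.example.net']",
     "created_by": "partner-a", "trust": 3},
]

# Matches a single-comparison STIX pattern such as [url:value = '...'].
PATTERN_RE = re.compile(r"\[(?P<type>[\w-]+):value\s*=\s*'(?P<value>[^']+)'\]")

def parse_pattern(pattern):
    """Return (object type, value) from a single-comparison pattern, or None."""
    m = PATTERN_RE.fullmatch(pattern.strip())
    return (m["type"], m["value"]) if m else None

def watchlist(feed, min_trust, types):
    """Keep indicators from partners at or above min_trust and of the wanted types."""
    kept = {}
    for ind in feed:
        parsed = parse_pattern(ind["pattern"])
        if parsed and ind["trust"] >= min_trust and parsed[0] in types:
            kept[parsed[1]] = ind["id"]
    return kept

def match_logs(watch, log_lines):
    """Return (indicator id, log line) for each log line containing a watched value."""
    hits = []
    for line in log_lines:
        for value, ind_id in watch.items():
            if value in line:
                hits.append((ind_id, line))
    return hits

# Constructed proxy log lines.
LOGS = [
    "2014-06-23T10:01:00Z 10.0.0.5 GET http://bad.example/payload.exe 200",
    "2014-06-23T10:02:00Z 10.0.0.7 GET http://intranet.example/index.html 200",
    "2014-06-23T10:03:00Z 10.0.0.9 CONNECT 203.0.113.9:443",
]

if __name__ == "__main__":
    watch = watchlist(FEED, min_trust=2, types={"url", "domain-name", "ipv4-addr"})
    for ind_id, line in match_logs(watch, LOGS):
        print(ind_id, "->", line)
```

With the trust threshold set to 2, the low-trust partner's IP indicator is dropped, so only the URL hit is reported.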
Interflow is not the only sharing platform to support STIX and TAXII; Bryant said Interflow is meant to be complementary to many of those platforms, including established one-to-many systems such as those used by the Financial Services Information Sharing and Analysis Center (FS-ISAC).
“We’re making sure our system talks to theirs,” Bryant said of ISACs. “They have valuable data sets for those communities and valuable information for us. We can send them indicators [of compromise] and they can send telemetry to us that improves our responses and drives decision-making for out-of-band patches, for example.”
Telemetry exchange is not required, however, Bryant said.
“Companies will establish their own communities they want to share with. We want to be in their communities and we will make feeds available, but they don’t have to share back with us.
“We talked to CISOs, and some don’t like the idea of having to share their data back with a private organization. We don’t require that; we just want to facilitate more sharing in the industry.”
Bryant said anonymization and data sanitation capabilities are on the Interflow road map. For now, Microsoft has not set a general availability timeline for Interflow.
“People are getting more interested in sharing more of their own information. Obviously, there’s a lot of hesitancy, but you can start out cautiously with Interflow and develop tight circles,” Bryant said. “That’s part of what we’re trying to do: facilitate the next level of sharing and enable bidirectional sharing and connecting of systems. Our goal is to break down barriers and get more data flowing in the industry. Today, the way it works is not keeping up with threats.”