SAN FRANCISCO – The discussion about information sharing has been going on in the security community since before there was a security community, but the tone and shape of the conversation have changed recently thanks to an executive order from the Obama administration and the relentless drumbeat of attacks and data breaches. The benefits of sharing threat intelligence are clear, but at the moment, experts say, not enough organizations are enjoying those benefits.
There are a variety of factors contributing to that, and near the top of the list is the fact that many organizations simply don’t have the resources to handle the process. Smaller businesses and organizations that don’t possess a dedicated IT staff, let alone in-house security people, aren’t in a position to share data they might have or to handle information shared by peers.
“We’re in a position right now where those who are benefiting are a very, very small percentage of organizations,” Nate Lesser, deputy director of the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology, said during a panel on threat intelligence at the RSA Conference here Wednesday. “I feel like as a community we’re like Wile E. Coyote running off a cliff saying, let’s share, let’s share. The tools that do aggregation and analysis are getting better. But this whole process is very much in its nascent stages. Organizations need to think about where they can best spend their resources.”
In February, President Obama signed an executive order that lays out a framework for cybersecurity information sharing and some voluntary standards to guide intel sharing. The federal government has had a variety of information sharing programs in place for years, some internal and some external. And there are information sharing and analysis centers (ISACs) in many industries that function as clearinghouses for member organizations. But the executive order is seen as a milestone in the process and has had the effect of legitimizing intelligence sharing in some corners of the industry.
“The fact that there’s a national conversation going on about this, it is shifting large enterprises more and more in this direction,” said Hugh Njemanze, CEO of ThreatStream. “For some businesses, it was seen as a potential liability. It’s very positive that the perception is shifting. We see a lot less resistance.”
While there is a change occurring in the way that some organizations and executives think about sharing threat intelligence, the number of companies actively involved in it is still relatively small. That’s something that needs to change in order for the process to be more effective for everyone, and that change shouldn’t just involve formal programs and products, said Richard Struse, chief advanced technology officer at the Department of Homeland Security.
“I think we’re focusing too much on information sharing. It’s a means, not an end. The end is to improve our cybersecurity posture,” Struse said. “I’m a big believer in it, but it’s very important that we keep our eyes on the prize. We deal in a world that has a fundamental asymmetry. I can launch attacks and touch nodes from anywhere in the world because of the global connectivity. That reality is out of sync with the fact that our defensive systems aren’t globally interconnected. We really need to drive this into the fabric of the ecosystem. Right now we’re still talking about the tippy top of the pyramid, the one percent of organizations.”
Struse added that the attacker community is well ahead of the defenders on this score.
“Adversaries do a lot of information sharing. Not all of it is voluntary or on purpose, but they share victims, tools and tactics,” Struse said. “One of the things they get out of that is tremendous cost efficiencies. And one of the things we need to do is drive the cost to the adversary way up and the cost to the defender way down.”
One way to do that is to automate as much of the information collection, sharing and response as possible. But that’s a difficult pill for some organizations to swallow and isn’t always possible or even desirable.
“Automated response is a challenge because many organizations aren’t comfortable with it,” said Njemanze. “When you talk about democratizing the benefits of this, then you get to organizations that don’t necessarily have a human to do that.”
“There’s tremendous interest in automation of information sharing, ingestion, anonymization. But are these organizations ready to do that?” Lesser said.