A United Front: The Issue Of Threat Data Sharing In Cyber Security


IN DEPTH: The sharing of threat data is a key talking point within the world of cyber security, as we found out at RSA 2017

The sharing of threat intelligence has long been something of a contentious issue within the security sector and one that has very much been pushed to the forefront of the industry in recent times.

As the threat landscape has continued to develop, people and businesses have realised that the sheer number of cyber threats and security vulnerabilities doing the rounds these days is simply too great for any one organisation to tackle by themselves.

It’s no longer a feasible approach and hasn’t been for some time.

As a result, having timely access to accurate data around emerging threats, software flaws and effective remediations has taken on a new-found importance.

But what are the key barriers facing businesses and, more importantly, what is the solution to the data sharing conundrum? Silicon spoke to several industry experts at this year’s RSA Conference in San Francisco in an attempt to find the answers.


The data

One of the main issues with traditional threat data, according to Carbon Black CTO Mike Viscuso, is that it just hasn’t been up to scratch: “When you look at threat intelligence right now, most of the data that’s being shared is at the very bottom of the difficulty scale for attackers. So it’s file hashes, it’s domain names, it’s IP addresses, all things that are really easy for the attacker to change.

“As soon as he knows that you know, he can change it in a second and that just exposes the fragility of what we’re talking about.”

Kowsik Guruswamy, CTO at Menlo Security, took a slightly different view: the problem is not the quality of the data so much as the industry’s fixation on it. We’ve become “obsessed with data”, he said. “It’s overwhelming and yet we’re priding ourselves with more data, more data, more data.

“There is a lot of talk about we need to share all the IOCs – indicators of compromise – hashes and URLs. But by the time you operationalise that data those URLs are burnt. People are, I think, finally at the point now where they’re looking for a product to stop telling me everything there is to know, just do the damn work and stop, just leave me alone.”

Scott Scheferman, Director of Consulting at Cylance, agreed, bemoaning the dangers of “alert fatigue”, while SecureLink’s vice president of services Stefan Lager went as far as to describe the value of threat intelligence alone as “actually quite limited”.

So the general consensus was that simply collecting data isn’t enough, even though that is an approach the industry has so far struggled to shake itself out of.

The solution

Carbon Black’s Viscuso believes the answer lies in focusing on an attacker’s behaviour and in collecting data that reaches all the way back to the root cause of an attack, enabled by “next-generation” security tools that add context to what they observe.

“Whatever the case may be, if I get back to that root cause and I’m sharing root cause, that attacker can’t do anything about it,” he said. “If I address the root cause, the fact that the attacker knows that I know doesn’t actually diminish my ability to secure my enterprise at all. In fact I could post this publicly and, as long as my remediation is appropriate, the attacker gains no advantage.

“If people are reluctant to share it’s just exposing the fragility of what they’re sharing and if we can rise up and talk about behaviours and talk about the root cause and the original vulnerability that was used to exploit me, then we can change the sharing conversation altogether, because now it doesn’t matter if the attacker knows. I can say it openly and the only thing they can do is have remorse.

“That’s where we need to get to. If we as an industry were sharing that information, then it would significantly increase the cost of attacks to the point where it would be pointless to even do an attack at all.”
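To make concrete the contrast Viscuso draws between “bottom of the difficulty scale” indicators and behaviour, here is an added example written for this article; it is not code from Carbon Black, Menlo Security or any other vendor quoted above. It compares a constructed IOC feed (a SHA-256, a domain on the reserved `.example` TLD and an IP from the TEST-NET-3 documentation range, none of them real indicators) against a simple behavioural rule. The rule chosen here, an Office application spawning a script host that then makes an outbound connection, is a common detection heuristic and is my assumption, not one the article names. The attacker’s “change it in a second” step is modelled by appending a byte to the payload and moving to fresh infrastructure.

```python
import hashlib
from dataclasses import dataclass, replace

# Constructed stand-in for a dropped script. Not real malware; any bytes will
# do, the point is that the hash changes the moment one byte is appended.
SAMPLE = b"constructed-dropper-payload-v1"

# Constructed IOC feed of the kind the article says is usually shared.
# Domain uses the reserved .example TLD, IP is from TEST-NET-3 (203.0.113.0/24).
IOC_FEED = {
    "sha256": {hashlib.sha256(SAMPLE).hexdigest()},
    "domain": {"update-check.example"},
    "ip": {"203.0.113.7"},
}

@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record: a process start plus its network activity."""
    parent: str          # image name of the parent process
    process: str         # image name of the started process
    cmdline: str
    payload_sha256: str  # hash of the file the process executed
    dns_query: str = ""
    dst_ip: str = ""

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

def ioc_matches(ev: Event, feed: dict) -> set:
    """Return which indicator types in the feed this event hits (sha256/domain/ip)."""
    hits = set()
    if ev.payload_sha256 in feed["sha256"]:
        hits.add("sha256")
    if ev.dns_query in feed["domain"]:
        hits.add("domain")
    if ev.dst_ip in feed["ip"]:
        hits.add("ip")
    return hits

def behaviour_matches(ev: Event) -> bool:
    """Assumed behavioural rule: an Office application spawns a script host
    that then connects outbound. No hash, domain or IP is consulted, so
    rotating those artefacts does not change the verdict."""
    return (ev.parent.upper() in OFFICE_APPS
            and ev.process.lower() in SCRIPT_HOSTS
            and bool(ev.dst_ip))

def attacker_rotates(ev: Event, new_domain: str, new_ip: str) -> Event:
    """What the attacker does once the shared IOCs are known: repack the
    payload (one appended byte gives a new hash) and move to new
    infrastructure. The behaviour of the intrusion is unchanged."""
    repacked = SAMPLE + b"\x00"
    return replace(ev, payload_sha256=hashlib.sha256(repacked).hexdigest(),
                   dns_query=new_domain, dst_ip=new_ip)

# Constructed telemetry for the first sighting of the campaign.
FIRST_SIGHTING = Event(
    parent="WINWORD.EXE",
    process="powershell.exe",
    cmdline="powershell -nop -w hidden -enc SQBFAFgA",
    payload_sha256=hashlib.sha256(SAMPLE).hexdigest(),
    dns_query="update-check.example",
    dst_ip="203.0.113.7",
)

# Constructed benign event: the same script host, but started by an admin
# from the desktop shell with no network activity.
BENIGN = Event(parent="explorer.exe", process="powershell.exe",
               cmdline="powershell Get-Service", payload_sha256="")

def demo() -> dict:
    """Run both detections over the first sighting and the rotated rerun."""
    second = attacker_rotates(FIRST_SIGHTING, "cdn-assets.example", "203.0.113.8")
    return {
        "first_ioc": ioc_matches(FIRST_SIGHTING, IOC_FEED),
        "first_behaviour": behaviour_matches(FIRST_SIGHTING),
        "second_ioc": ioc_matches(second, IOC_FEED),
        "second_behaviour": behaviour_matches(second),
        "benign_behaviour": behaviour_matches(BENIGN),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The first sighting hits all three indicators and the behavioural rule; after the attacker rotates hash, domain and IP the feed matches nothing, while the behavioural rule still fires, and it stays silent on the benign PowerShell start. That is the asymmetry the quotes above describe: a shared hash costs the attacker one byte to invalidate, whereas a shared behaviour or root cause costs them the technique.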

Guruswamy’s recommendation was one of simplicity. His reasoning was that users are going to get compromised through four or five main avenues and, if your organisation is able to close those avenues, the rest doesn’t really matter.

“Our notion of Menlo is very simple,” he said. “Instead of chasing after these taxonomies and characterising every possible badness there is in the world, just stop those five things from happening and it’s game over. Yes, there is a broader thing about intelligence and sharing and all of that stuff. But if you nuke those five things and you just isolate them and you just stop them, it doesn’t matter.”


Industry collaboration

The other theme that emerged from RSA 2017 was the need for collaboration within the industry, an especially important factor when it comes to the sharing of threat intelligence. Calls for unity were keenly dispensed, with executives from the likes of RSA, Intel Security and Microsoft urging businesses to join forces in the battle against cyber criminals.

RSA’s CTO Zulfikar Ramzan called for businesses to “work together across the public and private sectors to ensure that our organisations, our infrastructure and our social institutions remain resilient”, while Intel Security’s Christopher Young urged the industry to “admit we can’t go it alone and come together as an industry knowing that we’re better side by side, working together”.

And it’s not just the responsibility of the private sector. Microsoft President Brad Smith also implored governments to do more in a passionate rallying cry that highlighted the dangers of nation state hackers carrying out “attacks on civilians in times of peace”.

It remains to be seen whether such a collaboration revolution will take place, but there can be no question that, when it comes to the issue of threat data sharing, we’d all be a whole lot better off for it.
