Can 'year of the hack' spur better threat info sharing?
- By William Jackson
- Jan 17, 2012
A panel of industry executives is calling for a new, intelligence-driven model of cybersecurity based on improved information gathering, sharing and analysis to counter advanced threats. But effective collaboration and information sharing often is more a dream than a reality.
The main challenges to more effective cooperation, according to members of the Security for Business Innovation Council, are two-fold: A lack of ability to integrate and evaluate data within organizations, and a reluctance to share information between organizations, especially with government.
The need for sharing information among organizations and between government and the private sector has been talked about for years, but often has not gone much beyond talk.
Advanced persistent threats are a new way of life
Advanced threats: The enemy is already within
“There is a lot more rhetoric going on about it national than action,” said William Guenther, president of the Advanced Cyber Security Center, a collaborative effort between industry, government and academia to enable sharing. The need for improved cooperation in cyber defense is growing, however. “The bad guys are arming, and the bad guys are collaborating.”
SBIC is a forum of industry leaders sponsored by RSA for researching and assessing cybersecurity challenges and responses. The group’s most recent report, Getting Ahead of Advanced Threats, was released Jan. 17. A group of contributors and commentators previewed the report for reporters shortly before its release.
Achieving intelligence-based information security will require significant shifts in how organizations address their IT infrastructures, SBIC found.
“Organizations need to obtain the latest data on threats, relate that to real-time insights into their dynamic IT and business environments, determine what’s relevant, make risk decisions and take defensive action,” the authors wrote. “Yet, most IT security programs are not set up for this. The hard truth is most organizations don’t know enough about the threats or their own security posture to adequately defend themselves against the rising tide of cyberattacks.”
One of the first steps in enabling the level of analysis required for converting data to intelligence is to make the business case for it, the report says. Bill Boni, CISO of T-Mobile USA, said that the drumbeat of high-profile data breaches in last year’s headlines has helped in that. The assumption today is that most organizations already have been targeted by advanced attacks, if not already compromised.
“The ‘year of the hack’ has people accepting the need for change,” Boni said. “We can leverage that. That’s an opening to make the case.”
Despite continuing challenges, there has been progress made over the past decade in sharing information about vulnerabilities and threats. Among the notable efforts are the sector-specific Information Sharing and Analysis Centers established between industry and government in the wake of the 2001 terrorist attacks. But the hub-and-spoke structure of the ISACs, in which information is routed to a central point where it is evaluated, sanitized and redistributed to members, has limited efficiency, Guenther said.
Government also is reluctant to share classified or sensitive information with the private sector, and companies often are reluctant to share because of liability concerns. “Legal counsel will always counsel caution,” Boni said.
Because of this, more effective results sometimes are achieved by small, informal collaborations in which information is shared through personal contacts and back channels. These groups do not provide the kind of global situational awareness needed for more complete security, but Guenther said industry should not wait on government to show the way.
“These things work better when the private sector gets together and then tries to engage the government,” he said. “It’s a dance.”
William Jackson is freelance writer and the author of the CyberEye blog.