By Kathleen Moriarty, Global Lead Security Architect, EMC Office of the CTO
Continuing on the theme of sharing information in a directed way to have a broad impact, I think it is important to think further about how we can share information effectively. For me, this means breaking down what is important to share and with whom. For a single use case, this could mean multiple exchanges that vary in content and possibly in the methods that are used to exchange the relevant information.
I think the answer to what people want to receive and share varies greatly by the business area, type, and size of organization in which they work. If you think about some simple examples of information shared and who may want to participate in the exchange, the scope of these activities changes quite a bit:
- Do all organizations want to understand what an indicator of compromise is or what the latest attack technique was? No, not always.
- Does everyone need or want to know about threat actors, campaigns, and tools, tactics, and procedures (TTPs)? Is this relevant to some organizations?
- Does every organization want a full list of botnet IPs, malware distribution site URLs, or phishing email server IP addresses to process, assess the risks, and deploy appropriate controls? Once again, no, or not always.
- Is it useful to aggregate data, analyze it, and determine how to work with operators to have a broad impact before you widely share information?
Let’s take a closer look at who needs what information and how we can apply best practices to new sharing models. I like to break the types of organizations interested in sharing information into three user groups for simplicity. I presented this at the FIRST conference in June:
In my previous blog post, “Putting Threat Intelligence to Good Use”, I talked about the need to move away from information sharing models that disseminate data broadly. If we continue down a path where we share information broadly, small, medium, and some large organizations will have no resources to dedicate to the ingestion, analysis, prioritization, and deployment of controls. This is where the existing operator models and threat feeds should be considered as part of the information-sharing ecosystem.
For the most part, small- and medium-sized organizations will not have the resources to participate in sharing circles. They won’t have the skilled and dedicated team members to sort through information to determine what can be shared as well as utilize sharing portals to download relevant information, then apply mitigating controls in their environments.
Small- and medium-sized organizations will rely on their service providers, which include Internet service providers, managed security service providers, vendors with intelligence feeds, and their security products to effectively mitigate attacks. This is an important consideration so that the end result of information sharing can be both effective and pervasive. So while it would be wonderful if all threat information sharing could be done for free and shared among peers, small- and medium-sized organizations could still be left with no protection from advancing threats.
Right now, the emerging sharing groups favor large organizations, whereas we need to come together and ensure protections can apply more broadly so smaller organizations don’t get left out in the cold. If we do not leverage operators and various consortia, some of the emerging sharing models are almost guaranteed to fail. Done thoughtfully and inclusive of the needs of smaller organizations, information sharing can help avoid the scenario in which security organizations become awash in information, yet remain thirsty for wisdom.