I had the opportunity to speak at and attend the FIRST conference in Bangkok during the second week in June and came back energized from the discussions and direction of the participants. FIRST includes a mix of national-level CSIRTs, CSIRTs for large organizations, and vendors, with talks covering a wide range of topics from policy to technical aspects of information security, not necessarily limited to the current hot topic of information sharing.
I was energized by the engagement in discussions on the useful and effective sharing of information. For my talk, my goal was to leave people thinking about ways we can share information more effectively, with similar themes to the RSA Perspective released today. There are a number of successful sharing initiatives that have been operator-focused, like the Anti-Phishing Working Group (APWG) and other similar efforts that have had an impact on information security using efficient sharing models. After walking through a few examples, I put out a challenge to those in the room to help develop effective sharing models so that we do not inundate organizations with so much data that it would be impossible to perform Big Data analytics on it in a useful way.
In addition to the FIRST talk, I worked with several other vendors and service providers in a threat intelligence sharing catalyst project in May through the TM Forum, with a focus on building effective sharing ecosystems, that may be of interest. Several of us working in the effort agreed that analytic centers at times will need to focus on specific problems to help solve them well. As a result, we have an evolving ecosystem that includes many types of analysis centers, focused on their specific part of the problem (anti-phishing, eCrime, mail abuse, botnets, etc.). As a result,
Through the course of the week, a couple of other speakers hit on closely related themes to help drive industry to more effective sharing models. Dr. Paul Vixie from the Internet Systems Consortium (ISC) was encouraging vendors to “compete on execution” and Tim Mather from Splunk encouraged the use of open interfaces for information sharing. They both were advocating similar themes with slight variances to essentially drive industry to better information sharing solutions. Data should not cost money, rather intelligence
This to me was very positive progress and I hope that we will see real thought leadership emerge in how we share information, and I would like to see it shared effectively. After attending numerous conferences over the past year and collaborating with internal and external colleagues, I was motivated to write the RSA Perspective on effective sharing. I kept hearing themes of broadly disseminating data and think it is more useful to share information in a directed way, while having a broad impact. Even with this model of focused sharing, we will have Big Data and analytic challenges ahead to improve situational awareness.