Guy Wertheim, the CTO at Comilion, talks about the importance of collaboration and data sharing in the battle for increased security.
Modern organizations are tackling a fast-paced threat landscape. How does collaboration help in this regard?
In today’s dynamic threat environment defenders must stay ahead of attackers even by a small margin. This is proving to be extremely difficult since attackers often make advancements across many vectors. Meanwhile, defenders must figure out which attack and vector they should investigate and defend against. Investigating in communities can help ease this burden for individual organizations.
Here’s an example scenario. Let’s say one organization (a bank) and four of its peers are targeted by 10 different attack tools. It would be much more efficient to let each peer organization research two different tools and share their findings with the rest of the community. This approach is already being used inside individual organizations, where two security experts researching the same malware will share their findings with each other, instead of keeping them private.
Besides workload sharing, a collaborative community can act as an early warning system. Let’s face it, we don’t have the manpower to research, understand and defend against every attack vector out there. We need to prioritize. Sometimes it’s according to a specific technology being compromised and other times it’s according to a specific adversary or attack campaign. The moment a monitored threat starts using a new tactic is when we should start putting effort into stopping it. Some companies need to protect themselves against hacktivism, others against financial cyber crime. A security collaboration community can provide organizations with early visibility into new threats that are targeting other member companies and are likely to affect them in the future as well.
Many are interested in working with others if it ultimately leads to better security. What are the major obstacles to effective secure data sharing and collaboration?
In many cases, security experts are willing to share their findings with trusted peers, but their organizations are hesitant to establish a more formal and efficient collaboration channel with other companies. A security researcher may be comfortable disclosing details of a breach to a well-known professional acquaintance or friend, but organizations typically require greater privacy and confidentiality guarantees. In these situations, anonymity can help to address liability, while data ownership techniques or DLP mechanisms can help minimize exposure risks.
Regulatory mandates and privacy laws can also prevent symmetric sharing between peer organizations. In some cases, sharing a piece of intelligence will be met with a wall of silence from a peer who cannot respond without violating compliance rules. If collaboration generates too many rudimentary questions and requests for basic information, this can also prevent individuals from sharing if they feel they are wasting too much time on trivial issues.
In many cases, security collaboration is not a one-size-fits-all proposition. Some data should be shared as widely as possible with the community, while other findings should be collaborated upon in a more controlled fashion. Individual collaboration efforts may start in one form (i.e. controlled) and eventually shift to another (i.e. community-wide) as the event or threat is better understood.
Running increasingly complex security architectures can create massive amounts of data. How can organizations make sure they’re getting the right information at the right time?
When it comes to security collaboration, more is not always better. Organizations should pick their collaboration peers carefully and not solely according to trust and legal attributes. Choosing peers that share similar challenges is important since security topics will overlap and both sides will benefit. Finding the right peers is a trial and vetting process. Fortunately, the security industry is small enough that finding references is not too difficult. Even after a rigorous vetting process, it’s best to start the collaboration effort slowly and gradually expand the scope over time.
Inevitably, every collaboration environment contains some amount of spam. However, spam is not always objective. One man’s garbage is another’s treasure. This also applies to security. Automated processes can be used to perform smart and efficient relevancy queries. For example, a simple correlation like “Does anyone’s SIEM see this indicator?” can evolve into more sophisticated questions such as “Do you see an increase in encrypted Skype communication?”; an abstract conversation like “How are you mitigating this specific threat?”; and specific queries including “Are you blocking the malicious IP on your gateway?” or “Are you investigating the malicious communication beaconing out to command and control servers?”
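As an added illustration of the “Does anyone’s SIEM see this indicator?” query above (example code, not Comilion’s product or anything from the interview): peers publish keyed hashes of the indicators their SIEM has observed rather than raw log values, and the community answers a query with an anonymous count of peers that matched, so no member is named. The shared key, the `Peer`/`Community` classes and the sample sightings (drawn from documentation address space) are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed community key, assumed to be distributed out of band to vetted peers only.
COMMUNITY_KEY = b"constructed-demo-key"

def tag(indicator: str, key: bytes = COMMUNITY_KEY) -> str:
    """Keyed hash of a normalized indicator. Peers publish these tags instead of raw
    log values, so a query reveals only whether a shared tag matched."""
    return hmac.new(key, indicator.strip().lower().encode(), hashlib.sha256).hexdigest()

class Peer:
    """One member organization; it holds only tags derived from what its SIEM observed."""
    def __init__(self, name: str, sightings: list[str]):
        self.name = name
        self._tags = {tag(i) for i in sightings}

    def has_seen(self, t: str) -> bool:
        return t in self._tags

class Community:
    """Answers 'does anyone's SIEM see this indicator?' with an anonymous count."""
    def __init__(self, peers: list[Peer], escalate_at: int = 2):
        self.peers = peers
        self.escalate_at = escalate_at  # how many peer sightings make it worth prioritizing

    def query(self, indicator: str, asker: str) -> dict:
        t = tag(indicator)
        others = [p for p in self.peers if p.name != asker]
        hits = sum(1 for p in others if p.has_seen(t))
        return {
            "indicator": indicator,
            "peers_asked": len(others),
            "peers_seen": hits,  # count only: no peer is named in the answer
            "escalate": hits >= self.escalate_at,
        }

# Constructed sample sightings using documentation address space (not real indicators).
SAMPLE_PEERS = [
    Peer("bank-a", ["198.51.100.23", "example-c2.invalid"]),
    Peer("bank-b", ["198.51.100.23", "203.0.113.7"]),
    Peer("bank-c", ["203.0.113.7", "Example-C2.INVALID"]),
    Peer("bank-d", ["192.0.2.99"]),
]
SAMPLE_COMMUNITY = Community(SAMPLE_PEERS)

if __name__ == "__main__":
    print(SAMPLE_COMMUNITY.query("198.51.100.23", asker="bank-d"))
    print(SAMPLE_COMMUNITY.query("example-c2.invalid", asker="bank-a"))
```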