Shifting the Economic Balance of Cyber-Defence
Ben Johnson discusses threat intelligence sharing and why current sharing standards lack expert input.
Ben Johnson, chief security strategist, Carbon Black
The financial crisis that plagued global markets from the mid-noughties onwards finally seems to be improving, but nobody seems to have noticed that the cyber-security industry is sliding into its very own economic mess. That might sound dramatic, but in the fight against cyber-crime, the right kind of threat intelligence is the most valuable currency around.
However, a recurring problem is that those of us trying to defend organisations from the bad guys have, to date, done an ineffective job of sharing threat intelligence, whilst our adversaries have made it a top priority.
A growing deficit of intelligence
Cyber-criminals have built a hugely successful business model around intelligence, sharing it through organised groups such as the now defunct Enigma hacking forum, or trading it on dark-web marketplaces such as AlphaBay.
These platforms are built on the idea that individuals can achieve far more by coming together than they can by going it alone. Unfortunately, the security community has not responded in kind. We have largely chosen to remain fragmented, isolating ourselves from one another to guard our intellectual property.
Meanwhile, not only has the attack surface expanded, as more devices have come online, but there is also a growing shortage of experts with the skills needed to protect these devices. It will certainly take time to address that shortage, but if we want to turn the economics of cyber-defence back in our favour, we have to take a page out of our enemies' book and stop fighting our battles alone.
Putting people first
First and foremost, we need to realise that vendors and technology can only do so much. With new threats emerging daily, there's no way that one company alone can identify them all. The people in the cyber-security industry are our greatest asset. Those at the sharp end, in IT security teams, are best placed to spot new patterns of attack and use these patterns to establish the context of attacks.
These patterns help us understand how and why attacks are launched, which, in turn, enables us to uncover new patterns to watch out for. Ultimately, the key to winning the cyber-war is in getting all these people talking to each other and sharing their experiences. To do so, the industry needs to build a hub around which they can unite, to share best practices and exchange threat intelligence.
There are plenty of forums and alliances out there already claiming to be doing exactly this, but when you look beneath the surface, they're essentially just huge data dumps. There is no real way of verifying the information or context being added around anything that's shared, which prevents it from becoming truly actionable intelligence. Whilst “intelligence” can provide useful information, you can't guarantee how reliable it is. More importantly, it often can't be fed directly into an organisation's security posture, which limits its value significantly and creates a major flaw in our defences.
Building a better mousetrap
The only way to make the information being shared by the cyber-security community truly valuable is by having some of the industry's leading experts take a more active role. The information being shared becomes far more useful as intelligence if there's a team of experts verifying its authenticity and giving advice on how best to resolve the threats being discovered. However, we also have to go one step further and ensure that this threat resolution intelligence is being put to good use. The vendor community needs to integrate the information feeds into the solutions that businesses are using to defend themselves so we can collectively learn to identify similar patterns of attack and automate preventative measures.
We also have to realise that since there's no silver bullet to stop cyber-attacks, most organisations rely on a whole range of systems to defend themselves. At the moment, many of these systems are closed, locking the threat intelligence feeds that power them into solution-based silos. This creates a fragmented image of the threat landscape by preventing that data from being shared across the entire cyber-security stack. If security vendors embrace open APIs and allow their systems to talk to other best-of-breed solutions, we can start to build a much more detailed and far richer picture of how the patterns of attack that hackers utilise are evolving on a daily basis.
If this information is then shared across the broader community, everyone learns and becomes stronger every time a hacker attacks. Ultimately, this significantly diminishes the value that cyber-criminals gain from attacking, by forcing them to invest a lot more time, effort and money in developing new exploits. In doing so, we can finally tip the economic balance back in defenders' favour.
So what are we waiting for? Let's unite and take the fight to our enemies.