In the security realm, information sharing is an activity which most organisations would like to do more often. Sharing information allows us to learn from one another and it can help us keep pace with the quickly evolving threat landscape. So why is it that many organisations struggle with this endeavour despite their articulated desire to the contrary, and how can they identify a way forward in information sharing?
Due to the challenges in information sharing, ad hoc sharing is still far more prevalent than people might be inclined to believe. Information security professionals tend to form circles of trust around specific interest areas where only those individuals who have been vetted and vouched for can be admitted. Within these circles, trust is everything and members within the circle consider this to be a serious pact. That trust enables members to share valuable, appropriately sanitised information without the fear of predatory activity. The quality of the information shared inside these trusted circles is usually quite high.
Ad hoc circles are a great start, but there are some issues that create the need for more formal approaches. Some of the challenges with ad hoc circles include:
- Individuals who lack contacts to vet and vouch for them find entry into the circles nearly impossible
- Less mature organisations struggle to recruit and retain ‘insiders' preventing them from benefiting from the trust circles
- The ad hoc nature of the circles makes oversight and governance difficult
- Information is shared in a variety of formats and through different methods so requires extensive manual labour to use it
More formal approaches to information sharing will not fully address all of these challenges, they can begin to address them incrementally. But formal information sharing efforts currently have a high organisational barrier to entry, which keeps organisations and useful information out of them; this directly limits the effectiveness of these efforts. So how can we as a community move from less formal to more formal information sharing approaches while not losing agility and effectiveness?
Communication and education are extremely important and seem good starting points to make this happen. Security leadership within an organisation can communicate the information sharing vision. A dialogue can begin with legal, privacy, and other relevant stakeholders within the organisation, so that they can be educated as to the value and importance of information sharing and be included in the efforts. People can begin tackling the information sharing challenge, working to build the organisation's reputation and fostering collaborative relationships. Goals and priorities for information sharing can be communicated to external organisations and entities that can facilitate formalised information sharing amongst various different peer organisations. Sure, some of these organisations already exist, but there is room to grow and improve.
Once communication and education are underway, a formal information sharing process can be developed. This process will include details regarding what type of information may and may not be shared, what to do if information is shared that should not have been, as well as the actual nuts and bolts around how information is collected, handled, used, and shared. Process in itself brings more formality to an information sharing effort and is an important part of the overall picture. It is also quite likely that legal and privacy professionals will require this process before giving the go ahead to formal information sharing efforts.
Technology is also important. Technology that facilitates, rather than obstructs information sharing is a must. The data of record (both network and endpoint) should be recorded with no loss or gaps. Searches for evidence of Indicators of Compromise (IOCs), both historical and ongoing, should complete rapidly as part of a well-oiled security workflow. It should be straightforward and smooth to both receive and share information. All of these factors contribute to technology enabling and empowering successful information sharing, rather than fighting it.
Perhaps not surprisingly, information sharing comes back to people, process, and technology. If this sounds like a business function, that is for a reason. As a community, we need to take information sharing from an ad hoc function to a business function, and that maturation begins within our organisations. Ad hoc trust circles serve an important purpose, but a more formalised approach to information sharing is required to mature it into a true business function such that it better meets our security needs.
Contributed by Josh Goldfarb, Chief Security Strategist, FireEye.