Call for vendors to share incident data to better help users

News by Dan Raywood

Vendors with vast incident data repositories could help users if they shared what threat data they had with their competitors.

Speaking to SC Magazine, Amar Singh, CISO at News International and head of the UK security group at ISACA, said that detection is a huge issue for businesses because of the scale of the data they are collecting: they have to dig into that data to find out what happened, even post-incident.

He said: “There is so much data in an organisation, it is not an audit as it is not being done and there is no central depository for that, and that creates interesting challenges as you will only find out when the media tells you something has happened.”

Singh said that sharing information is really important and predicted that in future it will take place more, but that the biggest problem in relation to information sharing is that it may lead to something being released. He said that the vendors are "repositories of unbelievable information that can be shared", but that they need to work together, as it can help any organisation in any sector improve their security posture.

He said: “Maybe all these companies need to sit down with the government, but I think that they are talking about a different type of threat; well most organisations need to work together to come out with an acceptable single [policy] and that is really key here.

“Everyone is working on their own and then they relax as you cannot exchange anything. That is pretty sad, as what is the point of having a UK-specific exchange medium? It would be great if these huge repositories holding information could be shared correctly so users could improve their security postures. Starting with baby steps could lead to a significant difference to organisations.”

Check Point is one vendor that believes in the principle of companies anonymously sharing threat data, and released its ThreatCloud service in 2012. 

Gabi Reish, head of product management at Check Point, said: “Check Point strongly believes in the value of sharing cyber threat data and feeds as a way to mitigate attacks and, just as importantly, expedite our response to attacks (which today can stay undetected for months or years).

“This collaboration should be done between customers, with mechanisms such as Check Point ThreatCloud facilitating the sharing of attack information and newly-discovered attack vectors between users. In addition, this collaboration should be based on sharing of feeds and findings between vendors. Check Point is taking steps in this direction in order to enrich ThreatCloud's knowledge with intelligence collected by other vendors.”

Imperva launched the crowd-sourced threat intelligence service ThreatRadar Community Defense in April of this year. Amichai Shulman, CTO and co-founder at Imperva, said: “We actually are getting data from other sources today - we buy some and we source some through open source groups as well as from our customers.

“Since we see the value in sharing threat data between customers of the same vendor, it makes sense to aggregate shared threat data from different, competing vendors. I think that in practice we are not going to see this happening in the application security area any time soon. This has to do with inherent fear of ‘helping’ the competition as well as the natural evolution of such data exchange programs. In addition, for competitors to share directly would require standards for normalisation of data.

“The issues [Singh] raised are valid points that can be solved once individual vendors get more proficient with using their own data and agree to standards. Only then, there's a chance that organisations (including ourselves) begin to tackle the psychological barrier of sharing information with the competition. It is important to note that we are in the early stages of this with gathering data from other sources today. It took a while for anti-virus vendors to work it out.”

Nawaf Bitar, general manager of the security business unit at Juniper Networks, told SC Magazine in April that Juniper was very willing to share information with partners and users, and it had agreed to collaborate with RSA on sharing threat intelligence for its Junos Spotlight Secure and the RSA Live system.

Henrik Davidsson, director of security sales EMEA at Juniper Networks, said: “By sharing data among all vendors, we will be able to better identify the bad guys early, preventing attacks. This way, users will have the protection of the IT security industry at large and not just one vendor.

“At Juniper, we already share our knowledge of potential risks with partners and we agree that the industry needs to think hard about how we can collaborate to truly protect all users and enterprises.”

