The case for wider sharing of threat intelligence in 2015


(Editor’s note: In a year that began with the Target breach and winds down with the Sony Pictures hack, Ben Johnson, Chief Security Strategist, Bit9 + Carbon Black, suggests wider sharing of threat intelligence is a New Year’s resolution worth embracing.)

By Ben Johnson, Special to ThirdCertainty

Threat intelligence is hot. Everyone is talking about it, trying to produce it or attempting to leverage it. But what exactly is it? And why is it gaining so much traction?

While the actual definition is up for debate, there is a consensus in defining it as “information that provides insight into the malicious actors, tools, techniques and procedures that comprise cyber threats.” That’s a fair enough definition to work with for now.

We’re in a constant battle against cyber criminals, spies, hacktivists and nation-states. A quick glance at headlines during the last year makes that clear. The speed at which hackers iterate and pivot their tools and techniques for attacks is astounding. Blend this with the often under-staffed or messy infrastructure of enterprises, and it’s been a bleak situation for cyber defense.

Security teams, however, are fighting back, and they are doing it with threat intelligence. And it is working for several reasons:

  • Threat intelligence improves feedback loops.
  • It provides information about adversaries that can be obtained quickly.
  • Threat intelligence offers enhanced reputational information that helps defenders score environment activity.
  • Threat intelligence can be shared in larger quantities and in a more automated fashion.
  • Industry communities and vendors are starting to serve the needed role of clearinghouses for threat intelligence.
  • Threat intelligence provides specific attributes to look for that signify malicious intent, which reduces the frequency and duration of cyber compromises.

There is still a lot of work to be done before the nation has any sort of cyber resiliency. But the good news is that the momentum is starting to shift. Threat intelligence is shaping a new way of thinking about the problem. By overlaying intelligence about emerging and sustained threats on top of visibility into a company’s own activity, enterprises are better informed when crafting cyber strategy and developing operational posture.

A cyber defense posture should be approached with the notion of creating an individual cyber intelligence agency within a company. Tools are necessary to collect internal event activity and to create automated ways of combining external threat traits and technical indicators. And a human team using a well-designed process is essential to leveraging the various information assets.

Explore what’s out there, collect data, join industry and regional sharing collectives, and lean on vendors to help automate more of the security process. Companies would do well to rely on, and participate in, more threat intelligence sharing in 2015.

