I really like that some organizations are getting more open about sharing information regarding their security successes and failures. Prezi comes clean about getting pwned as part of their bug bounty program. They described the bug, how they learned about it, and how they fixed it. We can all learn from this stuff.
Facebook talked about their red team exercise last year, and now they are talking about how they leverage threat intelligence. They describe their 3-tier architecture to process intel and respond to threats. Of course they have staff to track down issues as they are happening, which is what really makes the process effective. Great alerts with no response don’t really help. You can probably find a retailer to ask about that…
I also facilitated a CISO roundtable where a defense sector attendee offered to share his indicators with the group via a private email list. So clearly this sharing thing is gaining some steam, and that is great. So why now? What has changed that makes sharing information more palatable?
Many folks would say it’s the only way to deal with advanced adversaries. Which is true, but I don’t think that’s the primary motivation. It certainly got the ball rolling, and pushed folks to want to share. But it has typically been general counsels and other paper pushers preventing discussion of security issues and sharing threat information.
My hypothesis is that these folks finally realized they have very little to lose by sharing. Companies have to disclose breaches, so that’s public information. Malware samples and the associated indicators of attack provide little to no advantage to the folks holding them close to the vest. By the time anything gets shared the victim organization has already remediated the issue and put workarounds in place. I think security folks (and their senior management) finally understand that. Or at least are starting to, because you still see folks who will only share on ‘private’ fora or within very controlled groups.
Of course there are exceptions. If an organization can monetize the data, either by selling it or using it to hack someone else (yes, that happens from time to time), they aren’t sharing anything.
But in general we will see much more sharing moving forward. Which is great. I guess it is true that everything we need to know we learned in kindergarten.
Photo credit: “Sharing” originally uploaded by Toban Black
One Reply to “Security Sharing”
There are lots of information sharing groups. Most are email based, but there are other systems as well. The biggest problem is the innate conflict of interest associated with sharing. For example:
1. Automated sharing requires software and infrastructure, which requires someone to develop and maintain the service. Companies want to share because they want security help, not because they have extra cycles to spin up a big system.
2. Security companies provide threat intelligence and indicators of compromise. Most of this data is obtained from the customers of the security company. It would be disadvantageous if customers directly shared as it would remove the necessity of the security company.
3. Most threat intel companies mine C2s and other IOCs forever. Companies want to block these guys. If everyone shares and blocks the C2, then threat intel gets harder.
4. If you provide IOC or other threat intelligence to competitors, you’re suggesting that you’re compromised. Unless you have a very tight sharing network with robust legal controls this could be disastrous.
My personal thought is that software and a collaborative of intelligent core security engineers could develop and maintain a sharing system without a lot of work and with a high degree of success. Such systems already exist to some extent. High speed sharing enables high speed blocking, which raises the cost to attackers and would likely yield a net positive good versus mining C2s or IOCs. The hurdles are mostly political and aren’t easily solved. But as threat intelligence becomes more standard, as institutions become more accustomed to publicly dealing with security issues, and as costs go down, it seems likely sharing will become more practical despite the problems that I mention.