I really like that some organizations are getting more open about sharing information regarding their security successes and failures. Prezi comes clean about getting pwned as part of their bug bounty program. They described the bug, how they learned about it, and how they fixed it. We can all learn from this stuff.
Facebook talked about their red team exercise last year, and now they are talking about how they leverage threat intelligence. They describe their 3-tier architecture to process intel and respond to threats. Of course they have staff to track down issues as they are happening, which is what really makes the process effective. Great alerts with no response don’t really help. You can probably find a retailer to ask about that…
I also facilitated a CISO roundtable where a defense sector attendee offered to share his indicators with the group via a private email list. So clearly this sharing thing is gaining some steam, and that is great. So why now? What has changed that makes sharing information more palatable?
Many folks would say it’s the only way to deal with advanced adversaries. Which is true, but I don’t think that’s the primary motivation. It certainly got the ball rolling, and pushed folks to want to share. But it has typically been general counsels and other paper pushers preventing discussion of security issues and sharing threat information.
My hypothesis is that these folks finally realized have very little to lose by sharing. Companies have to disclose breaches, so that’s public information. Malware samples and the associated indicators of attack provide little to no advantage to the folks holding them close to the vest. By the time anything gets shared the victim organization has already remediated the issue and placed workarounds in place. I think security folks (and their senior management) finally understand that. Or at least are starting to, because you still see folks who will only share on ‘private’ fora or within very controlled groups.
Of course there are exceptions. If an organization can monetize the data, either by selling it or using it to hack someone else (yes, that happens from time to time), they aren’t sharing anything.
But in general we will see much more sharing moving forward. Which is great. I guess it is true that everything we need to know we learned in kindergarten.
Photo credit: “Sharing” originally uploaded by Toban Black