You are here

Why information sharing is essential to security

public://pictures/20151229-DSC_4817 (1024x766) (640x479).jpg
Dan Schulte, Security Strategist, Hewlett Packard Enterprise

I recently attended a CISO-only event and one thing is for certain: We’ve come a long way in the 20-plus years of my security career. I remember the days when sharing information about your security environment was taboo. We would not talk about products we were using, malware we had running rampant on our networks, or our security architecture. At this event, though, I constantly heard CISOs asking their peers questions about specific issues, products, and even how to communicate with company boards.

[ Explore the challenges and opportunities facing SOCs in TechBeacon's new guide. Plus: Get the 2019 State of Security Operations report. ]

All together now: Security comes of age

I am so glad that we have finally evolved to see that information sharing is absolutely necessary to security. I remember the moment that opened my eyes to this need. I was working through an incident where I was seeing Poison Ivy malware on my network. We were aware and reacting to a breach from a nation state, but having difficulty finding the actor and removing it from our environment.

I received a call from our incident response (IR) consulting firm (we hired an organization that specialized in removing these types of attackers) to notify me that we had a Poison Ivy infection that was beaconing to a specific IP address known to the attack group. We needed to get on this immediately. We did, and soon we had eyes on everything the actor was performing on our systems.

Later that same weekend, we had another event where our intrusion prevention system (IPS) sensors were notifying us of Poison Ivy reaching out of our network. I called our IR consulting firm, which notified me that this was just commodity malware. Note taken... Two separate malware infections being identified as Poison Ivy were beaconing out of our environment, but one was a much lower priority.

The point is, without knowledge sharing on the specific threat, we would have never known. Our security solutions had identified both of the threats as Poison Ivy, but there was no way of knowing whether it was a commodity versus nation-state attack without having specific intelligence on our attackers. We would have treated each of these threats in the same manner. I needed a way to have the same knowledge as my consulting firm.

[ Effective SecOps requires staying one step ahead. Get up to speed with this Webinar covering UEBA and MITRE ATT&CK ]

Build it and they will come

In recent years, we have seen an explosion of information sharing platforms and groups. These give us the opportunity to gain insight we are not getting from our antivirus, IPS, and firewall vendors. Threat information sharing platforms such as Threat Central allow customers to compare their threats with what other companies are seeing in their networks, and to understand what their threats are and how other organizations are protecting themselves.

The current statistic for finding an intruder in your network is 240 days. After which, it typically takes another 40-plus days to remediate the threat. Threat intelligence solutions can dramatically reduce that dwell time and give organizations the ability to identify threats in their environment before data is exfiltrated.

Don't fear oversharing

My recommendation is to share as much as possible with your peers. Share information about your architecture, including what’s working and what’s not. Share your positive and negative interactions with vendors and products. Ask questions of vendors, strategist teams, and your peers as to how they are tackling specific issues in their environments.

Perhaps most important, get involved. Get involved in threat information sharing platforms (products and groups). Get involved in conferences or "lunch and learn" meetings in your region to better understand the security landscape. Get involved in ISACA, ISSA, ISC2, InfraGard, and other organizations so that we can all benefit from each other’s experiences.

Is information sharing critical to beating the bad guys? How much should the government be involved? Share your experiences in the comments below.

Image credit: Flickr

[ Find out how to take control of credentials privilege in your organization in this Oct. 31 Webinar. You'll learn best practices, more. ]