A Sharing Economy for Security

Friday, September 25, 2015

Anne Bonaparte


Hackers trade information to make their attacks more effective. If organizations want to beat back the bad guys, they must also learn to share.

The security industry is falling short. While companies are spending more and more money on security solutions, many of these solutions aren’t doing the job. Gartner reports global spending on security rose to $71 billion in 2014, an increase of 7.9 percent over 2013. Yet PwC says security incidents over that same period surged 48 percent—and that’s just the incidents that were detected or reported, so the actual number would be even higher.

Why the disconnect? Because the current security model is broken. Companies are trying to protect themselves by building higher walls and wider moats. They’re trying to plug an always-shifting range of entry points. The approach is reactive and always a step behind.

Worse, they’re trying to go it alone. They don’t collaborate with other organizations. That would defy security’s foundational rule: secrecy. Security people are hardwired not to share information, not to show their hand, not to reveal potential security holes. They fear that if they admit to any weakness it will be used against them, either by competitors or by the government, because they’ve fallen short of some security compliance requirement.

This is the wrong approach to security in today’s changing cybersecurity landscape. Companies now need to protect themselves not only with walls but also with intelligence. They need to work together and share information to protect the community, not just a single enterprise.

Why are the bad guys so successful? In part because they trade information with each other. They’ve built a hacker economy, in which intelligence about vulnerabilities is constantly passed around. Cybercriminal communities share techniques and tools and join forces to conduct attacks. They maintain an underground marketplace where they buy and sell information.

We need to deploy this strategy on our side. We need to collaborate and share intelligence to beat back the bad guys. We need to open up about the indicators of compromise we are noticing, to alert communities who may be experiencing them too. Is anyone else dealing with this or that anomaly? Is it a legitimate threat?

Responsive, effective security is a process of discerning the real risks in a sea of data, so learning the context around a particular threat—its velocity and breadth of penetration—is vital to defending against it. But this requires intelligence sharing among organizations. Who else is under assault and what do they know about the nature of the attack? Armed with that information, organizations can better defend themselves. And when you’re attacked, you can help others defend themselves by sharing your experience. Before long, every company in your community is protecting itself and each other better.

The good news is that this is starting to happen. Take health insurer Anthem, for example. After it was ruthlessly ransacked by hackers, Anthem began to share its indicators of compromise with other healthcare organizations, enabling them to take steps to proactively block a similar attack. This has improved security throughout the healthcare field.

But this sort of intelligence sharing is not yet happening on a broad scale because the mindset of collaboration has not been fully embraced. Most companies are not sharing what they learn, even though they know they should. A new study by Enterprise Strategy Group found that, while 94 percent of respondents see the value of sharing threat intelligence, only 37 percent of respondents’ organizations regularly share internally driven threat intelligence with other organizations or industry groups.

So what’s holding them back? Organizations want to be sure they can share threat intelligence in a manner that is secure, anonymous, non-attributed and standards-based, so that they avoid the risk of opening themselves up to backlash or losing their company’s crown jewels.

Fortunately, the technology exists today. There are now standards-based mechanisms in place to share threat intelligence anonymously, without fear of attribution and without fear of tripping some compliance alarm somewhere.

With the advance of data analytics and cloud computing, companies have the power to process massive amounts of data within their perimeters and share findings anonymously. They can learn the context and relevance around security threats. They can glean threat actor data to identify who is related to what attack patterns, and the geographical source of attacks. They can conduct search and indicator tagging, and analyze and score incidents for prioritization. And they can go to trusted venues and platforms to anonymously and securely share their threat intelligence.

The onus here is on the C-suite to take advantage of these new technologies and platforms. C-level executives need to lead the way to better security by sharing what their companies know. They cannot plead ignorance.

More than 80 percent of directors say security breaches are discussed at nearly every board meeting, according to the ESG study. A PwC survey of more than 1,300 CEOs earlier this year found that 87 percent of them are “concerned” about cyberattacks, while nearly half go so far as to say they’re “extremely concerned.”

So it’s time to do something about it. This is not the time to cling to old models of security, building walls, hunkering down and keeping secrets. Leaders need to lead. They need to share their knowledge with each other and work together as a community against the cyberthugs. Then everyone will benefit from better security.

About the Author: Anne Bonaparte is the president and chief executive officer of BrightPoint Security. Known for leading security companies through high-growth stages to become businesses that endure, Anne has also served as the CEO of Solidcore Systems, Tablus, and MailFrontier, and vice president of international at VeriSign. Anne holds an MBA from Harvard University and a BS in industrial engineering from Stanford University.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
