Missing Link in ENTERPRISE NETWORKING
By: Adam Meyer | 31 October 2016
A lot has been written on the importance of information sharing in the cybersecurity community. There is seemingly an ISAC for every industry these days. We're talking the talk, and on the surface it looks like some organizations are starting to walk the walk. But in reality, we're still just scratching the surface when it comes to sharing cyber threat information, let alone sharing intelligence that is useful and practical.
The concept of intelligence sharing goes way beyond the stream of acronyms such as STIX, TAXII, CybOX, etc. Not to take away from the importance of a standardized format, but that's just one small piece of the puzzle to make this work - and to get others to give as much as they might take.
Let's step back for a second and look at why intelligence sharing is important. What's the benefit and is it worth the effort? At the end of the day, threat intelligence analysts should be working to effect positive change from a cyber risk perspective. Consumers of that intel should be measuring the value of the intelligence, things like: Is the organization safer, and is cybersecurity spend more cost-effective? Practical cyber threat intelligence can absolutely help an organization focus on its most critical risk areas - and sharing can play an important role in all of this.
Before you can start intelligently sharing threat intel, there are several important things you must do first...
Depending on your organization, there may be more or fewer stakeholders involved, but the larger point is that cyber threat intelligence has value to many different roles and organizations. The intelligence you create and share must have context and meaning to each party. Thinking through the types of questions each group would ask is a good starting point in terms of what intel is useful. Sharing an indicator of compromise (IOC) with a risk officer or executive isn't going to mean anything. Sharing intel on the impact of a threat to the company's finances might mean a lot.
Create a private ISAC for your stakeholders. ISACs are the rage when it comes to sharing - there seems to be a new one popping up each week - but a private ISAC that is specific to your business ecosystem can really drive value for you as well as your customers, partners and vendors because the intel will be highly relevant. So the question becomes how to create this sharing environment?
1. Get organized - As mentioned above, EVERYTHING should start with your collection plan. What sources are you pulling from and why? What source gaps do you have? Who are the stakeholders? Who will produce intelligence versus consume it?
2. Enhance current processes instead of starting from scratch - Data fatigue is a real problem out there; analysts are constantly floundering in a sea of data trying to make sense of it all. Instead of trying to create a net new process/deliverable or service from scratch, you can quickly get in the game by looking at improving your existing cybersecurity processes. How can intelligence enrich that current process? How can it give the employees who participate in that process more perspective? A few examples:
3. Store, analyze and share - Having a simple repository of "finished" intelligence products and allowing access for those with a "need to know" is a solid start. I see too many organizations get all spun up trying to engineer this mega-sharing platform that quickly spirals out of control ... you end up getting nowhere. Keep it simple, keep it usable, and keep it practical. This is about collecting, evaluating and producing finished intelligence based on the needs of the consumers of that intelligence.
4. Make it official - Intelligence should be a part of your risk management decision-making. It needs to be called out as such in your policy and processes and needs to be funded at some applicable level. Your organization does this already, except it is called Business Intelligence. Every product and service that your organization produces depends on technology in some way, shape or form, yet it does not get treated as a risk area. Cyber threat intelligence should give the cyber risk decision makers more clarity and context to problem areas so they can make more informed decisions and take action.
5. Grow your network - As you begin to reap the rewards of info-sharing and collaboration, expand your network. Consider your own organization's subsidiaries, satellite or branch offices, internal departments and more. Your organization is also reliant on the products and services that your partners and suppliers provide, so it is imperative that the same conversation is extended to those stakeholders as well.
Establishing a cyber threat intelligence capability is a strategic decision that takes patience and diligence, but which can change cybersecurity outcomes for the better over the long haul. Intelligence sharing is a key component, and again, it will take time and concerted effort to make it useful - but the end result is more than worth it.