Jul 2, 2020
All links and images for this episode can be found on CISO
Series (https://cisoseries.com/defense-in-depth-shared-threat-intelligence/)
We all know that shared intelligence has value, yet we're
reluctant to share our own threat intelligence. What prevents us from
doing it, and what more could we know if sharing threat intelligence
were mandated?
Check out this post for the basis for our conversation on this week's
episode, which features me, David Spark (@dspark), producer of CISO Series,
co-host Allan Alford (@allanalfordintx), and sponsored guest
Joel Bork (@cincision), senior threat hunter, IronNet Cybersecurity.
Thanks to this week's podcast sponsor, IronNet
Cybersecurity.
To combat sophisticated cyber threats, companies are
increasingly adopting collective defense strategies to actively
share intelligence with peer organizations to improve the detection
capabilities of the collective. Through faster sharing of
behavioral analytics, signature-based, and human threat insights,
organizations can more effectively spot malicious activity and
reduce attacker dwell time. More on
IronNet Cybersecurity.
On this episode of Defense in Depth, you’ll
learn:
- We all benefit from sharing threat intelligence, so why don't
we do it?
- If threat data is public, is it useful? The argument is that if
the good guys know about the threat intelligence, then all the bad
guys know as well. But that's if it's in a public forum.
- If threat intelligence were shared in a more rapid,
comprehensive, and secure manner, it would have more utility.
- Sometimes the "intelligence" a company first gets is just a
data feed.
- There has to be a greater discussion of the risks of sharing as
compared to the upside. Often it's easier to shut the doors and
not share, with the foregone benefit never entering the calculation.
- When an organization is in the middle of their security
maturity curve, they hold all their data as close to their chest as
possible. As they continue on their journey and continue to learn
lessons along the way, they begin to understand that collaboration
will help the community as a whole - including themselves.
- Threat data is really not what professionals need. What they
need is intelligence. And this requires a way to onboard and make
sense of the data on its own and in aggregate and over time.
- Each of us is collecting different pieces of the threat
landscape puzzle. If someone doesn't provide their piece, then we
have an incomplete puzzle and there are now holes in our knowledge
and ability to protect ourselves.
- Threat intelligence does not hold the same weight for every
user. What's valuable to someone may not be of value to another.
And you may be holding onto data that you don't necessarily
think is valuable.
- You want threat intel to be actionable, not necessarily
responding automatically.
- We spoke of threat intel with the analogy of animals traveling
in herds for protection. The attackers often pick off the weak
ones, but when everyone is working together, the stronger animals
can actually protect the weak.
- Even with everything we know and value with shared threat
intel, there is still a ton of paranoia around sharing. While there
is lots of discussion about data not being identifiable, most
choose to opt out of sharing threat intel.
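Two of the points above ("threat data is not what professionals need, what they need is intelligence" and "you want threat intel to be actionable, not necessarily responding automatically") describe a pipeline rather than a policy: onboard indicator feeds from several partners, deduplicate them, weigh each sighting by confidence and age, corroborate across sources over time, and only then decide what action the aggregate supports. The following is an added illustration of that pipeline, written for this page; it is not code from the episode, from CISO Series, or from IronNet. The partner names, feed records, half-life and thresholds are all constructed for the example.

```python
"""Turning shared threat *data* into actionable threat *intelligence*.

Added example, not from the podcast or any vendor: onboard sightings
from several sharing partners, normalise and dedup them, weight each
sighting by partner confidence and by how recently it was seen,
corroborate across independent partners, and map the result to an
action. Partner names, records and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Sighting:
    indicator: str      # value as the partner shared it (domain or IPv4)
    kind: str           # "domain" or "ipv4"
    source: str         # which sharing partner reported it (constructed)
    confidence: float   # partner-assigned confidence, 0.0..1.0
    seen_at: datetime   # when the partner observed it (UTC)


def normalise(indicator: str, kind: str) -> str:
    """Canonicalise so the same indicator from two partners dedups."""
    value = indicator.strip().lower()
    if kind == "domain":
        value = value.rstrip(".")   # "Evil.Example." -> "evil.example"
    return value


def recency_weight(seen_at: datetime, now: datetime, half_life_days: float = 7.0) -> float:
    """Exponential decay: a sighting loses half its weight every half-life (assumed 7 days)."""
    age_days = max((now - seen_at).total_seconds() / 86400.0, 0.0)
    return 0.5 ** (age_days / half_life_days)


def aggregate(sightings, now: datetime) -> dict:
    """Combine all sightings of one indicator into a single score.

    Only the strongest sighting per partner counts (a partner repeating
    itself is not corroboration); independent partners are then combined
    with a noisy-OR, 1 - prod(1 - w_i), so agreement between partners
    raises the score more than any single feed can.
    """
    per_source = defaultdict(dict)
    for s in sightings:
        key = (s.kind, normalise(s.indicator, s.kind))
        weight = s.confidence * recency_weight(s.seen_at, now)
        per_source[key][s.source] = max(per_source[key].get(s.source, 0.0), weight)
    result = {}
    for key, by_source in per_source.items():
        miss = 1.0
        for w in by_source.values():
            miss *= 1.0 - w
        result[key] = {"score": 1.0 - miss, "sources": sorted(by_source)}
    return result


def recommend(score: float, n_sources: int, block_at: float = 0.9, alert_at: float = 0.5) -> str:
    """Actionable is not the same as automatic: an automatic block needs a
    high score *and* at least two independent partners; otherwise an analyst
    gets an alert, or the indicator is merely watched."""
    if score >= block_at and n_sources >= 2:
        return "block"
    if score >= alert_at:
        return "alert"
    return "watch"


def triage(sightings, now: datetime) -> dict:
    """Full pipeline: feed records in, per-indicator score, sources and action out."""
    out = {}
    for key, info in aggregate(sightings, now).items():
        out[key] = dict(info, action=recommend(info["score"], len(info["sources"])))
    return out


# Constructed sample feed: three partners, two of them agreeing on one domain.
NOW = datetime(2020, 7, 2, tzinfo=timezone.utc)
SAMPLE_FEED = [
    Sighting(" Evil.Example. ", "domain", "partner-a", 0.8, NOW - timedelta(days=1)),
    Sighting("evil.example", "domain", "partner-b", 0.9, NOW - timedelta(days=1)),
    Sighting("evil.example", "domain", "partner-a", 0.6, NOW - timedelta(days=30)),  # stale repeat
    Sighting("203.0.113.7", "ipv4", "partner-c", 0.95, NOW - timedelta(days=1)),     # single source
    Sighting("198.51.100.20", "ipv4", "partner-a", 0.4, NOW - timedelta(days=20)),   # weak and old
]

if __name__ == "__main__":
    for (kind, value), info in sorted(triage(SAMPLE_FEED, NOW).items()):
        print(f"{kind:6} {value:16} score={info['score']:.2f} "
              f"sources={','.join(info['sources'])} -> {info['action']}")
```

In the sample, the domain reported independently by two partners within the last day scores about 0.95 and is eligible for blocking; the IP that only one partner reported scores high but still lands on "alert", because a single feed, however confident, is the kind of "data" the episode warns against acting on automatically; the old, low-confidence IP decays to "watch". Swapping the half-life or thresholds changes the policy without touching the onboarding logic, which is the point: the same raw feed yields different intelligence for different consumers.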