Building a Community Defense Model to Protect Critical Assets
Today’s cyber threats don’t stop at country borders. They don’t stop at corporate thresholds. And they can’t be stopped by just a single vendor solution. It takes constant vigilance. And it takes a community coming together. Threat information sharing and trust groups have helped protect the financial sector for years. Soon they will protect many others. What happens when a community collaborates? Or many communities share? Community-driven defenses may just be the future of cyber security.
“Today’s threat intelligence sharing must occur at network speeds. It needs to be available for all critical sectors.”
The Value of Information Sharing
About 14 years ago, the financial services sector realized that many threats could be prevented or minimized by carefully and properly sharing threat information with each other. Say that large Bank A gets attacked by cyber criminals and lets Bank B know that the attack is underway. Bank B can take immediate action to prevent a similar attack. Cyber criminals often practice their attacks on small community institutions or on regional banks before they take their attacks more broadly. And in many cases, once they perfect their attacks, they go after many financial institutions at once. Information sharing is the cornerstone of a Community Defense model, so that a specific sector can start to turn the tables on attackers: make it more difficult and costly to attack, and reduce the cost and effort to defend. For example, in the financial sector, sharing real-time, actionable information helps protect and preserve critical assets including funds, customer account data and payment processes. For other sectors, it means the protection of lives, of intellectual property and of the continuity of critical systems that keep an economy running strong.
Best Practices Developed by Information Sharing and Analysis Centers
But there have to be processes, best practices and safeguards as information is shared. A Presidentially mandated construct, called an Information Sharing and Analysis Center, or ISAC, is available in nearly every critical sector in order to help facilitate sharing. There are ISACs for Healthcare, Technology, Transportation, Energy and many more. One of the best known is the Financial Services Information Sharing and Analysis Center, or FS-ISAC. FS-ISAC is a non-profit, member-created and member-owned organization that has perfected information sharing between financial institutions of all sizes, all over the world. With over 5000 members, FS-ISAC shares threat intelligence and distills it down into actionable information for institutions of any size.
Each ISAC uses its sector’s vast resources (people, processes, and technology) to aid the entire sector with situational awareness and advance warning of new physical and cyber security threats, incidents, and vulnerabilities. Those that are active with their sector ISAC are able to share relevant details of an attack, even as the attack unfolds. While members often digest the information available, they find increased value in ISACs when they also contribute information back to other members. Members learn to trust other members, and hence share more and more information. Sharing can occur via electronic means, live meetings, and special interest groups. ISACs have helped develop core processes, for example Circles of Trust. With this concept, members earn each other’s trust. They share detailed threat information most frequently with those they trust the most and with those that can most benefit from that exact type of information.
Cyber Security Intelligence—From a Trickle to a Flood
Information sharing works. Over the past few years it has become an invaluable part of cyber defenses in critical sectors and has helped prevent, minimize or mitigate the impact from attacks including Distributed Denial of Service (DDoS) attacks, targeted attacks, advanced persistent threats, nation state attacks, cyber criminal attacks, attacks against critical processes and many more.
At the same time that information sharing has become so important, the actual threat data available to analyze security threats has passed the tipping point. What used to be a small trickle is now a gushing torrent. Thousands of threat indicators flood in from many sources, some reliable, some not. According to some estimates, the average analyst can take up to seven hours to process a single piece of threat intelligence. No single organization can do it all. And no single vendor provides a comprehensive solution that addresses the entire threat intelligence lifecycle.
It’s time to rethink this whole process. What if the same practices around threat intelligence sharing that have helped defend the financial critical infrastructure could be re-created at machine speed? And then applied to other critical sectors? What if many hours of analysis turn into mere seconds? Having proven, effective information sharing processes is the first part of forming a Community Defense. But once you have those processes established, automating them creates tremendous efficiencies.
The Automation of Threat Intelligence Sharing
Nearly two years ago, FS-ISAC realized that its membership would require threat intelligence sharing to be automated. While several private sector solutions were being developed around threat intelligence, it would require a cross-organization, cross-vendor, even a cross-sector approach to establish the backbone for automated information sharing. FS-ISAC partnered with The Depository Trust & Clearing Corporation (DTCC), the premier post-trade market infrastructure for the global financial services industry, to develop just such a solution. Called Soltra Edge, this security automation platform codifies the ‘Circles of Trust’ utilized in critical information sharing. It enables confident, straight-through processing of threat intelligence to help immediately reduce risks and threats as they unfold.
“Today, most cyber threat information is provided manually to users from various, unconnected industry sources. Because of this, on average, it can take firms seven hours to evaluate each threat,” states Mark Clancy, CEO of Soltra, CISO of DTCC and Board Member of FS-ISAC. “With Soltra Edge, one organization’s incident becomes everyone’s defense. The solution will enable clients to send, receive, and store cyber security threat intelligence in a streamlined and automated format, enabling these firms to deploy safeguards against a potential cyber attack.”
Soltra Edge helps take threat intelligence in many formats and normalizes this data using open standards, including Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII), so that the intelligence can be easily processed and used. This platform is designed to support a Community Defense model in each sector, and also helps share information across sectors. It’s designed for use by thousands of critical entities and is also designed to plug in to dozens of cyber security software solutions from private sector vendors.
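As an added illustration of the normalization step (this is example code, not Soltra Edge’s implementation), the snippet below takes two constructed feeds in different formats, maps each record onto a STIX 2.1 Indicator object, and wraps the result in a STIX Bundle, the unit that a TAXII collection exchanges. The feed formats, the PATTERNS mapping and the label names are assumptions for the example, and STIX 2.1 JSON is assumed rather than the STIX 1.x XML of Soltra Edge’s era.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample feeds in two formats (documentation-range values, not real indicators).
CSV_FEED = "ipv4,203.0.113.5,c2-beacon\ndomain,malware-download.example,phishing-kit"
JSON_FEED = '[{"kind": "url", "value": "http://bad.example/login", "tag": "credential-harvest"}]'

# Hypothetical mapping from feed observable types to STIX 2.1 pattern templates.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
}

def escape(value):
    # STIX string literals are single-quoted; escape so untrusted feed text cannot alter the pattern.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def to_indicator(kind, value, label, now=None):
    """Build one STIX 2.1 Indicator; unknown observable types are rejected, not guessed."""
    if kind not in PATTERNS:
        raise ValueError(f"unsupported indicator type: {kind}")
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": label,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[kind].format(v=escape(value)),
        "pattern_type": "stix",
        "valid_from": ts,
    }

def parse_feeds(csv_text, json_text):
    """Yield (kind, value, label) triples from both feed formats."""
    for line in csv_text.strip().splitlines():
        yield tuple(f.strip() for f in line.split(",", 2))
    for rec in json.loads(json_text):
        yield rec["kind"], rec["value"], rec["tag"]

def normalise(csv_text, json_text, now=None):
    """Merge both feeds into one STIX Bundle, the unit a TAXII collection accepts."""
    objects = [to_indicator(k, v, l, now) for k, v, l in parse_feeds(csv_text, json_text)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

Calling `json.dumps(normalise(CSV_FEED, JSON_FEED), indent=2)` prints the bundle; a consumer can then apply the same patterns to its own sensors regardless of which feed format the indicator originally arrived in.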
A Community Defense approach, supported by active information sharing and enhanced with automation should be a key piece of today’s cyber strategy for many organizations. Proven models are out there. Best practices are in use and effective. Automation is available. Many organizations can benefit from this approach and experience the ISAC motto: “One organization’s incident becomes everyone’s defense.”