It’s no secret that the volume and diversity of cyber threats are skyrocketing. It wasn’t very long ago that McAfee Labs was seeing five new threats per day. Now McAfee Labs is identifying more than five new threats per second, or more than 300 per minute.
It isn’t just the deluge of threats or the growing sophistication of attackers that is exposing organizations to unprecedented cyber risks, however. Increasingly, the organizations themselves and – especially – the security solution vendors that serve them must shoulder some of the blame.
Why? Because a culture based on secrecy and competitive advantage is undermining the pressing need to share cyber threat intelligence (CTI). For instance, a company that suffers a breach may gain crucial information about the attack’s techniques, tactics, and procedures, but may also be reluctant to share that knowledge for fear of publicizing the breach. (Such fear is unfounded, because this type of sharing can be done anonymously in ways that protect the company’s privacy, and vendors have a priority to not expose customer names.)
Even more potentially damaging: Security vendors that routinely collect huge volumes of threat intelligence often treat that information as a proprietary differentiator that gives them competitive advantage.
Unfortunately, so long as the aversion to CTI sharing persists, attackers will hold the upper hand. If only one business or one security vendor is able to build defenses against a newly identified attack, that inevitably leaves much of the community unprotected. If security vendors and their customers are serious about protecting the entire digital ecosystem, they need to share CTI information in support of the common good.
Recognizing this need, a number of security solution providers, including Intel Security, formed the Cyber Threat Alliance in September 2014. Participating vendors have agreed to share threat information with each other so that every member organization can improve its own security solutions and its customers’ defenses.
Beyond sharing CTI, Cyber Threat Alliance members are also collaborating on research into specific threats. One example: The group collectively analyzed its shared threat intelligence about CryptoWall, one of the most damaging and far-reaching forms of ransomware. As part of their investigation, the alliance members examined more than 4,000 samples of the CryptoWall 3 malware, identified 839 command-and-control URLs, and determined that the ransomware had caused an estimated $325 million in damages globally.
In keeping with its mandate to promote CTI sharing, the Cyber Threat Alliance made public its CryptoWall 3 findings. The resulting CryptoWall analysis report shared, among other information, all the indicators of compromise (IoCs) that the researchers identified so that non-member security vendors and individual organizations could improve their own defenses against this form of ransomware.
As more customers learn about the value the Cyber Threat Alliance is providing, growing numbers are asking in their RFPs if their vendors are, or plan to become, alliance members.
Additionally, it’s now easier for enterprises and developers to connect, share threat intelligence data, and orchestrate security tasks across applications using the Open Data Exchange Layer (OpenDXL) initiative. The goals of OpenDXL are to increase integration flexibility, simplicity, and opportunity for developers and to improve security operations for organizations that deploy it. OpenDXL makes it easier for participating enterprises to share up-to-the-minute data and demonstrates the strength of working together.
Security vendors need to understand that their competitive value does not lie in the cyber threat intelligence itself, but in how they use that information to improve the effectiveness of their products and services. The real competitive differentiator is a willingness to share CTI and to participate in collaborative organizations such as the Cyber Threat Alliance.