Companies that manage and distribute threat intelligence need to stop thinking of their curated feeds as a competitive advantage and instead share them as widely as possible, officials and executives from the power and telecoms sector urged last week.
“The information that can help everybody … better defend their networks is important to everybody, so it shouldn’t be a competitive advantage, it should be part of what we regularly share,” senior Department of Homeland Security official John Felker told the Intelligence and National Security Summit last week. “When you do that, we all get better at it [cyberdefense].”
DHS runs several programs that provide free threat intelligence to the private sector, noted former Homeland Security Undersecretary Suzanne Spaulding. Additionally, Congress passed a cyberthreat sharing law in December 2015, creating liability protections and other legal safe harbors for companies that shared information with DHS.
AT&T Vice President of Global Public Policy Chris Boyer noted that the cutting edge of the new information-sharing paradigm had shifted and was now in neither the government-to-private-sector, nor the private-sector-to-government channels.
“There’s a lot of activity going on in private-to-private [information] exchange,” Boyer said.
He told the discussion Spaulding moderated that the telecom backbone providers were focused on finding new ways of spotting malicious behavior in real time, as it is traveling across the global network, but before he reaches its destination and wreaks havoc.
“What we focus on is data that’s traversing the network and looking for anomalies, looking for threats,” Boyer said, adding that About 167 petabytes of data goes across AT&T networks every day.
“There’s a lot of collaboration going on in the industry … in fact that’s probably where the a lot of the best intelligence is gathered just by working with our peers in industry,” Boyer added.
Part of the reason for that is the virtuous cycle that intelligence sharing within a trusted group creates.
“As you add those [shared intel feeds] together, voluntary shares increase,” said Fred Hintermister, who runs the Electricity Information Sharing and Analysis Center.
He told the session that cybersecurity companies needed to focus on adding value by selling what they could do with the feed, not the feed itself.
“You’re going from a roadside motel to a destination resort,” he said of the transformation.
Tom Gann, chief policy officer for McAfee told CyberScoop the industry was broadly committed to sharing and many large companies were working together in the Cyber Threat Alliance.
“It is impossible for a single organization to have a clear view of all the potential threats, vulnerabilities and attacks across the globally connected environment,” he noted.
The alliance brings together major companies like Check Point Software, Cisco Systems, Fortinet, McAfee, Palo Alto Networks, Rapid7, RSA Security, SK Infosec and Symantec.
According to the CTA website, the companies “have chosen to work together in good faith to share threat information [to bolster] defenses against advanced cyber adversaries across member organizations and their customers.”
Information sharing, Gann explained “gets more threat data on a rapid basis to customers over the short run,” and working on the process of sharing, especially the technical details, “helps cybersecurity companies further optimize their solutions … over the long run.
“It’s a win-win,” he concluded.