Why sharing is caring with cybersecurity information

No company is an island in our interconnected world. When it comes to cybersecurity, sometimes opening up is the best defence.

By Bill Clark

Fri 10 May 2019 @ 12:08

Keeping a business secure is a tough job. Keys, locks, fire alarms, burglar alarms, security guards and clear desk policies. That might have been enough in the past but, there’s now cybersecurity to deal with too. And the world of cybersecurity can learn something from the offline world when it comes to security: Speak up.

In the physical world, an alarm gets investigated, police are called and a report is filed. Criminals prefer to operate in the dark. The more is known of the threat, the better we can protect against it.

Information is power

The National Institute of Standards and Technology, explains (and surprisingly clearly) why sharing matters:

“Cyberthreat information is any information that can help an organisation identify, assess, monitor, and respond to cyberthreats. Examples of cyberthreat information include indicators (system artifacts or observables associated with an attack), TTPs (tactics, techniques and procedures), security alerts, threat intelligence reports and recommended security tool configurations. Most organisations already produce multiple types of cyberthreat information that are available to share internally as part of their information technology and security operations efforts.”

That’s the idea behind cyberthreat information (CTI) sharing: Organisations share information about cybersecurity threats with the idea that all benefit.

Governmental organisations have taken much of the lead. There are also non-governmental groups integrating information sharing into their cybersecurity tools.

Dealing with cybersecurity is more than a full-time job. Due to the cybersecurity skills shortage, it’s a constant challenge to keep up. The popularity of tools such as SIEM, SOAR and UEBA has been fuelled, in large part, by the need for overworked teams to deal with increasing volumes of data. They’re powerful tools that can provide vital information for detecting, responding to and mitigating a threat.

Just think how much better a security operations centre would work if it knew what was coming.

It’s been said that every device you allow to access your network increases security risk exponentially, as every connection to that device also represents a risk to you. Connectedness increases your attack surface.

But with CTI sharing, you get to even things up. By enabling your systems to draw upon the lessons learned by others, you can identify suspicious network activity more quickly, respond more quickly, and you’ll know what works.

Sharing information within the organisation used to happen on an ad hoc basis when an incident took place. If they had the time, security teams might share information with suppliers and partners who may also be at risk. However, that’s simply not enough. There is certainly a place for national and regional bodies, as well as industry groups, to come together as communities to share information. As organisations and flows of data have grown, it has become essential to automate the process. From this need, standards such as STIX and TAXII have been created and developed.

STIX and TAXII and related CTI standards are not tools, but ways of collecting, classifying, sorting and storing threat data. Software makers can use the standards to build data collection and reporting into their systems. Because the data is in a standardised form, it can then be shared with anyone with tools that can use data in that format.

Automation is also crucial: To be effective, the information must be processed and shared quickly. Therefore, artificial intelligence and machine learning are usually used to help at all stages.

You can’t hide

Some organisations may prefer to keep their cybersecurity information secret, hoping that will improve security. While ‘security by obscurity’ may sometimes work, you can no longer count on it.

Cybercriminals are collaborating, sharing information and tools to become more effective attackers. The best strategy to protect yourself is stay a step ahead.

Learn more

Learn more about how LogRhythm can help you stay informed, connected and a step ahead of the threats of tomorrow.