Threat-Intel Sharing Communities Spring Up to Aid Network Defenders

 
 
By Robert Lemos  |  Posted 2014-06-27
 
 
 

Three years ago, companies that wanted to exchange information on the latest cyber-threats needed to belong to one of several exclusive clubs, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), Microsoft's Active Protections Program (MAPP) or the Anti-Virus Information Exchange Network (AVIEN).

Since then, new information-sharing tools and networks have emerged to allow businesses to exchange attack information with other companies. In September 2013, for example, Hewlett-Packard launched a threat-intelligence sharing environment, dubbed Threat Central, which allows its customers to upload threat data and share it with other subscribers.

Security and network-management provider AlienVault supports the Open Threat Exchange that allows anyone to upload threat data and post analyses. Security services firm Cyber Squared offers companies a similar environment known as Threat Connect.

While each provider has a different goal for their platform, the offerings allow business customers to gain intelligence and share information on threats, usually in machine-readable format that speeds their response to attacks, Jerry Bryant, lead security strategist for the Microsoft Security Response Center (MSRC), told eWEEK. Defenders need to counter attackers' ability to quickly share information on network weaknesses, he said.

"I don't think that attackers are that much better at sharing information," Bryant said. "This is less about attackers sharing information amongst themselves, and more about countering their level of automation."

On June 23, Microsoft launched its own threat-intelligence sharing environment, known as Interflow. The platform allows cyber-security specialists and analysts to create communities of peers and exchange machine-readable threat information using a variety of open specifications.

Interflow supports the Structured Threat Information Expression (STIX) format, Trusted Automated Exchange of Indicator Information (TAXII) protocol, and Cyber Observable Expression standards (CyBOX), according to Microsoft. Currently, the platform is open only to a few customers as a private preview and eventually to all members of the Microsoft Active Protections Program (MAPP).

Such programs could be used as a way to lock customers into using a specific vendor's security platform, but Microsoft sees the creation of these platforms as a way for security providers to execute better, not create walled communities around their data.

"Years ago, AV [antivirus] firms used to compete on the size of their malware databases," Bryant said. "But companies need to stop competing on the data that they have and compete more on the execution. As an industry, we are not going to get ahead of the threat landscape by using these siloed models and competing on the data."

Whether the platforms openly share information across the broader security community remains to be seen. Yet, having generalized platforms can help industries create tight communities that can share threat information between security teams, he said

The focus on interoperable formats could help create such communities more easily. In addition, he said, the push for faster exchange of machine-readable information could speed response to incidents much more quickly.

 

Rocket Fuel