Cyber-Threat Data Sharing Off to Slow Start Despite U.S. Legislation
Moving away from that entrenched mindset will take some time, LookingGlass's Coleman said. "One of the biggest fears of collaboration with the government is that we had no legal protections," he said. "When we ran those sharing information agreements by the lawyers, they would shiver." Yet the formation of like-minded organizations to share best practices, information on ongoing attacks, and—for more advanced groups—indicators of compromise (IOCs) holds promise. Those groups—called information sharing and analysis organizations, or ISAOs—help mitigate fears that information may be leaked and collect professionals together who have the same potential issues, according to the ISAO SO's White. "Everybody needs to be part of an ISAO," he said. "That is our opinion."Smaller companies, however, often are not served by such organizations because they do not have the expertise to use the data. Yet ISAOs can share best practice information and help corporate networks collaborate with each other. "We are still trying to feel our way in what [is] the best type of information to share," said Bill Wright, director of government affairs and cyber-security partnerships at security firm Symantec. "And while it is important, there is no silver bullet here. We still need good cyber-hygiene, we still need good technology and we still need good training for end users." Yet challenges exist for such organizations. Many companies do not like participating in groups where only a few members share information and the vast majority consume the intelligence. These other organizations—often called "leeches"—just consume information. The Cyber Threat Alliance, of which Symantec is a member, requires that each member share 1,000 new attack samples every day in an attempt to resist this tendency. "The challenge in intelligence is that it is just information unless I can give you something that you care about that impacts your business," said Coleman. "So we have to make sure that we are delivering something that is relevant to your business. Otherwise, you are giving the customer the top layer of information and forcing them to determine what they care about." Yet while information sharing will not, in and of itself, make companies secure, it is an important step, said Symantec's Wright. "Cyber-security has become a team sport, and we have to be sharing," Wright said. "Government can't go at it alone, and companies cannot go at it alone."
The Department of Homeland Security selected the University of Texas at San Antonio to create standards for forming such information sharing groups. Many already exist. Businesses that are in industries deemed to be critical are likely a member of an information sharing and analysis center, or ISAC, which are now considered one type of ISAO.