Building Security Threat Intelligence Networks: 10 Best Practices
Information Should Be Shared in Increments
Open threat sharing requires more detailed, incremental programs for sharing; ones that start out with simple statistical sharing and then ramp up through programs of threat agent information (such as information about unsuccessful attacks and indicators of compromise information from discovered compromised hosts). Full data sharing of issues, such as breach details and successful threat actor attribution, will remain within a more limited audience.
IT security providers have spent more than a decade debating the need for greater sharing of security data as the most effective way to raise the cost of entry and lower the return on investment for criminals and spies alike. The issue is far from settled, however, and an implementation worthy of the promise has yet to be created. There has been a start on this effort, however. In February 2012, AlienVault launched Open Threat Exchange, a system for sharing threat intelligence among users of the company’s Open Source Security Information Management (OSSIM) platform. Open Threat Exchange cleanses, aggregates, validates and publishes threat data streaming in from a wide range of security devices across a community of more than 18,000 OSSIM deployments. Using Open Threat Exchange, an attack on any member of the community alerts and arms the entire community with timely intelligence required to better manage a similar attack. Art Coviello, president of RSA Security, told eWEEK at the RSA Conference in February that security vendors must join together to share what they know about intruders for the good of all. Here are 10 key things that need to happen in order for security threat sharing to finally become a reality across the board. Input for this slide show came from Conrad Constantine, research engineer at AlienVault, as well as RSA Security and eWEEK's own research.