
Sharing is essential to your security

Daniel_Schulte ‎01-15-2016 10:19 AM - edited ‎01-15-2016 01:34 PM

I recently attended a CISO-only event and one thing is for certain: We’ve come a long way in my 20+ year security career. I remember the days when sharing information about your security environment was taboo. We would not share products we were using, what malware we had running rampant on our networks, or security architecture. At this event, I constantly heard CISOs asking their peers questions regarding specific issues, products and even how they communicate with their board.

I am so glad that we have finally evolved to see that this is absolutely necessary to help protect our environments. I remember the moment that opened my eyes to this need. I was working through an incident where I was seeing Poison Ivy malware on my network. We were aware of and reacting to a breach from a nation state, but were having difficulty finding the actor and removing them from our environment. I received a call from the consulting firm (we hired an organization that specialized in removing these types of attackers) to notify me that we had a Poison Ivy infection which was beaconing to a specific IP address known to the attack group. We needed to get on this immediately. We did, and soon we had eyes on everything that actor was performing on our systems.

Later that same weekend, we had another event where our IPS sensors were notifying us of Poison Ivy reaching out of our network. I called our IR consulting firm, which notified me that this was just commodity malware. Note taken… Two separate malware infections identified as Poison Ivy were beaconing out of our environment, but one was a much lower priority. The point is, without sharing the knowledge on the specific threat, we would have never known. Our security solutions had identified both of these as “Poison Ivy,” but there was no way of knowing commodity vs nation state attack without having specific intelligence on our attackers. We would have treated each of these threats in the same manner. I needed a way to have the same knowledge as my consulting firm.

In recent years, we have seen an explosion of information sharing platforms and groups. These give me the opportunity to gain insight I am not getting from my AV, IPS and firewall vendors. Threat sharing platforms, such as Threat Central, will allow customers to compare their threats with what other companies are seeing in their networks, understand what their threats are and how other organizations are protecting themselves. The current statistic for finding an intruder in your network is 240 days. After that, it typically takes another 40 plus days to remediate the threat. Threat intelligence solutions can dramatically reduce that dwell time and give organizations the ability to identify unknown threats in their environment before data is exfiltrated.

My recommendation is to share as much as possible with your peers. Share your architecture regarding what’s working and what’s not. Share your positive and negative interactions with vendors and products. Ask vendors, strategist teams and your peers how they are tackling specific issues in their environments. Perhaps most importantly, get involved. Get involved in threat sharing platforms (products and groups). Get involved in conferences or lunch and learns in your region to better understand the security landscape. Get involved in ISACA, ISSA, ISC2, Infragard and other organizations so that we can all benefit from each other’s experiences.

Comments
David Simpfendorfer
on ‎01-18-2016 09:34 PM

This makes a lot of sense. Organisations, while needing to maintain strict secrecy in some matters, in many areas have common threats. Appropriate trust in each other is surely the lesser evil compared to building and maintaining your own very leaky fortress.
