Editor’s note: Brian Kelly, who serves as Rackspace Chief Security Officer, is also co-chair of the CSA’s Cloud Cyber Incident Sharing Center Working Group.
No organisation is immune from cyber attack. Malicious actors collaborate with skill and agility, moving from target to target at a breakneck pace. With new attacks spreading from dosens of companies to a few hundred within a matter of days, visibility into the past threat environment won’t cut it anymore. Visibility into what’s coming next is critical to staying alive.
Sophisticated organisations, particularly cloud providers, know the difference between a minor incident and massive breach lies in their ability to quickly detect, contain, and mitigate an attack. To facilitate this, they are increasingly participating in threat intelligence and cyber incident exchanges, programs that enable cloud providers to share cyber-event information with others who may be experiencing the same issue or who are at risk for the same type of attack.
To help organisations navigate the sometimes treacherous waters of threat-intelligence sharing programs, CSA’s Cloud Cyber Incident Sharing Center (CloudCISC) Working Group has produced Building a Foundation for Successful Threat Intelligence Exchange. This free report is the first in a series that will provide a framework to help corporations seeking to participate in threat intelligence exchange programs that enhance their event data and incident response capabilities.
The paper addresses such challenges as:
- determining what event data to share. This is essential (and fundamental) information for those organisations that struggle to understand their internal event data
- incorporating threat intelligence provided by others via email, a format which by its very nature limits the ability to integrate it into ones own.
- scaling laterally to other sectors and vertically with one’s supply chains.
- understanding that the motive for sharing is not necessarily helping others, but rather supporting internal response capabilities.
Past, present, future
Previous programs were more focused on sharing information about cyber security incidents after the fact and acted more as a public service to others than as a tool to support rapid incident response. That’s changed, and today’s Computer Security Incident Response Teams have matured.
New tools and technologies in threat intelligence, data analytics and security incident management have created new opportunities for faster and actionable threat intelligence exchange. Suspicious event data can now be rapidly shared and analysed across teams, tools and even companies as part of the immediate response process.
Even so, there are questions and concerns beyond simply understanding the basics of the exchange process itself:
- How do I share this information without compromising my organisation’s sensitive data?
- How do I select an exchange platform that best meets my company’s needs?
- Which capabilities and business requirements should I consider when building a value-driven threat intelligence exchange program?
Because the cloud industry is already taking advantage of many of the advanced technologies that support threat intelligence exchange — and has such a unique and large footprint across the IT infrastructure — we believe that we have a real opportunity to take the lead and make threat-intelligence sharing pervasive.
The Working Group’s recommendations are based largely on the lessons learned through their own development and operation of CloudCISC, as well as their individual experiences in managing these programs for their companies.
Our industry cannot afford to let another year pass working in silos while malicious actors collaborate against us. It is time to level the playing field, and perhaps even gain an advantage. Come join us.