Building a Foundation for Successful Cyber Threat Intelligence Exchange: A New Guide from CSA
Blog Article Published: 04/16/2018
By Brian Kelly, Co-chair/Cloud Cyber Incident Sharing Center (CISC) Working Group, and CSO/Rackspace

No organization is immune from cyber attack. Malicious actors collaborate with skill and agility, moving from target to target at a breakneck pace. With new attacks spreading from dozens of companies to a few hundred within a matter of days, visibility into the past cyber environment won’t cut it anymore. Visibility into what’s coming next is critical to staying alive.

Sophisticated organizations, particularly cloud providers, know the difference between a minor incident and a massive breach lies in their ability to quickly detect, contain, and mitigate an attack. To facilitate this, they are increasingly participating in cyber intelligence and cyber incident exchanges, programs that enable cloud providers to share cyber-event information with others who may be experiencing the same issue or who are at risk for the same type of attack.

To help organizations navigate the sometimes treacherous waters of cyber-intelligence sharing programs, CSA’s Cloud Cyber Incident Sharing Center (Cloud-CISC) Working Group has produced Building a Foundation for Successful Cyber Threat Intelligence Exchange. This free report is the first in a series that will provide a framework to help corporations seeking to participate in cyber intelligence exchange programs that enhance their event data and incident response capabilities.

The paper addresses such challenges as:
- determining what event data to share. This is essential (and fundamental) information for those organizations that struggle to understand their internal event data.
- incorporating cyber intelligence provided by others via email, a format which by its very nature limits the ability to integrate it into one’s own.
- scaling laterally to other sectors and vertically with one’s supply chains.
- understanding that the motive for sharing is not necessarily helping others, but rather supporting internal response capabilities.
Past, Present, Future

Previous programs were more focused on sharing information about cyber security incidents after the fact and acted more as a public service to others than as a tool to support rapid incident response. That’s changed, and today’s Computer Security Incident Response Teams have matured. New tools and technologies in cyber intelligence, data analytics and security incident management have created new opportunities for faster and actionable cyber intelligence exchange. Suspicious event data can now be rapidly shared and analyzed across teams, tools and even companies as part of the immediate response process.

Even so, there are questions and concerns beyond simply understanding the basics of the exchange process itself:
- How do I share this information without compromising my organization’s sensitive data?
- How do I select an exchange platform that best meets my company’s needs?
- Which capabilities and business requirements should I consider when building a value-driven cyber intelligence exchange program?