The Age of Collaborative Security
Written by: Philippe Humeau, CEO, CrowdSec
The Cloud Security Alliance was born from a need, the need to collaborate, whether we are partners or competitors, for the greater good of our industry and its customers. That’s what alliances are made for, to become stronger together.
Security-wise, few sustainable alliances are born. The very nature of security intelligence is the opposite of sharing. One could argue that co-financing an organization or a project alongside your competitors is also a hard decision to justify. But here, we are as close to counter-spying as possible. Data is scarce, valuable and usually internal knowledge that you don’t share.
Finally, seeing a competitor struggling with an attack is not such a bad thing, right?
Well, I beg to differ. Any attack on anyone in our industry is bad for everyone’s business. Customers don’t remember the company name after a few months, just the fact that the “cloud is scary” or “data is stolen every day”.
In addition, hackers are organizing. They have structured their industry and, even if they often prey on the same ground, they DO share information, way more than their SecOps counterparts.
As we all know, time is critical when dealing with security. But what are the odds you can be ahead of the bad guys? Close to zero. They choose the when, the how and the where. It takes minutes for them to breach and weeks for you to find them.
When a vulnerability is detected, if white hats are behind the discovery, you’ll get a patch from the vendor within weeks. And it will probably take several more weeks for you to deploy it and secure yourself. Time is never on the side of the defender. This is the first asymmetric advantage in favor of hackers.
The second strong force at play is the filtering, or rather the absence of it. Most data flows are now encrypted. Inspecting them is both complex and costly, at best. Also, most firewalls will simply let HTTP, mail, DNS and application protocols through. With a bit of luck, a WAF will try to catch the dangerous payloads further down the line, but even that is not guaranteed. To put it mildly, 80+% of what is coming to your door is unfiltered.
Perimeters are a thing from the 1980s. You know that “castle strategy” that every CTO over 40 one day saw on their desk (or authored themselves)... Well, my friend, having a “perimeter” is no longer a thing. Due to Covid, VPNs are now being used by millions to allow workforces to keep working. How many companies were actually ready to do so? How many audited their password policies, or their filtering, to avoid cases such as an employee’s kid’s PlayStation 4 or an employee’s Android device spilling its malware right into the core of the company? Moreover, our data is all over the place: in cloud drives, SaaS environments, on-premise, in Cubes or VMs. In short, the company’s data is scattered all across the globe. Not that all of this is bad, but at best those perimeters have an uneven level of security, if any at all for some of them.
And let’s not forget that while you spend money on compliance, appliances, licenses, DevOps, SecOps, and all that jazz, they just use stolen resources and open-source tools. Here again, the asymmetry is so blatant that little room is left to wonder why businesses spend hundreds of millions of dollars and still get hacked.
When you see that, you realize that money can’t buy you a solution; it’s just that the game is rigged. It’s like getting on a Formula One circuit with your million-dollar car and getting beaten by a 1980 Chevy pickup… Not possible, right? Well, except online.
To hackers, IPs are like anonymity tokens: the more the merrier.
They have at their disposal day-to-day tools, rented or acquired, that make their work easier. No decent hacker would use his own IP. In many cases, a hacker needs several IPs, over several ranges, to carry out his nefarious activities.
IPs are the only “value” to them, along with their time, since most of the resources they invest are stolen servers and open-source tools. To rebalance this game, we need to strike at those two wallets: time and IPs.
The time approach is just about making it “not worth it.” If a target is hard enough to attack relative to the potential payoff of the heist, hackers will simply skip to the next one. Maybe not those “elite Russian hackers” that guessed the xxxxx123 password of a major software vendor by brute force (or, to be accurate, a hybrid dictionary attack), but the average one, for sure. Today, we can defend ourselves by making it just painful enough, for a very low cost, which makes the overall game a bit fairer.
We can really impair the bad boys and remove their masks. If they can’t harness the power of thousands of IPs, they are left naked and less efficient than ever. That is why we should all band together to make this a reality and create the biggest hacker interferometer ever. By burning the IPs one by one, tirelessly, efficiently and without false positives, we peel the onion, and trust me, we won’t be the ones crying.
This is where open source is a game-changer, and open data as well. By providing free, quality software (like CrowdSec and other projects do) and making users collaborate and share their sightings, this interferometer would grow exponentially. Anyone partaking would easily make the system stronger, not unlike Waze proposed to “outsmart the traffic, altogether” back in the days when we had cars, drove, and were free to move anywhere.
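The sharing step described above, where participants pool their sightings so that an attacker’s IPs get burned without false positives, can be sketched as a small aggregator. The code below is an added illustration written for this page; it is not CrowdSec’s code or algorithm. It assumes that an address is only shared as a block decision once at least three distinct participants report the same behaviour inside a six-hour window, that decisions expire after four hours, and that an allowlist protects addresses the community must never block. The reporter names, addresses and timestamps are constructed sample data.

```python
"""Toy consensus blocklist aggregator (illustration, not CrowdSec's algorithm)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: an IP is shared only after MIN_REPORTERS distinct participants
# saw the same behaviour inside WINDOW. One buggy or hostile sensor therefore
# cannot get an address blocked on its own, which is the false-positive control.
MIN_REPORTERS = 3
WINDOW = timedelta(hours=6)
BAN_TTL = timedelta(hours=4)

# Constructed allowlist: addresses a community must never "burn" regardless of
# reports (own infrastructure, partner monitoring probes, ...).
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.7/32")]


@dataclass(frozen=True)
class Sighting:
    reporter: str       # participant that observed the behaviour
    ip: str             # source address observed
    scenario: str       # e.g. "ssh-bruteforce", "http-path-scan"
    seen_at: datetime


@dataclass(frozen=True)
class Decision:
    ip: str
    scenario: str
    reporters: int      # how many distinct participants confirmed it
    until: datetime     # expiry, so burned IPs are released again


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def aggregate(sightings: list[Sighting], now: datetime) -> list[Decision]:
    """Turn raw sightings from many participants into shared block decisions."""
    recent = [s for s in sightings if now - s.seen_at <= WINDOW]
    # Count *distinct* reporters per (ip, scenario): repeated reports from the
    # same participant add no weight, which blunts poisoning of the shared list.
    votes: dict[tuple[str, str], set[str]] = defaultdict(set)
    for s in recent:
        if is_allowlisted(s.ip):
            continue
        votes[(s.ip, s.scenario)].add(s.reporter)
    return [
        Decision(ip, scenario, len(reporters), now + BAN_TTL)
        for (ip, scenario), reporters in sorted(votes.items())
        if len(reporters) >= MIN_REPORTERS
    ]


def is_blocked(ip: str, decisions: list[Decision], now: datetime) -> bool:
    """Local check a participant runs against the shared list for an incoming IP."""
    return any(d.ip == ip and d.until > now for d in decisions)


# Constructed sample data: a fixed "now" and sightings from four participants.
NOW = datetime(2021, 2, 1, 12, 0, tzinfo=timezone.utc)


def _t(hours_ago: float) -> datetime:
    return NOW - timedelta(hours=hours_ago)


SAMPLE_SIGHTINGS = [
    # Four independent participants saw the same brute force within the window.
    Sighting("alice", "192.0.2.10", "ssh-bruteforce", _t(1)),
    Sighting("bob", "192.0.2.10", "ssh-bruteforce", _t(2)),
    Sighting("carol", "192.0.2.10", "ssh-bruteforce", _t(3)),
    Sighting("dave", "192.0.2.10", "ssh-bruteforce", _t(0.5)),
    # One participant reporting the same address five times: no consensus.
    *[Sighting("alice", "192.0.2.20", "http-path-scan", _t(h)) for h in (1, 2, 3, 4, 5)],
    # Two participants: below the threshold.
    Sighting("alice", "192.0.2.30", "ssh-bruteforce", _t(1)),
    Sighting("bob", "192.0.2.30", "ssh-bruteforce", _t(1)),
    # Three participants, but two of the sightings are older than WINDOW.
    Sighting("alice", "192.0.2.40", "ssh-bruteforce", _t(8)),
    Sighting("bob", "192.0.2.40", "ssh-bruteforce", _t(9)),
    Sighting("carol", "192.0.2.40", "ssh-bruteforce", _t(1)),
    # Allowlisted address: never shared as a block decision.
    Sighting("alice", "198.51.100.5", "ssh-bruteforce", _t(1)),
    Sighting("bob", "198.51.100.5", "ssh-bruteforce", _t(1)),
    Sighting("carol", "198.51.100.5", "ssh-bruteforce", _t(1)),
]


def demo() -> list[Decision]:
    return aggregate(SAMPLE_SIGHTINGS, NOW)


if __name__ == "__main__":
    for d in demo():
        print(f"block {d.ip} ({d.scenario}) confirmed by {d.reporters} participants until {d.until:%H:%M}Z")
```

Only 192.0.2.10 comes out of the sample: the single-reporter flood, the two-reporter case, the stale sightings and the allowlisted address are all dropped. Those four rejections are the point of the design: the shared list gets stronger with every participant, but no single participant, honest or not, can burn an address by itself, and every decision expires so the list does not accumulate stale entries.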
Hackers are outnumbered by SecOps and DevOps 1 to 1000. By teaming up, we are unstoppable. Wallstreetbets just spanked a major hedge fund. If the street can beat the wall, then why not apply the same thinking to our industry? Crowds teaming together have revolutionized so many lines of work already: hospitality, GPS, jobs, friendships, dating, etc. But have we ever seen a movement in cybersecurity bringing together a million people to rebalance the odds? Not yet.
It is our responsibility, and one that I endorse with joy. Please, join me in this movement, for the greater good. I sincerely hope that one day we will all be able to share threat intelligence with each other. Creating this community and having people contribute their knowledge to such an important cause will bring trust back into our digital lives and will ultimately make the world a much safer place.
Philippe Humeau started his first company back in 1999, when security was the last thing anyone prioritized. A pentester and CTO for years, he then spent the last decade on the business side of things. He created CrowdSec in 2019 to engineer the first free, open-source, Massively Multiplayer Firewall. CrowdSec identifies threats based on behavior analysis and shares malicious IPs across the whole community so people can protect each other, creating a form of Digital Herd Immunity.