CloudCISC Working Group
Introduction to the CloudCISC Working Group
- Organizations are increasingly overwhelmed by information security attacks with huge consequences in financial, legal and reputational damage.
- Malicious actors collaborate with skill and agility, effectively moving from target to target at a breakneck pace.
- A major impediment to protecting information assets in an enterprise is the unwillingness and/or inability to share cybersecurity incident information. Fear of public exposure and resulting legal ramifications has caused organizations to withhold critical attack signatures that could have impeded or even prevented several of the industry’s most notable breaches.
- Cloud computing is fast becoming the world’s prime information technology. As such, cloud providers have a tremendous opportunity to solve the incident sharing dilemma and level the playing field respective to malicious actors.
- Cloud Security Alliance (CSA) has founded the Cloud Cyber Incident Sharing Center (Cloud-CISC). Leveraging innovations in anonymization, and benefitting from a changing legal landscape, Cloud-CISC seeks to eliminate existing security “stovepipes” by incubating trusted communities of cloud providers for the purpose of sharing cyber incident information anonymously. We believe that verifiable anonymity will usher in an unprecedented era of incident sharing.
- Our industry cannot afford to let another year pass without the good guys collaborating in a serious way. Now is the time to join CSA’s Cloud-CISC efforts to make cyber incident sharing pervasive.
Cloud-CISC: Anonymize – Share – Collaborate
New and increasingly significant cybersecurity breaches are reported practically every day. For most companies, it is no longer a matter of whether they will be attacked, but rather how long ago they were attacked. Enterprises and cloud providers alike face a constant barrage of threats and attacks. They all have a distinct need to understand the types of incidents that peers and technology partners are experiencing, so that they can better protect themselves and their customers. For cloud providers, which play a unique and central role in the IT infrastructure, the challenge is especially acute given the potential widespread implications of a successful attack.
In this environment, sophisticated organizations, particularly cloud providers, understand that the difference between a minor incident and massive breach often comes down to the ability to quickly detect, contain, and mitigate an attack. Unfortunately, evidence suggests that we are not succeeding at improving these capabilities despite a growing number of security tools and solutions at our disposal. To wit:
“It took retailers 197 days on average to identify that they’d been hit with an advanced threat, and took them 39 days to contain it; it took financial services organizations 98 days to identify, and 26 to contain.”
– Advanced Threats in Financial Services – A Study of North America & EMEA by Ponemon Institute LLC (May 2015), and Advanced Threats in Retail Companies – A Study of North America & EMEA by Ponemon Institute LLC (May 2015)
“Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise. Even worse, the two lines are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry.”
– 2015 Verizon Data Breach Investigations Report (page 6)
“Based on attacks observed by RiskAnalytics during 2014, 75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours). Over 40% hit the second organization in less than an hour…. We need to close the gap between sharing speed and attack speed.”
– 2015 Verizon Data Breach Investigations Report (page 11)
A key reason the delta between compromise and detection is growing is the increasing sophistication of attackers to quickly disseminate and act upon vulnerability and exploit information. Once an exploit is shown to be effective, or a zero-day vulnerability discovered, it is often quickly disseminated via a number of underground channels and rapidly used by a variety of bad actors against a large number of potential targets. For example, immediately after the Target breach, 18 other companies were attacked using the same methods.
Yet despite this disturbing trend, due to a longstanding and pervasive corporate reluctance to share information about cyber incidents, those who defend networks rarely have the same opportunities to collaborate about mitigation or provide early warnings to other potential victims. Companies are understandably hesitant to externally disclose any information about an incident until they fully understand their exposure and ensuing legal responsibilities.
Even when companies decide to share the incident information, it is often very late in the response process. Although well intentioned, this typically means coordination is accomplished too late to be meaningful to remediation efforts, and shared intelligence arrives too slowly to prevent others from also being victimized. As such, information sharing is often regarded as a reactive, one-directional effort of laudable but limited value.
Time for a New Approach
But what if we could remove this pervasive corporate reluctance to share information about cyber incidents and defense measures, and rather safely share information about attacks as they are happening among cloud providers and cloud customers?
What if, rather than picking up the phone and reaching out to one or two trusted peers for advice, you could safely reach out to a hundred trusted peers in minutes?
What if you knew in real-time if other incident response teams at companies similar to yours were experiencing the same problem?
What if, rather than trying to sort out the threat alone, you could join a rapidly-formed team of responders from across the industry to review what is being seen and collaborate on defense strategies?
What many information-sharing efforts have failed to fully address is the simple truth that a CSO’s first responsibility is to the enterprise they are working to protect. No matter how well intentioned, hurriedly sharing actual incident data presents risk – legal, market and/or reputational – to the enterprise. The only way to unlock the real power of incident sharing is to directly address and minimize the risk to the enterprise, and the way to accomplish that is through anonymity.
It is time to take a page from attackers and leverage advances in encryption, authentication and data analysis to bring verifiable anonymity to incident sharing. By ensuring that the incident data being shared cannot be attributed to its source, the risk to the enterprise is greatly reduced if not eliminated altogether. Incident information can be shared quickly, and collaboration can begin early. In this way, sharing incident data becomes integral to the response process, rather than happening after the threat has been resolved.
Promising Legal Developments
Under current law, U.S. companies can face civil and possibly even criminal liability should they share the details of a cyber attack on their organization. This may finally be changing. In the U.S., Congress has been taking significant action to minimize the legal risks for companies that voluntarily share cyber incident information. In April of 2015, the House of Representatives passed the Protecting Cyber Networks Act (HR-1560) and the National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731). These bills provide liability protection for companies that share cyber threat indicators and defensive measures amongst themselves, and, if they choose, with the government. They mirror similar proposals currently under debate in the Senate, and follow closely on the Executive Order signed in February of 2015 by President Obama that promotes private sector sharing of cyber threat information. Taken together, there is reason to be optimistic that the legal barriers to sharing cyber incident information may soon start disappearing.
Our Call to Action
Given the longstanding and fervent belief in the value for incident sharing, new advancements in enabling technology, and the promising shifts in the legal landscape, the Cloud Security Alliance believes now is the time to act. For this reason we introduce the Cloud Cyber Incident Sharing Center or Cloud-CISC.
Since incident sharing is of clear service to the community, Cloud-CISC has designed an incident-sharing program that not only supports the common good, but also benefits CSA members in the following ways:
- ENABLE SHARING: Share meaningful cyber incident data safely, easily and early in the response process, in order to leverage external expertise during remediation efforts and provide early warning to help others reduce their own exposure.
- EXPAND EXPERTISE: Collaborate with skilled security analysts from vetted cloud providers and cloud customers, in order to analyze attack indicators, develop defensive strategies and decrease time to mitigation.
- PROVIDE CONTEXT AND SUPPORT DECISION-MAKING: Avoid duplication of effort and benefit from what others have already learned.
Once an incident report is shared, the Cloud-CISC platform’s unique algorithms provide near real-time correlation with reports supplied by other vetted members. If similarities are discovered, members can be alerted and provided with the related reports that contain additional attack indicators, valuable context and mitigation advice. Members might also decide to collaborate in other ways, such as joining in on response efforts.
We hope that you share our enthusiasm for the Cloud-CISC. To ensure it meets your needs, we will undertake a collaborative development approach. We believe that a four-stage process is appropriate:
- Establish a small steering committee (8-10 people) with representation from both cloud providers and cloud customers
- Provision steering committee members to access the Cloud-CISC platform, giving each the ability to transmit and access incident reports
- Over a 90-day period, evaluate the Cloud-CISC platform and make recommendations for improvements and modifications
CloudCISC Working Group Leadership
As the Chief Security Officer of Rackspace, Brian Kelly is responsible for the safety and security of Rackers and Rackspace facilities, infrastructure, and data.
Brian joined Rackspace in October 2014 after three decades of leadership in security, special operations, and intelligence with the U.S. Government, the Department of Defense, and the private sector. He led the Giuliani Advanced Security Center in New York and served as executive director of IT risk transformation for Ernst and Young.
Brian graduated from the U.S. Air Force Academy, where he earned a degree in management. He later earned an MBA from Rensselaer Polytechnic Institute and an MS from the Air Force Institute of Technology.
In the Air Force, Brian rose to the rank of lieutenant colonel. He led teams involved in satellite surveillance, cyber security, cyber warfare, and management of highly sensitive operations around the globe. He advised the Joint Chiefs of Staff and the Secretary of Defense and received a Department of Defense meritorious service medal.
After leaving the Air Force, Brian led business operations for Trident Data Systems, providing industry-leading security research and technology to both the public and private sectors. He later served as a partner (select) at Deloitte and Touche, president of Newbrook Technologies, and CEO of iDefense, the first cyber threat intelligence provider for the private sector. In each role, he honed his skills in executive leadership, personnel, data and facility security, incident response, and forensic evidence collection. He has worked closely with senior executives for leading companies in global financial services, technology, health care, and manufacturing.
A frequent speaker at industry conferences on security, Brian is the author of From Stone to Silicon: a Revolution in Information Technology and Implications for Military Command and Control.
Dave Cullinane is the Founder of TruSTAR Technology. Prior to TruSTAR, Dave served
for 5+ years as the Chief Information Security Officer and VP of Global Fraud, Risk and
Security for eBay and its many global businesses (StubHub, InternetAuction.co, GSI
Commerce). He has more than 30 years of professional security experience building and
managing cyber security and incident response teams.
Dave is also the past President and Chairman of the IT-Information Sharing and
Analysis Center (IT-ISAC) – an organization for sharing security related information
across companies in the IT industry, and was a founding member of the FS-ISAC for the
financial services industry under Presidential Decision Directive 63. He served as a
member of the IT Sector Coordinating Council and the National Council of ISACs. He
has been selected to serve on the Information Security and Privacy Advisory Board for
NIST, along with the Secretary of Commerce and representatives from other US
Government agencies. He is also the Founder and Chairman of the Cloud Security
Dave is an Information Systems Security Association (ISSA) Fellow, and has been
elected to the ISSA Hall of Fame. He was awarded SC Magazine’s Global Award as
Chief Security Officer of the Year for 2005 and CSO Magazine’s 2006 Compass Award
as a “Visionary Leader of the Security Profession.” In 2012 he was awarded
SecureWorld’s first Lifetime Achievement Award for his outstanding contributions to the
advancement of the information security community.
CloudCISC Working Group Initiatives
There are no documents currently in peer review.
Other ways to Connect
CloudCISC Working Group News
No news at this time.
CloudCISC Working Group Downloads
New and increasingly significant cybersecurity breaches are reported practically every day. For most companies, it is no longer a matter of whether they will be attacked, but rather how long ago they were attacked. Enterprises and cloud providers alike need to understand the types of incidents that peers and technology partners are experiencing so that…
Release Date: June 13, 2015