CloudCISC Working Group
No open initiatives at this time.
Introduction to the CloudCISC Working Group
- Organizations are increasingly overwhelmed by information security attacks with huge consequences in financial, legal and reputational damage.
- Malicious actors collaborate with skill and agility, effectively moving from target to target at a breakneck pace.
- A major impediment to protecting information assets in an enterprise is the unwillingness and/or inability to share cybersecurity incident information. Fear of public exposure and resulting legal ramifications has caused organizations to withhold critical attack signatures that could have impeded or even prevented several of the industry’s most notable breaches.
- Cloud computing is fast becoming the world’s prime information technology. As such, cloud providers have a tremendous opportunity to solve the incident sharing dilemma and level the playing field respective to malicious actors.
- Cloud Security Alliance (CSA) has founded the Cloud Cyber Incident Sharing Center (Cloud-CISC). Leveraging innovations in anonymization, and benefitting from a changing legal landscape, Cloud-CISC seeks to eliminate existing security “stovepipes” by incubating trusted communities of cloud providers for the purpose of sharing cyber incident information anonymously. We believe that verifiable anonymity will usher in an unprecedented era of incident sharing.
- Our industry cannot afford to let another year pass without the good guys collaborating in a serious way. Now is the time to join CSA’s Cloud-CISC efforts to make cyber incident sharing pervasive.
Cloud-CISC: Anonymize – Share – Collaborate
New and increasingly significant cybersecurity breaches are reported practically every day. For most companies, it is no longer a matter of whether they will be attacked, but rather how long ago they were attacked. Enterprises and cloud providers alike face a constant barrage of threats and attacks. They all have a distinct need to understand the types of incidents that peers and technology partners are experiencing, so that they can better protect themselves and their customers. For cloud providers, which play a unique and central role in the IT infrastructure, the challenge is especially acute given the potential widespread implications of a successful attack.
In this environment, sophisticated organizations, particularly cloud providers, understand that the difference between a minor incident and massive breach often comes down to the ability to quickly detect, contain, and mitigate an attack. Unfortunately, evidence suggests that we are not succeeding at improving these capabilities despite a growing number of security tools and solutions at our disposal. To wit:
“It took retailers 197 days on average to identify that they’d been hit with an advanced threat, and took them 39 days to contain it; it took financial services organizations 98 days to identify, and 26 to contain.”
– Advanced Threats in Financial Services – A Study of North America & EMEA by Ponemon Institute LLC (May 2015), and Advanced Threats in Retail Companies – A Study of North America & EMEA by Ponemon Institute LLC (May 2015)
“Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise. Even worse, the two lines are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry.”
– 2015 Verizon Data Breach Investigations Report (page 6)
“Based on attacks observed by RiskAnalytics during 2014, 75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours). Over 40% hit the second organization in less than an hour…. We need to close the gap between sharing speed and attack speed.”
– 2015 Verizon Data Breach Investigations Report (page 11)
A key reason the delta between compromise and detection is growing is the increasing sophistication of attackers to quickly disseminate and act upon vulnerability and exploit information. Once an exploit is shown to be effective, or a zero-day vulnerability discovered, it is often quickly disseminated via a number of underground channels and rapidly used by a variety of bad actors against a large number of potential targets. For example, immediately after the Target breach, 18 other companies were attacked using the same methods.
Yet despite this disturbing trend, due to a longstanding and pervasive corporate reluctance to share information about cyber incidents, those who defend networks rarely have the same opportunities to collaborate about mitigation or provide early warnings to other potential victims. Companies are understandably hesitant to externally disclose any information about an incident until they fully understand their exposure and ensuing legal responsibilities.
Even when companies decide to share the incident information, it is often very late in the response process. Although well intentioned, this typically means coordination is accomplished too late to be meaningful to remediation efforts, and shared intelligence arrives too slowly to prevent others from also being victimized. As such, information sharing is often regarded as a reactive, one-directional effort of laudable but limited value.
Time for a New Approach
But what if we could remove this pervasive corporate reluctance to share information about cyber incidents and defense measures, and rather safely share information about attacks as they are happening among cloud providers and cloud customers?
What if, rather than picking up the phone and reaching out to one or two trusted peers for advice, you could safely reach out to a hundred trusted peers in minutes?
What if you knew in real-time if other incident response teams at companies similar to yours were experiencing the same problem?
What if, rather than trying to sort out the threat alone, you could join a rapidly-formed team of responders from across the industry to review what is being seen and collaborate on defense strategies?
What many information-sharing efforts have failed to fully address is the simple truth that a CSO’s first responsibility is to the enterprise they are working to protect. No matter how well intentioned, hurriedly sharing actual incident data presents risk – legal, market and/or reputational – to the enterprise. The only way to unlock the real power of incident sharing is to directly address and minimize the risk to the enterprise, and the way to accomplish that is through anonymity.
It is time to take a page from attackers and leverage advances in encryption, authentication and data analysis to bring verifiable anonymity to incident sharing. By ensuring that the incident data being shared cannot be attributed to its source, the risk to the enterprise is greatly reduced if not eliminated altogether. Incident information can be shared quickly, and collaboration can begin early. In this way, sharing incident data becomes integral to the response process, rather than happening after the threat has been resolved.
Promising Legal Developments
Under current law, U.S. companies can face civil and possibly even criminal liability should they share the details of a cyber attack on their organization. This may finally be changing. In the U.S., Congress has been taking significant action to minimize the legal risks for companies that voluntarily share cyber incident information. In April of 2015, the House of Representatives passed the Protecting Cyber Networks Act (HR-1560) and the National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731). These bills provide liability protection for companies that share cyber threat indicators and defensive measures amongst themselves, and, if they choose, with the government. They mirror similar proposals currently under debate in the Senate, and follow closely on the Executive Order signed in February of 2015 by President Obama that promotes private sector sharing of cyber threat information. Taken together, there is reason to be optimistic that the legal barriers to sharing cyber incident information may soon start disappearing.
Our Call to Action
Given the longstanding and fervent belief in the value for incident sharing, new advancements in enabling technology, and the promising shifts in the legal landscape, the Cloud Security Alliance believes now is the time to act. For this reason we introduce the Cloud Cyber Incident Sharing Center or Cloud-CISC.
Since incident sharing is of clear service to the community, Cloud-CISC has designed an incident-sharing program that not only supports the common good, but also benefits CSA members in the following ways:
- ENABLE SHARING: Share meaningful cyber incident data safely, easily and early in the response process, in order to leverage external expertise during remediation efforts and provide early warning to help others reduce their own exposure.
- EXPAND EXPERTISE: Collaborate with skilled security analysts from vetted cloud providers and cloud customers, in order to analyze attack indicators, develop defensive strategies and decrease time to mitigation.
- PROVIDE CONTEXT AND SUPPORT DECISION-MAKING: Avoid duplication of effort and benefit from what others have already learned.
Once an incident report is shared, the Cloud-CISC platform’s unique algorithms provide near real-time correlation with reports supplied by other vetted members. If similarities are discovered, members can be alerted and provided with the related reports that contain additional attack indicators, valuable context and mitigation advice. Members might also decide to collaborate in other ways, such as joining in on response efforts.
We hope that you share our enthusiasm for the Cloud-CISC. To ensure it meets your needs, we will undertake a collaborative development approach. We believe that a four-stage process is appropriate:
- Establish a small steering committee (8-10 people) with representation from both cloud providers and cloud customers
- Provision steering committee members to access the Cloud-CISC platform, giving each the ability to transmit and access incident reports
- Over a 90-day period, evaluate the Cloud-CISC platform and make recommendations for improvements and modifications
CloudCISC Working Group News
September 05, 2012
CSA today signed a Memorandum of Understanding with ASTRI to advance cloud computing security and build capabilities that will accelerate the development of the cloud ecosystem in Hong Kong.
May 21, 2012
CSA announced today the appointment of information and communications technology veteran John Howie to the position of Chief Operating Officer (COO).
February 15, 2011
At the CSA Summit at RSA on February 14, 2011, the Cloud Security Alliance (CSA) unveiled its 2011 roadmap, which builds on an already extensive body of work put together by the alliance in its first two years of existence.
CloudCISC Working Group Videos
No videos currently available.
CloudCISC Working Group Downloads
CloudCISC Working Group Co-chairs
Paul B. Kurtz
Chief Strategy Officer, CyberPoint
Paul Kurtz has been involved with CyberPoint since the company’s founding in 2009. He currently leads the company’s international services division. A recognized cyber security expert, he has held senior positions in both industry and government. He was the founding Executive Director of the Cyber Security Industry Alliance (CSIA), an advocacy group dedicated to ensuring the privacy, reliability, and integrity of information systems through sound public policy, technology, education, and awareness. During his government service, Paul was Special Assistant to the President and Senior Director for Critical Infrastructure Protection on the White House’s Homeland Security Council (HSC). He joined HSC from the National Security Council (NSC), where he was both Senior Director for National Security in the Office of Cyberspace Security and a member of the President’s Critical Infrastructure Protection Board. He served as an NSC Director for Counterterrorism from 1999-2001, and helped manage the response to the 9/11 terrorist attacks. Before the NSC he had a long career in the State Department, specializing in non-proliferation policy and strategic arms control. Paul earned his bachelor’s degree from Holy Cross College and his master’s in international public policy from the Johns Hopkins University’s School of Advanced International Studies.
Chairman of the CSA Board | VP Global Security & Privacy, Catalina Marketing
Dave Cullinane is the Chairman of the Cloud Security Alliance – a global alliance of industry security professionals created to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. Dave is also the Founder of TruSTAR Technology – designed to effectively address cybercrime through shared intelligence and preventive actions. Dave was the CISO and VP of Global Fraud, Risk and Security for eBay for 5+ years. Prior to joining eBay, Dave was the CISO for the sixth largest bank in the United States and the largest Thrift in the world. He is a member of the Information Security and Privacy Advisory Board that advises NIST, the Secretary of Commerce and the Director of the Office of Management and Budget on information security and privacy issues pertaining to Federal Government information systems. He is a founding member of the Global Security Risk Management Alliance. The Alliance strives to provide an emerging and collective global view of the management of all security risk.
Dave has more than 30 years of security experience and has been awarded the Certified Information Systems Security Professional (CISSP), Certified Business Continuity Professional (CBCP) and Certified Protection Professional (CPP). He is the past President and past Chairman of the IT-ISAC – an organization for sharing security related information across companies in the IT industry. He served as a member of the IT Sector Coordinating Council and the National Council of ISACs. He is an ISSA Fellow, and has been elected to the ISSA Hall of Fame. He is a member of the International Association of Privacy Professionals, served on ASIS International’s CSO Roundtable Committee and served on the Editorial Advisory Board of CSO Magazine and SC Magazine. He was awarded SC Magazine’s Global Award as Chief Security Officer of the Year for 2005 and CSO Magazine’s 2006 Compass Award as a “Visionary Leader of the Security Profession.” In 2012 he was awarded SecureWorld’s first Lifetime Achievement Award for his outstanding contributions to the advancement of the information security community.