Adequate Attack Data and Threat Information Sharing No Longer a Luxury

November 15, 2012

Michael Mimoso

BOSTON – While some industry groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and cross-industry groups such as the Advanced Cyber Security Center (ACSC) facilitate the exchange of threat information, for the most part organizations are still hamstrung by legal constraints and other business factors that prevent an adequate flow of actionable information.

Yet more than ever, enterprises and government agencies need adequate data on attacks in order to have any hope of keeping up in the rat race that is today’s threat landscape. The inherent weaknesses in signature-based tools have been exposed by attackers who are more nimble than those defending corporate networks as they are currently architected. Intelligence, experts said Thursday at the ACSC Annual Conference, must be the backbone of policy and new security technology.

“Attackers have better sharing networks,” said Tom Heiser, president of RSA Security. “The complexity of the privacy laws we must follow as well as legal liabilities are tying our hands. We must find a way to increase our sharing and the visibility of networks while still protecting the privacy of our citizens.”

With groups such as ACSC, which hosts bi-weekly Cyber Tuesday meetings where representatives from 30 of its member organizations meet inside a secure room at the Federal Reserve Bank to exchange threat intelligence, there are efforts under way to facilitate this exchange without a mandate from government for example. And as more boards of directors ask harder questions about information security and threats to the overall business, it’s imperative that executives have an answer and best practices to implement that cut across all industries.

“We need vertical and horizontal sharing,” Heiser said. “And researchers need to share too. Too often, their efforts are still stove-piped.”

Another meme bandied about Thursday’s event was the need for all aspects of the business to be well versed in information security and risks to the business.