We all learned the importance of sharing in kindergarten, yet in the world of cybersecurity, many enterprises still prefer to go it alone. But as attackers become more organized, and coordinated, it’s urgent that we change this mindset and collaborate more effectively to realize the benefits of Collective Defense. The organizations and technology exist for making this happen – now we need to make it a priority.
CISA recently unveiled its first comprehensive strategic plan, and one of its four major goals is “Operational Collaboration” to strengthen critical information sharing nationwide. Closely following this, the White House released a National Security Strategy that calls for “Transformative Cooperation” to solve some of the toughest security challenges we face. According to CISA, “we must enhance multidirectional communications with external partners, including timely incident reporting and the sharing of threats and vulnerabilities.”
The need for better threat intelligence platforms (TIP) seems obvious. As attackers launch increasingly advanced campaigns, they can target thousands of organizations simultaneously, and are very effective at sharing attack vectors and criminal intel across extended networks. While we all hope not to be the first hit by a cyberattack, it’s not an adequate defense strategy to wait until knowledge of the latest exploit trickles down by happenstance.
The Three Musketeers understood Collective Defense. Granted, the threats of 17th-century France moved a bit more slowly than today’s, but the spirit of “one for all, and all for one” still applies. The goal of Collective Defense is to respond immediately when any member of a community is attacked, share details rapidly, and automate responses so no other members of the community remain vulnerable.
While the goals of threat intelligence sharing and TIPs are not new, the organizations and technology required to make security collaboration effective have come a long way. In fact, Collective Defense is not a pipedream – it’s available today. Here are four steps we recommend to start the process of intel sharing or improve on threat-sharing systems already in place.
Step 1: Join an ISAC or ISAO
Since their inception more than 20 years ago, dozens of Information Sharing and Analysis Centers (ISACs) have been organized to provide threat sharing to a range of communities including financial services, healthcare, elections infrastructure, aviation, automotive, education, energy, and more.
Similarly, Information Sharing and Analysis Organizations (ISAOs) have been organized in the public and private sectors to share threat intelligence with a broad range of communities including health insurance networks, national sports organizations, legal services, and more. For example, in 2022, Motorola launched an ISAO for public safety systems. Cyware has been at the forefront of building the technology that the majority of ISACs and ISAOs use to aggregate threat intelligence and disseminate it automatically to their communities. Cyware Threat Intelligence Platform (TIP) has been deployed by over 30 major ISACs/ISAOs, while real-time updates are automatically delivered to over 25,000 member businesses through the Cyware Collaborate (CSAP) platform.
Step 2: Share Bi-directionally
It’s good to receive timely threat intel through a hub-and-spoke model, but the concept of Collective Defense requires sharing in both directions to be effective. While there has been some resistance to sharing intelligence with potential competitors, businesses increasingly recognize that the benefits far outweigh the risks. In practice, sharing outbound safely means marking what you send (TLP is the common convention) and stripping internal identifiers such as victim hostnames and addresses before it leaves your network. While most ISACs encourage bi-directional sharing, it has often been left to the members to manually respond with their own intel.
To support this process, Cyware has built a hub-and-spoke system that enables ISACs and their members to automate intel sharing in both directions. The results improve the quality and timeliness of intel sharing for the entire community.
Step 3: Automate Threat Intel Sharing within Your Organization
Receiving timely and actionable threat intelligence from a sharing community can be invaluable. However, the weak links for many organizations are internal functional silos and cumbersome, manually triggered collaboration tools. For example, while a healthcare provider may receive real-time alerts from Health-ISAC through Cyware Collaborate, SecOps admins often must cut and paste these alerts, share them by email or Slack, and decide on a case-by-case basis who should receive which alerts.
Cyware has addressed this challenge as well by deploying the Collaborate platform within ISAC member networks. The system provides granular controls that automate which groups or users receive specific types of alerts.
Step 4: Automate Response Based on Threat Intel
It’s a common adage in security that intelligence and threat detection only go so far, and how quickly and accurately you respond makes the difference between stopping attacks or being devastated by them. Unfortunately, most enterprises complain that there is too much security noise, requiring excessive manual analysis by overstretched analysts before anyone takes action.
Many SOAR products have emerged to try to improve alert triage and automate response through playbooks. While these can help, most SOAR products only automate predetermined functions and lack the flexibility and intelligence to respond to unpredictable situations (which is most of them…).
In this area, Cyware has also pioneered technology by integrating its threat intelligence platform (TIP), SOAR, case management, and collaboration tools into Cyber Fusion Centers. Leveraging AI and advanced decision automation, these systems ingest threat intel from any source, including ISACs/ISAOs, connect the dots to provide critical context, reduce false positives, and intelligently automate response actions.
For example, a major biotechnology leader has expanded intel sharing internally and with their supply chain, and now has deployed a full Cyber Fusion Center to manage and act upon threat intelligence from end to end.
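The three automation steps above (routing alerts to the right internal group, matching shared intel against your own telemetry, and sending a sighting back to the hub) fit together in one small pipeline. The following is an added example written for this article, not Cyware code and not any ISAC's API; the feed entries, routing rules, confidence thresholds, and log lines are all constructed for illustration.

```python
"""Illustrative intel routing, log matching, and sighting pipeline.

Added example for this article. It is not Cyware code and uses no Cyware API.
Every indicator, rule, threshold and log line below is constructed.
"""
import re
from collections import defaultdict

# Constructed feed entries in the shape a hub might disseminate (not real IOCs).
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90, "tlp": "amber", "tags": ["c2"]},
    {"type": "domain", "value": "update-check.example", "confidence": 70, "tlp": "green", "tags": ["phishing"]},
    {"type": "sha256", "value": "0123456789abcdef" * 4, "confidence": 40, "tlp": "amber", "tags": ["malware"]},
]

# Step 3: routing rules decide which internal group receives which kind of alert.
# First matching rule wins; anything unmatched lands in the SOC triage queue.
ROUTING_RULES = [
    (lambda ind: "phishing" in ind["tags"], "email-security"),
    (lambda ind: ind["type"] in {"ipv4", "domain"}, "network-ops"),
    (lambda ind: ind["type"] == "sha256", "endpoint-team"),
]

def route(indicator):
    """Return the internal group that should receive alerts for this indicator."""
    for predicate, group in ROUTING_RULES:
        if predicate(indicator):
            return group
    return "soc-triage"

# Step 4: extractors pull candidate observables out of raw log lines.
EXTRACTORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}

def decide_action(indicator):
    """Map shared confidence to a response (thresholds are assumptions).

    Low-confidence hits are recorded, not blocked, to keep noise out of the
    automated path."""
    if indicator["confidence"] >= 80:
        return "block"
    if indicator["confidence"] >= 60:
        return "alert"
    return "log-only"

def match_logs(feed, log_lines):
    """Match every log line against the feed; return one record per hit."""
    index = {(ind["type"], ind["value"].lower()): ind for ind in feed}
    hits = []
    for line in log_lines:
        for ind_type, pattern in EXTRACTORS.items():
            for token in pattern.findall(line):
                ind = index.get((ind_type, token.lower()))
                if ind is None:
                    continue
                hits.append({
                    "indicator": ind["value"],
                    "type": ind_type,
                    "tlp": ind["tlp"],
                    "group": route(ind),
                    "action": decide_action(ind),
                    "line": line,
                })
    return hits

# Step 2: sightings go back to the hub. Internal hosts and addresses are
# deliberately left out; only the shared indicator, its TLP marking, and a
# count leave the network.
def build_sightings(hits):
    """Aggregate hits into outbound sighting reports."""
    counts = defaultdict(int)
    tlp = {}
    for h in hits:
        key = (h["type"], h["indicator"])
        counts[key] += 1
        tlp[key] = h["tlp"]
    return [
        {"type": t, "indicator": v, "tlp": tlp[(t, v)], "count": n}
        for (t, v), n in counts.items()
    ]

# Constructed sample telemetry: proxy, DNS and EDR lines.
LOGS = [
    "2024-05-01T10:02:11Z proxy src=10.0.0.21 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:02:15Z dns client=10.0.0.33 query=update-check.example rcode=NOERROR",
    "2024-05-01T10:03:00Z edr host=WS-114 sha256=" + "0123456789abcdef" * 4 + " proc=svc.exe",
    "2024-05-01T10:03:40Z proxy src=10.0.0.40 dst=198.51.100.7 dport=80 action=allow",
    "2024-05-01T10:04:02Z proxy src=10.0.0.21 dst=203.0.113.45 dport=443 action=allow",
]

if __name__ == "__main__":
    found = match_logs(FEED, LOGS)
    for h in found:
        print(f"{h['action']:8} -> {h['group']:15} {h['type']}={h['indicator']}")
    for s in build_sightings(found):
        print("sighting:", s)
```

The design choice worth noting is that the outbound sighting carries the hub's own TLP marking and a count, never the log line, so the report can be shared without leaking which internal hosts were involved.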
Why Should You Share?
Sharing may feel good and be altruistic, but it’s also okay to share threat intel for purely selfish reasons. Collaboration with other organizations will directly improve the security of your business. Receiving timely, frontline intelligence from peers throughout your industry gives you the jump you need to alert your organization and orchestrate an intelligent response. And the next time you get hit first, you’ll be glad that others in your community have your back.
With over twenty years of cybersecurity experience, Willy focuses on product innovation, close collaboration with enterprise customers, and delivering effective security solutions. He has extensive experience in many security domains including threat intelligence, security automation, cloud data protection, authentication, and encryption.