What is an Information Sharing and Analysis Organization (ISAO)?
An Information Sharing and Analysis Organization (ISAO) is a threat intelligence sharing community for organizations with common cybersecurity concerns and similar risk environments.
ISAOs may choose to function as either for-profit or nonprofit entities and can be formed on the basis of industry sector, geography, or “any other affinity, including in response to particular emerging threats or vulnerabilities.” ISAO community Members, also referred to colloquially as Members, may be drawn from either the private or the public sector, or both.
The concept was first introduced in a US government Executive Order (EO) on promoting private sector cybersecurity information sharing, in 2015. The EO strongly encouraged the voluntary formation of “organizations engaged in the sharing of information related to cybersecurity risks and incidents”. This would both help individual member organizations strengthen their security posture, and improve the collective cybersecurity of the United States by addressing cyber threats to critical infrastructure, essential services, public health, and national security.
What is the difference between an ISAO and an ISAC?
While ISACs are specific to an industry or sector and focused on cybersecurity collaboration for protecting critical infrastructure, ISAOs can be created for all kinds of cyber threat information sharing, with membership drawn from any sector or interest group. The purpose and membership requirements of an ISAO are determined by the ISAO itself, and its style of functioning can be more flexible than that of an ISAC. Furthermore, many large enterprise conglomerates, industry, and interest groups are forming their own ISAOs to foster security collaboration through bidirectional threat intelligence sharing.
Why is Cybersecurity Collaboration Important?
Cyber threats today are not isolated by perimeters: a single successful attack on a single company can have an impact that spans organizations and governments across sectors and geographies. Computing activities and day-to-day operations in organizations are increasingly internet-dependent, which means that they rely on a common underlying IT infrastructure with multiple connected components. One of the consequences of this growing interconnectedness is that neither industry nor government can function in isolation when fighting sophisticated adversaries. To get wider visibility into an expanding attack surface and proactively mitigate attacks backed by nation-states or well-funded criminal groups, both private and public organizations need to collaborate and share cyber threat information in real time.
Creating Your Own Information Sharing Community (ISAO)
ISAOs were envisioned as trusted cyber intel sharing and collaboration communities that organizations could join to draw from a common pool of threat intelligence and cybersecurity expertise. Because ISAOs have the flexibility and freedom to determine their own goals, business models, and operating styles, they are simpler to form and manage than other, more strictly monitored, and controlled sharing networks. In this guide, we’ve put together a short list of foundational, operational, and organizational factors to keep in mind when planning a new ISAO. If you are planning to start your own ISAO, treat this as a starting point or a basic checklist to make sure you’ve thought everything through before formally launching your sharing community.
Vision, Mission, and Purpose
Start by clearly defining the purpose of your ISAO. On what basis will it be formed? ISAOs, unlike ISACs, don’t need to be industry-specific. While it may be sector-specific, it can also have a narrower or a wider focus, such as:
- a specific threat or risk factor,
- a common geographical region,
- a large business and its subsidiaries (conglomerates),
- an organization and its extended supply-chain partners.
Once the common uniting factor is established, determine the purpose and goals of the ISAO. There needs to be a larger vision for the ISAO which is shared by all its members, and more specific goals and outcomes that can be measured periodically. A new ISAO must also differentiate itself from other groups in the same space that are catering to similar needs.
Membership Criteria and Vetting Mechanisms
Membership criteria will flow from the overall purpose and expected outcomes of information sharing via the ISAO. Members are drawn from the specific industry, interest group, region, or community that the ISAO is catering to, but there also need to be more specific membership criteria like whether it will be open to just organizations or also individuals, or the size of member organizations and their capacity to contribute or participate. Many ISAOs also require organizations to fulfill certain security compliance requirements to become members.
Value Proposition for Members
The benefits of the ISAO and information sharing, in general, must be clearly understood and communicated to potential member organizations. What value will the ISAO provide to individual members and how will its effectiveness be measured? The core benefits of membership like information and resources that will be provided to members that they cannot source from elsewhere, capacity-building initiatives that the ISAO will organize, and real-time collaboration options need to be clearly documented.
In addition to information sharing, ISAOs can build programs for members’ capacity building, provide mentorship and training, and organize joint learning exercises with the whole group to both increase engagement and help members create more effective security programs. Some ISAOs may also offer collaboration platforms to members for support during ongoing threat resolution (collaborative threat response).
Conditions for Continued Membership
New ISAOs may either choose to be flexible about member participation expectations or institute strict requirements for regular information sharing and engagement in order to maintain continued membership. Contributions and expected participation may also depend on membership tiers, if there are any. There may or may not be membership fees. Some ISAOs base membership tiers on fee structure, with non-paying members getting limited access to services and benefits, and paying members getting the whole suite. Tiers may also be based on contributions, participation, and research sharing capacity.
A Formal Governance Structure
A governance structure provides a foundation for effective decision-making at all levels and ensures accountability and transparency among those managing the community. Even small ISAOs benefit from a formal governance model that organizes operational, financial and risk management, and conflict resolution processes. Conflict resolution is especially important for ISAOs because they bring together a large and varied set of member organizations that may have different needs and priorities. All of the members’ different approaches may need reconciliation from time to time.
Nature of Threat Intelligence to be Shared
The nature and types of threat intelligence shared by an ISAO are determined by the purpose of sharing and members’ needs. The ISAO management will need to decide on sources of relevant intelligence other than information about incidents, events, and threats that are received from member organizations. The ISAO also needs to make sure that the intel provided is relevant to each tier of member organizations and that organizations of all sizes can use it for improving their individual security outcomes.
Threat Intelligence Sharing Models and Technologies
Along with the types of cyber threat intelligence to be shared, ISAOs need to consider the different ways in which information will be disseminated, and what technologies will be needed to do this effectively. Different ISAOs use different sharing models to ingest cyber threat intelligence from and disseminate usable intel to member organizations. One of these is the hub-and-spoke model, where the ISAO acts as the central hub for intel aggregation from different sources including member organizations. The aggregated intel, after analysis and enrichment, is disseminated to member organizations (the “spokes” in this case).
Information being shared must also be tagged and categorized using the traffic light protocol (TLP) or other commonly used classification methods, and sensitive intelligence must be masked or anonymized. A new ISAO will need to establish mechanisms to do this right at the outset. It may also leverage a platform that automates much of the information aggregation, analysis, and sharing in real time, with features to allow collaboration and crisis alerting.
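The hub step described above, as an added example that is not part of the original article or of any vendor's product: the hub anonymizes each member submission and routes it by its TLP label, failing closed when a label is missing or unknown. The audience ceilings, field names, key and sample reports are assumptions constructed for illustration.

```python
import hashlib
import hmac

# TLP 2.0 labels, least to most restrictive.
TLP_ORDER = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]
# Assumed hub policy: strictest label per audience; AMBER+STRICT and RED stay with hub analysts.
CEILING = {"public": "TLP:CLEAR", "partners": "TLP:GREEN", "members": "TLP:AMBER"}
# Assumed field names that identify the submitter or its environment.
SENSITIVE = {"submitter", "contact", "internal_hostname"}
HUB_KEY = b"constructed-demo-key"  # placeholder; a real hub keeps this secret

def normalise_tlp(label):
    """Map TLP 1.0 WHITE to CLEAR; missing or unknown labels fail closed to RED."""
    label = (label or "").strip().upper().replace("TLP:WHITE", "TLP:CLEAR")
    return label if label in TLP_ORDER else "TLP:RED"

def anonymise(report, key=HUB_KEY):
    """Drop identifying fields; keep a keyed pseudonym so sources stay linkable."""
    clean = {k: v for k, v in report.items() if k not in SENSITIVE}
    mac = hmac.new(key, report["submitter"].encode(), hashlib.sha256).hexdigest()
    clean["source"] = "member-" + mac[:12]
    clean["tlp"] = normalise_tlp(report.get("tlp"))
    return clean

def audiences_for(tlp):
    """Audiences whose ceiling is at least as restrictive as the label."""
    rank = TLP_ORDER.index(normalise_tlp(tlp))
    return sorted(a for a, c in CEILING.items() if TLP_ORDER.index(c) >= rank)

def disseminate(reports, key=HUB_KEY):
    """Hub step: anonymise each spoke's submission, then route it by TLP."""
    outbox = {audience: [] for audience in CEILING}
    for report in reports:
        clean = anonymise(report, key)
        for audience in audiences_for(clean["tlp"]):
            outbox[audience].append(clean)
    return outbox

# Constructed submissions: invented members, documentation-range addresses.
SAMPLE = [
    {"submitter": "Example Bank", "contact": "soc@bank.example",
     "tlp": "TLP:GREEN", "indicator": "198.51.100.7"},
    {"submitter": "Example Bank", "tlp": "tlp:white", "indicator": "malware.example"},
    {"submitter": "Example Utility", "internal_hostname": "hmi-01",
     "tlp": "TLP:AMBER", "indicator": "203.0.113.9"},
    {"submitter": "Example Utility", "indicator": "192.0.2.44"},  # no label
]
if __name__ == "__main__":
    print(disseminate(SAMPLE))
```

The unlabelled fourth report reaches no audience, which is the behaviour a hub wants when a submitter forgets to classify: it waits for an analyst rather than leaking by default.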
Establishing Trust Among Members
In any information sharing community, especially where the nature of the threat intelligence shared is sensitive or can be used to harm an organization in any way, there need to be clearly defined mechanisms (such as non-disclosure agreements) to maintain confidentiality and anonymity where necessary. The ISAO must provide clear data handling, protection, and usage terms so that members are not hesitant to share information. Clear rules regarding whether shared data can be further disseminated to non-members, and under what circumstances, are especially important.
It also helps to start small, as it’s easier to build and maintain trust in a smaller community than in a larger network. However, this may also limit the amount and types of information being shared and will not be possible for many ISAOs.
One way to build trust is to organize participative activities like joint tabletop exercises, industry events, conferences, and meetings where possible. Greater face-to-face interaction among members increases their willingness to share information while also increasing engagement in general.
Collaboration with Other Sharing Communities
The ISAO, at the inception stage, must decide on whether or how it will collaborate with other ISAOs and information sharing communities such as ISACs. With digital interdependencies introducing more unknown elements into organizations’ attack surfaces, and IT-OT convergence exposing critical infrastructure and essential services to advanced risks, cross-sectoral collaborations are becoming more important. During the initial stage, an ISAO may look to other ISAOs or ISACs for mentorship and guidance. As it progresses, it will continue to benefit from the collective intelligence, capabilities, and shared knowledge base of a wider network of communities. Additionally, the ISAO will need to consider how it will interact and engage with government agencies and law enforcement.
Business Model and Financial Management
ISAOs may choose to function as either non-profit or for-profit entities. In either case, a new ISAO will need to plan for long-term and short-term expenditures (technology acquisition and maintenance, office space, promotion costs, licenses and accreditations, ongoing operational costs, and more) and how the organization will be funded. Some of these costs can be met through membership fees (if any), member contributions, and funding from elsewhere. ISAOs may also choose to offer services and create a self-sustainable model that removes the need for public funding or contributions.
The Initial Steps and the Way Forward
ISAOs at their inception stage must plan and prepare well before getting down to business, but while a well-thought-through plan is critical to early success, almost every component of it will evolve as the ISAO matures. New ISAOs must expect change and grow as membership increases, as member needs change, and the threat landscape evolves. To this end, ISAOs can build mechanisms to periodically assess members’ needs and refine processes accordingly.
It also bears repeating that trust is the foundation of successful collaboration, especially in the information security space. If the member organizations in an ISAO lack mutual trust or are unsure of how their information will be protected, they may not contribute enough to the initiative, rendering it less effective. That is why it is critical to establish mechanisms for information protection and confidentiality right at the outset, while actively working on trust building via ongoing collaborative activities among members.
Build Your Own Information Sharing Community with Cyware's Solutions
Cyware’s threat intelligence sharing solutions enable technology-driven, real-time security collaboration for more than 20 large information sharing communities (ISACs and ISAOs) across industry sectors. The Cyware Situational Awareness Platform (CSAP) is designed for real-time threat alert sharing and collaboration within and across organizations and communities in a secure and trusted environment. The platform allows organizations to build trusted sharing communities and helps enhance situational awareness for improved predictive capabilities and proactive defense. Cyware also recently launched the industry’s first automated ISAC-to-ISAC security collaboration initiative to remove barriers to cross-sectoral intel sharing. While CSAP is ideal for strategic threat intelligence sharing, ISAOs can also consider Cyware’s Threat Intelligence eXchange platform, CTIX, for technical and tactical micro-intelligence sharing among members using a hub-and-spoke model. To learn more about Cyware’s security collaboration solutions for ISAOs and ISACs, book a free demo with us.