I recently had the opportunity to host a panel discussion with two good friends and colleagues on topics and trends in the threat intelligence landscape. Michael Anderson, VP of Partnerships at Intel 471, and Tommy McDowell, General Manager at Celerium, brought valuable insight and experience from their current positions within our industry, as well as decades of intelligence experience from time spent on the defender, vendor, and sharing community fronts.
Audience discussion, questions and overall participation covered a wide variety of items, but they can be consolidated into two topics: the evolution of intelligence sharing, and the role of intelligence within an organization.
In this two-part blog series I will cover the evolution of sharing in more detail.
Part I – Evolution of Sharing
ISACs and ISAOs have done a lot to break the ice and pave the way for sharing between companies, as well as between the public and private sectors; however, there is still significant room for improvement. Over the past few years, membership in organized sharing communities has continued to climb, but a skewed relationship still exists between those who actively share and those who passively consume that shared data. The shared data has been immensely valuable in identifying trends and bolstering members with constrained resources or lower maturity. However, the ROI on this model of sharing is not equal across the community base.
What we are beginning to see is diversification of sharing community memberships across enterprises, as well as a movement towards collaboration rather than just sharing of intelligence. Companies are increasingly participating in more than one formal community, such as an ISAC, and joining more focused ISAOs or creating informal ‘micro-exchanges’ of 2-5 industry peers. An example is a healthcare organization that participates in the Health-ISAC but is also a member of a smaller healthcare and/or regional cross-vertical ISAO.
Within these communities, the volume of intelligence sharing is increasing, but the quality remains somewhat limited and is largely constrained to IOCs or phishing attempts. This isn’t to say that this method of sharing isn’t valuable to some members, but other members are beginning to seek more meaningful collaboration. There is a tremendous difference between sharing and collaborating – although we often see those words used interchangeably in conversations these days.
Sharing communities have begun creating dedicated working groups or special interest groups, consisting of a limited and more exclusive member base focused on actively working together to create shared products or insight on topics such as threat actors and campaign analysis and tracking. The interaction and output here are significantly different from the more basic exchange of indicators or STIX packages.
Another twist we’ve seen vis-à-vis sharing is the implementation of quality and quantity standards for sharing community participation. A prominent example is the Cyber Threat Alliance’s scoring system for intelligence sharing, which encourages the sharing of not just indicators but the context around those indicators, values uniqueness, and leads toward a more equal relationship among all members.
The need for collaboration – both within our own organizations and across communities – will continue to grow, as will the need for us to find ways to improve how we do it and how we can make it more meaningful. It’s always great to hear from others on this topic, so share your thoughts or experiences in the comments below and let’s keep the conversation going.
Next week, in Part 2, I’ll be talking about the role of intelligence within the enterprise, so check back with us!