101 to Cyber Information Sharing

By Aviram Zrahia posted 05-27-2015 03:27


The emergence of the cyber threat phenomenon is forcing organizations to change how they think about security in many ways. One of these changes refers to organizations’ policy on sharing cyber related information with outside parties, while creating a collaborative effort to fight the cyber war. Such sharing, represents a shift in the legacy information technology paradigm of security silos, and creates a complex, multifaceted challenge to technology, law, organizational culture, privacy and even politics.


Sharing organizational cyber information is the communication of information regarding an organization’s security to an external party that results in gain for the sharing and receiving party alike. The challenges posed by innovative attack methods, such as the Advanced Persistent Threat (APT), reduce the effectiveness of traditional security mechanisms. To a certain extent, an inter-organizational cyber information sharing infrastructure can help the identification of an attack or attacker in a given organization, and once mitigated the details of the attack and/or the inoculation can be distributed to other organizations to help prevent similar attacks.


Furthermore, related academic researchers such as “Sharing information on computer systems security: An economic analysis” (Gordon, Loeb & Lucyshyn 2003), showed that companies which shared information spent less money on security systems to reach the same level of protection attained by companies that did not share information - a direct cost saving.


Evolving implementations and standards


The last two years have seen an increase in the sharing trend as regulatory and law enforcement bodies, both local and international, are promoting this trend by means of incentives, guidelines and legislation. One example, which also raised a lot of attention among the privacy activists, is the Cybersecurity Information Sharing Act of 2014 (CISA) legislation advanced by the US government with the purpose of allowing private and public companies, in the context of cyberwar, to share information in real time with the government, law enforcement and intelligence agencies without risking lawsuits for violating secrecy or privacy. Concurrently, technological models for building the sharing infrastructure are addressed in academic research, best practice methodologies such as NIST Special Publication 800-150 are introduced, and standardization efforts are being developed.


The sharing model may exist within the same vertical market, across different sectors, between commercial enterprises and government bodies, and even between countries. A visible example is any of the Information Sharing and Analysis Center’s (ISAC) which were established years ago in the US, for selected vertical sectors such as healthcare, finance, telecommunication, and more. Another example, for an effort between countries, is NATO’s Consultation, Command and Control (C3) Cyber Security Data Exchange and Collaboration Infrastructure (CDXI) prototype aimed to facilitate information sharing and enable automation between its allies. In addition, commercial solutions for crowd-sourced threat intelligence sharing such as Facebook’s ThreatExchange are evolving to satisfy the growing trend.


All these sharing infrastructures and others, are either based on proprietary technology / API or on evolving protocols and formats still in the process of standardization, with the hope they will all eventually interoperate. The standardization effort adopted by the U.S. Department of Homeland Security (DHS), involves a family of protocols and formats such as STIX™, TAXII™, and CyBOX™, to allow the automation of cyber information sharing infrastructure. Another standardization effort called CYBEX X.1500 is led by ITU-T and used by NATO’s CDXI prototype.


The architecture of the solution and the developing standards should, in the future, make it possible to create a technological structure connecting organizations while keeping their assets separate. Most probably they will also support links among separate sharing systems that can connect one another into a hierarchic structure of information, such as sharing within a market segment that will interface into cooperation at the national level. However, until this vision will become reality, some solutions like the one offered by Juniper below should be deployed.


How can Juniper Networks help?


Although standardization for cyber sharing is advancing and some implementations already exist, this field hasn’t come of age yet. To overcome the current market shortcomings, Juniper has developed a unique technical solution to the sharing challenge which allows customers to build their own cyber information sharing infrastructure today.


The offering is based on Spotlight Secure Threat Intelligence Platform which aggregates threat feeds from multiple sources to deliver open, consolidated, actionable intelligence to Juniper Networks SRX Series Services Gateways (next generation firewall) across the organization. These sources include Juniper threat feeds from our own cloud-based service, third-party threat feeds, and threat detection technologies that the customer can deploy. Administrators are able to define enforcement policies from all feeds via, Juniper Networks Space Security Director, a centralized management point for the SRX Series.


Customers can utilize the advanced protection available using Juniper Spotlight Secure threat intelligence platform for a variety of use cases, including protection from advanced malware (related to Command and Control botnet activity) at an enterprise edge central HQ and/or remote locations, Web application protection for critical business applications in the data center and to enforce policies for monitoring and controlling traffic from specific countries. In addition, customers can integrate custom or third-party feeds, and other advanced protection technologies into Spotlight Secure for protection against threats specific to their industry or vertical. Financial and government verticals often have specific feeds that they need to use for compliance and security needs, and being able to use an OPEN threat intelligence platform to consolidate such feed data for policy enforcement can be highly beneficial.


Final thoughts and insights


We are fighting an asymmetric cyber war where the attackers have the upper hand is many areas. One of them is the fact they are sharing information and cooperating between them while the defenders usually work in silos. As described in the “Markets for Cybercrime Tools and Stolen Data” study Juniper has conducted with RAND Corporation, the attackers maintain a flourishing, structured community with internal order and a supporting system of financing, allowing easy, rapid sharing of attack information. It seems that the realization of the community model on the defensive side and transitioning from a paradigm of isolated organizations to an information sharing initiative will lead to better results in protecting the organizations assets. In a broader view, one of the most significant resources coming into being in the 21st century is the wisdom of crowds as demonstrated in many fields, and in this sense, cyberspace is no exception.

The transition to models of sharing is supported by the congruence of interests of most market forces involved, including regulatory bodies, governments, law and intelligence agencies, solution manufacturers and service provides, and of course the organizations themselves. The value of sharing with external elements is, among other things, a product of the inability of the isolated organization to fight the cyberwar on its own. According to related academic researches, sharing contributes not only to significantly strengthening the security posture of the organization and its survivability, but also to the organization’s business success as it saves on both CAPEX and OPEX investments, it might be granted preferential treatment by the regulatory bodies, and more.


The argument between the supporters and opponents of information sharing, and the legislative process that allows for such sharing to happen, will continue. However, the question that must be asked remains: is there any paradigm in the world of information technology that would allow dealing with current and future cyber challenges without the need for sharing, or is there no real choice but to join forces in the battle and rapidly adopt uniform standards for a sharing infrastructure? Either way, such an infrastructure must maintain a balance between individual rights and the state’s ability to defend its infrastructures, assets and citizens.


For more on the topic refer to the full article “A Multidisciplinary Analysis of Cyber Information Sharing” as published in the Military and Strategic Affairs program of INSS.