A perplexing question for those in IT security is why so many in government are pushing for “information sharing” as their solution to the cyber crisis.
The crisis is apparent and shows up as the preamble to every proposed bill and National Cybersecurity Strategy.
But what about information sharing? If one were to create a prioritized list of actions Congress could take to reduce the exposure to cyber attacks of critical infrastructure such as energy, transportation, and communications, it may look something like this:
1. Require utilities, oil and gas pipelines, and critical manufacturing to engage in good endpoint hygiene, including patch management, vulnerability scanning, and whitelisting of applications. There is, after all, some indication that a worm infecting endpoints may have exacerbated the great blackout of 2003.
2. Require critical infrastructure to engage in regular security assessments.
3. Perform continuous network monitoring.
4. Deploy two-factor authentication for administration of servers.
5. Perform code reviews of software used to maintain critical infrastructure.
6. Practice strict air-gap segmentation of critical networks from public networks.
7. Deploy firewalls at every gateway to third parties and review firewall policies.
But no, Mike Rogers, retiring chair of the House Intelligence Committee, argues that without real-time information sharing, U.S. companies cannot adapt and respond to cyber attackers’ constantly changing tactics. Rogers has been pushing for CISPA (Cyber Intelligence and Sharing Protection Act) for years now. The bill in its many forms seeks to:
- Allow the Federal government to provide classified cyber threat information to the private sector to help American companies better protect themselves from advanced cyber threats;
- Empower American businesses to share cyber threat information with others in the private sector and enable the private sector to share information with the government on a purely voluntary basis, all while providing strong protections for privacy and civil liberties;
- Provide liability protection for companies acting in good faith to protect their own networks or share threat information.
First of all, what is keeping the government from sharing cyber threat information? Is a new law required, or should they take another look at the government’s overly aggressive stance on classifying threat information? If there were a threat against the power grid, why would they withhold that information? Is a law really needed to expand the security clearance bureaucracy that has been demonstrated to be drastically flawed? Couldn’t the president use his pen to issue an Executive Order that declassifies known bad IP addresses and key Indicators of Compromise (IoC)?
Second, real-time information sharing is already an indispensable component of a myriad of security products used by most organizations. A few examples:
Users of McAfee’s IPS products take advantage of McAfee’s Global Threat Intelligence network to get near real-time updates. Data is collected from a global network of participating devices and assigned a threat score based on association with bad behavior such as participation in a botnet or DDoS attack. IPS administrators can use these threat scores to determine what action to take based on policy.
Juniper Networks is another vendor that has incorporated IP reputation into their IPS appliances. Each deployed appliance can report back to the cloud new suspicious sources of attacks that get incorporated into the threat database and pushed to all appliances that are subscribed to the service.
The HP TippingPoint Reputation Digital Vaccine (RepDV) is a product of HP DVLabs. Globally deployed sensors in their ThreatLinQ network as well as customer IPS appliances participate in providing a constant stream of known attacks and misbehavior on the part of IP addresses.
Cisco derives reputation from its Sensor Base: all the IPS, firewall, web proxies, and IronPort gateways that have enrolled. The assigning of reputation scores from 1-10 is done automatically in the Cisco Security Information Operation (SIO), a cloud hosted database of signatures and reputations.
Practically every Secure Web Gateway, from Bluecoat, Fortinet, Webroot Software, and dozens of others, takes advantage of information sharing to quickly identify and score new websites.
Any Anti-Virus product is an example of information sharing. The AV vendor develops and deploys tens of thousands of new signatures to every endpoint every day.
Aside from all the products that most organizations have already deployed, there are already communities established for information sharing. The Information Sharing and Analysis Centers (ISACs) comprise fifteen member ISACs, with the Financial Services ISAC having the best reputation for effectiveness.
Commercial information sharing hubs are being developed too. RedSky Alliance is a paid membership organization. Members get research reports and analysis of attacker identities and methodologies.
Subscription services for threat intelligence are available from Threatgrid, Lastline, and others. In-depth threat actor ‘play books’ are available from iSIGHT Partners.
Why is Congress spinning its wheels on information sharing when it is already a widely deployed component of the IT security ecosystem?