With each day, cyberspace grows larger, more complex, and more integral to our societies and economies. The increased dependence on the Internet means that incidents that would have been merely annoying fifteen years ago can now cause catastrophic damage. Cybersecurity has made a parallel transition, shifting from a “nice to have” to a “really should have” to a mission critical “must have.”
However, the cybersecurity of our digital ecosystem is not increasing as fast as one might think given this broad agreement about its criticality. While multiple factors hinder effective cybersecurity, one characteristic of the cybersecurity industry makes it harder – a highly fragmented market. The Cyber Threat Alliance (CTA) was created to help mitigate this problem.
The cybersecurity industry evolved through individual entrepreneurs developing point solutions to point problems. While some large integrators have emerged in recent years, venture capital funders understand the point solution model and the ecosystem largely reinforces it. The result is a cybersecurity market consisting of thousands of companies, fielding a bewildering array of technologies and services, few of which interoperate. Even for experienced cybersecurity practitioners, managing this complexity is a daunting task. Inevitably, the patchwork of tools, technology, services, and people that organizations assemble to defend themselves leaves gaps and seams which malicious cyber actors exploit. They rely on the fact that sharing intelligence across these products and services is difficult, which gives them more time to keep using tools and techniques after those have been exposed.
Many individuals across the industry work hard to close these gaps. They share information with their peers at the individual level, they create formal and informal sharing relationships among companies, and everyone agrees in principle that more sharing would be good. Yet the scope, scale, speed, and sustainability of these efforts are not sufficient to meet the threat.
That’s where CTA comes in. It is designed to meet the challenge of scope, scale, speed, and sustainability across organizational boundaries. For example, our 33 members now share more than 200,000 contextualized malicious indicators per day through our automated system; the indicators include 11 different types, while the context ranges from kill chain phase to the industry where the indicator was found. We use standard formats, languages, and interfaces for our automated sharing.
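As an added illustration, not code from the original post or from CTA's own system, here is how contextualized indicators of the kind described above can be represented and indexed when the standard format is STIX 2.1. The post does not name the format, so that choice, the sample bundle, the sighting-to-identity convention used for sector context, and all helper names are assumptions made for this example:

```python
import re
from collections import Counter, defaultdict


def _sid(kind, n):
    """Build a STIX-style identifier (UUIDs here are placeholders for the example)."""
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"


# Constructed STIX 2.1-style bundle: sample data invented for this example, not
# CTA's feed. Kill chain phase is a standard indicator property; the industry
# where an indicator was seen is expressed with a sighting whose
# where_sighted_refs point at an identity object carrying "sectors".
KILL_CHAIN = "lockheed-martin-cyber-kill-chain"
BUNDLE = {
    "type": "bundle", "id": _sid("bundle", 1),
    "objects": [
        {"type": "identity", "id": _sid("identity", 10), "identity_class": "class",
         "name": "Financial sector victims", "sectors": ["financial-services"]},
        {"type": "identity", "id": _sid("identity", 11), "identity_class": "class",
         "name": "Healthcare victims", "sectors": ["healthcare"]},
        {"type": "indicator", "id": _sid("indicator", 20), "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.test']",
         "kill_chain_phases": [{"kill_chain_name": KILL_CHAIN, "phase_name": "command-and-control"}]},
        {"type": "indicator", "id": _sid("indicator", 21), "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.10']",
         "kill_chain_phases": [{"kill_chain_name": KILL_CHAIN, "phase_name": "command-and-control"}]},
        {"type": "indicator", "id": _sid("indicator", 22), "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
         "kill_chain_phases": [{"kill_chain_name": KILL_CHAIN, "phase_name": "delivery"}]},
        # A compound pattern: the simple parser below must not silently drop it.
        {"type": "indicator", "id": _sid("indicator", 23), "pattern_type": "stix",
         "pattern": "[url:value = 'http://update.example.test/a'] AND [ipv4-addr:value = '198.51.100.7']",
         "kill_chain_phases": [{"kill_chain_name": KILL_CHAIN, "phase_name": "delivery"}]},
        {"type": "sighting", "id": _sid("sighting", 30), "sighting_of_ref": _sid("indicator", 20),
         "where_sighted_refs": [_sid("identity", 10)]},
        {"type": "sighting", "id": _sid("sighting", 31), "sighting_of_ref": _sid("indicator", 21),
         "where_sighted_refs": [_sid("identity", 10), _sid("identity", 11)]},
    ],
}

# One comparison expression only: [<object-type>:<property> = '<value>']
_SIMPLE = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'\]$")


def parse_simple_pattern(pattern):
    """Return (observable_type, property, value) for a single-comparison STIX
    pattern, or None for anything richer (AND/OR, MATCHES, time windows).
    Richer patterns need a real pattern evaluator; the caller reports them
    instead of losing them."""
    m = _SIMPLE.match(pattern.strip())
    return m.groups() if m else None


def index_bundle(bundle):
    """Flatten indicators into rows carrying type, value, phases and sectors."""
    objs = {o["id"]: o for o in bundle["objects"]}
    sectors_for = defaultdict(set)
    for o in bundle["objects"]:
        if o["type"] == "sighting":
            for ref in o.get("where_sighted_refs", []):
                ident = objs.get(ref)
                if ident and ident["type"] == "identity":
                    sectors_for[o["sighting_of_ref"]].update(ident.get("sectors", []))
    rows, unparsed = [], []
    for o in bundle["objects"]:
        if o["type"] != "indicator":
            continue
        parsed = parse_simple_pattern(o["pattern"])
        if parsed is None:
            unparsed.append(o["id"])
            continue
        obs_type, prop, value = parsed
        rows.append({
            "id": o["id"],
            "indicator_type": f"{obs_type}:{prop}",
            "value": value,
            "phases": [p["phase_name"] for p in o.get("kill_chain_phases", [])],
            "sectors": sorted(sectors_for.get(o["id"], ())),
        })
    return rows, unparsed


def count_by_indicator_type(rows):
    return Counter(r["indicator_type"] for r in rows)


def values_for_phase(rows, phase):
    return sorted(r["value"] for r in rows if phase in r["phases"])


def values_for_sector(rows, sector):
    return sorted(r["value"] for r in rows if sector in r["sectors"])


if __name__ == "__main__":
    rows, unparsed = index_bundle(BUNDLE)
    print(dict(count_by_indicator_type(rows)))
    print("C2 indicators:", values_for_phase(rows, "command-and-control"))
    print("seen in healthcare:", values_for_sector(rows, "healthcare"))
    print("need a full pattern evaluator:", unparsed)
```

The point of the two context dimensions is that a consumer can pull, say, only command-and-control indicators, or only what has been sighted against its own sector, rather than loading every shared indicator into a blocklist. The compound-pattern case is deliberately surfaced rather than skipped: a feed consumer that quietly discards patterns it cannot parse would under-report coverage without anyone noticing.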
Automation is only one tool we use to meet the fragmentation challenge. We also enable analytic sharing at human speed. Three to four times per week, one of our members will provide other members with an early look at research papers, blogs, or threat reports they plan to publish. Our researchers and analysts meet virtually on a regular basis to exchange ideas and build relationships. We maintain regular instant messaging and email distribution channels. These activities also reduce the fragmentation.
Our business rules and organizational structure also contribute to intelligence sharing. The business rules are designed to ensure equity among our members and provide assurance that every participant is contributing. As a non-profit, we are an independent, neutral party. Beyond that, CTA’s permanent staff relentlessly focus on maintaining, growing, and improving our sharing activities as their primary job. The resulting trust, independence, and focused analysis allow our sharing to grow and become more valuable over time. CTA enables information to flow across organizational boundaries in a way that can make everyone more effective at closing gaps and seams – and more competitive, too.
We will turn five years old at the end of January 2022. Although five years may not be a long time in some ways, that time span amply demonstrates that CTA’s model is sustainable. As we head into 2022 and look forward to our sixth year, CTA will continue its efforts to make intelligence sharing work. If we can enable the right information to flow across these boundaries, we can turn the weakness created by fragmentation into a strength. Instead of finding exploitable seams, malicious actors will face highly adaptable, multi-faceted defenders, using their multiple viewpoints and distributed nature to generate capabilities far in excess of the sum of the parts. That’s a goal worth working towards.