The Value of Collaborative Threat Intelligence Sharing
In today’s digital economy, speed and efficiency are essential. So is the ability to access data from anywhere and from any device. These demands are forcing the network to change, increasing the amount of data that networks need to manage and the number of devices connected to those networks. This is responsible for growing the potential attack surface of today’s networks.
The security challenge is about much more than just network expansion. Everything is also being connected to everything else through the growth of applications, shared services, and distributed resources. These growing levels of hyper-connectivity are compounding the challenge of protecting networks because data and resources are always in flux, with new attack vectors constantly being created as a result.
However, data and resources still need to be protected, especially as they move from remote devices, through the network, and out into the multi-cloud. But most traditional security devices were never designed to do this, so the security industry is under pressure to create new solutions that can seamlessly provide the expanded protection that today’s networks need.
Companies can’t protect what they can’t see. So, in addition to increased performance and integrated security devices, IT teams also need access to real-time threat intelligence. Advanced threat intelligence from security professionals helps IT teams quickly detect and identify threats and automatically respond at digital speeds.
Why the Cyber Threat Alliance is Necessary
Threat intelligence gathered from multiple sources, and then processed and correlated, is the most effective, valuable, and actionable. It’s what organizations with huge security resources use to better protect their networks. The problem is that this sort of higher-level intelligence has historically been out of the reach of most companies. So, in 2014, Fortinet took steps that would eventually lead to the formation of the Cyber Threat Alliance (CTA). We and other founding members, including McAfee, Symantec, and Palo Alto Networks, understood how critical it was to provide security professionals with the intelligence and technology they needed to identify an attack. We also knew they needed to be able to use that information immediately to stop an attack along the kill chain.
Security companies like Fortinet, who were actively engaged in threat research, knew how much we relied on threat intelligence to protect our customers. We also knew that converting raw intelligence into something that was actionable required a level of expertise that many organizations didn’t possess.
Our answer was to bring together participants from across the cybersecurity industry to correlate and share actionable threat intelligence in as close to real time as possible. We knew that organizations not only need this type of threat intelligence to better defend against cyberattacks, but that sharing threat intelligence also helps improve the overall security of the Internet.
After a few years, the founding members decided that to better meet these goals, the CTA should be established as an independent organization. Since announcing the new organization, including the addition of Cisco, Checkpoint and a leadership team over the last year, the CTA has expanded its ability to protect organizations around the world. It has done this by growing the number of organizations that share threat intelligence, and by improving the tools used to collect, process, and correlate intelligence in order to protect millions of customers.
The CTA is working to improve the cybersecurity of its global digital ecosystem by significantly reducing time to detection and closing the gap in the detection-to-deployment lifecycle. It does this through near real-time, high-quality cyber threat information sharing and operational coordination between companies and organizations in the cybersecurity field. This approach brings together companies with different interests but enables them to work together for the greater good.
The CTA: An Essential Part of any Threat Intelligence Strategy
While sharing threat intelligence is an important part of any security strategy, it’s only half the battle. External threat intelligence provides obvious benefits, but it also needs to be part of an integrated threat intelligence strategy.
- Good threat intelligence starts with conducting an inventory of all the devices on a company’s network. This includes listing manufacturers, devices, OS versions, patch levels, etc. This data will help companies identify devices that are vulnerable to exploits, as well as decide what threat intelligence is most likely to help their network.
- Once companies are tracking all the physical and virtual devices on their network, they need to begin to gather and correlate threat intelligence from log files and management consoles. This data needs to include endpoint and IoT devices, virtualized data centers, and SaaS and IaaS multi-cloud devices and traffic. This will require a centralized collection and analysis system.
- Next, organizations need to evaluate and update logging and analytics platforms to make sure that local data can be combined with external intelligence. Correlating local and global intelligence provides critical insights, but because of the speed of today’s attacks, this needs to be done quickly. This means threat intelligence must provide actionable information rather than just raw data, because that will require a lot of manual processing. Companies must use open standards to efficiently combine and correlate different data sets. This will help to efficiently identify indicators of compromise and prioritize the response to potential threats.
This is where the value of the CTA is critical. It enables cybersecurity providers to share intelligence and cooperate in incident response. Each of the CTA’s members may have access to different pieces of the intelligence puzzle, and the CTA helps bring them together to reveal the broader picture. This approach enables CTA members to gain rapid access to information they otherwise would not have, which in turn allows them to better protect their customers.
This sort of cooperative strategy allows cybersecurity companies to work together operationally during large-scale cyber incidents, such as WannaCry and NotPetya, or to address newly discovered vulnerabilities, such as Meltdown. This approach dramatically improves the efficiency and effectiveness of our response efforts.
- Finally, producers or consumers of threat intelligence should consider joining the CTA. Centrally collecting, analyzing, and distributing actionable threat information among members makes everyone safer.
End-user companies should consider joining an ISAC (Information Sharing and Analysis Center) group associated with their region or industry. Data sharing between peer organizations provides another layer of analysis, allowing companies to compare their threat status against what is happening in similar networks.
Threat intelligence needs to be a cycle. Our FortiGuard Labs team, for example, uses the intelligence we collect from participating customers to improve our threat database. We then share that intelligence back to the CTA, which in turn is used by customers. As a result, threat intelligence is constantly being recycled and refined.
Why Companies Should Participate in the CTA
There are strong benefits to any organization that participates in collecting, processing, and sharing threat intelligence. One of the most important is that the wider the scope and scale of visibility into threats that we can create, the more everyone will be able to detect and mitigate new and emerging threats.
Because of its collaborative approach to collecting threat intelligence from cybersecurity experts, the Cyber Threat Alliance is unique in both its mission and its model. The cyber community as a whole would do well to use CTA as a model for how different, even competing organizations can come together across private and public sectors, including critical infrastructure, to address emerging cyber threats ¾ especially those with far-reaching social and economic implications.