Cyberthreat info-sharing on the rise: Fortinet expert
By Benjamin Cher December 3, 2015
- Need for info-sharing to be automated, as well as more channels
- Public-private sector partnership important in securing the future
WITH cyber-attacks on the increase and the threat landscape continuing to evolve, the need for the cybersecurity industry to come together in some way has never been more apparent.
And coming together it is, according to Derek Manky, global security strategist at Fortinet Inc, who assures us that the industry is moving in the right direction.
“The Cyber Threat Alliance (CTA) is currently working on an information-sharing framework,” he told Digital News Asia (DNA) in Singapore, referring to the group of cybersecurity organisations which have chosen to work together to share threat information.
However, the industry has been stuck on looking for the big three indicators of compromise (IOCs), he conceded.
“These are IP (Internet Protocol) addresses, URLs (universal resource locators), and ‘fingerprints’ like hashes from malware,” Manky said.
“The problem has been context – it’s hard to put information in context for two reasons,” he added.
The first is that the information being shared must be suitable for automation in today’s big data world, and vendors lack experience with sharing information that is suitable for automation.
“The second issue is confidentiality and privacy – moving forward, how we would want to work with them would be to share non-personally identifiable information,” Manky said.
“The context has to be around the attacker rather than the victim,” he added.
The industry is however coming around to the idea of creating context and a framework around those two concerns, according to Manky.
Fortinet has been involved with the STIX and TAXII initiatives, which have transitioned into Oasis, which the company is also part of.
“It’s a standards organisation and we joined the cyberthreat intelligence technical committee, trying to ratify the STIX and TAXII standards for sharing information within the industry,” Manky said.
“The framework itself is great, and it is easy to take information and put that into syntactically-correct language – but to turn that into actionable threat intelligence on an automated level, that’s the challenge,” he added.
That is what the CTA is tackling right now, by taking the intelligence, digesting it, and automatically taking it to security controls, according to Manky.
The rest of the industry needs to move in that same direction, he argued.
“Right now, what’s happening is that security vendors can consume a whole bunch of information, from IP reputation to URLs,” Manky said.
“But for the attackers, it is low-cost to change an IP address or URL – it’s a constant whack-a-mole,” he added.
Strategic approach
Keeping in mind cyber-attacker thinking, Fortinet is now looking for advanced IOCs, according to Manky (pic above).
“For example, we are gathering information from Sandbox and wrapping it with CybOX controls, a language from the STIX initiative that describes the IOCs,” allowing for greater automation in terms of intelligence sharing, he said.
“That’s the direction the industry should take,” he added.
Fortinet has also been building up a computer emergency response strategy, a subject that is close to Manky’s heart.
“I’ve been working with First (Forum of Incident Response and Security Teams), a forum of Computer Incident Response Teams (CIRTs), for about four years now,” he said.
“We have been setting up non-commercial intelligence exchange with the appropriate stakeholders,” he added.
An example Manky cited was his work with the Singapore police and different CIRTs like Interpol, to take relevant information about an attacker, and connect that to a computer emergency response strategy.
“We have a global infrastructure, and when we detect a DDoS (Distributed Denial of Service) attack or a botnet activity, we can share that through the channels we’re building,” he said.
Currently, there is no global channel for this, which is why Fortinet is building these one-on-one relationships with the various stakeholders, according to Manky.
“We share through these channels so that the relevant authorities can act,” he said.
“It’s through this public-private sector relationship, which is a huge strategy moving forward,” he added.
Increasing cooperation
It is not all the gloom-and-doom that most security vendors’ threat reports would have you believe, with Manky pointing to some good news a-brewing.
“The industry is taking action, and the CTA and public-private sector relationships are happening,” he said.
“While threat intelligence is still a little behind – the industry has to figure out actionable threat intelligence and proactive protection – but we’re on the way there,” he added.
Related Stories:
Companies resist mandatory disclosure, cybersecurity suffers
The threat landscape runneth over, here’s what we need to do
Security weaknesses must be shared openly: Facebook CSO
Privacy laws: Why we have them, and who benefits
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.
