Boston—Cybersecurity experts and those new to the space gathered together at the Federal Reserve Bank to join the Advanced Cyber Security Center (ACSC) for Massachusetts Cybersecurity 2.0: Preparing for the Next Wave of Cyber Challenges.
Whether it’s securing self-driving cars, cloud computing, or exposing criminals in the Darknet, the industry will face many challenges in the near and distant future. Cybersecurity leaders across all sectors are struggling to understand the most effective ways to share threat data without creating additional harm.
So this year’s ACSC conference focused on the value of information sharing as a means of helping others defend against malicious cyber activity.
After a welcome by Kenneth C. Montgomery, first vice president and chief operating officer, Federal Reserve Bank and vice chair, ACSC, a panel took the stage to discuss, “The case for collaborative defense: Beyond threat sharing.”
Moderator William Guenther, chairman, CEO and founder, Mass Insight Global Partnerships, and chair, ACSC, posed the question of how collaboration can benefit security practitioners before, during, and after an incident.
Across the larger enterprises and government entities, there are indeed some fantastic intelligence teams. Those intelligence and operations teams could be beneficial to the industry at large, and to SMBs in particular.
Still, there are legal impediments to collaboration and information sharing that need to be considered. “The better educated legal teams can be, the better they are going to understand the liability of risk,” said Michael Darling, director, cybersecurity and privacy, PwC.
For most events, there is not a lot that can help in the middle of an incident response. “If you did a good job of the proactive piece, then your incident response time shrinks to minutes or hours instead of months or years,” Darling said.
Keynote speaker Richard Puckett, vice president, cybersecurity, product and commercial security at GE Digital, said that security practitioners have two goals. “Either make incidents not happen or make them less bad.”
Accepting that incidents will happen has become commonplace, so the best they can do pre-incident is a thorough self-examination. Look at the existing controls and policies and ask, “Have I segregated? What are the best practices associated with that? In the pre-incident phase, there is forensic sharing to help with understanding techniques,” Puckett said.
Differing slightly from the opinion of his panel colleagues, Puckett said, “During an incident there is an opportunity for shared purchasing power. Can you make it cheaper because you have a prearranged retainer and you bought it in bulk?”
Where collaborative defense has great value, though, is in the aftermath of an attack. After discerning not only the ‘what’ but the ‘how’ of the events, the response can then serve as a model to guide industry peers within or across sectors.
“Now that the incident is done, how does one member’s response become everyone else’s protection? What led to the incident and how can we share information and intelligence to help protect others?” Puckett said.
Taking the opportunity to discuss major headline breaches can be enormously fruitful, but the barriers to information sharing often result in security teams getting stuck in ‘no’, instead of ‘how’, the panel said.
“Asking, ‘What would happen if that happened to us?’ while walking through more publicized breaches helps them get to the ‘how’,” said Puckett. The focus then shifts from resistance to active engagement of internal and external partners across organizations and supply chains.
“Information sharing doesn’t just happen within the people at the company. They can have forums of human resources professionals around a breach. Open it up to the broad community,” said Michael Papay, vice president and CISO, Northrop Grumman.
The broader community, which extends far beyond the four walls of the corporation, is often the weakest link that sits beyond the control of even the most sophisticated defenses. Puckett asked rhetorically, “What do we do about everybody else? How do we think about mid-sized firms in terms of collaboration?”
Where the digital world is interconnected in the most complex and sometimes convoluted ways, determining the trajectory that data travels, with whom it is shared, and how it is stored can be cumbersome at best. That’s why the big guys have to be sharing with the little guys. They have to strengthen what is often their weakest link.
Enterprises have a duty, not only to others but to themselves, to help out the little guys. “The bigger organizations are plowing away, and there is a corporate and social responsibility to give back by lending either knowledge, experience or expertise,” Puckett said.
As the larger organizations have a duty, so too do those SMBs, who need to actively look for guidance and instruction rather than run ahead toward things like cyber intelligence that will likely result in alert overload and yield little actionable intelligence.
“The only thing we can do is look for things that scale,” said Papay. “A synchronous teaching tool that we can record once and push out many times. We have to get smarter by levels,” Papay continued.
While there is indeed a need to look at defense from a compliance perspective, “The DOD can’t go in and say, show me that you are compliant. They don’t have a contractual relationship with those second tier, so larger organizations worked to put together a single compliance checklist at the top level,” said Papay.
But what happens as they move down to the next tier of suppliers? In order for them to trust that the second tier suppliers are able to effectively evaluate the third or even fourth tier suppliers, there need to be some clear regimes about role responsibility.
“I do feel like there are some practical regimes that can be put in place. There is a little bit of responsibility to help influence the thinking about defense, not just the standards. What it comes back to is good breach management. We have to be teaching them to think about the ‘how’ because that’s what gets them out of the compliance mindset,” Puckett said.
One additional hurdle is deciding just how wide of a net to cast when determining with whom information is shared. “When you think about how you want to organize, whatever sector you are in, you need to decide whether you are organizing because of the commonality of issues in your sector or by geography because of the commonality of relationships. There is a value proposition at each layer,” Darling said.
If decisions are guided by outcomes, Darling continued, they have a clearer understanding of what they are trying to do, what they are protecting, and what sensitive issues they have to deal with. Everything comes down to value proposition.
While there are barriers to sharing cybersecurity information, including regulatory requirements, legal implications, and impact on reputation, Guenther said, “Collaborative defense is here to stay. Large scale sharing has value, but we also heard about false positives, so the power of small groups is still a credible operating thesis.”
Before diving head first into a collaborative defense community, security teams need to build their networks with a purpose. They should first understand the objective, then consider what they are getting out of it, and also have a plan for how to measure success.