Facebook counts 90 Threat Exchange participants after six months

  • Liam Tung (CSO Online)
  • 21 August, 2015 09:04

Facebook has said little about its threat intelligence exchange platform since launching it six months ago, but today it revealed that 90 firms from seven industries have joined the effort.

Facebook wants to take a different tack to threat intelligence sharing, using its social networking know-how to one-up generic feeds and meaningless lists and tables of threat data.

“Lots of threat intelligence feeds already exist, but their noise to signal ratio is pretty low. So we designed ThreatExchange with a focus on the exchange of information, experience, and expertise,” Mark Hammell, Facebook’s Threat Infrastructure team manager, said on Thursday.

Instead, Threat Exchange, which launched six months ago, lets participants — which to date consisted mostly of Silicon Valley heavyweights — share threat data through their own apps that connect to Facebook’s Graph APIs.

Facebook in turn visualises these threats to illustrate connections between the tools and techniques levied on participants, all while ensuring those who feed data to the platform remain anonymous.

Threat Exchange tries to overcome the reluctance by companies to share information about the malware hitting their systems by using Facebook's specialty: getting people to share information about themselves in a safe environment among friends.

After launching the platform, Facebook criticised legislative proposals in the US that attempted to encourage private sector firms to share more threat data with the US government. A potential problem with the platform was law enforcement secretly singing up. As a Facebook exec said at the time, the question of law enforcement or other government agencies having access to the platform was "fraught with challenges".

But the company apparently is filtering requests to join its exchange platform and as part of today's update has improved its sign-up process to encourage others to join.

“More than 90 companies representing seven industries are sharing information with each other through ThreatExchange,” said Hammell.

“The goal is for organizations everywhere to learn from each other's discoveries and experiences, so you don't have to try to solve problems someone else has already tackled,” he addd.

Facebook launched Threat Exchange with just a handful of participants from Silicon Valley, including Pinterest, Tumblr, Twitter, Yahoo, Bitly and Dropbox as contributors. Six months on the company claims to have attracted a far wider variety of contributors.

As of today participants come from technology, security, insurance, financial services, higher education, defense, and Internet Service Providers, however Hammell said companies from retail, telecom and business consulting are hopping on board soon.

“All this sharing results in an average of over 3 million interactions on the platform every month. Currently, the most searched for information includes details about malware families and threat indicators such as attempted attacks or IP addresses,” Hammell said.

It is probably worth mentioning other social-led efforts to tackle the information sharing problem. The Open Threat Exchange (OTX) by security firm Alien Vault, which this week landed $52m in funding, crowdsources intelligence from the field, offering users free access to “indicators of compromise”, such as malware sample IDs and IP addresses used to host malware.

Facebook has its own answer to this, having added its own threat descriptors. But instead of focusing on who’s behind a particular attack, Facebook has incorporated details about who provided threat information so as to help others decide how to act on that information.

“Participants requested this feature in order to better extract value from the data by prioritizing relevance and quality over quantity,” explained Hammell.

“We encourage organizations to find the best way for ThreatExchange to work for them. For example, several organizations started small in terms of what they shared on the platform and then built up over time as they made new connections with other community members and discovered new ways to leverage threat intelligence,” he said.

Want to know more?

Why not become a CSO member and subscribe to CSO's mailing list. 

Get newsletters, updates, events and more right here