Industry-wide, security teams are duplicating time and resources to complete similar investigations, workflows and threat responses. With a skilled staffing shortage of an anticipated 3.5 million security jobs by 2021, the security industry can’t afford to continue to duplicate efforts.
Instead, consider an alternative: Multiple organizations have investigation teams who agree to collaborate. One does an in-depth investigation, hunt or mitigation, and they are able to share that process in real time with another organization. There are now multiple organizations and teams leveraging their skills and expertise to increase the efficacy of their collective security operations centers (SOC). They are armed with the resources to prevent breaches and hunt for other threats while bolstering the security industry as a whole. This is the future of collaborative security.
At present, organizations are open and somewhat participatory in sharing some forms of information, like indicators of compromise (IOCs)—i.e. an IP address, file hash, email address, a domain or a URL. As an example, if an analyst identifies an unknown IP address trying to connect to his or her infrastructure, that analyst will decide the IP address is potentially malicious. Then, the analyst saves that into a threat intel platform or publishes it somewhere. Finally, the analyst’s peers are able to pull down the information provided and say something like, “Okay, that’s interesting. Should I look for indicators of that in my own environment? Should I add that to any of my rule sets to say that my firewall should no longer allow any type of data transfer to that IP address?”
This type of sharing information currently happens in Information Sharing and Analysis Centers (ISAC).Sector-based ISACs collaborate with each other via the National Council of ISACs (NCI), allowing organizations who compete against each other in their respective industries to collaborate within their SOCs. While this kind of collaboration arms organizations with great information, it’s only focused on detection based on rudimentary, preventive capabilities.
It’s time to take the next step.
On October 3, 2018, I hosted a tech talk with Pedro Haworth, McAfee’s head of technology, security innovation alliance at Integrated Cyber Fall 2018.
Hosted by the Johns Hopkins University Applied Physics Laboratoryin collaboration with the National Security Agency (NSA)and the Department of Homeland Security (DHS), Integrated Cyber brought together thought leaders and innovators from the Integrated Adaptive Cyber Defense (IACD), Automated Indicator Sharing and Cyber Information Sharing communities. The goal of the two-day event was to “dramatically change the timeline and effectiveness of cyber defense via integration, automation and information sharing.”
In the attempt to get closer to achieving Integrated Cyber’s goal, Haworth and I discussed how to move beyond the whatof a threat and instead focus on the how. Instead of simply sharing information about IOCs, we should be sharing our techniques for detecting potential malicious behavior. This degree of collaboration can empower our collective SOCs to take threat hunting to the next level, optimizing protection from breaches.
Currently, security operations threat hunting consists of searching for known IOCs. Although more challenging, effective threat hunting begins with a hypothesis like “If I was going to try to break into this organization, how would I do that? What methodology would I use?”
The analyst who answers those questions by searching for behaviors instead of specific data points is better equipped to stop threats because data points can change rapidly. And then once that analyst shares those answers—and the operational mechanisms in place to address the potentially malicious behavior—the game changes from many against one to many against many.
No one can build perfect, impenetrable security. But working as a collective raises the barrier to entry and gives us a chance to stay ahead of increasingly sophisticated bad actors.
About Cody Cornell
As Swimlane’s Cofounder and CEO, Cody is responsible for the overall strategic direction of Swimlane and their Security Automation and Orchestration platform. As an advocate for the open exchange of security information and deep technology integration, he constantly strives to enable organizations to maximize the value of their investments in security technology and staff.
Cody began his career in the U.S. Coast Guard and has spent 15 years in IT and security including roles with the U.S. Defense Information Systems Agency, the Department of Homeland Security (DHS), American Express and IBM Global Business Services. He has also had the pleasure of presenting at information security at forums such as the U.S. Secret Service Electronic Crimes Task Force, the DHS Security Subcommittee on Privacy, and National Public Radio.
Swimlane is at the forefront of the growing market of security automation, orchestration and response (SOAR) solutions and was founded to deliver scalable and flexible security solutions to organizations struggling with alert fatigue, vendor proliferation and chronic staffing shortages. Swimlane’s solution helps organizations address all security operations (SecOps) needs, including prioritizing alerts, orchestrating tools and automating the remediation of threats—improving performance across the entire organization. Swimlane is headquartered in Denver, Colorado with operations throughout North America and Europe. For more information, visit www.Swimlane.com.