July 15, 2014
The sharing of threat intelligence is a hot topic these days. When I do conference speeches, I typically ask how many organizations see value in sharing, and most in the room will raise their hands. Next, I ask how many organizations are actually sharing threat intelligence, and roughly 25% to 30% in the room raise their hands. When our 2014 Security Survey data comes in, I will have some empirical data to quote, but anecdotally, there seems to be more interest than action when it comes to sharing. I wrote about some of the challenges around sharing in “Four Best Practices To Maximize The Value Of Using And Sharing Threat Intelligence.” Trust is at the epicenter of sharing, and just like in "Meet the Parents," you have to be in the circle of trust. You can enable sharing, but automating trust does take time.
There are a number of standards that have emerged to facilitate sharing. The Department of Homeland Security, along with MITRE, is driving the TAXII, STIX, and CybOX specifications "to automate and structure operational cybersecurity information-sharing techniques across the globe." The FS-ISAC has been an early adopter and supporter of these specifications. The Security Automation Working Group leverages Avalanche, “a federated network of STIX-based repositories sharing intelligence in real-time.” Financial institutions (FIs) are among the more mature when it comes to threat intelligence, but that doesn't mean they've solved the problem. As one FI security leader told me, "We just have more money to waste trying to solve the problem." To support / win business from the largest FIs in the world, the vendor community appears to be embracing these standards. I am hearing more and more security vendors state, "We have STIX integrations." Stop; what does that even mean? Do you produce STIX content? Can you consume STIX content? Please provide details and a road map for actual use case integrations. If you email me and say you have STICKS integrations, I'm giving you a red card.
To learn more, I emailed the STIX discussion list asking for vendors to provide feedback on integrations. The last time I checked, the email thread had over 60 responses. There is much ambiguity regarding the capabilities/integrations that are available (desired/needed) today. I am working on a Threat Intelligence Market Overview, and as a part of that research I am going to look at the state of standards-based threat intelligence sharing. Notice I said standards; I don't want to exclude standards like IODEF or OpenIOC.
If you are a vendor offering some sort of integration, please let me know. If you are an enterprise and would like to provide feedback on the use cases that you need, please let me know: rick dot holland at forrester dot com