Cyber Threat Intelligence provider Anomali appeared before Congress on Wednesday, November 15th to provide threat-sharing expertise before the U.S. House of Representatives Homeland Security Committee. The purpose of this hearing was to discuss methods for improving the value of cyber threat information shared by the government and increasing participation of threat-sharing with the private sector.
Anomali was the first company to automatically share threat intelligence with the Department of Homeland Security’s Automated Indicator Sharing program (AIS), and the only cybersecurity vendor invited by the Homeland Security Committee to testify before Congress. Anomali was represented by Patricia Cagliostro, Senior Manager of Global Government Solution Architects, joined by Chris Smith, CRO.
Ms. Cagliostro began by explaining the current state of cyber threat intelligence sharing in the private sector, citing the 2017 Ponemon Institute report “The Value of Threat Intelligence: A Study of North American and United Kingdom Companies,” which included over 1000 respondents. According to the report, 80% of organizations use threat intelligence, with 84% identifying threat intelligence as essential to a strong security posture.
Ms. Cagliostro continued by describing two key factors noted within the study that deter cyber threat intelligence sharing: excessive volumes of threat data (70% of respondents) and a lack of threat intelligence expertise. In regard to the first issue, Ms. Cagliostro noted the benefits of utilizing a threat intelligence platform to manage mass quantities of data and streamline the process of sharing. The second issue, a lack of threat intelligence expertise, was identified as the primary reason organizations do not share intelligence. The following statistics from the report detail a concerning trend for government-led initiatives such as the DHS’ AIS.
Organizations that reported sharing intelligence - 62%
Organizations that reported sharing intelligence with trusted security vendors - 50%
Organizations that reported sharing with trusted peer groups - 43%
Organizations that reported sharing with the government - 30%
Organizations are often unaware of what constitutes useful intelligence, Ms. Cagliostro explained, and are afraid of looking immature for sharing irrelevant information. This is especially true in the small and mid-sized market. Many are concerned with providing “net-new indicators,” although providing additional context for existing indicators could prove useful for companies within the same industry verticals. Many organizations already participate in same-industry or region sharing initiatives such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). Anomali acts as the trusted partner for many of these ISACs and Information Sharing and Analysis Organizations (ISAOs).
In regard to the DHS’ sharing program, Ms. Cagliostro explained that “the level of effort to share intelligence within the program and lack of expertise in threat intelligence act as barriers to entry through AIS.”
Organizations connecting to AIS must:
2) Set up a TAXII client
3) Purchase a PKI certificate from a commercial provider
4) Provide their IP address to the DHS
5) Sign an Interconnection Security Agreement
This process can take private organizations weeks to complete due to legal reviews and change control processes. In the public sector this can be even more time consuming, because additional processes and requirements add to the time required to get new technologies online.
Once connected to AIS, organizations often find it difficult to share intelligence. There are a variety of methods available for sharing within the program, but each adds an additional task for overburdened analysts outside of their typical workflow. Organizations that already struggle with limited resources are not likely to expend further time and effort to stand up additional technology for little perceived gain.
Beyond the operational aspects, these analysts and security personnel such as Chief Information Security Officers (CISOs) must justify sharing intelligence to executives. Ms. Cagliostro explained, “Information sharing is a cost like any other process, new tool, or technique that is brought online. In order for that cost to make sense we have to empower organizations with the answer for the ROI question.”
The answer to that ROI question could be one of the government’s unique advantages - unmatched visibility. This is something that cannot be developed by companies internally, nor bought from a vendor. Up until now, though, the DHS has struggled to supply large quantities of high-quality and high-context indicators. Information is declassified at a slow rate, and context that would make intelligence actionable is often missing. Ms. Cagliostro offered the acceleration and increase of declassification of information as a possible solution for the DHS, as well as conversion of the process from manual to machine-to-machine. Part of accelerating the declassification process could include aggregating publicly available information to determine what indicators currently exist in the public domain. Such intelligence (barring more sensitive information such as the association to an actor and how the information was obtained) could then be released.
Throughout her testimony and responses, Ms. Cagliostro encouraged the DHS to make threat sharing as simple and mutually beneficial a process as possible.
“When I first started at Anomali, people often asked how we forced people to share intelligence. People assumed that when we talked about sharing, we had to be forcing people because no one would choose to share unless they had to. Our approach wasn’t to force people to share, but to create an environment where sharing was easy and organizations received value.
“The AIS program has come a long way since its inception and, as the barriers to entry are reduced, more organizations will participate and increase the quality of the data provided.”