
Taking the Cyber No-Fly List to the Skies

Published on
February 13, 2018

In our last post, we talked about how companies can use the concept of a No-Fly list to keep malicious actors out of their networks. So how does a cyber No-Fly list work in a real situation? We spoke with one of our customers, Alaska Airlines, about how they make the most of threat intelligence and the threat intelligence sharing community to protect their networks from malicious attacks.

Jessica Ferguson, Director of Information Security Architecture at Alaska Airlines, has implemented threat intelligence programs at multiple large enterprises. “Threat intelligence gives us visibility into known security threats, letting my team focus more time on hunting for unknown threats,” says Ferguson.

Threat intelligence in action

At Alaska Airlines, Ms. Ferguson collects threat intelligence from research partners, internal sources and even other airlines. She then integrates this intelligence with security infrastructure, including firewalls, intrusion detection systems, endpoint monitoring tools and security monitoring solutions. In doing so, she automates detection and blocking of known threats in the network and on the endpoint wherever possible.

Ms. Ferguson notes that threat “indicators” (malicious cyber “fingerprints”) vary in confidence. Some indicators are very high confidence, meaning there is near certainty that the traffic is malicious. The network can take automated action in response to these high-confidence threats, including blocking traffic from that source. Other indicators carry lower confidence, and Ms. Ferguson puts the events they match through a cyber “secondary screening” process. This involves a more manual investigation into the traffic: understanding what took place, which process initiated the traffic, what changes were made, whether files were downloaded, and so on.
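The confidence-based routing described above can be sketched in a few lines of Python. This is an added example, not code from Alaska Airlines or Anomali. The feeds, events, 0-100 confidence scale, threshold of 90 and the merge rule (keep the highest score per indicator) are all assumptions made for illustration.

```python
# Assumed cut-off: the article only distinguishes "very high" from "lower" confidence.
BLOCK_THRESHOLD = 90

# Constructed feeds: (indicator, confidence 0-100). Addresses are documentation ranges.
FEEDS = {
    "research_partner": [("203.0.113.7", 95), ("198.51.100.22", 60)],
    "internal": [("198.51.100.22", 75), ("bad-updates.example", 40)],
    "peer_airline": [("203.0.113.7", 80), ("192.0.2.99", 92)],
}

# Constructed connection events, as a network or endpoint sensor might report them.
EVENTS = [
    {"host": "ws-014", "dest": "203.0.113.7", "process": "updater.exe"},
    {"host": "ws-022", "dest": "198.51.100.22", "process": "winword.exe"},
    {"host": "ws-031", "dest": "intranet.example", "process": "chrome.exe"},
    {"host": "srv-003", "dest": "bad-updates.example", "process": "powershell.exe"},
]

def merge_feeds(feeds):
    """Combine all feeds; per indicator keep the highest confidence and every source."""
    merged = {}
    for source, entries in feeds.items():
        for value, confidence in entries:
            entry = merged.setdefault(value, {"confidence": 0, "sources": []})
            entry["confidence"] = max(entry["confidence"], confidence)
            entry["sources"].append(source)
    return merged

def build_blocklist(indicators, threshold=BLOCK_THRESHOLD):
    """High-confidence indicators are pushed to enforcement points automatically."""
    return sorted(v for v, e in indicators.items() if e["confidence"] >= threshold)

def triage(events, indicators, threshold=BLOCK_THRESHOLD):
    """Split matching events into auto-blocked and a secondary-screening queue."""
    blocked, screening = [], []
    for event in events:
        hit = indicators.get(event["dest"])
        if hit is None:
            continue  # no known indicator: normal traffic, left to hunting
        if hit["confidence"] >= threshold:
            blocked.append(event)
        else:
            # Keep host, process and sources so the analyst has context to start from.
            screening.append({**event, **hit})
    # Analysts work the likeliest threats first.
    screening.sort(key=lambda item: item["confidence"], reverse=True)
    return blocked, screening

if __name__ == "__main__":
    merged = merge_feeds(FEEDS)
    print(build_blocklist(merged), triage(EVENTS, merged))
```

An indicator confirmed during secondary screening would be added to a feed with a higher score, so the next run blocks it automatically.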

In fact, “the hunt begins in the gray area” according to Ms. Ferguson, referring to the need to examine less obvious security threats. “The beauty of this approach is we may detect potential threats based on suspicious behavior or strange network activity. We then dig into the traffic and may discover a unique, specific threat indicator, which then feeds into our threat intelligence program – and gets integrated with all our security infrastructure – which starts the whole process loop again.” In many cases an investigation into one suspicious indicator will lead to a discovery of an entire new family of threats – taking unknown threats and making them known.

The web of known threats becomes much wider as companies share and exchange this kind of information. Threat sharing has become a critical element of Ms. Ferguson’s security arsenal, “just as the TSA shares no-fly list dossiers with other intelligence agencies.” In the last few years numerous Information Sharing and Analysis Centers (ISACs) have formed. These are communities of organizations, often aligned with a specific industry (e.g., Aviation ISAC, Financial Services ISAC, Automotive ISAC), where members collaborate with each other on cybersecurity topics and share intelligence. Ms. Ferguson frequently engages other airline security teams to discuss threats targeting their sector.

To pinpoint malicious humans, the FBI recognized that knowledge of their activities outside of what’s observable at the last point of entry is a necessity. While airline passengers and digital traffic are not interchangeable, enterprises need to recognize that the same level of knowledge is required to better identify and stop dangerous digital traffic.


* Missed part 1 of this series? Check it out here. Want to read the original article, posted on Harvard Business Review? Read it here
