The fanciest cybersecurity tools in the world are not going to help America keep up with the advanced hacking threats the nation faces unless more emphasis is placed on collaboration between the people using the technology.
That was the message from current and former public- and private-sector cybersecurity professionals Friday during a panel at an International Information Systems Security Certification Consortium event in Washington, D.C.
The four panelists all agreed that it’s time to lean on people sharing, disseminating and understanding threat information in order to move away from being reactive to every cyber incident.
“We need to make sure we get some degree of collaboration between the various parties in order to bring talent to this party,” said Chris Inglis, a former Deputy Director of the National Security Agency. “The notion that the private sector will do ‘A’ and the government will do ‘B’ and never the twain shall meet is the old story of division of effort. That’s actually an agreement not to collaborate. That’s a disaster in this space.”
Inglis framed collaboration as the human equivalent of integrating various security technologies, with the two ideas forming a more holistic view of how malicious actors are behaving in cyberspace.
“We need to stop shooting bullets with bullets and turn this from a transaction approach where we are going at this tactic by tactic or event by event, and turn it to where we are understanding the connection of all of those transactions to a behavior and we can look at this from the standpoint of ‘can we actually determine that this behavior against this thing of value?’” Inglis said.
The government, particularly the Department of Homeland Security, has spent the past year standing up its Automated Indicator Sharing system for precisely this purpose — to bridge the gap between the public and private sector in order to better communicate on what security professionals are dealing with on a real-time basis.
While the panelists generally viewed the department’s efforts as positive, more needs to be done to get companies to truly understand the threats to their systems.
Leo Scanlon, Acting Chief Information Security Officer at the Department of Health and Human Services, said a lot of the people who could benefit from the information flowing through AIS still need to be taught how to pull meaning out of the threat indicators.
“The first problem you run into is that not everybody can consume this stuff,” Scanlon said. “There is a whole long chain of folks that just can’t consume this information without a different type of analytical process topped onto it. It takes an analytical path to communicate across entities, especially entities that don’t have electronic integration at a sophisticated level.”
Scanlon praised the ISAC model as a way for more companies to be collaborative in how they defend against threats.
“I think it’s a very effective step,” Scanlon said. “I think it’s introducing a capability that’s particularly useful in places that we don’t expect to be able to field full blown IT security SOC capabilities.”
The government is moving to embrace this model. Earlier this week, the Information Sharing Analysis Organization Standards Organization released its framework envisaged by executive order, which will help with the development and formation of a new generation of information-sharing organizations that — unlike ISACs — won’t be limited to the 16 business sectors that the government defines as critical infrastructure.
Jeff Six, VP Enterprise Security for T. Rowe Price, said the FS-ISAC — the global financial industry’s resource for sharing threat intelligence — has been crucial in bringing everyone into the fold when it comes to relaying the importance of sharing this information.
“Seeing everyone from small credit unions to your big investment banks, sharing this type of data has been fantastic,” Six said. “We get to see stuff before we see it directly. We can then act on that as we see it directly.”
Inglis said these groups’ efforts, in combination with the right technology, will eventually allow information security professionals to see, know, and understand threats from the first time they come to their attention.
“We need to get this to the point where we react well, but we can also track well and anticipate well,” Inglis said.
“Technology can and should help us do that. But it will be hopeless if we don’t get role assignments right. We can no longer delegate this to technologists when you bring this in and say this is an operational issue. We need to figure out how we do this side-by-side in a complementary way, as opposed to figuring out who goes first and who owns the silver bullet.”
Contact the reporter on this story via email at firstname.lastname@example.org, or follow him on Twitter at @gregotto.