The relentless push for cyberthreat information sharing and the proliferation of cybersecurity tools have left many enterprise CISOs feeling overwhelmed, officials and executives told an audience at a cybersecurity conference in Washington, D.C., Thursday.
“The biggest challenge we have as an industry is fragmentation within the security organization” of enterprises, said ThreatConnect CEO Adam Vincent at the Security Innovation Network showcase in Washington Thursday.
“If you look at the market for information sharing, the ecosystem, it’s really, really, inefficient,” added Department of Homeland Security Assistant Secretary for Cyber Policy Robert Silvers. “There’s a lot of legacy, manual processes, sending emails of PDFs. You have incomplete information awareness with some people just talking to others bilaterally … all the information isn’t getting out to all the people. It’s the kind of market an innovator would want to disrupt.”
But the problems aren’t limited to replacing legacy systems.
“When I go into security organizations, even when I’m talking to the CISO, in many cases they don’t have a good picture of what their architecture is, it’s highly fragmented across the different parts of their ecosystem with different products, different strategies, different people … they aren’t communicating well,” said Vincent.
Part of the challenge, said Marcus Sachs, chief security officer at the North American Electric Reliability Corporation, was that technology wasn’t the issue with information sharing.
“Machines will trust other machines when we tell them to, but people aren’t like that,” he said. “Where we struggle is how do you get what you’ve got processed by somebody’s eyes? … The eyes are the portal to the brain.”
But that interface has limitations, he explained. “Lines and lines of code aren’t so good” at conveying information.
As an example, he said his eye could immediately pick out those members of the audience not wearing jackets. “They are the outliers,” he said, like the tiny anomalies security personnel were supposed to find in vast volumes of log data.
David Hahn, the chief information security officer for Hearst Corp., said that he had “developed an ecosystem of technologies, of service providers, of vendors that are all helping protect … It’s not just me and my team.”
He said he had contracts with “probably all of the leading security companies.”
“It gets very noisy and dysfunctional at times,” he said.
When considering a new security product, he said, “another feed of really great stuff is always fine,” but what he needs to pay attention to is: “What is my architecture, where’s it going to fit?”
“Right now I’m just collecting all of it,” he said of the multiple inputs. “It becomes very complex.”
His approach, he said, was to “bring my vendors together to look at it from a total ecosystem point of view — to figure out what am I managing?”
Silvers said DHS was attempting to help by creating what he called a “world clearing-house for cyber threat indicators … Shared at machine speed” through the Automated Indicator Sharing program.
“The vision for this product is that an attack seen anywhere in the world can only be used one time because it’s then reported in and shared out without everyone else” who can then protect themselves against it, he said.