Recently, we sat down with Dr. Tomas Sander, Senior Research Engineer at HP Labs in Princeton New Jersey, to discuss the state of cybersecurity. As the conversation progressed he had some interesting insights into collaborative defense and how, if organizations can overcome issues of trust and share vital information, our national cybersecurity posture will be greatly strengthened.
Traditionally, we’ve all approached network security as a problem to be solved alone and not discussed for fear of revealing vulnerabilities, or avenues for additional attacks. This attitude is changing and it would seem that collaboration is the new buzzword – what’s changed to make that possible?
First, the sophisticated cyber attacks that organizations have been under in the last year have made it clear that we need to do a better job of threat information sharing. Without it we simply can’t defend ourselves effectively. This has not only been recognized by private industry, and some forward-thinking government organizations, but also by our political leaders. In February 2013, the President’s Executive Order for Improving Critical Infrastructure Cybersecurity explicitly asked government agencies to find better ways to share threat intelligence with both government agencies and private sector critical infrastructure. We have evolved our security philosophy from a “need to know” to a “need to share.” And although manual sharing efforts have existed for many years, we finally have technology now, such as HP’s Threat Central, which can automate much of the data collection and sharing, making it a lot more attractive for organizations to participate.
What are some of the benefits of HP’s Threat Central for government agencies?
Clearly better sharing allows agencies to respond more quickly to unfolding threats and attacks. They will learn more about the overall threat landscape, and increase their situational awareness. That capability essentially automates today’s manual information sharing processes using email, web portals and phone calls. The really interesting capability that we spent a lot of time and energy researching is the policy framework, which supports fine-grained control over both the information they are sharing and with whom. This framework is essential to developing trust among users, and across the privacy spectrum.
Populating a threat sharing environment is hard work. Although it is not required, Threat Central customers can leverage their existing HP ArcSight install base to be up and running quickly with their own information. ArcSight already helps many government agencies collect data in a common format. This is crucial to make sharing initiatives practical, since collecting and normalizing data is often a major task that slows and even prevents adoption of initiatives like this.
We intend Threat Central to be an open platform and will support standards such as TAXII/STIX sponsored by the Department of Homeland Security. This, and other international standards support, will allow organizations to participate in the sharing community using a variety of supporting applications.
Are there any pitfalls that agency CIOs should be aware of?
Trust is at the heart of any information sharing program. It is difficult enough to establish trust within an organization and here, we are talking about both cross-agency and cross-industry sharing. Participants will need to establish strict guidelines about what to share and with whom to enable the benefits of automation, while preserving both user and public trust.
It is a good idea to start your automated sharing program with some well-defined, simple security indicators and allow the community to realize the value from correlating these data and sharing the results. From there one can gradually move on to sharing more complex indicators. Starting with complex indicators too early could introduce too many unknowns requiring manual intervention and make it harder to realize the benefits of automation.
Tell us about HP’s Zero Day Initiative
Since 2005, HP’s TippingPoint group has been managing the Zero Day Initiative (ZDI). It is a worldwide community of over 3,000 senior security researchers that submit vulnerabilities to the program in exchange for cash, similar to the bug bounty programs sponsored by Microsoft, Google, and others. The difference is that HP ZDI covers all vendors. The initiative then performs a responsible disclosure to the affected software vendor so they can fix the issue, while also using the information to actively protect TippingPoint customers from these zero day vulnerabilities. This information is also combined with other threat intelligence from HP’s DVLabs and used to provide highly effective and timely reputation services to our worldwide customers. These feeds and more will serve as a key intelligence component in Threat Central.
How will collaborative defense improve cyber response?
Our research shows that attackers use the power of rapid communications, ad-hoc communities, and market incentives to ply their trade. Whether we are talking about homegrown attacks or the most sophisticated versions, adversaries typically re-use successful techniques across a wide range of targets in both the government and private sector. Imagine a successful attack using a specific phishing technique on a member of the Defense Industrial Base. Today, the discovery and remediation of the technique is often manual, and sharing that information with the community is not only cumbersome, but it can take weeks or months to cascade and be applied across the entire community. By that time, the damage is done and the attackers are long gone.
With collaborative defenses, as soon as an attack is discovered it can be uploaded to the community instantly. The community can work on it collaboratively, and successful mitigations can be shared in an actionable way so that our security personnel can simply click a button to apply the protection. This action will break the attacker’s time advantage, increase their cost, and force them to work harder on each and every target. That is a game changer for the good guys!