For obvious reasons, few organizations like to share information with competitors unless it’s non-competitive. But with the encouragement of Public Safety Canada, critical infrastructure firms have been setting up forums for the exchange of security information.
However, two experts say Canadian organizations need to do more confidential threat intelligence sharing if they are going to stay ahead of attackers.
Kevvie Fowler, a partner in KPMG Canada’s risk consulting services, and Vivek Khindria, head of information security at Bell Canada [TSX: BCE], urged more co-operation during this week’s Canadian Telecom Summit, where they were on a panel on the importance of threat intelligence.
“Most sectors have learned that trying to hoard (security) information is not going to be a competitive advantage,” Khindria said during the session. “The bad guys are really good at sharing information, and we have to get better. And that may mean laws have to change, may mean more support at the federal level, but it also means that each of us as companies and organizations have to go about figuring out how to share that information.”
“The amount of information sharing (in the private sector) is improving,” Fowler said in an interview. “Is it enough? No, we still need more information sharing … As we get up to the executive level it would be great to see more.
“(Threat) information isn’t just to be shared by managers, (line of business) directors or VPs, it should also be done at the board level.” (During his panel presentation he said some boards are doing it).
Not only should organizations share knowledge of a threat, he added, if there was an incident they also ought to reveal what happened, how they responded, what worked and what didn’t work.
The financial sector already does a lot of information sharing around the world, Khindria said in an interview, as the U.S.-based Financial Sector Information Sharing and Analytics Center (FS-ISAC) has expanded to include other countries. There are also other sector ISACs in the U.S.
“What does Canada need? Maybe it’s not building an ISAC for every sector, maybe it’s to build one that’s shared and cross-sector,” he said. “This could be a unique approach for Canada given our slightly different size and distribution compared to the U.S.”
During the panel he noted the recent federal budget surplus allocated $36 million to a vital cyber system program, which could in part help the private sector focus on mechanisms and processes for sharing cyber security threat information.
As Fowler said during the panel discussion, many Canadian organizations want to expand their IT defences to include threat intelligence, which he called a “must have”. It can come in a variety of ways, from vendors selling intelligence-gathering services to internal security staff compiling it themselves from open sources (such as computer emergency response teams, or CERTs) or monitoring Web sites commonly used to buy and sell malware.
But, he added, some don’t know how to handle all the information they’re pulling in. What they should be doing, Fowler said, is identifying important corporate assets likely to be targeted by attackers, looking at the threats they currently face and then identifying possible threat actors. That will help them decide what sources they need to search to get information about threat actors and the risks the organization faces.
Finally, he added, smart organizations are using threat intelligence to figure out if they’ve already been breached.
Panellist Daniel Thanos, head of advanced cybersecurity and strategic programs at Telus Corp. [TSX: T], cautioned CSOs that they have to establish trust in where they are getting threat intelligence from before relying on it. Open intelligence feeds are monitored by attackers, he pointed out, so they can be alerted to change their tactics.
Khindria added that questions about the veracity of some threat information sources are one obstacle to automating intelligence feeds into IT security systems. Another is the speed of change: a Web site that should be blocked to employees one day because it hosts malware could be okay two days later after it’s been sanitized.
CSOs still have to understand what IT assets threat intelligence will apply to, Thanos added. And all staff have to understand their responsibility not to engage in risky behaviour.
Thanos is also among those who think organizations should use threat intelligence to create tools to go after hackers rather than wait to be a victim.