Executives from two of the country’s biggest enterprises behind the fledgling Canadian Cyber Threat Exchange say the service will help Canadian organizations of all sizes better fight the mounting amount of malware and breaches they face.
Threat sharing “is a powerful tool,” Glenn Foster, senior vice-president and head of technology risk managment and information security at TD Bank, told infosec pros in Toronto on Wednesday at the annual SC Congress conference. He said knows because Canadian banks have had their own private threat exchange for almost two decades.
Cyber crime is cheap for nation-states and criminals, he said, in part because they share intelligence — so the private and public sector should too. “With CCTX I think being an enabler for us is going to be extending that value proposition across Canada to all connected entities to really flip that cost curve. So now at the end of the day our job is to make it more expensive for the adversary to be successful in what they’re doing.”
Colin Penny, senior vice-president of technology and chief information officer at Ontario’s Hydro One power distributor, said Canadian electric utilities – who have their own threat exchange – can contribute their knowledge about vulnerabilities in network-connected industrial controls to other industries such as manufacturing and transportation.
“As with any other complex system we’re only as strong as our weakest link. So it’s very important that and cross-sector collaboration and information sharing across the entire supply chain big and small in our sector brings the bar up for everybody. It’s not about the largest that can afford it should be the most protected, it’s that everybody should be protected.”
Both are on the nine-person board of the CCTX, announced last December to give municipalities, regions and the private sector the ability to join a threat exchange that only few – like banks and utilities – have set up.
Also meeting the infosec community this week at SC Congress and at the Anti-Phishing Working Group’s Toronto conference was the CCTX’s new executive director Robert Gordon, a former senior official at Public Safety Canada who helped design the government’s cyber threat strategy and a former senior civil servant at the Communications Security Establishment (CSE), the country’s electronic spy agency, and the Canadian Security Intelligence Service (CSIS). Most recently he was a director in the global cybersecurity service at consulting and integration firm CGI.
In fact when he was with Public Safety Gordon helped get the private sector companies together to sketch the outline of the exchange when Ottawa heard firms were talking about the idea just under two years ago.
Gordon told both conferences the non-profit CCTX expects to go online at the end of this year, largely for enterprise-sized companies who will pay $50,000 a year for service and the right to contribute. In addition to the nine initial supporting enterprises, he hopes to add 20 more by then.
Early in 2017 service for small ($5,000 a year) and medium-sized ($20,000) companies will be available. Organizations can join for free and get more limited services.
Meanwhile CCTX expects to shortly pick an IT platform that will handle the data exchange and collaboration capabilites, and a managed security service provider that will host it.
Still to be worked out before the end of the year are exactly what services will be offered to enterprises and SMB members – and Gordon said CCTX would fail if SMBs don’t see value in it.
So far Gordon has said threat data will be exchanged in near-real time through protocols like TAXII and STIX for those that can handle it, with all data will be anonomized – privacy will be an essential element, he added. There will also be threat trend reports and the ability for security analysts to collaborate across sectors, particularly if they are looking at the same threat. For others there will be the ability to form so-called communities of trust for infosec pros, as well as security training courses.
For security named members to the exchange will be vetted, with Gordon suggesting the federal government could play a role.
Both Gordon and Foster emphasized they expect paying members to contribute to the exchange and not merely take data from it.
There are some who wonder if having another source of threat information added to the ones they already subscribe to will merely add “noise” not substance. That was one question thrown at Gordon, Foster and Penny by John Del Grande, director of architecture and information security solutions at President’s Choice Financial, the retail banking arm of Loblaws.
Gordon said that CCTX doesn’t want to duplicate the work of other international threat exchanges and analysis centres it will link to, and will provide “unique value.”
“The power of CCTX is going to be the communities, the people,” added Foster, with cross-sector communities putting in “sweat equity.” CCTX will also stress Canadian content, he said.
In an interview Del Grande said “I’m worried about the noise that comes through because we already have a hard time sorting through all the threat intel that comes in, in terms of what’s valid and what’s not … Now you’ll be getting stuff from cross-industry, which is a good but it’s going to add significantly to more things to filter through, potentially more one-0f things to look at, more false leads. That’s still a concern for me.”
Showing value will be “critically important,” Gordon said. “CCTX is taking money from companies, they’d better see some value. So I think broadly defined somehow we’ve got to be reducing the risk factor coming through the door so companies should be getting information they can actually action to reduce that threat.”