Infosec experts have been urging governments and businesses to meet the challenge of organized and well-funded cyber attackers by sharing threat information within and across industries – and not by phoning or emailing each other.
That has led to the recent emergence of a number of open platforms that can share warning feeds from security devices to give CISOs better visibility into potential attacks.
The latest platform was released this morning by Comilion, an Israeli-based company which says its solution allows users to set up their own peer-to-peer networks (so CISOs can trust whom they're dealing with), keep sensitive data in-house and deal with privacy and regulatory rules that might otherwise inhibit data sharing.
“People can take our technology and build by themselves easily and very effectively a sharing network, whether internally for a global enterprise or externally between enterprises,” CEO Kobi Freedman said in an interview.
It can draw information from security information and event management (SIEM) systems, security appliances and analytics platforms like Hadoop, Splunk and others. Through a data wrapper, owners can revoke, time-limit or put other controls on shared information, including limiting exposure of their data only to organizations that are seeing a similar attack.
Comilion also includes a collaboration platform where infosec pros can share comments and ask questions that network members can also draw upon.
The idea of a threat sharing platform is to allow organizations to share indicators of compromise they encounter – URLs, IP addresses, malware code and other types of information that can be read by machines – along with reports and expert comments to allow faster response to potential attacks.
Ideal solutions use security data exchange standards such as STIX, TAXII and others that can pull information from gateways, firewalls and SIEM systems.
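To show what machine-readable sharing looks like once it reaches a defender, here is an added example (not code from Comilion, Soltra or any platform named above): it reads a constructed STIX 2.1-style indicator bundle of the kind a TAXII feed would deliver, drops indicators that are outside their validity window (the time-limit control described above), and matches the remainder against constructed proxy log lines. The bundle contents, log format and field names are assumptions made for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: a STIX 2.1-style bundle as a sharing platform might
# distribute over TAXII. Addresses are documentation ranges, not real IoCs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2015-06-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[url:value = 'http://malicious.example/drop']",
         "valid_from": "2015-01-01T00:00:00Z", "valid_until": "2015-03-01T00:00:00Z"},
    ],
})

# Constructed proxy log lines (assumed key=value format) to run the indicators against.
SAMPLE_LOGS = [
    "2015-07-14T10:02:11Z proxy src=10.0.0.8 dst=203.0.113.5 url=http://203.0.113.5/index",
    "2015-07-14T10:05:40Z proxy src=10.0.0.9 dst=198.51.100.7 url=http://malicious.example/drop",
    "2015-07-14T10:07:02Z proxy src=10.0.0.8 dst=192.0.2.44 url=http://intranet.local/",
]

# Only simple single-comparison patterns are handled; compound patterns are skipped.
PATTERN_RE = re.compile(r"\[(ipv4-addr|url):value = '([^']+)'\]")

def parse_iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def active_indicators(bundle_json, now):
    """Return {observable value: indicator id} for indicators valid at `now`."""
    active = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if not m or parse_iso(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and parse_iso(obj["valid_until"]) <= now:
            continue  # the sharer's time limit has passed: do not act on it
        active[m.group(2)] = obj["id"]
    return active

def match_logs(bundle_json, log_lines, now):
    """Return (log line, indicator id) pairs where dst or url equals an active indicator."""
    active = active_indicators(bundle_json, now)
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        for value in (fields.get("dst"), fields.get("url")):
            if value in active:
                hits.append((line, active[value]))
    return hits
```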
A few platforms are already on the market. The one with the most in common with Comilion is Soltra, created for the global financial sector information sharing and analysis centre (FS-ISAC) but available to others either in a free community version or with paid support. Others, like IBM’s X-Force Exchange, Microsoft’s Interflow (still in a private preview), the Malware Information Sharing Project (MISP) and Facebook’s ThreatExchange, are more akin to social networks.
Comilion isn’t inexpensive. Priced by the node and initially aimed at large enterprises, Freedman estimated it would cost “a few hundred K per year.”
There are a number of ISACs, but not for every industry, which is why a group of organizations might choose to set up their own. Freedman said his company’s platform offers the advantage of allowing participants to limit members, but also to automate actionable information. Unlike others, which store shared information in the cloud, data in a Comilion network stays on-premise.
Avivah Litan, a Gartner security analyst, said in an interview that what caught her eye about Comilion is the way it can meet data privacy rules in various countries. “I think that in itself is worth a lot of money.”
“Information sharing for threat intelligence is certainly important,” she added. “The trick is making it actionable.”
The threat sharing platform market is still in the early stages. Security data sharing standards like TAXII and STIX still need more work, Litan said.
So while much of the threat information sharing is over the phone between CISOs, “there’s not enough structured electronic information sharing that makes the data actionable.”
And while she thinks Comilion has a good platform, she doubts organizations will gravitate to only one solution. So does John Wheeler, IBM’s director of services strategy and offering management, who at June’s SC Congress in Toronto told attendees that his company’s X-Force Exchange can co-exist with ISACs.
The Exchange, which is free, was set up in the spring with IBM donating some 700 terabytes of threat data it has gathered over the years for users to research. To keep it from being downloaded by criminals, users can only search one IP address at a time.
But it’s also a work in progress, with IBM asking infosec pros what added capabilities they’d like to see in the threat information platform. At the moment, for example, users can’t pull data into their threat analysis systems. While IBM doesn’t vet membership at the moment, Wheeler said he envisions it could help organizations set up communities and, for a fee, create a vetting process with tiered access for sensitive information.
“Nobody wants to talk about their breaches, nobody wants to talk about the issues they had yesterday,” Wheeler said at the conference, “but if we don’t talk about the type of activity we’re seeing against our organization and what’s been successful we just make it easier for that attacker to move onto the next corporation.”