Threat information sharing is becoming the new infosec pro buzz phrase, in part because President Barak Obama is encouraging the public and private sector to let not only government agencies but also competitors know of threats being discovered.
Aside from the legal problems of sharing certain information — CISOs have to be careful in making allegations against particular individuals or Web sites — there’s the problem of the format.
A number of specifications have emerged including CybOX (Cyber Observable eXpression), STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information),
In a recent blog IBM’s Doug Franklin explains what these and others are and why CISOs should pay attention to them.
Support for these and other standards being added to a number of security products so they can link to security management software, as well as to threat repositories. (see this site for those supporting STIX and TAXII)
The U.S.-based Health Information Trust Alliance’s cyber threat exchange uses STIX to automate collecting and analyzing cyber threats and distributing actionable indicators to customers.
Among vendors, McAfee’s Advanced Threat Defense software sends CybOX STIX-formatted indicator of compromise artifacts to its Enterprise Security Manager for action.
Unfortunately, there isn’t an internationally-accepted standard, which would help make threat information sharing smoother. But as Hamilton points out until we get to that time these will have to do.
“Attackers have been painfully successful lately,” writes Franklin, “and we defenders must up our game. Threat intelligence sharing can help us do that.”