Collaborating to beat the bad guys

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 18 May 2016
Greg Day, VP and regional chief security officer, Palo Alto Networks.

Today's cyber criminals are collaborating with each other, sharing ideas or compromised systems. They are collaborating more and more efficiently, reusing one another's code to breach their targets.

On the other hand, vendors within the security industry each solve their own problems in their own right. "Although the industry shares samples, with each vendor doing their own analysis, creating their own protection controls and writing their own intelligence reports, this approach is not as effective as working together to share actionable intelligence, that has a better longevity, to stop attacks."

"Nobody should pay for intelligence. The more we collaborate the more we can crowdsource the criminals," said Greg Day, VP and CSO, EMEA, at Palo Alto Networks, during his keynote on 'Crowdsourcing to beat the bad guys' at the ITWeb Security Summit 2016 this week at Vodacom World in Midrand.

Unfavourable economics

Palo Alto did some research last year looking at the economics of cyber security, he explained. "For cyber criminals, the cost of launching an attack is ludicrously low. Moreover, you only need to get through once to be successful. The reverse is true for the security industry. The cost of defending against attacks is very high, and all incidents need to be prevented."

Day said the question is how to make the cost higher for the criminal, and at the same time, reduce the costs for the industry. "The economics are not balanced in our favour."

A move in this direction would be for the security industry to collaborate around all the insight and data they had on an attacker, so the criminal could be identified along with the entire attack infrastructure, instead of just the latest binaries being employed, suggested Day.

"Currently, with over 10 000 security events per month, we are finding that 64% are duplicates, and 52% are false positives. This could be avoided, through information sharing and taking a community view."

Building the attacker's profile

"Working together will allow us to gather a wider insight on each attack and collaborate on threat analysis," he continued. "Pooling our tools and resources to get a better understanding, to enable us to build the big picture, a DNA profile and photo fit of the criminal and then work collaboratively to map out the entire attack infrastructure and shut it down."

If this is done, the cost of success for criminals can be greatly increased, at no cost to the industry, other than its willingness to collaborate and share data, he pointed out.

"If we can just keep the attacker out for longer, bearing in mind they are lazy, they will go where it's easier, the more we can impact their infrastructure, and make it harder for them to carry out the attacks."

He said the Cyber Threat Alliance is taking a step in the right direction. It is a group of cyber security professionals from several companies that are working together to share threat information with the intention of boosting defences against today's adversaries. It was founded by Fortinet, Intel Security, Palo Alto Networks and Symantec.