Sharing information to boost cyber security
Today's cybercriminals share with each other. Whether they share ideas, code or compromised systems, and whether for a price or for free, the point is they collaborate effectively.
The cyber security industry has historically shared samples, meaning each vendor completed their own analysis, created their own protection controls and wrote their own intelligence reports. However, the security industry, together with businesses, needs to be as effective as the criminals in sharing actionable intelligence to stop attacks.
So says Greg Day, VP & CSO, EMEA at Palo Alto Networks, who will be presenting on 'Crowd-sourcing to beat the bad guys' during the 2016 ITWeb Security Summit, to be held at Vodaworld in Midrand from 17 to 19 May.
Day adds that even when a cyber attack is discovered, typically only the current binary is blocked. "As a result, the costs for the criminal to return to business are typically low, as the underlying infrastructure behind the attacks remains in place. Imagine if both companies and the security industry collaborated around all the potential insight they had on an attacker, so they could be identified and the whole attack infrastructure, rather than just the latest binaries being used."
He says for this to be effective, enough technologies would need to be able to automatically apply this to their prevention controls. "How do we get such insight?" he asks. "The answer is that we do this by gathering broader insight on each attack and collaborating on threat analysis. Seeing and correlating across companies, industries and regions can allow us to build the big picture of the attacker and then work together to map out the whole attack infrastructure and shut it down."
According to Day, if the entire attack can be seen, and analysis worked on collaboratively to shut down the whole campaign, the cost of success for criminals can be significantly increased, at no cost to the industry, other than its willingness to share information. "This challenges the perspective on cooperation: we must stop trying to place commercial value on intelligence; likewise, companies that may previously have been embarrassed to share due to the resulting admission that they had come under attack need to see the value."
He says the reality today is that every company will come under attack. "But consider if you were to come under attack from something that had been previously seen, but found out no one was willing to share the information that could have helped you. This would be hugely frustrating."
Day says that although businesses have the insight on what is really happening to them, the industry needs to gather that insight and look at the big picture. "If we can collaborate we move businesses to a point where confidence in what is being flagged as bad is much higher, so businesses can automate their defence. Until this happens they will rely on human validation, but if we can look at the whole picture we can better link each attack back to the group or source, and more importantly we can shut down the whole infrastructure. When we work together we have way more CPU power to have complete insight."