This is the tenth in our series of cybersecurity predictions for 2016. Stay tuned for more through the end of the year.
There are few areas of cybersecurity that present more promise than the concept of sharing threat intelligence to make online communities, and the Internet as a whole, a safer place.
No single organization is capable of achieving complete visibility into the threat landscape. But by joining together and sharing threat intelligence across the industry, we can enhance our collective immune system. The challenge, as is often the case, has been around putting that into practice.
There have been pockets of innovation, such as the Information Sharing and Analysis Centers (ISACs) or security vendors sharing intelligence between their customers. But as attackers continue to conduct successful cyberattacks around the world, this is clearly not enough. Current efforts provide value, but they are often cumbersome and only accessible to larger and more sophisticated security operations teams. There is essentially a high “barrier to entry,” with manual analysis required to consume, verify, analyze and implement any changes to an organization’s policy, even with adequately shared intelligence.
This requirement has limited the number of organizations who share intelligence, meaning we have less of it available than we should. Now, imagine a world where every security team can turn their network into a sensor and automatically implement protections for new attacks as they happen. This puts malicious actors at a disadvantage, requiring them to spend immense resources to discover new exploits, construct new malware, and employ new techniques.
The past year has shown us early indicators that 2016 will be the year organizations truly embrace – and reap the benefits of – shared threat intelligence. We will see this change the way both security vendors and the security community at large operate. I anticipate three specific changes:
1. Threat intelligence is not intellectual property
Organizations have historically been hesitant to share data on threats. From a security vendor side, this stems from a common belief that their product differentiation is dependent on keeping this intelligence a closely guarded secret.
From a user perspective, many organizations have also operated under the assumption that sharing intelligence with their competitors could expose sensitive information or put them at a competitive disadvantage. But, in 2016, we will see more vendors come to the realization that their users, and the community, have come to expect more from them. In order to offer the best protections possible, vendors will begin to share intelligence with each other on a wider scale.
2. Public and private data sharing
There has never been more focus from the United States government on the sharing of threat intelligence, with President Obama directing the Department of Homeland Security (DHS) to lead the charge to enable public and private entities to share intelligence with each other inExecutive Order 13691.
This coming year will see the result of these efforts formalized and put into practice, withInformation Sharing and Analysis Organizations (ISAOs) being established and intelligence shared across private, non-profit and government agencies. Spurred by this innovation, we will see governments beyond the U.S. adopt similar policies.
3. Campaigns, not samples
We will see an evolution in what is being shared, with a move toward more adversary- and campaign-oriented intelligence. Traditional efforts have been focused on indicators such as hash values, which provide minimal actionable value to the organizations receiving them. Instead, we will see more effort around malware family and adversary attribution, which provide the context needed to understand the threat and develop relevant protections against them. Simply sharing data will no longer be good enough; we have to share the right intelligence, with actionable recommendations.
The coming year represents the fruition of the great promise in threat intelligence sharing. The world is changing, and both vendors and users must adopt a more proactive stance to sharing, lest they risk being left in the dust by those who do.
We have a responsibility as a security community to do everything in our power to prevent cyberattacks, which includes sharing as much intelligence as possible. While there is a great deal of momentum in 2016, we can do more to reap the benefits of this trend. Ask yourself how your organization can integrate and contribute to keeping our community safe online.
Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.
[Palo Alto Networks Blog]