Defense in Depth: Shared Threat Intelligence

We all know that shared intelligence has value, yet we’re reticent to share our threat intelligence. What prevents us from doing it, and what more could we know if shared threat intelligence were mandated?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest, Joel Bork (@cincision), senior threat hunter, IronNet Cybersecurity.

Thanks to this week’s podcast sponsor, IronNet Cybersecurity

To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.

Got feedback? Join the conversation on LinkedIn.

On this episode of Defense in Depth, you’ll learn:

  • We all benefit from sharing threat intelligence, so why don’t we do it?
  • If threat data is public, is it useful? The argument is that if the good guys know about the threat intelligence, then all the bad guys know as well. But that’s if it’s in a public forum.
  • If threat intelligence were shared in a more rapid, comprehensive, and secure manner, it would have more utility.
  • Sometimes the “intelligence” a company first gets is just a data feed.
  • There has to be a greater discussion of the risks of sharing as compared to the upside. Often, it’s so easy to shut the doors and not share, with the benefit never calculated into the equation.
  • When an organization is in the middle of its security maturity curve, it holds all its data as close to its chest as possible. As it continues on its journey and continues to learn lessons along the way, it begins to understand that collaboration will help the community as a whole – including itself.
  • Threat data is really not what professionals need. What they need is intelligence. And this requires a way to onboard and make sense of the data on its own and in aggregate and over time.
  • Each of us is collecting different pieces of the threat landscape puzzle. If someone doesn’t provide their piece, then we have an incomplete puzzle and there are now holes in our knowledge and ability to protect ourselves.
  • Threat intelligence does not hold the same weight for every user. What’s valuable to someone may not be of value to another. And you may be holding onto data that you don’t necessarily think is valuable.
  • You want threat intel to be actionable, which does not necessarily mean responding automatically.
  • We spoke of threat intel with the analogy of animals traveling in herds for protection. The attackers often pick off the weak ones, but when everyone is working together, the stronger animals can actually protect the weak.
  • Even with everything we know and value with shared threat intel, there is still a ton of paranoia around sharing. While there is lots of discussion about data not being identifiable, most choose to opt out of sharing threat intel.
