Both public and private sector stakeholders have been calling for Collective Defense in cybersecurity for quite some time. The long-standing fear that data sharing places data privacy and data security at risk, however, makes many companies reluctant to adopt this new model of cyber defense. But the reality is that operational controls can provide reliable protection on these fronts — and that sharing is the only way to increase cyber defenses to a level that truly can be effective against coordinated, well-funded nation-state attacks.
Why? Because the more data sharing for the sake of Collective Defense, the better organizations are able to tighten up vulnerabilities and protectively defend against adversaries. This position rings especially true when securing networks, where data sharing is essential for faster detection of, and response to, unknown cyber threats on those networks.
The only way to strengthen cybersecurity: anonymized data sharing
The urgent need for real-time, automated data sharing is simple and clear: it helps companies and organizations defend against cyber attacks more quickly and more effectively than within sharing ecosystems that rely on manual forms of communication. Take the SolarWinds supply chain attack, for example. We know that 18,000 public agencies and private companies were affected by the SUNBURST malware. Presumably carried out by a Russian group at the nation-state level, the SolarWinds breach reveals the sophisticated and aggressive nature of threat adversaries. In this case, they were willing to expose thousands of networks to victimize a few of their targets (i.e., federal agencies).
Data sharing within and between sectors can enable threat detection earlier in the intrusion cycle (before, for instance, a singular attack reaches 18,000 companies). Being able to see correlated alerts with situational context helps analysts raise more relevant alarms.
How does IronNet anonymize data to facilitate Collective Defense?
IronNet’s Collective Defense platform, IronDome, anonymously shares data from alerts and events detected by IronDefense, our network detection and response platform. Each IronDome participant (company, agency, or government) has a subscription to IronDefense. Metadata is shared from the alerts and events detected from each IronDefense instance.
It is crucial to realize that the data flows extracted from each participating organization’s raw network traffic never leave the organization, which owns the data. Instead, minimized events and alerts are parsed from the flows and then sent to IronDome without any identifying information.
It is also important to note that metadata by definition is a set of data that describes other data. It does not provide the actual message content from a communication.
Within this context, IronNet follows a GDPR-compliant, four-step approach to stripping sensitive data, or data minimization:
Step 1: Prerequisites
Analytic definitions define which analytics and fields are shareable. In addition, CIDR ranges (for IPs) as well as regular expressions (for domains) are manually entered.
Step 2: Enterprise enrichment
IronNet has a set of definitions for each behavioral analytic deployed in IronDefense that dictate which fields are labeled as enterprise. When new detections are created, the events produced are enriched using these definitions to indicate whether or not the IPs and domains are associated with enterprise entities.
Step 3: Data minimization
The enterprise IPs and domains, as well as any other fields in the analytic definition that contains sensitive company information (e.g. DNS query information which poses the risk of containing exfiltrated data), are removed prior to sending to IronDome.
Step 4: Verification/Validation of minimization
As additional protection, IronDome scans in real-time against customer-provided lists of IPs and domains to ensure the minimization of this data.
To learn more about data sharing in Collective Defense, see IronNet's "Data sharing in Collective Defense: Myths v. Reality" white paper or watch the on-demand webinar below.