The Right Way to Collaborate on Cyber Defense
In a previous blog, we laid out the value of a collective security approach for businesses willing to collaborate on cyber defense. We saw how crowdsourcing insights in real time creates a more complete, clear and actionable picture of digital threats and how to fight them. At the same time, we flagged valid concerns about not revealing certain kinds of information that should be shielded for proprietary or competitive reasons.
In this post, let’s take a closer look at how to thread that needle: to provide what needs to be shared in the interest of collective cyber defense — without creating legal issues, compliance hazards or unwanted visibility into business operations, proprietary information, IP and other company assets.
A Recipe for Effective Collaboration
The good news is that the right collective security approach will let organizations exchange valuable information about threats — granular level data, raw network intelligence and behavioral patterns in the digital noise — as anonymously summarized “participant events” that don’t reveal sensitive information about company operations. When multiple organizations share this data, ideally at automated machine-speed on a trusted platform, the result is a fast-acting consortium of organizations detecting targeted campaigns that would otherwise be difficult to identify by any single company working in isolation.
All this can happen without any single company’s IP addresses, internal hostings, server configurations or other sensitive information ever being shared with peers. Events can be scored and shared automatically based on anonymized characteristics of behavior. As consortium members contribute more information back, seasoned analysts can be automatically alerted to vet the most suspicious patterns and share vital insights, warnings and proactive recommendations throughout the community of participating organizations.
The size of this collective security ecosystem can become very large. As cyber situational awareness and threat insights grow across communities of similar risk profiles, these insights can be further integrated to facilitate cross-sector exchanges — giving regional or national-level visibility and empowering a unified response to threats.
Beaconing Malware as a Use Case
Let’s use the example of beaconing malware to see how the process should ideally work. Beaconing malware is an early indicator of trouble — first contact for malware searching to infect a vulnerable host and initiate a command and control channel for a threat actor to wreak havoc.
As the beaconing malware circulates the internet in search of making a connection, patterns emerge — who is doing the beaconing; whom it’s trying to connect with; the frequency and duration of the attempts and so forth. A collective security model allows companies to share what they know about these patterns for early insight and protections that they couldn’t hope to gain on their own.
Some of the first insights might involve characteristics of behaviors that a particular company is experiencing — shared in real time as soon they’re detected. At this early stage, there may still be uncertainty about whether what’s going on is benign and malicious. Subsequently, the system would gather insights from other members of the consortium to see who may be experiencing the same things, and when.
Because the process is automated, this information gathering happens at scale, in near-real time and in a way that deploys human analysts in the most strategic way — looking at real or likely threats instead of sifting through raw data. Ultimately, the result is the entire pool of companies learns more about who may be targeted and how best to protect everyone from the threat.
Choosing the Right Approach
Everything we’re describing here is what happens with IronNet’s IronDome — the industry's first collective defense system that shares cyber anomalies across an industry sector to deliver machine-speed visibility of threats targeting peer members. But whatever your exact approach, you should look for a similar level of expertise, insight and security. Among other things, your solution should reflect the logic and benefits of collaboration; the solution should be automated and near-real time; and you should share across the cyber kill chain quickly to reduce adversarial dwell time.
These are just some of the considerations that go into an effective model for collaborating on cyber defense. And while it’s all easier said than done, it’s well worth the effort in terms of ROI and added security for your data and operations.