IronNet Blog

What a “Collective Defense” model can do for cybersecurity

Written by Oliver Wai | Apr 29, 2019 7:17:25 PM

Collective defense is a powerful and age-old notion. You can see the concept at work in everything from the founding of NATO to the 13 American colonies banding together in 1776 for collective defense against England. Now, in today’s digital age, what if businesses formed a similar alliance of collective defense, or collective security, against cyber threats?

It turns out there’s a wealth of logic and value for just such a strategic alliance in cyberspace — especially when we consider the scope and severity of today’s threats, the benefits of collaboration and the relative inadequacies of individual efforts at cyber defense. While advocacy on information sharing for better cybersecurity is nothing new, success in carrying it out involves doubling down on what collective defense for cybersecurity should actually look like in a practical business environment.

Pitfalls to Avoid

While the goal of collective cyber defense is to get multiple organizations working together to achieve more than they could alone, much of the sharing that goes on today — particularly in the private sector — is insufficient. Most sharing between organizations today doesn’t happen in real time, and the choices companies make about what to share are often driven by outsized proprietary or legal liability concerns that result in delayed, limited reporting.

Furthermore, the process is often manual, meaning it’s hard to scale and share insights at the speed of business. And most of the information sharing that goes on today involves the “known bad” threats, meaning someone has already gone through the process of breach detection, reverse engineering and assessment — all of which takes time that hackers can use to exploit systems before anyone realizes it.

These shortcomings lead some companies to conclude that there’s simply not enough ROI in collective cybersecurity. But before giving up, remember that ROI also involves the cost of doing nothing — in this case, months spent oblivious to threats or active attacks, and possibly years of remediation and costly cleanup.

A Better Approach

The real takeaway is that there’s plenty of ROI in collective cyberdefense — but only if the effort is well-designed and well-executed.

The starting point is to make information sharing in collective cyber defense as close to real-time as possible. Otherwise, the recipient of that information is more like an end user of potentially old information, instead of an active collaborator in ongoing threat hunting and remediation. In addition, the larger the enterprise, the more important automation is. Given the volume, variety and velocity of information today, manual efforts quickly break down at scale.

Ultimately the value of collective security in cyberdefense comes in cooperatively interpreting streams of raw network intelligence — granular-level data on characteristics and behaviors that, when analyzed collectively across multiple organizations, give wide-scale visibility into shared threats that a security team in any single company might miss by just looking down their own soda straw.

Conclusion

Hopefully it’s becoming clear how a successful model for collective defense in cybersecurity needs to be tailored to real-time threats and real-world enterprise needs. As we’ll see in a future post, the right approach can do all this without jeopardizing the organization in other ways. In that post, we’ll a take a deeper, step-by-step look at how a well-orchestrated, real-time collective defense model in cybersecurity can be effectively deployed without running afoul of valid legal, IP and other concerns executives have around information sharing.