Collective Defense

What it is and how it works

Collective Defense is a proactive, collaborative approach to cybersecurity that involves
organizations working together within and across sectors to defend against targeted
cyber threats.

Evolution of
Collective Defense

The notion of Collective Defense is nothing new. From a geopolitical standpoint, NATO has upheld the principles of Collective Defense for decades through its long-standing military alliance. As NATO famously stated in article 5 of its founding treaty: an attack against one member is considered an attack against all members.

The same principle applies in this new approach to cybersecurity, where organizations face constant threat of cyber attack from nation states, hackers, and criminals. These threat actors are known to work together to share techniques, forming an effective “collective offense” to infiltrate organizations.

To combat this growing cyber threat, companies are increasingly adopting a Collective Defense strategy to
actively share cyber threat intelligence with peer organizations to improve the detection capabilities of the
collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights,
collaborative organizations can more effectively spot malicious activity and greatly reduce attacker dwell time
to mitigate threats before damage occurs.
  • Increase visibility into
    threat landscape

    By shifting cyber defense from reacting to attacks to proactively defending against threats.

    By improving the organization’s confidence and security readiness to defend what is coming around the corner.

  • Reduce impact
    of an attack

    By increasing the ability to prioritize detection of high-risk threats.

    By improving visibility, detection time, and speed of remediation.

  • Improve effectiveness of
    cybersecurity investments

    By maximizing existing tools and investments and their ability to close security gaps.

    By improving security outcomes through the sharing of knowledge and insights with subject matter experts across peers across a business ecosystem, industry sector, or region.

General (Ret.) Keith Alexander | Founder and Co-CEO

“As commander of U.S. Cyber Command, one of the issues I saw was that we couldn’t see attacks in cyber against our nation. So the government’s response was always that of incident response — after the attack. We wanted to come up with a way to help companies stop the attacks before something bad happened, not after. IronNet was created to help fill that void.”
General (Ret.) Keith B. – Alexander, IronNet Chairman and Co-CEO, former Director of the U.S. National Security Agency and Founding Commander of the U.S. Cyber Command

How Collective Defense works

The concept of Collective Defense covers the three critical areas of a holistic cybersecurity strategy for protecting people, process, and technology. Network-speed detection and rapid response reduce attacker dwell time but, equally as important, knowledge sharing is critical so that everyone can defend, at the same time.


Today’s attackers can easily bypass cyber defenses using a number of basic techniques — from
changing their command and control infrastructure, modifying malware toolkits, or leveraging non-malware
based methods such as stolen credentials to hide their activity from signature-based and simple anomaly or
outlier-based behavioral analysis systems. Additionally, the sheer scale of devices and network communications in
a modern enterprise — coupled with the need to work with a multitude of partners, suppliers, public cloud providers,
and other third-party entities — increases the difficulty of identifying threats in a silo.

  • Increased visibility across
    the threat landscape

    It is difficult to defend threats that your security team cannot see. While enterprises can and should fortify their cyber defenses, improving the ability to share threat insights with industry peers, business ecosystems, or other groups is critical to increasing the efficacy of all participants. Much like an air traffic control system, where individual enterprises are akin to individual radar towers, the ability to share at machine speed is critical for developing a real-time cyber map of the threat landscape that enables all participants to see where threats are coming from and, most importantly, optimize their cyber defenses to actual threats targeting their enterprise.

  • Group-level threat detection
    and peer correlation

    To identify threats early enough to make a difference, those engaged in Collective Defense must deploy a more proactive and behavioral-based detection capability to analyze network anomalies and to share those insights at machine speed to counter the evasive techniques used by many threat actors today.

  • Correlated insights in
    situational context

    Technologies such as advanced analytics, AI, and machine learning can be used to identify anomalous behavior and generate alerts in real time. However, it is often difficult at an individual enterprise level to distinguish malicious from merely anomalous behaviors without additional context from a broader community of peers. Collective Defense delivers group-level threat detection by aggregating pre-triaged anomalies at the individual enterprises and then applying high-order analysis and correlation that help identify threat campaigns targeting the collective, broader command-and-control infrastructure. Collective Defense facilitates the distribution of peer insights on the ways individual companies have triaged similar anomalies in their environments.


What makes Collective Defense such a powerful tool is the cyber threat sharing platform that allows participating organizations to become aware of and thwart cyber attacks targeting similar organizations. By sharing cyber anomalies in real time across a community of peers and within situational context, companies can identify attackers earlier in the attack cycle (that is, the cyber kill chain) when many of their methods fall below the threshold of detection. In other words, behavioral analytics can detect “unknown unknowns,” making this new approach to cybersecurity a stronger defense approach than signature-based analytics often used in NTA solutions.

  • Real-time, machine-speed sharing of detected anomalies

    Collective Defense systems are based on two types of data sharing: automatic and active. Automatic sharing is how the majority of information feeds into the Collective Defense system. With automatic sharing, all threat activity on a company’s network is anonymized and securely shared within the Collective Defense ecosystem. By automatically sharing behaviors earlier in the kill chain and to all members in the ecosystem, Collective Defense systems reduce adversarial dwell time and impact.

  • Sharing human insights across supply-chain, ecosystems, and industries

    Active data sharing goes a step further by allowing organizations to voluntarily add notes to events entering the Collective Defense system. Just as the navigation app Waze allows drivers to inform other drivers of accidents, speed traps, and other road obstacles, active and real-time sharing in Collective Defense allows companies to inform the community of any insight gathered on the threat.

  • Sharing that complements what Information Security and Analysis (ISAC) groups and Threat Intelligence Platforms (TIPs) do today

    While ISACs and TIPs provide a critical and essential role of sharing important Indicators of Compromise (IOCs), these usually focus primarily on signature-based indicators, and knowledge sharing happens only after a long period of investigation, triage, and sometimes legal review by the affected enterprise. As such, threats can last weeks, if not months, before they are shared.

    Whether automatic or active, suspicious activity fed into the Collective Defense system allows technology to be applied by the host system to search for correlations in all threat activities. This ability to identify and correlate patterns of behaviors in seemingly unrelated anomalies enables the system to identify threat groups that use similar strategies to target enterprises.

  • Optional sharing with government

    Collective Defense improves the visibility and coordination between private sector enterprises with their public sector counterparts. This is especially important in sectors such as energy, finance, healthcare, defense, and critical infrastructure industries. By providing an anonymized view to the government from enterprises that have opted-in to Collective Defense threat sharing, governments will get additional insights to nation-state activity or advanced cyber criminal organizations activity that they may be tracking so that they may be able to take action or to provide early warnings to companies.


The final step is taking action against threats. While Collective Defense systems do not actively respond to threats facing individual organizations — by learning about possible threats earlier in the cyber kill chain — enterprises, industries, and nations can act faster using their own tools and tactics. The contextual data and added threat intelligence from the Collective Defense members give response teams a head start on mitigation.

  • Individual-level response

    Whenever a threat is identified in the Collective Defense system, member organizations receive a malicious alert notification. This approach spurs evasive action such as creating firewall rules or using SOAR systems to block the malicious traffic. Work is typically done by in-house SOC teams or third-party cybersecurity service providers.

  • Collective-level response

    The distribution of threat insights of malicious activity detected in a member to all enterprises in the Collective Defense community enables all to take defensive actions. Much like in the physical world of how an attack on one NATO member results in a response by all members, responding together in cyber at the collective level degrades the ability of a threat actor to target members one-by-one using the same Tactics, Techniques, and Procedures (TTPs). Taken at scale, this approach can slow down the speed of attacks and effectiveness of threat campaigns by forcing threat actors to continually create new TTP playbooks instead of reusing existing TTPs with minor modifications to target multitudes of individual enterprises.

  • National-level response

    Providing an anonymous, opt-in view to governments allows them to see threats targeting critical infrastructure, assess the risk, and, in turn, take action using all powers at their disposal. This adds an additional level defense at the national level by allowing law enforcement takedown of malicious infrastructure or to leverage cyber, political, economic, diplomatic, or other elements of power at their disposal to stop threat actors from targeting enterprises within the country.

Data-driven insights on Collective Defense

"The survey concludes that in the face of adversaries who are increasingly collaborating for a collective offense, organizations must mature their Collective Defense to meet these powerful and ever-changing threats."

Collective Offense Calls for Collective Defense

To test the appetite for cyber collaboration among senior cybersecurity executives, independent research firm Vanson Bourne interviewed 200 U.S. security IT decision makers from multiple industries. Findings show strong support for Collective Defense.

Among the study’s key findings

Current systems are inadequate against today’s threats

  • 85% of respondents are most likely to rate their organization’s cybersecurity technology, systems, and tools as advanced.
  • 1 in 3 respondents suffered an average of one cybersecurity incident every three months.
  • 80% of respondents say that the severity was such that C-level/board meetings were required afterwards.

Cybersecurity leaders have an appetite for Collective Defense

  • 94% of respondents say their organization would be willing to increase the level of threat sharing with industry peers if it demonstrably improved their ability to detect threats.
  • 92% of respondents say they would increase their level of threat sharing with government if it enabled the government to use political, economic, cyber or other national-level capabilities to deter cyber attacks.

Collective Defense Case Study: Con Edison

11 million New Yorkers rely on Con Edison for power, making cybersecurity a top enterprise risk. But despite huge investments in technology, Con Edison remained concerned over its ability to analyze network traffic and defend against known threats to outside organizations. Investing in Collective Defense with IronNet’s IronDome solution gave Con Edison peace of mind.

“The value proposition associated with the Dome is not just about Con Edison. It’s about the entire sector — and other sectors — that are at risk from a cyberattack. Understanding what’s going on in those networks compared to ours makes us collectively stronger and better able to mitigate those risks.”
Manny Cancel | former VP and CIO of Con Edison

Who’s using Collective Defense?

Most industries working to defend against fast-evolving cyber threats recognize the value in Collective Defense. By sharing cyber threat
intelligence with each other in near real-time, organizations are able to shift from a reactive posture to a proactive one.

Get Collective Defense with IronDome

IronDome is the cybersecurity industry’s first Collective Defense solution. IronDome takes alerts and cyber anomalies generated from IronDefense – IronNet’s scalable network traffic analysis platform – and shares them quickly, safely, and anonymously across IronDome members. These events are then correlated across industry peers to identify sector-wide adversarial campaigns that would be challenging to detect alone. Notification of these correlations is provided in real-time to IronDome participants, giving them faster visibility into potential threat campaigns targeting their industry.



Who benefits from IronDome Collective Defense?

With IronDome, companies of all sizes can implement Collective Defense. Whether you’re a Fortune 500 enterprise, a midsize company
or a small business, IronDome can be tailored to provide a world-class threat detection capability for any budget.