Business & Technology

Threat Intelligence Sharing: Why is it Important?

By Ken Xie | March 09, 2018

IIn today’s digital economy, speed and efficiency are essential. So is the ability to access data from anywhere and from any device. These demands are forcing the network to change, increasing the amount of data that networks need to manage and the number of devices connected to those networks. This is responsible for growing the potential attack surface of today’s networks.

The security challenge is about much more than just network expansion. Everything is also connected to everything else through the growth of applications, shared services, and distributed resources. These growing levels of hyper-connectivity are compounding the challenge of protecting networks because data and resources are always in flux, with new attack vectors constantly being created as a result.

However, data and resources still need to be protected, especially as they move from remote devices, through the network, and out into the multi-cloud. But most traditional security devices were never designed to do this, so the security industry is under pressure to create new solutions that can seamlessly provide the expanded protection that today’s networks need.

Threat Intelligence Sharing: Why is it Important? 

Companies can’t protect what they can’t see. So, in addition to increased performance and integrated security devices, IT teams also need access to real-time threat intelligence. Advanced threat intelligence from security professionals helps IT teams quickly detect and identify threats and automatically respond at digital speeds so they can better protect their networks. 

Threat intelligence gathered from multiple sources, which is then processed and correlated, is the most effective, valuable, and actionable form of data out there. It’s what organizations with huge security resources use to better protect their networks. The problem is that this sort of higher-level intelligence has historically been out of the reach of most companies. So, in 2014, Fortinet took steps that would eventually lead to the formation of the Cyber Threat Alliance (CTA). We and other founding members, including McAfee, Symantec, and Palo Alto Networks, understood how critical it was to provide security professionals with the intelligence and technology they needed to identify an attack. We also knew they needed to be able to use that information immediately to stop an attack along the kill chain.

Security companies like Fortinet, who were actively engaged in threat research, knew how much we relied on threat intelligence to protect our customers. We also knew that converting raw intelligence into something that was actionable required a level of expertise that many organizations didn’t possess.

Our answer was to bring together participants from across the cybersecurity industry to correlate and share actionable threat intelligence in as close to real-time as possible. We knew that threat intelligence sharing would not only help organizations better defend themselves against cyberattacks but that it would also help improve the overall security of the Internet.

After a few years, the founding members decided that to better meet these goals, the CTA should be established as an independent organization. Since announcing the new organization, including the addition of Cisco, Checkpoint, and a leadership team over the last year, the CTA has expanded its ability to protect organizations around the world. It has done this by growing the number of organizations that share threat intelligence, and by improving the tools used to collect, process, and correlate intelligence in order to protect millions of customers.

The CTA is working to improve the cybersecurity of its global digital ecosystem by significantly reducing time to detection and closing the gap in the detection-to-deployment lifecycle. It does this through near real-time, high-quality cyber threat information sharing and operational coordination between companies and organizations in the cybersecurity field. This approach brings together companies with different interests while enabling them to work together for the greater good.

The CTA: An Essential Part of any Threat Intelligence Strategy

While sharing threat intelligence is an important part of any security strategy, it’s only half the battle. External threat intelligence provides obvious benefits, but to demonstrate its true value, this information must be woven into an integrated threat intelligence strategy.

Good threat intelligence starts with conducting an inventory of all the devices on a company’s network. This includes listing manufacturers, devices, OS versions, patch levels, etc. This data will help companies identify devices that are vulnerable to exploits and, in turn, decide what threat intelligence is most likely to help their network. Once companies are tracking all the physical and virtual devices on their network, they must begin to gather and correlate threat intelligence from log files and management consoles. This data needs to include endpoint and IoT devices, virtualized data centers, and SaaS and IaaS multi-cloud devices and traffic. This will require a centralized collection and analysis system.

Next, organizations must evaluate and update logging and analytics platforms to make sure that local data can be combined with external intelligence. Correlating local and global intelligence provides critical insights, but because of the speed of today’s attacks, this needs to be done quickly. This means threat intelligence must provide actionable information rather than just raw data, as the latter will require a lot of manual processing. Further, companies must use open standards to efficiently combine and correlate different data sets, as this will help to efficiently identify indicators of compromise and prioritize the response to potential threats. 

This is where the value of the CTA is critical. It enables cybersecurity providers to share intelligence and cooperate in incident response. Each of the CTA’s members may have access to different pieces of the intelligence puzzle, and the CTA helps bring them together to reveal the broader picture. This approach enables CTA members to gain rapid access to information they otherwise would not have, which in turn allows them to better protect their customers. A cooperative strategy such as this allows cybersecurity companies to work together operationally during large-scale cyber incidents, such as WannaCry and NotPetya, or to address newly discovered vulnerabilities, such as Meltdown. This approach dramatically improves the efficiency and effectiveness of our response efforts. 

Finally, producers or consumers of threat intelligence should consider joining the CTA. Centrally collecting, analyzing, and distributing actionable threat information among members makes everyone safer. End-user companies should consider joining an ISAC (Information Sharing and Analysis Center) group associated with their region or industry. Data sharing between peer organizations provides another layer of analysis, allowing companies to compare their threat status against what is happening in similar networks.

Threat intelligence needs to be a cycle. Our FortiGuard Labs team, for example, uses the intelligence we collect from participating customers to improve our threat database. We then share that intelligence with the CTA, which in turn is used by customers. As a result, threat intelligence is constantly being recycled and refined.

Threat Intelligence Sharing Should Be Prioritized Across Organizations  

There are strong benefits to any organization that participates in collecting, processing, and sharing threat intelligence. One of the most important is that the wider the scope and scale of visibility into threats that we can create, the more everyone will be able to detect and mitigate new and emerging threats.

Because of its collaborative approach to collecting threat intelligence from cybersecurity experts, the Cyber Threat Alliance is unique in both its mission and its model. The cyber community as a whole would do well to use CTA as a model for how different, even competing organizations can come together across private and public sectors, including critical infrastructure, to address emerging cyber threats, especially those with far-reaching social and economic implications.