Threat Insights: Information Sharing in Cybersecurity Today Q&A with Derek Manky

By John Welton | February 10, 2017

Information sharing continues to be a topic that remains timely and vital in global cybersecurity. As an industry, it is well understood that turning the tide on cybercrime requires actionable information sharing across networks, borders, and vendors. Fortinet’s Derek Manky offers some perspective ahead of RSA 2017 in San Francisco.

Why is information sharing so important today?

Sharing information proactively across all verticals and public or private organizations is essential moving forward. Organizations continue to struggle against ever-evolving threats, an expanding attack surface, and a growing security skills shortage. Actionable information is the best way to move from being reactive to proactive in cybersecurity today, and to catch and make examples of cyber criminals.

Why is information sharing easier said than done?

The problem has been context. It is hard to put raw information into its larger context around the attacker of who, what, when, where, and how. In today’s big data world, any information being shared also needs to be suitable for automation, and not everyone has experience with sharing information that is suitable for automation. Information sharing also needs to be quick, on par with or ahead of the black hat attacker movement. – and it needs to be trusted, especially when dealing with automation. And finally, confidentiality and privacy issues complicate the situation even further, but this can be managed through the sharing of only non-personally identifiable information.

What does this mean for security vendors today?

Security controls need to be able to automatically trust and digest threat intelligence and use it to take action. The vast amount of threat intelligence that exists today, with even more coming tomorrow, cannot be managed otherwise. The challenge is that today’s security teams monitor an average of 14 separate security consoles to try and manage, assess, and secure the expanding array of devices and technologies deployed across their hybrid and distributed networks. Many times, they end up having to compare log files, hand correlate data, and manually change policies between devices in order to address threats. Which means that far too many threats go undetected, and for the ones that are, response times are too slow for attacks that operate at machine speeds. This is essentially a growing big data problem for cybersecurity today. And until recently, attempts to exchange information between disparate entities have been complicated by the ad-hoc methods being used. This will be a big topic of conversation at RSA this year.

People often talk about information sharing as being a two-way street. Is that really happening?

While consuming, consolidating, and correlating information provides obvious benefits, always consider how you and your organization can also contribute back to these information feeds. There are tangible benefits to your organization for doing so – particularly given the evolution from broad-based attacks focused on specific platforms to today’s highly complicated, multi-vector targeted attacks. So the wider the scope of visibility (i.e. by sharing threat information) the more able we will be to detect and mitigate these attacks.

The Cyber Threat Alliance (CTA) is a good example of vendors coming together to improve information sharing for the better of the industry. Even as competitors, we have worked hard together to put our vision into practice through the collaboration and sharing of intelligence.

What is Fortinet doing to help further information sharing?

The Fortinet Security Fabric can already correlate threat intelligence to determine a risk level and automatically synchronize a coordinated response. It can also dynamically isolate affected devices, partition network segments, update rules, push out new policies, and remove malware.

Fortinet is also taking action in this area by actively directing the future of threat intelligence standards and protocols through our ongoing collaboration with global law enforcement and government and industry organizations.

Fortinet has been an active member of an expert working group with INTERPOL for more than a year, and we helped catch a global cyber criminal gang last year. Additionally, Fortinet announced an industry partnership agreement within the framework of the NATO Industry Cyber Partnership (NICP) with the NATO Communications and Information (NCI) Agency in 2016.

Again, as a founding member of the Cyber Threat Alliance (CTA) we are dedicated to working closely with our partners in the industry and law enforcement to detect and disrupt cybercrime campaigns. CTA’s “Cracking the code on Cryptowall” campaign, which provided critical research into the Cryptowall ransomware that was responsible for US$325 million in losses, is a great example.

We are also a member of the OASIS Cyber Threat Intelligence (CTI) group, helping drive collaborative threat intelligence and information sharing forward for the benefit of global welfare and economies.

There is a greater mission on the part of every security vendor to make the world safer and more secure for people to interact, do business, and communicate ideas. Sharing critical threat intelligence is a critical part of that responsibility. Public and private sector partnerships in this area will continue to be a major focus for Fortinet in the future.


Attending RSA 2017 in San Francisco? Visit the Fortinet booth #N3627 and hear more about the Fortinet Security Fabric-protecting from IoT to the cloud!