Tuesday 19 December 2017

Why Cisco, McAfee Say Security Vendors Must Share Threat Intel to Beat the Baddies


The Cyber Threat Alliance, a group of 14 security vendors that share threat information with each other every day, sounds about as likely as a friendship between a kitten and a shark. Security professionals often have trust issues. And their companies compete with one another in a lucrative market that is expected to grow to $96.3 billion in 2018.

So, why do Cisco, McAfee, Fortinet and others work together?

"We all recognize to a large extent that the attackers are collaborating," said Vincent Weafer, vice president of McAfee Labs. "So the question is: why aren't we doing the same?"

The group's founding security providers, Fortinet, McAfee, Palo Alto Networks and Symantec, agreed in 2014 to share intelligence.

"To be honest, at first there wasn't a great deal of acceptance," said Derek Manky, Fortinet global security strategist, who sat through a lot of conference calls among the four founders. "'Show me what you have and I'll show you what I have' is something very uncommon."

But they realized that they were not going to beat the bad guys on their own. In addition, their customers generally use multiple security products from multiple vendors.

"At the end of the day, all these customers are essentially mutual customers, and it's our job to protect them," said Matt Watchinski, senior director who oversees Cisco Talos. "The better we can share data, the better we can protect our mutual customers."

Member companies often see threats at different points in the network, Weafer added. "What I see as an endpoint system is very different from a gateway. There is still a lot of room for us to be unique in this market as a company, but what we see, how we see it and how we rate risk is something we are all better at if we share it."

Without Freeloaders

Information sharing is a key component of the CTA. It is what differentiates the group from traditional Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs), said CTA President Michael Daniel. Prior to joining the CTA, he served as special assistant to President Obama and cybersecurity coordinator on the National Security Council.

Traditional threat-sharing groups tend to have low participation rates. They also do not share information in real time or provide context. The CTA, on the other hand, requires members to submit a daily minimum. It uses a scoring algorithm to reward the quantity, quality and timeliness of submissions.

"We say that members must submit an average of 10,000 intelligence points per day," said Daniel. "We weight context and timeliness very heavily. Don't just tell me that this is a malicious binary; tell me what malware family it is part of, what stage of the kill chain you think it belongs to, and whether you think it is criminal or nation-state."

Watchinski sees the daily threat-intelligence requirement as setting "how high the bar should be" for participation. It prevents freeloading, he said. "It ensures that members have unique visibility or something that is useful to the rest of the members, so they don't get any special benefits without contributing data."
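The article names three properties the CTA's scoring rewards (quantity, quality or context, and timeliness), a 10,000-point daily minimum, and the context fields Daniel asks for (malware family, kill-chain stage, criminal versus nation-state). The following is an added illustration of how such a scheme can be modelled, written for this page and not the CTA's actual algorithm, which the article does not publish; the weights, the timeliness bands and the de-duplication of repeated indicators are assumptions chosen to show why bare, late or duplicated indicators earn little under a context-and-speed-weighted scheme.

```python
"""Illustrative scoring of threat-intelligence submissions.

Constructed example: the Cyber Threat Alliance's real scoring algorithm is not
described in the article. This model only reflects the three properties the
article says are rewarded (quantity, context, timeliness), the 10,000-point
daily minimum, and the context fields Daniel lists. All weights are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed weights: context fields the article mentions earn extra points
# on top of a base point for the bare indicator.
CONTEXT_WEIGHTS = {
    "malware_family": 2.0,
    "kill_chain_stage": 2.0,
    "actor_type": 1.0,  # "criminal" or "nation-state"
}
DAILY_MINIMUM = 10_000  # average points per day quoted by Daniel


@dataclass
class Submission:
    indicator: str            # e.g. a file hash or domain (constructed values below)
    first_seen: datetime      # when the member observed the indicator
    submitted_at: datetime    # when it reached the sharing platform
    malware_family: Optional[str] = None
    kill_chain_stage: Optional[str] = None
    actor_type: Optional[str] = None


def context_score(s: Submission) -> float:
    """1 point for the indicator itself plus the weight of each context field supplied."""
    score = 1.0
    for field_name, weight in CONTEXT_WEIGHTS.items():
        if getattr(s, field_name):
            score += weight
    return score


def timeliness_multiplier(s: Submission) -> float:
    """Assumed bands: fast sharing is doubled, stale sharing is halved."""
    delay_hours = (s.submitted_at - s.first_seen).total_seconds() / 3600
    if delay_hours <= 1:
        return 2.0
    if delay_hours <= 24:
        return 1.0
    return 0.5


def score_submission(s: Submission) -> float:
    return context_score(s) * timeliness_multiplier(s)


def daily_total(subs, minimum: float = DAILY_MINIMUM):
    """Sum the best score per distinct indicator and check it against the minimum.

    De-duplicating by indicator keeps 'quantity' from being gamed by resubmitting
    the same observable; only the richest/fastest copy counts.
    """
    best = {}
    for s in subs:
        best[s.indicator] = max(best.get(s.indicator, 0.0), score_submission(s))
    total = sum(best.values())
    return total, total >= minimum


def sample_day():
    """Constructed submissions for one member on one day (not real indicators)."""
    t0 = datetime(2017, 12, 19, 8, 0, tzinfo=timezone.utc)
    return [
        # Bare hash shared two days late: 1.0 * 0.5
        Submission("sha256:deadbeef00", t0, t0 + timedelta(days=2)),
        # Fully contextualised, shared within the hour: (1+2+2+1) * 2.0
        Submission("evil-c2.example", t0, t0 + timedelta(minutes=20),
                   malware_family="ExampleLocker", kill_chain_stage="command-and-control",
                   actor_type="criminal"),
        # Family only, same day: 3.0 * 1.0
        Submission("sha256:cafef00d01", t0, t0 + timedelta(hours=5),
                   malware_family="ExampleLocker"),
        # Duplicate of the first indicator, but shared fast: 1.0 * 2.0 (supersedes 0.5)
        Submission("sha256:deadbeef00", t0, t0 + timedelta(minutes=10)),
    ]


if __name__ == "__main__":
    total, ok = daily_total(sample_day())
    print(f"points today: {total}, meets {DAILY_MINIMUM}-point minimum: {ok}")
```

Running the block shows the asymmetry the article describes: one well-contextualised, promptly shared indicator is worth more than a dozen bare hashes, and resubmitting the same observable adds nothing beyond its best single score.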

CTA team wins

In 2015, member companies published a white paper on the CryptoWall ransomware. They found that the attackers had taken in $325 million in revenue, including ransoms paid by victims to decrypt and regain access to their files. They also identified 406,887 attempted CryptoWall infections and 4,046 malware samples.

"We discovered so much information about them that the day after the white paper was released, they stopped that version of CryptoWall," Manky said. "It was a good victory to team up and make it more expensive for the attackers."

The white paper also showed member companies the value of working together. "We learned that everyone had some degree of unique knowledge," said Weafer. "Eighty percent probably overlapped, but that 20 percent was incredibly valuable for filling in the pieces."

Watchinski points to the group's response to the WannaCry ransomware attack in May as another success story. "We were all on the phone; we basically gathered everyone in a virtual room to analyze what we knew about the incident and what we could do to protect our customers," he said. "That has never happened before."

While initial reports stated that WannaCry was an email attack, it took CTA members only a couple of hours to determine that this was not the case. "We had 12 of the largest cybersecurity companies on this call, all saying no, we're not seeing email as a vector; it's surely another vector that is spreading this thing," said Daniel.

The companies also passed this information to the US government so the Department of Homeland Security could better investigate the attack.

Cybersecurity campaigns

The group was relaunched as an independent organization with dedicated staff and a threat-sharing platform at the RSA Conference in February.

The CTA currently has 14 member companies: Check Point Software Technologies, Cisco, Fortinet, McAfee, Palo Alto Networks, Symantec, IntSights, Rapid7, RSA, Reversing Labs, Saint Security, SK Infosec, Sophos and Telefónica's ElevenPaths. The group is actively recruiting new members and will probably form alliances with other organizations in 2018, members say.

The CTA also seeks to better protect customers by focusing on the tactics attackers use, rather than just on the attackers themselves. "There is a finite number of such tactics, so we are defining what those tactics are, how they work, how we track them, and how we provide protections for each of the products that member companies build," Watchinski said. "If we can force the attackers to incur development costs in their tools, that will slow down their ability to attack our customers."

The objective is to reduce the time between threat detection and threat mitigation from days or weeks to just hours.

"This model really requires a lot of investment from companies," said Daniel. "You don't join the CTA passively, but you have a great chance of moving the needle in the cybersecurity industry."
