How Mature are your Enterprise Security Data Sharing Practices?
Last month I wrote about attending a Department of Homeland Security (DHS) conference on its effort to create a new wave of Information Sharing and Analysis Organizations (ISAOs). Along with many in the industry, I believe the future of cybersecurity surely holds a rich networked hub of security data sharing systems and organizations, and that through these systems we’ll all become part of a more effective cyber-immune system and obtain much richer data on threats (both for prediction and attribution), as well as actuarial data on risks and on control effectiveness.
But how do we get there from here? How do we who believe this attach ourselves to this fascinating trend?
Beyond blogging about community-based defense in theory and occasionally participating in the Industrial Control Systems (ICS) ISAC and other forums in practice, my partners and I will assist with the bottom-up work that organizations need to do if we’re going to reap the benefits of sharing.
Articulating the Business Case for Sharing
First, many organizations still need to be convinced the value is there. At the ISAO conference I attended, General Greg Touhill asserted that “through security information sharing, organizations can buy down their risk by 15%.” That’s the sort of quantitative information executives like to hear, and the U.S. government is certainly trying to make Touhill’s assertion into reality through various DHS, NIST, FBI and CERT initiatives. In a future post, I’ll try to get to the business case data behind the General’s number and/or how to leverage those government-provided resources.
Taking Legal and Privacy Concerns off the Table?
Echoing Chris Blask from the ICS ISAC: sharing should be about “getting you information you can use.” We strongly encourage organizations to become consumers of security data sharing services while at the same time remaining in full compliance with all their policies on privacy and public communications, as well as on confidentiality surrounding internal security configurations and vendor dealings. Requests for liability protection for sharing one’s data with the government and other entities are, in my view, a red herring. While it’s necessary to map global threat intelligence to local context, neither the government nor your security vendors should need to know any non-public information about your business (under normal circumstances) in order to be able to help you proactively.
As organizations mature and start getting benefits from sharing, their staff will often become part of trust circles, generally protected through non-disclosure agreement (NDA) processes. Organizations’ normal legal reviews accompanying NDAs may in the future mature to contain detailed guidelines on what should or should not be shared upstream, with whom, and under what circumstances. Meanwhile, both ISAOs and standards for ISAOs should be consumer-friendly and not push organizations outside their comfort zone.
A key point is not to overload policies for security data sharing under normal circumstances with requirements that apply only to incident response, which will likely require upstream sharing of confidential information. Those incident response requirements must be addressed by additional processes with additional maturity criteria beyond the ones detailed below.
Maturity Assessment Criteria for Security Data Sharing Under Normal Circumstances
Security Architects Partners is working on adding a new capability to its service catalog, along the lines of “Leveraging threat intelligence and knowledge sharing communities.” We sincerely hope you’ll be able to use the information below for self-assessment. Clients can also contract with us to perform this service as a standalone activity, or we can include it with one of our other rapid security assessment offerings. The goal is to assess the maturity of an organization’s sharing practices, and suggest improvements for the organization’s security roadmap.
Security assessments such as ours are performed against a “control framework,” or set of recommended people, process and technology practices and mechanisms that – holistically – comprise an effective security program. Security Architects Partners uses a reference control framework based on ISO 27001 Annex A as well as NIST 800-53.
Here’s how we assess against the security data sharing-related ISO 27001 Annex A controls shown in the figure above.
Security Architects Partners’ A.6.1.3 maturity criteria: Liaisons with law enforcement and other external security agencies are in place and effectively supporting investigations and forensic activities.
We currently use the following elicitation questions to benchmark maturity against A.6.1.3:
- Which law enforcement or national security agencies does the enterprise work with on cybersecurity issues?
- Who interfaces with these agencies, through what programs, and how often?
- How is internal communication about investigations handled?
Security Architects Partners’ A.6.1.4 maturity criteria: The organization gathers threat intelligence from multiple sources. Staff participate in industry associations, conferences and security knowledge sharing groups as appropriate for their roles, and bring back actionable information to enhance performance of security functions.
We currently use the following elicitation questions to benchmark maturity against A.6.1.4:
- Which specialized threat intelligence services does the organization engage?
- How does the organization obtain and use threat intelligence from its strategic vendors?
- How are global threat intelligence services plugged into the enterprise security monitoring architecture, and into incident response and investigation processes?
- In which industry associations and knowledge sharing groups do the organization’s staff maintain memberships and relationships, and what is their typical budget (time and money) to participate in these forums?
- How does the organization cross-pollinate threat intelligence and security best practices to ensure actionable knowledge transfer from the industry, to staff, to other parts of the organization?
Please contact us for more information on sharing and other aspects of assessments, and watch this blog for more to come. We also recommend the following…