It Takes a Network to Fight Networks

At the RSA pre-conference Cloud Security Alliance (CSA) Summit both Philippe Courtot (CEO, Qualys) and Marc Goodman (Author, “Future Crimes”) highlighted the need for a paradigm shift in how enterprises and societies address cloud security.

Courtot finds parallels between Doctors Without Borders and the Cloud Security Alliance. Both, he notes, are volunteer organizations. But there the commonalities stop. Whereas the impact of biological epidemics has been reduced dramatically over the years, the impact of cyber-epidemics (or breaches) is increasing on a more exponential trajectory.

Exponential in a Bad Way

Goodman observed that this exponential increase in cybercrime is a sinsister facet of  the same Moore’s Law that affects so many things related to computing. But although cybercrime increases may appear exponential, governments’ and other institutions’ ability to react to them improves only at a “decidedly linear” rate. Ouch.

I don’t know if Courtot and Goodman even talked to each other before the show, or if the synergies between their respective messages is just coincidental.  

For instance, Courtot also dinged the inability of “command and control” structures to keep up and called for the industry to:

• Rethink architecture: In a world of “cloud without borders,” security must be embedded in the cloud.
• Break down collaboration silos
• De-centralize command and control structures

Considering that criminals’ botnets and crimeware-as-a-service facilities are networks: “It takes a network to fight networks.” Courtot likens the battle for cyberspace with the battle for Afghanistan – both call for new tactics.

Defenders – We Have to Up Our Game

Goodman went further, noting that although to some of us the Internet seems old it is only in its “first few minutes” in timescale of human history and the rate of  cybercriminals’ progress is most disturbing. “Cybercrime,” he said, “is going 3D.” Goodman gave examples of criminals flying drugs and weapons into prisons via drones, and said law enforcement is way behind the curve. Goodman went so far as to say we “need a Manhattan project” to confront cybercrime.

I don’t know if I’m ready to go as far as Goodman yet, but I liked Courtot’s concept very much – its quite in sync with what I’ve written previously on security data sharing here and here. 

More Signs of Progress on Security Data Sharing

After the CSA Summit, I met with Mark Clancy, former CISO of DTCC and now CEO of Soltra in the threat intelligence and data sharing space. Soltra is working to provide data sharing services for private clients and ISACs – among whom FS-ISAC, NH-ISAC and MS-ISAC already use the system.

Soltra is creating a “network to fight a network.” It can act as a hub for and between these ISACs by natively supporting the STIX (Structured Threat Information eXpression language) and TAXII (a protocol service that allows STIX XML instances to be exchanged). Soltra also provides adapters to SIEM solutions as well as other IT and security products. 

Clancy likens Soltra to an email gateway in the days before SMTP became the lingra franca for interpersonal messaging. I plan another more detailed sharing post soon!

 Tuesday @ RSAC Update!

More good news: Last night I read emails from the OASIS standards committee – they are taking in STIX and TAXII for further development. Additionally, I got this from Splunk: 

Splunk App for Enterprise Security 3.3 now includes enhanced response and threat detection, including STIX / TAXII and openIOC integration, security analytics collaboration and faster investigation. The app also allows for  faster deployment, management and maintenance for continuity of security operations through quicker incident response management.

Its a good day for security data sharing!