The Rise Of Threat Intelligence Sharing


The Target breach prompted retailers to create a formalized process for disseminating threat intelligence information to help incident responders quickly address attacks targeting payment systems and threats to servers containing sensitive customer data.

The National Retail Federation said in April that it would establish a Retail Information Sharing and Analysis Center (ISAC). The information-sharing group, which officially launched in June, includes participants from the Department of Homeland Security and the Secret Service, which investigates large-scale credit and debit card breaches.

Security experts tell CRN that it will take time for the new Retail ISAC to establish trust among its members and be effective at quickly spotting industry-specific threats and disseminating information.

[Related: True Detectives: VARs On The Case As The Need For Incident Response Strategies Gets More Evident Every Day]

Meanwhile, retailers with established IT teams need to develop more robust incident response plans and regularly test them with people who know how to use threat information, said Amit Yoran, general manager and senior vice president of RSA Security in Bedford, Mass., and a former director of the Department of Homeland Security's National Cyber Security Division.

"For many organizations, their systems might not be tooled accurately to identify what is occurring in their environment and alert on the most important issues that need to be addressed by an incident response team," Yoran said in a recent interview. "There's a realization that even these next-generation technologies are not going to keep you fully protected, and incident response is where the market is heading."

Industry groups designed to provide data about ongoing attacks consist of people in position to take action by addressing targeted systems, said Paul Vixie, an Internet pioneer, domain name system expert and security industry luminary. ISACs help coordinate the dissemination of information, but they rely on trust and share with individuals who "need to know," Vixie said. "If you can't take action on any systems or infrastructure, you will not be part of these groups," said Vixie, who recently founded Farsight Security, which specializes in a subscription service for specialized threat intelligence data. "If there is a certain risk of adding someone inside the security perimeter, why take the risk if there is no possible benefit."

Communicating accurate threat information at a rapid pace has been an ongoing priority for incident responders in the public and private sector, said Derek Manky, a global security strategist at Fortinet and spokesperson for the annual Forum of Incident Response and Security Teams (FIRST) Conference held recently in Boston. Progress is being made on the establishment and adoption of global standards for threat intelligence sharing, but legal and regulatory issues pose hurdles that prevent some organizations from participating, Manky said. "It's clear that every industry has unique resources that need to be protected, their own set of threat actors targeting them and similar avenues of attack," Manky said. "Most organizations want to contribute because there's a major benefit in gaining advance notice about attacks."

MSPs with strong security practices are increasingly becoming part of the process. CRN recently reported that the Department of Homeland Security is establishing stronger ties with trusted managed security service providers (MSSPs). The DHS has established a secure connection to share classified intelligence data with AT&T and CenturyLink through its Enhanced Cybersecurity Services program and said it is expanding the program to MSSPs who seek approval.

NEXT: Improving Communication