By George Aquila
The Evolving Threat Landscape
Mitigating cyber threats is a difficult task. As has been shown time and again in various recent data breaches, maintaining up to date security measures and abiding by industry prescribed best practices can leave even the most prominent and incident-ready organizations open to breaches. With a diverse range of constantly evolving Advanced Persistent Threats (APTs), traditional defenses like firewalls and signature-based malware detectors are at an inherent disadvantage against motivated attackers looking to infiltrate data systems of all kinds.
In terms of rooting out the bad guys, the cyber threat landscape has often been compared to the Wild West. Although there are nominal measures of law enforcement in cyberspace, individual people and organizations are, for the most part, on their own when it comes to protecting themselves.
The closest the world has to an “internet government” is the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees domain assignments and IP distribution, but has no effective way of mitigating cyber crime. Likewise, the FBI and federal law enforcement agencies equipped to deal cyberthreats are generally reactive by necessity, tracking perpetrators who are usually far outside their jurisdiction.
Breach detection is more plausible and reliable than prevention, but it is most successful when a defender is up to date on potential threats with real-time intelligence. The only way to ensure that such intelligence is accessible and widespread is through effective coordinated information sharing, enabling rapid response.
New Data Sharing Initiatives
The National Institute of Standards and Technology (NIST) recently published a draft of a guide to Cyber Threat Information Sharing. The draft is open for public comment until November 28th and builds on an initiative started by NIST in February of 2013, the Framework for Improving Critical Infrastructure in Cybersecurity. The central idea is to aggregate and distribute the collective wisdom of a breadth of organizations, sharing the experiences they have gained mitigating various cyber threats and intrusions. Sharing and building on practical experiences is key, regardless of whether those intrusions were successful or not.
Although the nuts and bolts of how to do this can be tricky to work out between companies who may not want to publicly disclose full breach details, NIST has attempted to prescribe a general guideline as to when incidents should necessarily be reported, catalogued, and distributed.
NIST’s initiative is not the only example of cooperation on cyber threat data sharing, as attempts at aggregating and utilizing threat information have been initiated on many fronts. The Structured Threat Information eXpression (STIX) and the Trusted Automated eXchange of Indicator Information (TAXII), both developed by the Department of Homeland Security (DHS), are means of creating a common communication standard and threat sharing platform to better respond to cyber incidents. The Department of Defense also maintains a Cyber Security Information Assurance reporting system to collect threat intelligence from across the defense industrial base.
Another good example of threat intelligence sharing now occurring between private companies is in the American retail industry, a sector that has been hammered by a growing number of high profile attacks and data breaches over the last few years. This effort has manifested itself in the Retail Cyber Intelligence Information Center (R-CISC).
Public-private partnerships in these efforts are also key. Joint exercises between governments and the private sector were recently conducted in Europe in an effort to maintain cyber-readiness and distributed defense. All of these efforts represent a collective push towards more cooperation in threat assessment and management in cyberspace. On an individual level however, the success these practices and initiatives hinges on organizations and companies being able to log incident response data and map out their own assets and vulnerabilities.
How Sqrrl Can Help
Sqrrl Enterprise is Sqrrl’s primary solution for integrating, securing, and analyzing the data and assets of any organization looking to protect themselves from these extensive threats and join in these collective data sharing efforts. Part of Sqrrl Enterprise’s advantage rests in its ability to label and securely provision access to sensitive data stored within large datasets.
How can this help with threat data sharing? Sqrrl’s advanced cell-level security, powered by Apache Accumulo, can assign labels to a specific data point, such as an email. This enables varying levels of authorization and access control to more and less sensitive data, ranging from personal identifiable information to less important metadata. Prioritizing levels of information can facilitate a smoother and more secure exchange of information between organizations. In a cyber investigation, sensitive logs or datasets can also be tagged to assure that only certified analysts see critical information.
One of the critical suggestions also included in the NIST report is the conducting of an “information inventory,” through which “an organization gains a better understanding of where its critical information resides, who owns it, how it must be protected, and when it can be shared.” In addition to formally establishing information ownership, the practice serves to help organizations prioritize assets and better understand their value, associated risks and legitimate uses in regular workflows. Sqrrl Enterprise’s ability to tag and control access to data at a very granular level makes this process easier and much more manageable.
Sqrrl’s complete capabilities in providing data-centric security and specific data labeling are profiled in our new Whitepaper. Check it out and let us know if you would like to see a demo below: