Forcepoint Flash: From The Office Of The CSO
Top Five Security Capabilities I Wanted 10 Years Ago [Part Four]
By Doug Copley, Forcepoint Deputy CISO
We’ve reached #2 and are getting close to my #1 security capability I wished for 10 years ago. I’ve always been a very strong advocate for collaboration and information sharing, regardless of the industry in which I worked. I think this was sparked in me back in my days at Accenture working in the Office of the CIO. We knew that, as a consulting organization, we needed to collaborate and share best practices across the company. When it comes to cybersecurity defenses and preparedness, however, the need to share and leverage knowledge extends beyond your own company’s boundaries. To recap, here are the items I’ve discussed so far:
- Web security that was more than URL filtering, and worked off-network
- The ability to detect and block threats BEFORE they were delivered to users
- I wanted systems that talked to one another and were EASY TO MANAGE
#2 – I wanted open communication with others to SHARE threat info and best practices
As my career in security and privacy began to mature, I quickly realized that the best path forward to advancing security capabilities was to collaborate. That meant looking for peers, industry groups, government entities, etc. that would be willing to sit down and collaborate for the good of everyone involved. At the time, I was working in financial services so I turned to the Financial Services Roundtable, Information Security Forum and Corporate Executive Board for assistance. Although some minor assistance could be had, companies and government entities were still very secretive and unwilling to share at a truly meaningful level.
When I stepped into the healthcare industry in 2012 it was even more clear that collaboration was crucial to success. That’s why in 2013, a colleague and I started the Michigan Healthcare Cybersecurity Council. Maybe it’s because most are community-based non-profit entities with very small security teams, but I found healthcare entities to be much more willing to share information. Over the past few years, the US government has stepped up and not only promoted public-private sharing of threat indicators, but passed the Cybersecurity Information Sharing Act of 2015 (CISA). Guidance issued in June 2016 also indicated that non-government entities can receive liability protection for sharing information with other non-government entities, provided the information is shared in accordance with the guidelines under CISA. In addition, US-CERT has published very specific technology implementation guidance using the STIX and TAXII protocols to aid companies in sharing and leveraging threat indicators with other entities. So I’m happy to say cyber threat information sharing is possible (and encouraged) today.
All this being said, what I hear from CISOs is still confusion as to what the term “threat intelligence” really means, and how to leverage it effectively to improve a security program. Is it the sharing of threat indicators with government and peer organizations? Is it the research and intelligence my security vendor is already leveraging to protect us? I see sharing happening mostly via informal methods from which it is difficult to extract value. In my opinion, threat intelligence sharing needs to be automated to make it truly useful and valuable for companies. I have learned that some groups (such as FS-ISAC, state governments and private companies with more advanced capabilities) have been able to share threat intelligence effectively, but for most companies, the automated execution of these capabilities remains a challenge to be conquered some day in the future.
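To make the automation point concrete, here is a small added example (not code from this post, from Forcepoint, or from US-CERT) of the kind of pipeline the STIX/TAXII guidance enables: it consumes a STIX 2.1 indicator bundle of the sort a TAXII server would deliver, pulls the observable values out of the indicator patterns, and checks them against proxy and DNS log lines. The bundle and the log lines are constructed sample data, the STIX ids are placeholders, and the pattern parser deliberately handles only simple single-comparison patterns; compound patterns (AND/OR/FOLLOWEDBY) are skipped rather than guessed at.

```python
import json
import re

# Constructed STIX 2.1 bundle, as a TAXII collection might return it.
# Ids and values are sample placeholders, not real indicators.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2016-06-01T00:00:00.000Z",
            "modified": "2016-06-01T00:00:00.000Z",
            "name": "Constructed sample C2 address",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.10']",
            "valid_from": "2016-06-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2016-06-01T00:00:00.000Z",
            "modified": "2016-06-01T00:00:00.000Z",
            "name": "Constructed sample phishing domain",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'bad.example']",
            "valid_from": "2016-06-01T00:00:00Z",
        },
        {
            # A compound pattern; skipped by this simple parser.
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "created": "2016-06-01T00:00:00.000Z",
            "modified": "2016-06-01T00:00:00.000Z",
            "name": "Compound pattern (ignored here)",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 4444]",
            "valid_from": "2016-06-01T00:00:00Z",
        },
        {
            # Non-indicator object, ignored.
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--00000000-0000-4000-8000-000000000005",
            "created": "2016-06-01T00:00:00.000Z",
            "modified": "2016-06-01T00:00:00.000Z",
            "name": "Example sharing group",
            "identity_class": "organization",
        },
    ],
})

# Matches only the simplest STIX pattern form: [type:property = 'value']
SIMPLE_PATTERN_RE = re.compile(
    r"^\[(?P<otype>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]$"
)


def extract_indicators(bundle_json):
    """Return {observable value: indicator name} for simple equality patterns."""
    bundle = json.loads(bundle_json)
    indicators = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # other pattern languages (snort, yara, ...) not handled here
        match = SIMPLE_PATTERN_RE.match(obj.get("pattern", ""))
        if not match:
            continue  # compound patterns are out of scope for this example
        indicators[match.group("value").lower()] = obj.get("name", obj["id"])
    return indicators


# Constructed log lines (proxy and DNS resolver style); not real traffic.
LOG_LINES = [
    "2016-06-02T10:15:01Z proxy src=10.0.0.5 dst=203.0.113.10 host=updates.example.net",
    "2016-06-02T10:15:07Z dns query=bad.example client=10.0.0.8",
    "2016-06-02T10:16:30Z proxy src=10.0.0.9 dst=198.51.100.7 host=www.example.org",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_logs(indicators, log_lines):
    """Return sorted (line number, observable, indicator name) for every hit."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        tokens = set(IPV4_RE.findall(line))
        tokens |= {d.lower() for d in DOMAIN_RE.findall(line)}
        for token in sorted(tokens):
            if token in indicators:
                hits.append((lineno, token, indicators[token]))
    return hits


if __name__ == "__main__":
    inds = extract_indicators(STIX_BUNDLE)
    for lineno, token, name in match_logs(inds, LOG_LINES):
        print(f"line {lineno}: {token} matched indicator '{name}'")
```

The third indicator is included on purpose: a feed will carry patterns this parser cannot evaluate, and silently dropping them is the failure mode to watch for in a home-grown consumer, which is one reason a proper STIX pattern library (or a vendor platform) is preferable once the feed grows beyond simple equality patterns.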
Though threat intelligence and indicator sharing automation may remain elusive to some organizations today, I’m very encouraged by the amount of focus organizations, consortiums and government organizations have put toward this common goal. Please stay tuned for the fifth and final entry in this blog where I will discuss my #1 security capability I wished for a decade ago.
To learn more about a technology that delivers these security capabilities, visit: https://www.forcepoint.com/solutions/need/unified-content-security