The future of Cyberintelligence

With a growing ecosystem, we asked Arandjelovic where he thought the sharing of cyber intelligence was going. Blue Coat sits on the STIX and TAXII working group, and he believes that ultimately it is such standards bodies that will provide the answer.

To a neutral observer, threat intelligence should be shared by all. “Over the last few months we have seen a growing trend for people to talk about sharing threat intelligence between each other. At present this has manifested itself in two obvious ways. The first is through acquisition or partnerships such as FC-ISAC, Soltra and IBM or DragonFly and NHSC.”

Arandjelovic was refreshingly honest when asked his opinion on the matter:

“…Organisations tend to be very shy about disclosing information on threats that they discovered, especially the ones where they have been compromised and where they discover it because they have actually been breached.

“…We have been very strong proponents of a move towards transparency. Not necessarily opening up the hood to everybody and your competitors and saying ‘yes we were hacked in this way and we lost all this data’, but at least openly sharing information.

“…It is that game theory philosophy. If everybody exchanges a little bit and discloses a little bit we can all be that much stronger for it. As of today I think there is a slow recognition that we have to move in this direction but it seems that people are very reluctant to take the first step and go too far on their own. Until standards like STIX can potentially come out there and provide an avenue for which to do that in an anonymised way where there is no worry about that data being exploited or used (to put the supplier at a disadvantage).”

It was also interesting to hear how he thought this sharing must manifest. In fact, one could argue that Blue Coat’s appliance has the capability of helping with this. At the moment it has the intelligence to know that a packet is infected, but that data can easily be anonymised because the information could come from any of the linked security solutions.

“I think we will get to a point where threat intelligence will be shared in an automated fashion because the threat landscape is changing way too fast and way too dynamically to have it where everyone has to react in real time. It is only through this real time learning that a perfectly interconnected threat intelligence world … (will) make it possible to keep it up.

“The problem is that cybercriminals are becoming more sophisticated, sponsored by nation states and the security market is always playing catch up.” Arandjelovic added, “…and it is going to get even crazier when you get polymorphic threats and things like that that are changing virtually on the second. It will be impossible to not participate in that kind of exchange.”

This is a sensible viewpoint: the cybersecurity world needs to wake up and act quickly. It was slightly disappointing when we asked Arandjelovic what he thought the likely timescales would be for intelligence sharing. He answered:

“Within the next several years, you start seeing more and more solutions working together and providing this and the customers paying for this information, or paying for products that give them that information. I can see it nearing ubiquity in five years, where this is the way security products have to work.”

This is a long way off. As cyberterrorism becomes more sophisticated, the threat to businesses increases exponentially. The Sony breach, orchestrated by North Korea, may be merely the first of many such breaches. Companies need to be aware that the threat vectors are constantly evolving: just as the speed of change for business has been increasing (“Velocity”, as Chris Lalonde, CEO of ObjectRocket, puts it), so the velocity of the cyber threat is increasing.
