Discover Performance

HP Software's community for IT leaders // October 2013

Improve security through shared intelligence

Hackers and cyber-criminals don’t work alone, and neither should you.

The bottom line

What: It’s time to safely share security intelligence—and more of it than ever.
Why: You’re facing better, more collaborative adversaries.
How: HP is rolling out ThreatCentral as a way to stand united against cyber-criminals.
More: Visit HP Security Research.

Adversaries today have upped their game. Motivated by criminal, sociopolitical, and financial forces, our enemies have specialized and organized around a marketplace that generates and shares intelligence and malicious capabilities with disturbing effectiveness.

Evolving security technologies can and do help mitigate the damage, but linear improvements alone will not be enough to stay ahead of the enemy. Instead, progressive organizations are taking a lesson from the adversary’s playbook and collaborating to compete more effectively against common enemies. Indeed, for many organizations, the time has come to embrace the adage “The enemy of my enemy is my friend.”

Sounding the alarm

The growing frequency of advanced, multi-target attacks is spurring the need for greater speed and accuracy in identifying, analyzing, and mitigating threats. Sharing threat intelligence is one of the most effective ways to prevent such attacks from spreading rapidly.
 
“Organized attacks are being executed faster, occurring within minutes rather than days,” says Tomas Sander, a researcher at HP Labs’ Security and Cloud Lab who helped develop the HP ThreatCentral initiative. “They’re attacking not just one target, but many targets at the same time. If several organizations are being hit with a similar attack, it makes a lot of sense to share information to stop the common threat.”
 
By exchanging security data in a timely manner with others, organizations can thwart attacks in three ways:

  • Work collectively to identify and react to in-process attacks more quickly
  • Help others avoid falling victim to attacks that they have already experienced
  • Increase the pool of security intelligence available to recognize systematic attack patterns

Sharing made simple

While the value of sharing may be straightforward, security data itself is complex. Once an organization has made a strategic decision to join forces with other good guys, the difficulty lies in knowing what data to share and how to share it without introducing risk.

Examples of threat indicator data that organizations should focus on include:

  • IP addresses associated with malicious or suspicious activity
    • Descriptions of the activity for more context
    • Types of attacks (e.g., phishing, DDoS, command and control server)
  • Characteristics of attacks (e.g., the protocols used, packet length) to help distinguish attack traffic from benign traffic
  • Known vulnerabilities that have been exploited
  • Platforms impacted, where this information is not deemed overly sensitive
  • URLs and domain names related to malware distribution
  • File hashes of malicious files and attachments
    • Descriptions of malware behaviors
  • Email samples sent in spear phishing attempts, with confidential information redacted
  • Geospatial information related to attacks
  • Attacker identities, handles, and associations

Maximizing the benefits of shared intelligence requires more than simply feeding data into a system. Back-end analytics can help find needles in the haystack, and participants can collaborate when they spot anomalous activity.

“The idea is that other people in the community can build on one another’s work,” Sander says.

The necessity of innovation

The benefits of open collaboration are well known, but intelligence sharing to date has mostly taken the form of ad-hoc or manual sharing within small communities. These efforts, while surprisingly effective in some scenarios, suffer from a lack of automation, confidentiality, and control that keeps their overall impact on the threat landscape minimal. In short, here’s what’s been missing:

  • Automation. Traditional means of sharing—including manual posts to web forums, email or text advisories, and so on—do not scale. Some security teams report having turned off threat feeds because they provided too much information to digest. To date, enterprises have lacked a practical means of sharing security data without expensive manual intervention.
  • Confidentiality. Organizations require confidentiality to prevent damage to reputation that could occur from being identified as an attack target.
  • Control. Sharing can be a double-edged sword: the more information that organizations make public, the more they equip adversaries with counter-intelligence to evade detection.

To address concerns around confidentiality, the security research community has relied on industry-specific threat exchange consortia such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and more than a dozen other industry-specific ISACs.

Such groups ultimately ensure that threat intelligence is shared in a secure and confidential manner by limiting participation to invited member organizations or thoroughly vetted applicants. But these efforts do not scale, and they require substantial resource investment from participants.

The ThreatCentral initiative

The HP ThreatCentral initiative reduces the amount of manual effort involved in sharing. By automating the exchange, it not only brings scale to intelligence sharing, but also improves confidentiality and control by enabling organizations to define, enforce, and audit against policies that govern what is shared and with whom.

“We need to be very careful that we distribute information in a policy-driven way among communities of interest,” Sander says. “You might build trust by creating different levels of membership. If financial companies are comfortable to share some intelligence only with other large banks and not with everybody in the finance industry, we need to provide for that within the exchange environment.”

Fighting back

In today’s sophisticated threat landscape, adversaries are working better together. By sharing threat intelligence, the good guys will begin doing the same. 

HP’s ThreatCentral will roll out in the coming months. To stay current on this and other threat research, visit HP Security Research.

