Friday, October 14, 2011

On Information Sharing...

Going to tell you.. I'm a long time straight stick IT guy, gone Intel/Information Warfare then Information Security (for the last 15 years or so?), and I've not had so much fun, nor realized the value of Information Sharing until my last three years running an information security sharing organization wrapped around a CERT and Analysis shop. I'm not going to take a lot of time to tell you what that is. You can check out my bio and look at the web page; rather I'd like to take a moment and tell you about the value proposition I've come to realize over the course of my tenure.

Not a day goes by without a new story in the news depicting company losses from (ahem) Advanced Persistent Threats (APT) - a term coined by a guy named Greg Rattray several years ago during his active duty career. At the time, the term APT seemed pretty spot-on. Since however, those APT threats have become far more ubiquitous, and now I'm more convinced they should be called  Omnivorous Persistant Threats --OPT. Malware, computers beaconing, and bandwidth consumed is becoming more common than not, and most importantly, the vast majority of companies don't even know they've been successfully attacked!

I'm here to tell you, the most valuable information security lesson I've ever learned has been learned in the last five years --INFORMATION SECURITY PRACTITIONERS MUST STOP LISTENING TO VENDORS AND START TALKING TO EACH OTHER. Vendors want to sell you stuff. Your peers are working hard to stop the same attacks you are. More importantly, the threats change as your ability to protect yourself changes. Even the most sophisticated shops lack the 100% capability to foil every attack.

I'm preparing to speak at a conference for healthcare CIOs. I'm going to give them three words of wisdom:

1. Most companies attacked by APT don't know it until someone else tells them they've been owned.
2. Pick a standard infosec model, implement solid processes,  do it well, and don't shoot at protecting everything. Protect that information most important to your organization and build solid controls around the rest.
3. Talk to your peer companies. They're getting hit with the same things you are. Lone wolves starve in the cold. The packs survive.

More next time. I've got to update the block list in my UTM.

JS