Friday, October 28, 2011

Information Sharing... part 3/3

This is the third part of a three part post. I started with "you don't know what you don't know" moved to "pick one!", and now I'm moving into sharing of information.

I built, and now operate a cyber information sharing organization. While I can give you a 100% guarantee that I've not gotten it 100% right (yet), I know from recent feedback that every one of them enjoys the broadened situational awareness and each and every one has improved their security postures. They share cyber analysis, stories, and data. More than that, the vast majority now run 24/7 security operations centers who look for and act on data coming from the information sharing environment and each other! Sharing information helps the tactician identify and act, it helps the manager allocate resources on the most pressing issues, and it helps senior managers measure themselves against baseline. Best of all? It makes you safer by knowing what the other guys are seeing and allows you to take advantage of strengths/skills in other organizations that you may not be able to fill yourself.

Bottom line? If you're not talking to your peers, you're already two steps behind in this cyber environment.

So where can you go?

Immediate thoughts:
  • SANS Internet Storm Center has been around since Y2K (I was there! I was one of the first watch standers keeping vigil and maintaining comms during the transition). The Storm Center is one of the better places to share information, although data can be time-late. The ISC is a free service offered by SANS.
  • The Information Sharing and Analysis Centers (ISACS) represent nearly every segment of industry and are operated through membership fees. One issue I have with the ISAC structure is the requirement to anonymize all submissions. This results in the loss of ability for an analyst to actually ask questions of the originator.
  • Red Sky Alliance is a newcomer. I've watched from the sidelines and offered a bit of pro bono consulting in the past couple of weeks. I also sold them a trademarked name and domain ;) I like the idea. The thought is real time sharing of information in a private setting with a trusted membership and a small cadre of back-end analysts to keep things moving. Again, Red Sky Alliance will be operated through membership fees. I don't believe the company has the site operational yet, but there is a video and demo site running and I know they've been signing on Founding Members. I'd expect to see them go live sometime in November of this year.
  • The Forum of Incident Response and Security Teams (FIRST) and Government equivalent (GFIRST) have also been around for a long time. I was an early member of FIRST during my days as an analyst at the Navy's Fleet Information Warfare Center in 1996, and again as the head of Cyber Threat Analysis and Intelligence at Northrop Grumman from 2007-2009. FIRST hasn't changed much. They require an up-front inspection of your security operation, issue a PGP key, and let you participate in multiple lists. I'm not convinced FIRST has kept up with the times in terms of information dissemination but they get the word out and do share information.. and they offer a pretty cool technical conference!
In many worlds, the phrase "publish or perish" rings true. Many careers have been made and lost on the publish or perish paradigm. I'd suggest publish or perish is also going to hold true in information security as we move forward and APT threats become more and more ubiquitous. Publish, talk, compare notes with your peers and others. Don't be afraid to go outside of your peer group for information that you may not have been exposed to.

Talk, publish, listen, compare notes, protect your environment. 

JLS