For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey -- information security, cyber intelligence, education, thoughts. Some love my writings, others hate it. If you like it, follow me!
Saturday, July 14, 2012
Red Sky Alliance Weekly - 7/14/12 - FR12-015 published
Been a heck of a busy week. This is exactly the way we like it. The portal is active, the membership requests are coming in, and the crowd-sourced analysis model in the portal is purring along nicely.
On a side note, in every call or meeting, a CISO tells me how much data they receive. Most, when asked, list a slew of open source lists, RSS feeds, and almost all have at least one (usually several) of the premium subscription services available. In almost every case, I ask the CISO “How much of that information do you act on?” The answer? Less than 10%! So to be clear, every piece of information must be read, evaluated, and if needed, acted upon. This means lost labor in evaluating the other 90%. How inefficient! And then, what makes something actionable? Is there a standard tripwire that is used in your company to signal a piece of information that’s more important than the others you’ve read that day? I’m scratching my head on this one. If an aggregated feed costs you $100,000 per year and you only act on 10%, shouldn’t you be paying $10,000 for it? Would you pay $100,000 for a car that’s only worth $10,000 to you?
So here is what I hear: CISOs have data. What they really need is knowledge. They need it delivered in a way that makes it highly relevant/actionable, and preferably prequalified.
Enter Red Sky Alliance. Red Sky focuses on conversations. You know what’s important because other members tell you. Right now, there are sixty-two pairs of eyes reading the wire in their own large enterprises. Those conversations are distilled into data. We add open source information and expert analytics, and then feed that knowledge back to the entire membership in the form of a Fusion Report. The fusion reports transfer knowledge in a smart, meaningful and actionable way. We want our members to know how we did our analysis, maybe teach them, maybe be taught; we show all of our work. Every source is clearly referenced. And, every report offers signatures and indicators in an easily digestible list that may be copied directly into the appropriate location in your defense in depth. Our goal? 100% of our information should be actionable, and received in a timely manner.
Did I mention it was a busy week? Here are some of this week’s
· Fusion Report 15 (FR12-015) was released earlier this week. The report details a previously unknown Trojan discovered by one of the members. Red Sky has named this Trojan “Eclipse”. Eclipse operates completely encrypted and we do not believe it will be detected using traditional network/signature based defenses. This report is 12 pages long. It’s ten pages of analysis and lists 79 ways to identify the Trojan in your
· Two new companies have begun Red Sky Alliance
  o A large Oil and Gas company received first credentials today, making this our first – and this company is probably one of the best that could have led the way for that industry.
  o The second is a company who specializes in large airport and municipal projects. Again, a first for us. Our membership now spans almost all of the global “Critical Infrastructures” and includes some of the largest companies in them.
· We’ve begun testing CIF (Collective Intelligence Framework) as one model for sharing information between members. There are several models for sharing data in the membership. I’ve been invited to DHS to talk about TAXII on Monday, but in Red Sky, we’re pulling the membership together for a virtual meeting looking for the happy mean; to figure out what’s going to work for us. To date, we’ve been using Kill Chain.
· We had a bit of a stumbling block this week with our new authentication system, but it seems we’ve worked that out. Even with the stumbling block, at last look (this morning) Red Sky members are tracking over 480 different threads. Malware and submissions to our Security Intelligence area are easily topping the list of most participated areas. Our membership is
Red Sky Alliance continues to grow. Won’t you join us?