Saturday, July 14, 2012

Red Sky Alliance Weekly - 7/14/12 - FR12-015 published


Been a heck of a busy week. This is exactly the way we like it. The portal is active, the membership requests are coming in, and the crowd-sourced analysis model in the portal is purring along nicely.
On a side note, in every call or meeting, a CISO tells me how much data they receive. Most when asked list a slew of open source lists, RSS feeds, and almost all have at least one (usually several) of the premium subscription services available. In almost every case, I ask the CISO “How much of that information do you act on?” The answer? Less than 10%! So to be clear, every piece of information must be read, evaluated, and if needed, acted upon. This means lost labor in evaluating the other 90%. How inefficient! And then, what makes something actionable? Is there a standard tripwire that is used in your company to signal a piece of information that’s more important the others you’ve read that day?  I’m scratching my head on this one. If an aggregated feed costs you $100,000 per year and you only act on 10%, shouldn’t you be paying $10,000 for it? Would you pay $100,000 for a car that’s only worth $10,000 to you?
So here is what I hear: CISOs have data. What they really need is knowledge.  They need it delivered in a way that makes it highly relevant/actionable, and preferably prequalified.
Enter Red Sky Alliance. Red Sky focuses on conversations. You know what’s important because other members tell you. Right now, there are sixty-two pairs of eyes reading the wire in their own large enterprises. Those conversations are distilled into data. We add open source information, and expert analytics, and then feed that knowledge back to the entire membership in the form of a Fusion Report. The fusion reports transfer knowledge in a smart, meaningful and actionable way. We want our members to know how we did our analysis -maybe teach them -maybe be taught --we show all of our work. Every source is clearly referenced. And, every report offers signatures and indicators in an easily digestible list that may be copied directly into the appropriate location in your defense in depth.  Our goal? 100% of our information should be actionable, and received in a timely manner. 
Did I mention it was a busy week? Here are some of this week’s highlights:
·      Fusion Report 15 (FR12-015) was released earlier this week. The report details a previously unknown Trojan discovered by one of the members. Red Sky has named this Trojan “Eclipse”. Eclipse operates completely encrypted and we do not believe it will be detected using traditional network/signature based defenses. This report is 12 pages long. It’s ten pages of analysis and lists 79 ways to identify the Trojan in your enterprise.
·      Two new companies have begun Red Sky Alliance membership processes.
o   A large Oil and Gas company received first credentials today, making this our first –and this company is probably one of the best that could have lead the way for that industry.
o   The second is a company who specializes in large airport and municipal projects. Again, a first for us. Our membership now spans almost all of the global “Critical Infrastructures” and includes some of the largest companies in them.
·      We’ve begun testing CIF (Collective Intelligence Framework) as one model for sharing information between members. There are several models for sharing data in the membership. I’ve been invited to DHS to talk about TAXII on Monday, but in Red Sky, we’re pulling the membership together for a virtual meeting looking for the happy mean; to figure out what’s going to work for us. To date, we’ve been using Kill Chain.
·      We had a bit of a stumbling block this week with our new authentication system, but it seems we’ve worked that out. Even with the stumbling block, at last look (this morning) Red Sky members are tracking over 480 different threads. Malware and submissions to our Security Intelligence area are easily topping the list of most participated areas. Our membership is active.
Red Sky Alliance continues to grow. Won’t you join us?
Until next week.
Have a great weekend.
Jeff