I just got done reading the DTCC’s White Paper entitled Cyber Risk – A Global Systemic Threat (PDF). The white paper outlines seven recommendations for policymakers that they state will further an “aggressive agenda to combat cyber threats.” Four of the seven recommendations refer to information sharing between and among governments and businesses.
Information sharing is a fabulous idea, but it is easier said than done. Everyone in my field of cybersecurity agrees that information sharing is a good thing. If you show me your signatures, then I’ll show you mine. If my next-generation (NG) firewall finds a new 0-day CryptoWall variant, then it would be helpful to share this with other companies so they don’t get hit by the same variant. Obviously, reciprocity is expected, or more realistically hoped for, given the myriad SLAs and annual maintenance contracts organizations hold for cloud-enabled security tools.
Consumers and employees want their information protected and secure, NOT shared (e.g. PII, HIPAA, Safe Harbor). So, let’s assume that, like many of the companies breached in the past 24 months, you are a global company with locations in North America, Europe and Asia. How do you adjudicate alerts as they come into the Security Operations Center (SOC) from overseas?
In order to answer this question, we must first discuss what an alert is. The SOC receives information from various hardware and software tools on the network and is alerted when suspicious activity occurs on the network or an endpoint. It is then the responsibility of a human SOC analyst to examine the alert and determine whether it is potentially malicious. If the SOC analyst (sometimes referred to as Tier 1) determines that the alert is malicious, it is forwarded to Tier 2 for further investigation.
The Tier 2 SOC analyst will then adjudicate the alert. The process of adjudication includes investigating the alert by taking the supporting information and determining whether something malicious is happening or the alert is a false positive. To do this, the Tier 2 SOC analyst must look at the underlying information that the hardware and software inspected to trigger the alert. In most circumstances this underlying information consists of content and metadata.
And herein lies the rub. What if the SOC analyst resides in the United States and the alert originates from a server in Germany? Can you simply transfer the evidence package (e.g. a PCAP) from Germany to the United States? Do you need an import/export compliance officer to authorize moving the PCAP from Germany to the United States? Well, you don’t know until you look at the data, but you can’t look at the data, because once you look at it, you’ve initiated an import. It is a textbook catch-22.
Am I Breaking the Law?
On one hand, organizations need to share information internally and be able to respond to cybersecurity threats within minutes. On the other hand, the company must remain compliant, ensuring that any information crossing borders meets regulatory requirements.
Likewise, moving regulated data requires special procedures that often stand in the way of operational capabilities. What if the PCAP you are analyzing in the United States originated in Kuala Lumpur and contains the unencrypted PII of a Malaysian employee? Did you just violate Malaysian law?
I am not a lawyer, but the legal teams of breached clients for whom I’ve worked have spent countless days and nights resolving situations such as this. While our policymakers institute regulations to keep information safe and secure (e.g., encrypted at rest and encrypted in transit), they can’t then ask that we share that information.
What can we do?
This makes me mad because it is an avoidable, man-made roadblock that is making cybersecurity more difficult than it has to be. The intentions may be good, but the end result is a confusing and inherently broken information sharing system. Until businesses and governments come together to solve these issues, information sharing will continue to be subpar and cybersecurity efforts will continue to be hampered by bureaucracy. If and when the industry is able to have a frank and open conversation with regulators to devise a system that allows cybersecurity investigators to openly share information while protecting personal and confidential information, we will finally be able to properly examine alerts in real time and better protect our clients from today’s advanced threats.