Fighting through the noise of breaking breaches and new vulnerabilities, something else in the security industry has been making headlines lately: security research collaboration, often involving vendors that might compete in the marketplace.
The reason for this is fairly obvious - we all face the same common enemy (malicious threat actors targeting organizations’ networks) and it’s important to form a united front. In the battle against cyber threats, this can take shape in different ways:
- Coordinated research and action: Whether applied in breach forensics investigations or in the proactive protection technologies that prevent them, strong threat intelligence can be a key advantage against the bad guys. Various players in the security community tend to have their own investigations in progress and certainly possess their own datasets. We in the community find it useful to actively collaborate on such research, often bringing unique capabilities to bear. An example of this might be the revelations around ‘Operation SMN’ involving Novetta, iSight Partners, Microsoft and others. The depth and detail in the report likely could not have been achieved if the entire project had been driven by a single participant.
- Enriched research: In numerous cases, an outcome of the open publication of threat intelligence is that other researchers are prompted to search through their datasets, often leading to more findings and a vastly more comprehensive view of the threat activity. There might not be overt collaboration but we’re all paying attention to what is being published and every piece of threat intelligence that is shared provides an opportunity to discover new insights based on our respective research. This often leads to another round of public sharing of data. One of my favorite examples in recent months was Recorded Future with this post on Operation STTEAM.
- Individual collaboration: Many of us are present in sharing communities based on trust and even if our day jobs involve working at vendors in a competitive marketplace, we recognize the value in sharing intelligence behind the scenes, again with the common goal in mind.
As the cyber landscape continues to evolve, hopefully collaboration will mature and develop alongside it. The security industry has made progress when it comes to working together, but we have only seen the tip of the iceberg. As we look forward, some developments may be on the horizon that will advance collaboration and allow for further sharing of information:
- Driving forces will emerge: Whether they are law enforcement agencies or large powerhouses such as Microsoft, leaders will emerge to take charge. Programs will mature and these leaders will coordinate efforts on a much larger scale.
- Naming trends will stabilize: The trend of cybersecurity firms putting their own branding spin on attack campaigns will stabilize. There will be less arm wrestling over the naming of threats and more collaboration focused on building on each other’s research to stop them.
- Platforms will develop: A platform of choice for information sharing hasn’t arisen yet. While there are contenders, such as ThreatConnect and Microsoft Interflow, no one has claimed the prize yet for optimal sharing. As collaborations gain momentum, an industry standard for sharing intelligence will emerge, supported by a platform that provides a better way of distributing threat intelligence and other necessary information across vendors, in-house security analysts, threat researchers, law enforcement and others involved.