Threat Intelligence Sharing: Buyer Beware

In the first article in our two-part series on threat intelligence sharing, we discussed the benefits of threat intelligence sharing, which has been one of the hot trends in privacy and security for at least the past couple years. In it, we provided five tips to help organizations choose the right threat sharing solution.

In this article, we’ll take a closer look at the other side of the story: the three greatest risks and challenges in threat intelligence sharing. Although the benefits frequently outweigh these issues, it is important to consider them carefully before investing in an external intelligence sharing solution.

Security Must Come First

The first problem with sharing threat intelligence data is … you’re sharing data. Will the data you upload to an external source be protected from criminals? Will it be kept anonymous? And if something goes wrong, will you be held liable?

If those questions concern you, you’re not alone. In a November 2015 report, Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, Ponemon Institute found that 75 percent of the 692 IT and IT security practitioners surveyed believed threat intelligence was essential for a strong security posture. At the same time, of the organizations that only partially participated in threat intelligence sharing, 62 percent indicated it was because of potential liability issues and 60 percent pointed to a lack of trust in the sources of intelligence.

“Data privacy and security is certainly a concern,” said Keith Fricke, principal consultant with TW Security. “For instance, if your organization sends firewall logs to a threat intelligence organization for analysis, it is at least possible that someone on the receiving end could identify where those logs came from.”

Mitigating privacy and security concerns is essential for threat intelligence organizations—it’s difficult to imagine they would survive for long if a customer’s data were leaked or stolen. But it nonetheless falls on you to thoroughly vet each vendor to ensure that they have the very latest security and privacy protections in place and will shield your organization from any liability if the unforeseen occurs.

High Costs Could Price Some Businesses Out of Threat Sharing

We described a variety of threat intelligence sharing solutions in the first article in this series. Some of those solutions are free or very low in cost, but others require a significant investment that some organizations, especially smaller ones, may not be able to afford. “We recommend that organizations look at the security solutions they already have in place before investing in an external threat sharing solution,” said Fricke. “Maybe they can activate a sharing feature on their existing equipment at no additional charge, or they may be able to rely on less formal threat sharing opportunities through their peer network.”

Whatever investment an organization makes today, a May 2015 survey by ESG suggests that those costs will rise in the near future—another factor to consider before investing in a threat intelligence solution. ESG asked 304 IT professionals about their anticipated threat intelligence spending over the next 12 to 18 months. Twenty-seven percent of respondents expected their threat intelligence spending to increase “significantly,” and another 45 percent expected spending to increase “somewhat.” Only 3 percent expected spending to decrease in the next 12 to 18 months.

More Data Means More Management Headaches

In theory, having threat intelligence data is a great idea that can help organizations respond to cyberattacks faster and avoid or at least minimize the damage done. In practice, some organizations are overwhelmed by the amount of shared information they receive and are unable to gather, analyze, and respond in a timely manner—which could create more problems than not having the information in the first place.

The ESG report found that the three biggest challenges in collecting and analyzing external threat intelligence were:

- Inadvertently blocking legitimate traffic due to a problem with threat intelligence (32 percent)
- Collecting and analyzing information with different individuals, making it difficult to get a holistic picture of internal and external threats (32 percent)
- “Workflow, process, and integration” problems (31 percent)

“Organizations sometimes make the mistake of subscribing to a threat intelligence service without thinking through what will happen if it provides actionable information. Sometimes organizations flounder a bit because they’re not ready to respond as quickly as necessary,” said Fricke.

Fricke recalled a threat intelligence vendor that would sift through about 2 million events a day and “boil it down” to just five events a day that subscribers would need to review. “The problem is that, even if it’s ‘just’ five events a day, those events don’t always wrap up in an hour like your favorite episode of CSI,” he said.

As a prerequisite to subscribing to a threat intelligence service, you must be prepared to take action on the information that is provided. Find out how timely the information will be, how it will be categorized (ideally by threat type and attacker), and how much data will be provided on a daily, weekly, and monthly basis. Then take stock of your resources and determine if you can manage the influx of information.

If you fail to take those steps, when a breach occurs, it is conceivable that investigators will see that you were warned and hold that fact against you, perhaps applying harsher penalties than they might have done if you had been ignorant of the threat.

The Bottom Line

Even given the challenges he has seen, Fricke remains a proponent of threat intelligence sharing. “I think there are probably more pros than cons,” he said. “That’s why we’re starting to see greater adoption of threat intelligence with each passing year.”

The growth in demand for threat intelligence services is also why we are seeing many more vendors emerging—which only adds to the need for organizations to carefully evaluate their options. Make sure the vendor you choose has the latest privacy and security protections in place, is affordable for your organization now and in the months to come, and will provide data and alerts that your internal teams will be able to act on in a timely manner.

2015 PHI Protection Network Forum - A Time “Before…

It is 10:33 am the day after attending the third annual PPN Forum in Orange, California on February 19, 2015. I am sitting in seat 26D at the back of Alaska flight 587 traveling home and reflecting on the highlights of the forum. The key message at the forum was that mega data breaches, starting with Target in December of 2013 through the recent breach of up to 80 million members of Anthem, have created a “window of opportunity” for PHI Protectors to advance their cause of better PHI security.

Here are a few highlights from the day…

Dick Wolfe recognized with the first “PHI Hero” Award: The morning started with us honoring Dick Wolfe, a good friend and colleague, with the first “PHI Hero” Award. Dick made a significant contribution to the protection of health information before his passing last November. Dick’s daughter, Melissa Johnson, was there to accept the award on her father’s behalf and said how much she really appreciated hearing about the important work her father did during his 30-year career and understanding how important his role was to protecting our health information.

Average Persistent Threat: Larry Clinton, President of the Internet Security Alliance, set the tone for the conference, highlighting the challenge PHI Protectors have in healthcare with investment down and the challenge of advanced persistent threats becoming the “Average Persistent Threat”. It is now commonplace for cyber criminals to use sophisticated methods and tools to attack and breach an organization’s security defenses. He said there are now only two kinds of organizations - those that know they have been breached and those that don’t know they have been breached. The reality is every organization is at risk of cyber-attack and breach of sensitive personal data, intellectual property, and other trade secrets.

Delineation now exists in time before the Target breach and after the Target breach: JD Sherry, VP Technology and Solutions from Trend Micro, asked each panelist which Looney Tunes character best represented their role. The panelists all agreed it was Wile E. Coyote because no matter what he tried, the Road Runner always got away. The bad guys always seem one step ahead of the good guys regardless of the effort or technology they implement. JD asked how their jobs had changed over the past 24 months. A key point made by this panel was “we now refer to time as Before Target and After Target”. Dustin Wilcox, CISO at Centene, said before Target, he met with his executive team for 15 minutes once a quarter, but after the Target breach, his board members and executives began calling him at home asking questions about how to avoid a Target-type breach and giving him the necessary resources to implement security initiatives faster.

Value of A Cyber Insurance Policy: David Finn, Health IT Officer from Symantec, led his panel in a discussion of the legal and regulatory issues and consequences. The panelists highlighted the benefit cyber liability insurance can have in mitigating the financial impact of a breach. Kim Holmes, VP Product Development at One Beacon, said one big mistake entities make is believing that their current general liability insurance policy covers cyber risk. Sean Hoar, Partner at Davis Wright Tremaine, cautioned about knowing what is covered and what is not and whether the policy had specified vendors you had to use as part of the coverage. He commented that if you already have a relationship with an attorney or breach services provider, the policy may exclude you from using them. Andrew Serwin also talked about when to use attorney-client privilege to protect confidential information and suggested considering invoking this protection when doing a risk assessment in case this information discloses cyber risks an organization decides to accept.

4 Threats are Big Data, cloud, mobile, social media: Greg Bassett, VP of Service Delivery at Clearwater Compliance, introduced his panel by stating that the information in a patient health record is worth 20 to 50 times that of a social security number on the black market. Big Data, cloud computing, mobile (BYOD), and social media are what is keeping security and privacy professionals up at night. And on top of all of this risk is “risk of the unknown.” Jerry Sto. Tomas, CISO Allergan, shared a story about a recent hostile takeover attempt to create a possible security breach. The panel shared that there is a shortage of security professionals available for hire in the market, creating more opportunity for risk.

What I Learned from Chinese Hackers: This panel focused on approaches to protecting PHI and was led by James Christiensen, VP of Risk from Accuvant. Eric Cornelius, Director of Critical Infrastructure and Industrial Control Systems at Cylance, shared what he learned from hackers who use existing tools to breach a network. He said Chinese hackers will use the standard utilities that come prepackaged with Microsoft to gain access to a secure network. He also said that with zero additional investment, an entity could use these same free tools and do a better job of detecting a breach. Chris Strand, Sr. Director of Compliance at Bit9, and Stephen Bono, Principal at Security Evaluators, also talked about the need to focus on the basics in cyber security - people, process, and tools.

San Diego Health Connect is proof there is value in sharing health information: Good news was shared by Dan Chavez, General Manager of San Diego Health Connect, a health information utility that connects providers, patients and Health Information Exchanges (HIE). Dan believes that the success of his health information exchange is based on creating a platform with federated data that improves health quality outcomes. He stressed that all the stakeholders, including major provider systems, government agencies, and business associates, agreed to play by the same rules, which fosters information exchange without competition.

The common enemy between doctors and CISOs is the compliance officer: When Dr. Jay Smith was asked how PHI Protectors could do a better job engaging doctors in compliance, he said that the enemy is the compliance officer. But he followed up with the sentiment of “give them a role and voice at the table and they will come.” Ray Ribble, Managing Partner at All Medical Solutions, asked his panel to suggest ways PHI Protectors could get involved with efforts inside and outside of their organizations after the conference, which led to a discussion about engaging with alliances such as the Medical Identity Fraud Alliance, NIST, and ISACs.

Thank you again to the sponsors, speakers, and attendees for making this a wonderful information sharing and networking event. Please join the conversation on the LinkedIn Group and participate in the ongoing dialogue. As our panelists said, we have a tremendous window of opportunity now to make an impact -- patient privacy and security is about all of us.
