Combating Emerging Threats Through Security Collaboration

Threat Sharing and Collaboration

It’s no surprise to anyone practicing security today that the threat landscape has grown increasingly complex. Modern attacks weave together exploits, malware, applications and evasions into long, ongoing attacks that can last days, months or even years. To respond, security teams have begun to take a more integrated overall approach to threat prevention in which multiple technologies work together and are evaluated in context of the user and application.

For example, a modern IPS looking for exploits needs to know the application and protocols of the traffic it analyzes in order to see and stop the appropriate threats. Similarly, malware and advanced attacks are often found by correlating anomalous behaviors in the network such as the presence of unknown or customized traffic, unusual download behavior, and the use of common evasive tactics, such as using dynamic DNS. This intuitively makes sense because if we are combating a more coordinated, multi-vectored attack, then it stands to reason that we will need coordinated, multi-disciplined defenses.

Collaboration Through Sharing of Threat Data

However, even this perspective is limited to the information that we can observe on our own individual networks. As the threat landscape continues to grow more daunting, it will become increasingly important that security teams find a safe way to share data concerning threats across organizational boundaries. In much the same way that we can benefit from correlating across information in our own security silos, we can also benefit from what other security teams are seeing in the wild. Of course, a certain level of this sharing already happens in the industry in specific areas such as sharing of virus information at services such as Virus Total.

That is a good step in the right direction, but it provides insight into just a single piece of an attack. We gain a different perspective entirely if we can begin to understand the process of the attack. For example, was there a phishing component? How was the user targeted and over what applications? What systems or applications were targeted or exploited? What sorts of malware were used, and where had that malware been seen before? How was the attack ultimately detected? Of course, not all of this information will always be known, but even when examined in an incomplete form, it can provide a much more realistic view into the real attack strategies that we all will likely face.

Challenges, Not Road Blocks

Of course there are challenges to be addressed. Anonymity will be required to ensure that organizations can share information safely. A trusted third party will likely need to be established where information can be safely shared and normalized. This will likely need to include both government and industry resources, which will not be without its challenges. However, even with these obstacles the long-term value to all industries is hard to overlook.
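As an added example (not code from the original post or from Palo Alto Networks), here is one way an organization could normalize an incident record before handing it to a trusted third party: the attack-process details listed above are kept, the organization's own identifiers are dropped, and victim hosts are replaced by keyed pseudonyms so the third party can correlate repeat reports without learning the hosts. The incident record, the secret and the field names are constructed for illustration.

```python
import hashlib
import hmac

# Attack-process fields worth sharing across organizational boundaries.
SHARED_FIELDS = ("phishing_component", "targeted_application", "exploited_system",
                 "malware_sha256", "detection_method", "attacker_c2")

# Constructed sample incident; addresses use documentation/private ranges.
SAMPLE_INCIDENT = {
    "organization": "Example Corp",            # identifies the reporter: dropped
    "reporter_email": "soc@example.com",       # identifies the reporter: dropped
    "victim_hosts": ["10.1.2.3", "10.1.2.40"], # identifies the victim network: pseudonymized
    "attacker_c2": ["203.0.113.7"],            # attacker infrastructure: shared as-is
    "phishing_component": True,
    "targeted_application": "webmail",
    "exploited_system": "workstation",
    "malware_sha256": "0" * 64,                # placeholder hash, not a real sample
    "detection_method": "dynamic DNS beacon correlation",
    "first_seen": "2014-01-15T14:31:00Z",
}


def pseudonymize(value: str, org_secret: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a host identifier.

    The secret stays with the reporting organization, so the clearing house can
    see that two reports involve the same host but cannot recover the host itself.
    """
    return hmac.new(org_secret, value.encode(), hashlib.sha256).hexdigest()[:16]


def normalize_for_sharing(incident: dict, org_secret: bytes) -> dict:
    """Build the record an organization would hand to a trusted third party."""
    shared = {k: incident[k] for k in SHARED_FIELDS if k in incident}
    # Day granularity is enough for tracking an emerging campaign; exact
    # timestamps make it easier to tie a report back to a specific victim.
    shared["first_seen_date"] = incident["first_seen"][:10]
    shared["victim_hosts"] = [pseudonymize(h, org_secret) for h in incident.get("victim_hosts", [])]
    return shared


if __name__ == "__main__":
    for key, value in normalize_for_sharing(SAMPLE_INCIDENT, b"example-org-secret").items():
        print(f"{key}: {value}")
```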

Collaboration as a Competitive Advantage

I would also argue that collaboration is one of the fundamental advantages that white-hats enjoy over the black-hats. It’s important to remember that attackers are largely competitive with one another. While obviously attackers learn techniques by observing what works in successful attacks, the concept of sharing and collaboration is very rare. Sharing of information between attackers is typically limited to hacktivism groups. On the other hand, organized crime and nation-state attackers are heavily incented to keep their techniques secret. Almost by definition these criminal “for profit” organizations are prevented from sharing information in order to maintain their advantage. As enterprise security teams, we are obviously in a much better position to collaborate. Even in the case where two companies compete with one another, their security teams share the same goal and face the same threat landscape.

If security teams, both industry and government, can commit to improved collaboration, it will give these teams the ability to better track emerging infections and stay ahead of new malware techniques.

Palo Alto Networks™ is the network security company.
