If you’re a parent, you may use the phrase, “Play nicely together!” as a threat to children who refuse to get along. In cyber security, it’s the other way around. The phrase might apply to threats themselves. “Play nicely together” should be the slogan of threat intelligence management. Effectively managing threat intelligence requires many different people and entities to play nicely, so to speak. This is a lot harder to do than one might imagine.
As Jonathan Couch, Senior Vice President of Strategy at ThreatQuotient, explained, threat intelligence management is only partly a matter of technology. “You have to have the right platforms in place, along with a commitment amongst all participants to integrate their respective technologies and share threat intel,” he said. “However, hard as this technical integration is—and make no mistake, it’s a bear—that is only part of the solution.”
According to Couch, there are two basic challenges to address in threat intelligence management after the technology issue has been worked out. First, people tend to work in their own siloes. “SecOps teams are detecting and monitoring threats,” he said. “At the same time, you’ve got incident response and threat hunting teams and threat intel teams all working in relative isolation. Sometimes, it’s total isolation. One team might know something that would be extremely valuable to the others. However, they need a reason to share what they know, as well as permission to share.”
It’s not that teams don’t want to share. They may lack the organizational or technological means to do so. Here, the platform can make a difference. Couch, who spent decades in military and national security cyber intelligence before joining ThreatQuotient, understands this problem very well. “We’ve architected ThreatQ to help organizations overcome the structural and technical barriers to sharing threat data.”
The other big difficulty is inter-organizational threat sharing. While government and private industry have made huge strides in this area of cyber security in recent years, much work still remains to be done. “Agencies and companies don’t like to share threat intelligence,” Couch observed. “We’re shifting this mindset, but many legitimate reasons remain to dissuade government and private industry to share threat data.”
At one level, it’s about control. “Agencies want to control the threat data they have,” he noted. “And, to be fair, there are risks in sharing information about threats. Can you trust the other organization? Perhaps you’ll inadvertently give away some important facts about your threat gathering operations and methods to the wrong people. It’s hard to establish trust.”
Government security classifications are also a big barrier. “Once an agency has deemed a threat report classified, it’s a lot of work to allow others to see it, especially if the prospective viewer works in a private business. That’s smart, much of the time,” he said. “Do you want to share classified data with any old person in private industry? No… but DHS is now making the process easier. This is long overdue.”
Here again, the platform can make a difference. A threat intelligence management platform has the ability to control information sharing and help establish trust amongst people from different entities. “You can tear down walls, especially through the use of role-based access permissions that cot across organizational boundaries,” Couch added. So perhaps, at long last, government and industry will learn to “play nicely” when it comes to threat sharing.