Palo Alto Networks is on board with industry-wide efforts to share threat intelligence and disseminate it so the collective knowledge businesses gather about threats can be quickly turned into defenses against new types of attacks.
Its efforts include support for the new federal Cybersecurity Information Sharing Act that lifts some of the liability businesses are exposed to if they share data about security incidents. If the data inadvertently reveals personal information but was submitted in accordance with the law, the contributor would not be legally liable.
The company is also hammering out the details of the Cyber Threat Alliance it formed last year to gather threat information from security vendors and researchers that can rapidly and thoroughly unmask current threats. The goal is to shorten the useful lives of attacks and put a heavier burden on attackers who want to stay in business.
Recently Network World spoke about this with Palo Alto’s CSO Rick Howard. Here is an edited version of that conversation.
What impact has the Cybersecurity Information Sharing Act had on your efforts?
The law basically gives [businesses that share intelligence] some relief in case somebody makes a mistake in intelligence sharing. So it’s too early to tell what sort of an impact that’s going to be.
Are you saying it’s going to take somebody to actually be challenged in court and have a ruling before CISA will be widely used?
Right. Until someone gets challenged on it, I don’t know how impactful the law will be.
What value, if any, will this type of information sharing have for you and your customers?
This is a fundamental thing that we have to get right. Palo Alto Networks believes it, I believe it, that we need to scale intelligence sharing massively in order to get ahead of the adversaries so yes, I encourage anything that will help us share intelligence better with our peers, with our competitors, with our friends - anybody.
What are the advantages, specifically?
Let me talk about the initiative that we’ve been working on here. It’s called the Cyber Threat Alliance. My boss got three other CEOs of security vendors [Fortinet, Intel and Symantec] to group up and decide to share threat intelligence with each other. What we are pushing on is not just sharing malicious code with each other, although that’s what we’re doing right now. What we’d really like to do is share adversary playbook information down the kill chain, indicators of compromise, how the adversary thinks his or her way through their victims’ networks. Our experience is that the list of indicators of compromise in that playbook could be as small as 100 and as big as over 3,000 to 4,000 things that they do. What we want to be able to do is share that information with as many people that can consume it and push prevention controls out as automatically as we can.
How might that effort be helped if individual corporations start contributing to threat intelligence that they gathered?
If everybody is doing this, if vendors do it, white hat researchers do it, corporations do it big and small, just think if we could crowd-source all of that intelligence and stick it into prevention vehicles that we all have deployed. That’s the value of it.
So if you’re really after the indicators of compromise, would every contributor have to analyze things they detect and come up with a list of IOCs or would that be done by somebody else? I’m thinking of a business that might not have huge resources.
Maybe those guys might belong to other kinds of sharing organizations, like [information sharing and analysis centers] and maybe the alliance collects that from those organizations. They would be sort of a gathering point of all that stuff. It’s yet to be seen.
And the growth of the alliance, how has that been over the year? It started with four.
We’ve added four contributing members since then. The contributing members are Reversing Labs, Barracuda, Zscaler and Eleven Paths. We sort of put a cap on it last year while we got our act together. We had to learn how to trust each other and we had to build some infrastructure to allow efficient sharing.
Would you say you’re up to speed?
No. We had to solve a pretty big problem. I go in with my counterpart from the Alliance and brief the CEOs every quarter about the status of the Cyber Threat Alliance. They called us in June and said, 'What are we going to do with this thing? Can you guys just do a proof of concept? Can you do one adversary group? Can you just do one? We’ll give you 90 days to do it.'
We put our best analysts on it and we went after CryptoWall 3 over last summer. At the end of it we published a whitepaper and when we published the whitepaper, the adversaries behind CryptoWall 3 moved to CryptoWall 4 the next day. Now we didn’t make them move, they were ready to move but we bumped them and that’s the whole idea. They probably weren’t ready to go when we did, but they used that as an excuse to go to the next version and if we can do that in real time every day then we are making [adversaries] spend resources that they probably don’t want to spend.
What other hurdles do you face?
One of the bigger ones is how do you measure the quality of intelligence if the pool of intelligence people providing intelligence to everybody else is large? Right now we make everybody share 1,000 pieces of malicious code a day. At Palo Alto Networks we collect 20 million samples of malicious code a week so sharing 1,000 a day with eight other vendors is not going to move the needle. If we want to share indicators of compromise for every adversary group out there, that takes a significant upgrade in capability.
How do you measure the quality [of contributions]? Because right now with our current stipulation, that you have to share a thousand pieces every day, kind of eliminates the smaller players. So we are talking about how to solve that problem right now and we’re working on a proof of concept that should be done by the summertime.
Security vendors like us and Symantec and Intel, we all collect malicious code all the time. Collecting and sharing 1,000 pieces every day is not that big of a deal for us but there are niche intel players and one-person teams that are also doing pretty good intelligence but have no way to meet that high bar so we’re trying to figure out how to get those guys into the club.
Are you concerned that members will glean all the intelligence provided by others without contributing very much?
Yes. If you belong to the alliance, everybody has to contribute. We want to measure that with some accuracy and not all intelligence is of the same quality as others. I may come in with a piece of malicious code that everybody has seen already so that’s not much value but a smaller player might come in and give the one indicator that attributes the entire playbook to a specific adversary. We want to be able to measure that and take credit for that and give that person who shares it the credit that they deserve. What we’re talking is building an intelligence marketplace, a way to evaluate all the intelligence that’s coming in, giving it a score and therefore everybody in the marketplace knows who the good intelligence people are, who the bad ones are.
So, it’s not a one-way street where members gain the benefits but don’t contribute.
Right. We’re trying to protect against the not so great intelligence outfits that just come in and grab all the great intelligence and don’t ever give anything.
With the proof of concept, how do you overcome the problem?
We’re building it now and testing it now. We’ve got some ideas about how to build the thing. We’ll see what shakes out by the summertime.
And that should theoretically improve the effectiveness of the whole alliance?
I think so. It gives everybody a chance to play regardless of what size they are and regardless of the amount... No longer will we grade it on volume of intelligence shared. It will be on quality of intelligence shared.