The Cyber Threat Alliance (CTA) formed earlier this year by Fortinet, McAfee, Palo Alto Networks and Symantec is taking cyber threat information sharing to a new level that it hopes will lead to all its members offering better protection against cyber threats.
The CTA was formed as an informal alliance by the four companies in 2014, and formalised in February 2017 with the addition of Cisco and Checkpoint Software Technologies as founding members.
Michael Daniel, formerly Barak Obama’s security adviser, was named as the CTA’s first president. Daniel will be in Sydney on 12 October to discuss information sharing and cyber security at the Australian Information Security Association’s conference.
Speaking to Computerworld Australia ahead of the event, Daniel said one of the CTA’s main projects was the development of a cyber threat intelligence sharing system. While not yet complete, he said this was now operational and “beyond the beta stage.”
Many cyber security companies already gather threat intelligence that they use to update their products and better protect customers, often citing these as competitive differentiators. However, Daniel said the aim of the shared database was to lift competition to a new level.
“The truth is that nobody has a complete data pool: Not any of our member companies, not even the US government,” he said.
“We need competition to occur not on the raw quantity of data but on the quality of the data and on what people actually do with it: The analytics they put behind it, the way they integrate it into their products, with their business models.
“The idea is that we will encourage that shift to happen by enabling this information sharing, but there will still be strong competition in the market.”
A new platform for sharing threat data
Daniel said the platform would hold indications of compromise, malware binaries, URLs, IP addresses and context around these indicators — “What adversary group do we think this malware is associated with; who do with think the intended target was, at least at a broad industry level.”
He said that CTA members are awarded points for the value of the information they share and are required to ‘earn’ at least 10,000 points per day.
“The way we measure it is that we have an algorithm that scores the incoming threat intelligence packages. If we have not seen the observable before, it is worth five points and each piece of context provided around it is worth 10 points.
“Over time we will evolve that algorithm to be more sophisticated as we learn what types of observables are worth more to our members; what kinds of context are the most useful.”
All members hold their own local copy of the database, which is updated every five minutes by default, and are responsible for integrating it into their own products and services.
Daniel said all contributing members of CTA got access to the platform. Affiliate members can also participate in the committees governing the alliance and founding members automatically get seats on the committees and the board.
He said the organisation was primarily looking to expand its range of contributing members. “We are generating a lot of interest,” he said. We have 12 currently and we have another 20 or 30 in various stages of the pipeline.”
CTA proves its worth on WannaCry
In addition to the database, Daniel said the CTA had already provided its value in the WannaCry attack earlier this year by facilitating greater collaboration between members and creating a common language for discussing cyber security issues.
“We were able to gather the threat intelligence units from all members, get them to discuss notes in a way they were not able to do before and gain insights much more quickly than we would have been able to do otherwise.
“We very quickly figured out that none of our members was seeing emails as a vector. Everybody knows that now, but in the first few days everybody was running around looking for the phishing emails.”
He added, “The alliance is unique. There is lots of information sharing alliances out there, but none like the CTA. We are doing the hard business of figuring out how to make cyber threat information sharing work and that is a huge challenge, or we would have solved it 15 years ago.”
Cyber security a risk, not a problem
Daniel said that, in addition to talking about information sharing in his AISA conference address he would be trying to promote a different view of cyber security.
“We tend to treat cyber security as a technical problem for which we are trying to find a technical solution. My argument is that cyber security is not a problem you can solve; it is a risk that you have to manage.
“As long as you keep banging your head against the wall looking for a technical solution, you will fail, but if you manage to change your mindset and shift to one that is more about a risk management framework you can be much more effective.”