By Byron V. Acohido

Threat intelligence sharing has come a long way since Valentine’s Day 2015.

I happened to be in the audience at Stanford University when President Obama took to the stage to issue an executive order challenging the corporate sector and federal government to start collaborating as true allies.

Obama’s clarion call led to the passage of the Cybersecurity Information Sharing Act, the creation of Information Sharing and Analysis Organizations (ISAOs) and the jump-starting of several private-sector sharing consortiums.

Material progress in threat intel sharing, indeed, has been made. Yet, there remains much leeway for improvements. I had the chance to discuss this with Christopher Budd, director of Sophos X-Ops, the company’s cross-operational task force of security defenders.

Budd explained how Sophos X-Ops is designed to dismantle security silos internally, while also facilitating external sharing, for the greater good.

For a full drill down, please view the accompanying videocast. Here are my takeaways.

Overcoming inertia

Threat actors haven’t been exactly sitting on their laurels. Case in point: fresh intel just released in Sophos’  Active Adversary Report for Security Practitioners discloses how telemetry measuring network activity has begun turning up missing on a grand scale – in nearly 42 percent of the incident response cases examined by Sophos’ analysts between January 2022 and June 2023.

These gaps in telemetry illustrate just how deep and dynamic the cat vs. mouse chase has become; in some 82 percent of these cases the attackers purposefully disabled or wiped out the telemetry to hide their tracks.

“Because of improved network defenses, the attackers are innovating ways to get in and out as fast as they can,” Budd says.  “We’ve been dealing with this arms race for decades; at this point, not only is it an arms race, but it is also a highly caffeinated arms race.”

Budd

Overcoming inertia remains a big challenge, Budd adds. Historically, network security has been marked by siloed security operations; unilateral teams got stood up to carry out email security, vulnerability patching, incident response, etc. — interoperability really wasn’t on anyone’s radar.

Meanwhile, the network attack surface has inexorably expanded, even more so post Covid 19, as companies intensified their reliance on cloud-centric IT resources. And today, with the mainstreaming of next-gen AI tools, attackers enjoy an abundance of viable attack vectors, putting security teams that operate unilaterally at a huge disadvantage.

Joint task force approach

Sophos X-Ops launched in July 2022 to apply a joint task force approach to protecting enterprises in this environment. Budd directs a cross-operational unit linking SophosLabs, Sophos SecOps and SophosAI, bringing together three established teams of seasoned experts.

From this command center perspective, real-world strategic analysis happens continuously and in real time. The task force can deploy leading-edge detection and response tools and leverage the timeliest intelligence. It’s much the same approach that has proven effective time and again in military and emergency response scenarios.

“The benefit of a joint task force model is you maintain excellence and expertise in each domain area,” Budd says. “You don’t dilute the expertise in that domain area; you break down the silos by bringing each piece that you need for that unique threat to build a unique solution.”

The incidence response team, for instance, might zero in on suspicious activity to gather hard evidence that gets turned over to malware experts for deeper analysis. AI specialists might then jump on board to develop an automated mitigation routine, suitable for scaling. And the entire mitigation effort gets added to the overall knowledge base.

This is how the Sophos X-Ops team helped neutralized a recent spike in ransomware attacks against Microsoft SQL servers. The joint task force unraveled how the attackers were able to leverage a fake downloading site and grey-market remote access tools to distribute multiple ransomware families. The campaign was thwarted by pooling resources and jointly analyzing the attackers’ tactics.

External sharing

It struck me in discussing this with Budd that the joint task force approach directly aligns with Obama’s call for stronger alliances on the part of the good guys. Notably, Sophos X-Ops from day one has actively participated in external sharing, via the Cyber Threat Alliance (CTA)and the Microsoft Active Protections Program (MAPP.)

The CTA is a coalition of some two dozen companies and organizations, led by Cisco, Palo Alto Networks, Fortinet and Check Point, committed to sharing actionable threat intel in real time. Members proactively share information on emerging threats, malware samples and attack patterns.

With MAPP, Microsoft aims to share fresh vulnerability patching alerts with security vendors before public disclosure. This gives the security vendors a head start in developing patches and affords them a head start in distributing patches. This strengthens the overall Windows ecosystem, Budd noted.

As cyber threats continue to evolve and scale up, the urgency for companies and government agencies to do much more of this is intensifying. The good news is that the advanced technologies and vetted best practices required to completely dismantle security silos as well as to  extend external sharing far and wide, are readily available.

This all aligns with the notion that deeper levels of sharing must coalesce if we are to have any hope of tempering continually rising cyber threats. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

November 15th, 2023