Aug 26 2012
Oracle CSO, Mary Ann Davidson, says information sharing isn’t happening based on her experience as CSO and President of an IT Information Sharing and Analysis Center (IT-ISAC) chapter. I think someone who says information sharing isn’t going on is looking in the wrong places and has her head stuck in the sand. Her conclusions are probably accurate from her point of view; she’s not seeing much information sharing from Oracle or IT-ISAC, so it must not be going on. But I think her viewpoint is myopic.
From my point of view, there is a lot of information sharing going on out there. This week I was at the bi-weekly Advanced Cyber Security Center (ACSC) meeting in Boston, MA. Over the summer I spent a week in Malta at the annual Forum of Incident Response and Security Teams (FIRST). I’ve been to over a dozen conventions this year alone and spoken to hundreds of security professionals of every level. There’s also thousands of people in security who spend time every day interacting on Twitter and other social networks, building relationships with people who share their passion for security, sharing information .
Then there are all the information sharing efforts I’m not involved in but probably should be. Things like the Dragon Research Group, the Shadow Server Foundation, the SANS Internet Storm Center, Emerging Threats, as well as a host of others. These efforts are led by volunteers who like to dig deep into some of the dark corners of the Internet and share with others what they’ve found. Some of it’s supported by businesses, but the majority of the effort is led by people who are passionate about security and want to share what they’re finding for everyone’s benefit.
There’s also a lot of intelligence being shared by the industry in the form of monthly, quarterly and annual reports. My personal favorite is the Data Breach Investigation Report (DBIR) provided every year by the folks at Verizon. The reports that come from Symantec, McAfee, Prolexic, Dell and Arbor, just to name a few, also add to the breadth of knowledge we have available. I’ve even been contributing to the Security section of the Akamai State of the Internet Report the last few quarters myself. And there’s more industry blogs than you can shake a stick at if you care to spend, oh, maybe 30 seconds in your favorite search engine.
My point is, there’s a lot of information sharing going on, it’s just not neatly packaged up in a way that a senior manager can easily say, “Here are the specific actions my corporation should take based on this data”. It takes work to review the sources and synthesize the information into something that could legitimately be called knowledge. So far, the ACSC is the organization that works the best for sharing directed information, but that is in large part because the group is limited in scope (New England area organizations only) and because it meets every other week for face time and information sharing. It takes trust, which generally is something that you’re only going to earn over time by consistently being available and being trustworthy yourself. Trust is something that’s gained one person at a time, not just because you’re part of a big company or you think you’re a big name in the industry. Meeting once a quarter or just using forums and mailing lists isn’t going to earn much trust, nor is admonishing people for not sharing.
If you want to further information sharing in the security industry, businesses need begin by sharing a little of what they’re seeing themselves, not expect everyone else to come to them with information. Oracle has a horrible reputation when it comes to sharing security information. When was the last time anyone saw a real, valuable announcement about a vulnerability in an Oracle product before it was a zero day or the researcher ran out of patience after waiting two years to publish his or her findings? What information is Oracle publishing that’s valuable to the industry or talked about as a resource everyone just *has* to read? Rather than implying I’m a bad Internet citizen by telling me I should share more information, show me how it’s done. Come to the table with something of value, show me how to contribute in return, give me an example I’ll want to follow, rather than whining because I didn’t give you something first. Lead me by showing me how it’s done, not by telling me I need to do a better job of it myself!
One of the points where I think Mary Ann Davidson is dead wrong is in being condescending about concerns for personal privacy in information sharing. If we have learned anything, it’s that properly anonymizing data is HARD. Remember when AOL released search data to researchers in 2006, it was quickly proven that it was relatively easy to take the data and link it to people in the real world. If we’re asking for that level of information sharing between companies and government, we need to be absolutely certain we’ve taken as much care as possible to protect individuals, and only reveal their information when it’s actually needed as part of the threat intelligence. Which I’d say is probably only 1 case in 10,000 or more, since the majority of traffic from individuals has no bearing on security. Maybe Mary Ann is willing to hand over her information to every information sharing entity and the entities they interact with, but I’m not. Besides which, I’d be willing to bet that personal privacy is only a stalking horse for most businesses, they’re really more concerned with sharing their company’s private information than the private information of their customers.
Rather than complain that we’re not sharing enough as an industry, we need to work on sharing information about attacks, attackers and malicious traffic in a safe and sane manner. This doesn’t mean just sharing traffic captures, which 99% of management professionals wouldn’t understand anyway. It means identifying threat actors, doing what we can to create positive attribution and sharing that data with other companies and the government. This doesn’t just mean the stuff that goes on behind closed doors, it means creating more reports that show real statistics and contain valuable analysis for the industry as a whole. Give me tools that I can use to help make informed decisions about securing my corporation and I might just surprise you by reciprocating.
One Response to “Put up or shut up: Lead with action, not words”