There has been an information security mantra for years in the United States about the need for a public-private partnership. While ISACs have existed since the late 1990s, the results of public-private partnerships have hardly been harmonious; instead, acrimony has been the order of the day in most instances. Private sector organizations have long complained about the one-way flow of security data and information: from the private sector to the federal government, with nothing in return. That is not entirely true, but it is the strong perception, at least. For example, the NSA has been providing malware signatures to DIB (defense industrial base) companies for a couple of years (e.g., “NSA Chief: Agency Wants To Provide Malware Signatures, Not Enter Private Networks”). The private sector's response has generally been criticism of NSA's perceived motives and of the quality of the signatures provided. Of course, this private sector skepticism was confirmed by the Snowden revelations in June 2013. Particularly galling to the private sector (especially the technology companies) was NSA's PRISM surveillance program. Even within the private sector, information sharing has been restricted. For example, ISACs are generally restricted to industry-specific members, and raw data is not shared. Rather, processed information, such as IOCs and malware indicators, is shared.
But in the last couple of years, the U.S. Government has taken a couple of small but useful steps to facilitate information sharing for information security. For example, in late 2015, Congress passed the Cybersecurity Information Sharing Act. While there were, and still are, significant privacy concerns about the Act, it is intended to facilitate sharing of security information from the private sector to the Government. Additionally, in 2016, US-CERT adopted TLP (the Traffic Light Protocol) to facilitate the sharing of security information.
Very recently, however, some degree of trust actually seems to be breaking out. In March of this year, five major American universities (in the Big Ten) announced the launch of OmniSOC. These five universities have banded together to share a SOC. This is not an MSSP; this is five institutions sharing a single SOC. And even more recently, in May of this year, Project INDIGO was disclosed. Project INDIGO involves a subset of the FS-ISAC, the Financial Systemic Analysis & Resilience Center (FSARC), voluntarily sharing scrubbed data (e.g., IOCs and malware indicators) with USCYBERCOM, as well as DHS and Treasury. This scrubbed data is not coming from small financial institutions; it is coming from some of the largest banks in the United States. According to media reports, the banks involved are Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street, and Wells Fargo.
These two recent examples of trust have some important implications for information security. First, the size of the data sets to analyze for detection of attacks continues to grow, even as the volume of attacks grows. For example, MasterCard recently told The New York Times that it alone is detecting three attacks per second. Many of those “attacks” are undoubtedly simple port sweeps, but many others are undoubtedly quite sophisticated.
Even more challenging, however, is detection of attacks through analysis across multiple datasets in parallel. There is little value in sharing data if my analysis is still siloed to a single dataset. USCYBERCOM probably does not really care if FS-ISAC member x is under attack. I will bet, however, that USCYBERCOM would be extremely interested if the broader financial services sector were under attack. (Think about the Iranian DDoS attacks on American banks from December 2011 through May 2013.) Most organizations today are challenged to use their SIEMs effectively within their own organization. Can you imagine trying to write effective SIEM correlations across organizational datasets? That is simply not going to happen, not even with the personnel and financial resources of the NSA. Machine learning, on the other hand, is far better suited to this cross-dataset detection, for example through transfer learning: a model trained on one member's data can be adapted to another member's data rather than having every correlation rewritten by hand.
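What the cross-dataset question looks like in practice, as an added example that is not part of the original post or of any ISAC or government feed: constructed scrubbed sightings from five hypothetical members (bank-a through bank-e, with made-up secrets, indicators from documentation address ranges and example domains, and invented timestamps) are correlated by counting distinct members per indicator inside a sliding time window. A single member's SIEM sees only its own rows; the sector-level view is the kind of signal a body such as FSARC or USCYBERCOM could act on.

```python
"""
Cross-member IOC correlation over scrubbed sharing feeds.

Added example, not code from the original post or from any ISAC or
government project. It assumes a simple feed format in which each member
ships only an indicator, a coarse category and a timestamp, with the
member's identity replaced by a pseudonymous token derived from a secret
the member keeps. The aggregator can then ask the one question a single
SIEM cannot answer: how many distinct members saw this indicator in the
same short window?
"""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib
import hmac

# Constructed per-member secrets. In practice each member holds its own and
# the aggregator never sees it; the token is stable, so repeat reports from
# the same member collapse to one, but it cannot be mapped back to a name.
MEMBER_SECRETS = {
    "bank-a": b"constructed-secret-a",
    "bank-b": b"constructed-secret-b",
    "bank-c": b"constructed-secret-c",
    "bank-d": b"constructed-secret-d",
    "bank-e": b"constructed-secret-e",
}
SHARING_LABEL = b"sector-ioc-feed"  # fixed context string, an assumption of this example


def pseudonymize(member_name: str) -> str:
    """Stable, unlinkable member token: HMAC of a fixed label under the member's secret."""
    mac = hmac.new(MEMBER_SECRETS[member_name], SHARING_LABEL, hashlib.sha256)
    return mac.hexdigest()[:12]


def scrub(member_name: str, indicator: str, category: str, seen_at: datetime) -> dict:
    """Member-side scrubbing: only the fields the sector needs leave the organization."""
    return {
        "member": pseudonymize(member_name),
        "indicator": indicator,
        "category": category,
        "seen_at": seen_at,
    }


def sector_wide(sightings, min_members: int = 3, window: timedelta = timedelta(hours=24)) -> dict:
    """
    Aggregator-side correlation. Returns {indicator: {"members": n, "window_start": t}}
    for every indicator reported by at least `min_members` distinct members within
    any span of length `window`. Repeat reports from one member do not count twice.
    """
    by_indicator = defaultdict(list)
    for s in sightings:
        by_indicator[s["indicator"]].append((s["seen_at"], s["member"]))

    hits = {}
    for indicator, events in by_indicator.items():
        events.sort()  # sliding window over time-ordered sightings
        for i, (start, _) in enumerate(events):
            members = {m for t, m in events[i:] if t - start <= window}
            if len(members) >= min_members:
                hits[indicator] = {"members": len(members), "window_start": start}
                break  # the earliest qualifying window is enough to raise the alert
    return hits


# Constructed sample feed. Only 203.0.113.7 is a sector-wide event at the default
# threshold: four members within five hours. The others are a single noisy member,
# a slow drip across three members over six days, and a two-member hit.
T0 = datetime(2018, 6, 1, 0, 0)
H = timedelta(hours=1)
D = timedelta(days=1)
SIGHTINGS = [
    scrub("bank-a", "203.0.113.7", "c2-ip", T0 + 1 * H),
    scrub("bank-b", "203.0.113.7", "c2-ip", T0 + 2 * H),
    scrub("bank-c", "203.0.113.7", "c2-ip", T0 + 3 * H),
    scrub("bank-d", "203.0.113.7", "c2-ip", T0 + 5 * H),
    scrub("bank-a", "evil.example", "phish-domain", T0),
    scrub("bank-a", "evil.example", "phish-domain", T0 + 1 * H),
    scrub("bank-a", "evil.example", "phish-domain", T0 + 2 * H),
    scrub("bank-a", "198.51.100.9", "scanner-ip", T0),
    scrub("bank-b", "198.51.100.9", "scanner-ip", T0 + 3 * D),
    scrub("bank-c", "198.51.100.9", "scanner-ip", T0 + 6 * D),
    scrub("bank-b", "malware.example.net", "dropper-domain", T0),
    scrub("bank-e", "malware.example.net", "dropper-domain", T0 + 1 * H),
]

if __name__ == "__main__":
    for ind, info in sector_wide(SIGHTINGS).items():
        print(f"{ind}: {info['members']} members from {info['window_start']:%Y-%m-%d %H:%M}")
```

Two practitioner caveats. The threshold and window are policy, not science: the same feed flags 198.51.100.9 once the window is widened to a week, and malware.example.net once two members are enough, so whoever runs the aggregator needs to agree those parameters with the members before the first alert goes to a government partner. And a stable pseudonym is a trade-off: it lets the aggregator discard duplicate reports from one member, but it also lets the aggregator build a longitudinal profile of that token over time, which is exactly the kind of one-way flow the private sector has complained about; rotating the label per reporting period limits that at the cost of some double counting.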
Couple that with increasingly rapid changes in cyber attacks, and the task of writing new correlations, or even updating existing ones, starts to look like a losing proposition. If these two examples of trust mark the beginning of a trend, then I believe that the flip side of that trend marks the beginning of the death of SIEMs. If you are not looking into machine learning already, you should be. Machine learning is the only way to get the scale and sophistication of detection needed to drive down false negatives.