At the Speed of Data: Automating Threat Information to Improve Incident Response, presented at FIRST 2014

by Denise Anderson, George Johnson

Summary: Information sharing in the cyber defense world has historically been a tremendously manual and isolated process. While formal and informal networks of incident responders have sprung up to give defenders some leverage in mitigating attacks, economic forces have driven the attack side faster than defenses can keep up. Exploits built to target a specific sector or industry can be broadly reused for a significant return on investment because responses across that sector or industry are slow and uncoordinated. The financial sector has recognized that it is imperative to change the economics of the attack/defense model in order to shift the balance of power. Financial institutions, through the Financial Services Information Sharing and Analysis Center (FS-ISAC), have been developing and maturing the process of information sharing among its constituents to increase the speed at which defenses spread across the entire financial sector. Several key factors have contributed to the success so far, including:
• Ability for users to post anonymously
• Analysts add value to each posting and users find the information valuable
• Creation of a clear guideline for information dissemination
• Maturing a trust model
• Providing an infrastructure to allow information sharing to occur
Notwithstanding the success to date, human-to-human interaction imposes limits on the speed and volume of data shared. The finance sector has committed to moving to automated sharing of threat information by using standardized protocols (STIX and TAXII) and mark-up automation, in order to change the economics of cyber attacks further in favor of the defenders. This presentation will describe the critical success factors in generating the initial trust necessary to drive collaboration, and the next steps in automating information exchange so that analysts can focus on “asking the questions” instead of being slowed down by manual processes.