By Bob Gourley | April 19, 2012 07:03 PM EDT
Editor’s note: This guest post from Jeff Stutzman of the Red Sky Alliance provides context on a topic of tremendous interest in the community, collaborative cyber security information sharing. – bg
Government-sponsored hackers, advanced cyber criminals, and even unskilled hacktivists operate with relative ease against our information systems because of the sophistication of the new tools at their disposal and their ability to connect quickly to full-featured command and control systems. Millions of computers can be rented cheaply to attack and steal information from your environment. A simple search for “Advanced Persistent Threat” yields over 8,200,000 hits! Even with so much press, and the sophistication of defensive tools, little is known about how to protect us from these new cyber threats. The amount of money lost to these attacks is astronomical. The amount of intellectual property lost by technology companies cannot even be estimated. Everyone is at risk.
The problem? Most companies don’t know how to detect the attacks, let alone remediate them. To whom do these companies turn for help? Increasingly they are collaborating with trusted partners. The Red Sky® Alliance facilitates this information sharing by providing an environment where companies can share information, learn from each other, compare notes, and be better prepared when hackers come knocking.
Why do people share cyber information? Here are a few thoughts:
1. Information from a cyber collaborative has far fewer false positives than information collected from simple technical aggregation.
In my last position, as the DCISE Director, indicators and compromise information were collected from the entire community, analyzed, and shared back. One of the companies tested the aggregate and found approximately a 3% false positive rate. That doesn’t mean every indicator fired 97% of the time, but since the data had been collected from the partnership that was actually being attacked, it seems only natural that the false positive rate would be very low.
On the other hand, many of the companies I talk to about ‘cloud based’ protections using technically aggregated signatures complain loudly about high false positive rates. In fact, one company I talk to regularly often describes how they burned down entire infrastructures based on APT ‘hits’ in the cloud protection process piloted by the DIB ‘opt-in’ cyber security program (this program, now under DHS, is called the Joint Cyber Security Program, JCSP for short). Why might this be? Many reasons: data input/quality errors are a common source of false positives in both camps, but using technical aggregation techniques for protection creates a massive amount of data. This data often includes historical data from a lot of sources. Some of the indicators are current, but in many cases the data contains extraneous information such as policy rules, etc. Additionally, aggregated information covers more than just targeted attacks. Much of the information is viewed as duplicative. Aggregated technical indicators generally are not used for protection against targeted threats. They’re used for covering a lot of cyber protective real estate rather than guarding only the door to the room with the safe.
Collaborative work product is far more focused. When a collaborative is built on trust, better information is shared, and the result is highly vetted, high quality indicators to be used in your defense in depth.
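The false positive sources listed above (input/quality errors, stale historical entries, extraneous rows such as policy rules, and duplicates) are all things a consumer can check for before an aggregated feed is wired into blocking or alerting. The script below is an added example, not code from the article or from Red Sky Alliance: it vets a small constructed feed with one check per source of noise, then measures the false positive rate of the raw feed and of the vetted feed against constructed analyst verdicts. Every indicator value, date, source name and verdict is a constructed sample (the 203.0.113.0/24 addresses are the RFC 5737 documentation range), and the 90-day staleness window is an assumed policy, not one the article states.

```python
"""Vet an aggregated indicator feed and measure its false positive rate.

Added example, not the article's or Red Sky Alliance's code. All feed rows,
dates, sources and analyst verdicts below are constructed samples.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Addresses that can never be attacker infrastructure on the internet; a feed
# entry in these ranges fires on your own hosts (a data-quality error).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
# MD5 of zero-length input: it matches every empty file on every disk.
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
KINDS = {"ip", "domain", "md5"}


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    last_seen: date
    source: str


def vet_row(row: dict, today: date, max_age_days: int = 90) -> tuple[Indicator | None, str | None]:
    """Normalise one feed row; return (indicator, None) or (None, reject reason)."""
    kind = str(row.get("type", "")).strip().lower()
    value = str(row.get("value", "")).strip().lower()
    if kind not in KINDS:
        return None, "extraneous"          # e.g. firewall policy text in the feed
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None, "malformed"
        if any(addr in net for net in NON_ROUTABLE):
            return None, "non_routable"
        value = str(addr)
    elif kind == "domain":
        if not HOSTNAME_RE.match(value):
            return None, "malformed"
    elif not MD5_RE.match(value):
        return None, "malformed"
    elif value == EMPTY_FILE_MD5:
        return None, "known_benign"
    try:
        last_seen = date.fromisoformat(str(row.get("last_seen", "")))
    except ValueError:
        return None, "malformed"
    if today - last_seen > timedelta(days=max_age_days):
        return None, "stale"               # historical entry, not a current indicator
    return Indicator(kind, value, last_seen, str(row.get("source", "unknown"))), None


def vet_feed(rows, today: date, max_age_days: int = 90):
    """Vet every row; keep the first copy of each (kind, value) and count rejections."""
    accepted: list[Indicator] = []
    seen: set[tuple[str, str]] = set()
    rejected: Counter = Counter()
    for row in rows:
        ind, reason = vet_row(row, today, max_age_days)
        if ind is None:
            rejected[reason] += 1
        elif (ind.kind, ind.value) in seen:
            rejected["duplicate"] += 1
        else:
            seen.add((ind.kind, ind.value))
            accepted.append(ind)
    return accepted, dict(rejected)


def false_positive_rate(keys, alerts):
    """(unconfirmed share, alerts fired) over alerts whose indicator is in `keys`."""
    fired = [confirmed for kind, value, confirmed in alerts if (kind, value) in keys]
    if not fired:
        return 0.0, 0
    return sum(1 for c in fired if not c) / len(fired), len(fired)


TODAY = date(2012, 4, 19)  # constructed "now" for the staleness check
FEED = [  # constructed aggregated feed: partner rows mixed with a vendor dump
    {"type": "ip", "value": "203.0.113.10", "last_seen": "2012-04-15", "source": "partner-a"},
    {"type": "ip", "value": "203.0.113.10", "last_seen": "2012-04-10", "source": "vendor-feed"},
    {"type": "ip", "value": "192.168.1.20", "last_seen": "2012-04-17", "source": "vendor-feed"},
    {"type": "ip", "value": "203.0.113.999", "last_seen": "2012-04-17", "source": "vendor-feed"},
    {"type": "domain", "value": "Update.Example.Net ", "last_seen": "2012-04-16", "source": "partner-b"},
    {"type": "domain", "value": "old.example.org", "last_seen": "2011-01-05", "source": "vendor-feed"},
    {"type": "md5", "value": "0123456789ABCDEF0123456789ABCDEF", "last_seen": "2012-04-18", "source": "partner-a"},
    {"type": "md5", "value": EMPTY_FILE_MD5, "last_seen": "2012-04-18", "source": "vendor-feed"},
    {"type": "policy", "value": "deny tcp any any eq 23", "last_seen": "2012-04-18", "source": "vendor-feed"},
    {"type": "domain", "value": "not a domain", "last_seen": "2012-04-18", "source": "vendor-feed"},
    {"type": "ip", "value": "203.0.113.55", "last_seen": "2012/04/01", "source": "vendor-feed"},
]
ALERTS = [  # constructed (kind, value, analyst confirmed it was a real intrusion)
    ("ip", "203.0.113.10", True), ("ip", "203.0.113.10", True), ("ip", "203.0.113.10", True),
    ("domain", "update.example.net", True), ("domain", "update.example.net", False),
    ("md5", "0123456789abcdef0123456789abcdef", True),
    ("ip", "192.168.1.20", False),
    ("md5", EMPTY_FILE_MD5, False), ("md5", EMPTY_FILE_MD5, False),
    ("domain", "old.example.org", False),
]


def run_demo():
    """Compare the raw feed against the vetted feed on the same alert history."""
    accepted, rejected = vet_feed(FEED, TODAY)
    raw_keys = {(str(r["type"]).lower(), str(r["value"]).strip().lower()) for r in FEED}
    vetted_keys = {(i.kind, i.value) for i in accepted}
    raw_fp, raw_n = false_positive_rate(raw_keys, ALERTS)
    vet_fp, vet_n = false_positive_rate(vetted_keys, ALERTS)
    return {"accepted": len(accepted), "rejected": rejected,
            "raw_fp": raw_fp, "raw_fired": raw_n, "vetted_fp": vet_fp, "vetted_fired": vet_n}


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

On this constructed data the raw feed fires on all ten alerts with half of them unconfirmed, while the vetted feed fires on six with one unconfirmed. The point of the example is the shape of the checks rather than the numbers: an aggregated feed needs exactly the vetting the article says a trusted collaborative already does before sharing.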
2. Return on investment in a good collaborative can be priceless.
In a recent (ahem) gin and tonic survey (meaning informal, over drinks), I asked a group of CISOs a simple question: “How much does a ‘targeted attack’ incident response cost?” Several answers were given, but the costs ranged from $1.9 million (in a very recent case) to $10 million. I then asked how effective they believed they’d been in detecting and responding to targeted attacks. Several companies were represented (50 or so). Those that went it alone seemed to fall largely into two categories: “We’ve got it under control” or “We’re playing whack-a-mole and can’t keep up”. A few belong to a cyber APT-focused collaboration. In all cases the latter group felt confident that they at least knew what was happening even if they couldn’t always control or respond to it. In all cases they felt they were getting better because of the collaborative, but still had a ways to go. In most of these cases the CISOs believed they’d learned to detect more, and once they figured out how to respond (with good process) their number of successful incidents dropped significantly. One CISO believed by at least a third. When handling 5-10 active incidents per day, that number becomes significant.
So, by the math: using 5 incidents per day, three days per week (I’ll be conservative), a typical CISO might experience 780 incidents in a year. Real incidents are, for argument’s sake, incidents where an IR team must deploy to stop the bleeding. If a 5% reduction were realized (also conservative, based on the gin and tonic survey), 39 incidents may have been stopped. 39 incidents at $1.9 million each means this example saved a company $74.1 million in one year! Remember, these are large enterprise CISOs. Every incident costs not only the incident response itself, but also investigation (especially in a regulated industry!), network team time, desktop team time, possibly project management, reporting, etc. $1.9 million for cleaning up a mass casualty targeted intrusion might be construed as expensive by a small company, but it’s actually a realistic number in a large company. Imagine saving $74.1 million per year across the company!
3. Defense in depth is expensive and complicated! No one company has all of the skills required on its current bench of Infosec labor to do it all.
Controls in a standard defense in depth infrastructure might number several hundred, ranging from managing data, to ensuring the blood running through the veins isn’t poisoned, to building and managing the moats around the critical information required to keep your company going. Add to that the need to build more on top of that set of controls to deal with targeted attacks, new methods of fraud, and advanced persistent threat groups who won’t stop trying until they’ve satisfied their collection requirements. Regardless of the model used (NIST, ISO, SANS Top 20, or whatever you choose as a baseline Infosec model), you’ve still got to be able to build tools on the fly, integrate intelligence and operations, and make organizational decisions on the go, sometimes at the peril of the business.
Two weeks ago in the Red Sky Alliance one of the companies called “Wild Fire”. This is the code word for “I’m fighting an incident response and need help.” The collaboration is sometimes used as an out-of-band war room. In this case the company called Wild Fire and within minutes four other large companies jumped in to help. One did malware analysis, while another found external contacts for a fourth (me) to call for victim notification and to get the attacking, C2 and exfil servers taken offline. The head of incident response later commented that he’d never been involved in an incident response where others had jumped in to help. He loved it.
It is indeed good to give. When you get something back of value, it’s really good to receive!
