In their latest attempt to protect investor and customer data, eight major banks recently did the unthinkable: they formed an alliance. Reportedly, J.P. Morgan, Bank of America, Goldman Sachs and several other competitive institutions have agreed to the rapid sharing of information and analysis related to cyber threats. The coalition of otherwise cutthroat competitors reflects one of the smartest possible moves in a game that is too often won by the bad guys. Because companies within a common industry typically suffer similar attacks, the formation of the subgroup within the Financial Services Information Sharing and Analysis Center (FS-ISAC) will be among banking’s best tools for detecting complex threats and attacks. Other industries should follow finance’s lead.
The need for information sharing among competitive companies
Industry-driven threat sharing can be the difference between detecting an attack early in the incident or far too late. For finance – as well as other vulnerable sectors, such as healthcare and manufacturing – there has never been a more relevant time to form information-sharing alliances.
There are three core reasons:
- When attack groups conduct reconnaissance on potential targets, they usually focus on several companies within a single sector. If one player in the market detects this kind of activity, others in the market are also likely at risk at that time. For example, the Carbanak attack that hit multiple banks worldwide used the same method of infection: phishing emails with Microsoft Word 97 – 2003 (.doc) files or CPL files attached. If one of the banks had managed to detect this attack and share it with the community, others would have been able to mitigate the attack at an early stage.XXX.
- Even advanced persistent threat attackers reuse some tools and techniques. We see this in the hospitality industry, which has been particularly hard hit by point-of-sale compromises over the past two years. The vulnerabilities have been linked to MalumPOS, which is a malware designed to collect data specifically from point-of-sale systems running on Oracle’s MICROS platform. However, the industry just became aware of the Oracle MICROS breach last August. Therefore, potential targets can learn valuable information from industry peers who have suffered APTs.
- The interim guidelines of this year’s Cybersecurity Information Sharing Act lower the barriers against information sharing to make it easier for companies to create marketwide alert systems without breaking antitrust or privacy laws.
Overcoming resistance to collaboration
Nowadays, there are many systems and best practices in place to make sharing threat information with industry peers as easy and beneficial as possible; however, companies, IT teams and even security professionals still resist doing so.
This is, to an extent, understandable. Sharing requires all parties to invest time, money and effort into a centralized platform that accounts for distributed networks. Perhaps more importantly, this kind of collaboration requires trust, and that is a complicated quality to foster among competitive organizations.
The first step to overcoming these challenges is to lower the barriers and make the process as quick and painless for participants as possible. This will need some level of technical support to make industry collaboration actionable in a timely manner, including automating processes like threat reporting. Whether that support comes from internal teams or external third parties, organizations will have to structure or standardize their data for easy sharing and consumption to help support actionable and efficient processes. This step is key since teams are understandably reluctant to divert any time during an attack away from mitigation to report out to an industry group.
Tackling the trust issues around reputation damage and data reliability is even more challenging. If commercial markets aren’t leading the way to cross this and other barriers to information sharing, governments will have to step in to instill regulations or required frameworks.
The future of industrywide cybersecurity
Companies in industries that witness increased threat need the leadership of internal and external visionaries to make information sharing the norm. Chief information security officers, sector organizations like FS-ISAC and industry computer emergency readiness teams (CERTs) all have a role to play in promoting defensive information sharing.
Once the will is established, the success of cross-company information sharing will come down to how easy it is for participants to do it. Easy information sharing will require:
- Definitions for incidents and data types to be reported;
- Technical tools that automatically export data to a sharing platform;
- Structuring of data so it is actionable;
- A platform to enable sharing based on trust level and anonymity needs; and
- An ecosystem of supporting technologies that make analysts’ lives easier by completely integrating and streamlining alerts or anticipating new threats with machine learning and behavioral analysis.
Additionally, the regulators must take an active role in rallying for greater information sharing. When they lead the charge toward greater sharing of industry-driven intelligence, companies and their customers will see the benefits: increased visibility of the cyber threat landscape and more balance in the scales between hazards and protection.