The juggernaut known as the “threat intelligence sharing imperative.”  Security and industry conferences fill their time with “sharing.”  How many sharing groups and platforms do we require?  Too many exist.  Alien Vault recently reported that 76% of survey respondents reported a “moral obligation to share threat intelligence.”  McAfee says sharing threat intelligence “is the only way we win” (that isn’t even remotely true).  However, it’s not working.

According to Robert Lemos in eWeek, even with the most recent US cyber security legislation providing legal immunity organizations are not rushing to share.  The reason is simple.  That was only one component of a complicated problem.  While the legislation addressed one policy element, it didn’t address that sharing has never been proven (with data) to benefit sharing organizations.

We must move beyond these “religious” arguments and provide clear incentives for defenders to share.

In January, President Obama signed the Cybersecurity Act of 2015, but companies remain in a holding pattern, waiting for legal clarity and demonstrable benefits before sharing sensitive information.

– Robert Lemos, eWeek “Cyber-Threat Data Sharing Off to Slow Start Despite U.S. Legislation” [2016-10-02]

The Loudest in the Room

There is one thing I notice – security vendors yell the loudest about sharing. I don’t claim their sharing narrative is FUD, but the sharing narrative is a net positive for them.  The more data and intelligence they receive strengthen their products and services adding value to their organization. Security vendors have strong incentives to promote threat intelligence sharing.  But, what is the case that the cost of sharing to defenders is a net benefit to them?

Security vendors have strong incentives to promote threat intelligence sharing.  But, what is the case that the cost of sharing to defenders is a net benefit to them?

Sharing is Costly

I’ve been involved in threat intelligence sharing for a long time.  I am the first to support the notion of sharing.  I have story up on story which supports the sharing narrative.  But, I qualify my support: the value of sharing must exceed the cost.

Most network defenders will agree: sharing is costly.

  1. It requires significant cost to integrate externally shared threat intelligence effectively.
  2. Once you consume that threat intelligence you quickly discover it may consume your security team with poor quality – and requires significant tuning.  There is risk.
  3. Establishing a sharing mechanism, program, and process is costly.  It usually requires engineering effort.
  4. Management support for sharing usually requires political capital from network defense leaders.  They must prove that the resources spent on sharing are more important than the 20 other components competing for resources.  Also, let’s not forget about the legal support.

An Incentive-Based Approach

Sharing must go beyond a “religious” argument.  Instead, we must take an incentive-based approach.  We must create and promote incentives for defenders to share – with demonstrable results.  Therefore, those promoting sharing must provide a coherent and consistent data-driven case that sharing overcomes these costs to defending organizations.  “Share because it is good for you” is not enough.

So, next time you advocate for sharing – enumerate why network defenders should share.  Make it meaningful.  Make it data-driven.