In the wake of the Sony attack and tens of millions of cases of consumer credit card and personal information being compromised the White House is championing legislative proposals to help address the challenge of cybersecurity. At the heart of the proposal, and many before this one, is “Enabling Cybersecurity Information Sharing” which “promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector.” So, will better information sharing help the vast majority of companies prevent, detect or respond to cyber attacks? Probably not and here are 3 reasons why:
1. No Tools…
The vast majority of companies, say under twenty billion in annual revenue, are not equipped to analyze and act on cyber threat data because they have not been resourced for the mission. Actionable intelligence is only useful if the company you provide it to has made the right investments to take appropriate action.
IP addresses, signatures, filenames, MD5 hashes and other actionable cybersecurity intelligence are mostly interesting but irrelevant if you don’t have a person, process, and technology to take the appropriate action. Handing off this kind of intelligence to an organization who has not made the appropriate Security information and event management (SIEM), Intrusion detection system (IDS), or similar investment will only serve to further exacerbate the problem.
2. You’ve Got Tools…
But not enough people to support them and certainly not any documented, repeatable, or ideally automated process to optimize them. This is where the vast majority of organizations find themselves, tool heavy and people and process starved. Sharing threat information with a tool heavy organization will further overwhelm the less than ten security professionals that typically try and deliver security for multinational corporations of twenty billion or less. Yes, less than ten full timers delivering security is the norm so throwing tools at the problem is not the answer either.
Many readers can remember when you bought a Data Loss Prevention (DLP) tool in response to an internal audit and then another tool in response to something else and so the tool tree grew but few can probably remember resourcing the people and processes to support those tools.
3. No business plan for security…
Be as proactive as you can probably be in security and do an assessment of your entire security organization and its capabilities. This assessment will serve as your business plan for security and facilitate a conversation with your board that educates and informs. For more on the value of an assessment try reading this blog post: http://www.cybersheath.com/blog/november-2013/are-security-assessments-of-any-value#
Security assessments are like home inspections in that they give you an expert view of red flags, watch items and things that are in good shape for now. Without a comprehensive assessment and corresponding plan of action to address the findings you’re likely to have more tools than people to support them and when the FBI comes knocking with actionable intelligence you will be in the unenviable position of asking the government for help it likely can’t provide.