If your organization is, you can win on a couple fronts…
In traditional warfare, information sharing is key. The value of insight into your opponent cannot be overstated. The basic principles in Sun Tzu’s The Art of War state that you must know yourself and know your opponent to be successful. Cyberwarfare is no different: information is obtained and exchanged to gain the upper hand. Translated to cybersecurity, you must know your vulnerabilities; understand the attackers’ tactics; and leverage a vulnerability (system or user), deception, hiding tactics, and strikes at an unexpected time and location. Sharing this insight is crucial to establishing detection and protection strategies. Start by having the infrastructure you already own share insight. Imagine your IT and security functions working together to protect your environment. Consider what happens when critical vulnerability information is shared with your endpoint security, or when network security blocks suspicious users or devices, so that highly vulnerable devices are detected and confined. Coordinating efforts across your IT infrastructure will deter the creative attacker.
Basics of cybersharing
Cybersharing discussions begin with essential cybersharing framework components that address the why and the what:
- Identify the problem to be solved
- List the functions or products involved
- Simply describe what you want to happen
- Map these actions to one of four key capabilities (receive an event, ask a question, take action, and publish an event)
Using a robust cybersecurity sharing framework takes the technical heavy lifting out of integrations, allowing you to focus on what’s important. Cybersharing begins with understanding the problem you are trying to solve (such as blocking a non-compliant endpoint from your network), knowing what products are involved (endpoint solution or a Network Access Control solution), understanding what you want to have happen (if an endpoint is incorrectly configured, be sure to restrict its network access), and mapping these to framework capabilities (ask the endpoint a question on its configuration status, transmit this status to the Network Access Control solution, and depending on the status, allow or block). It’s really that simple, automated, and effective.
Side note: Integrating security tools can improve your response time by 20% (MSI Research, 2018).
Highs and lows of cybersharing
Cybersharing is not a new concept. The industry has been working on it for a while with many stakeholders. Many initiatives have come and gone in the past—the industry has always clamored for it, but it has often fallen into the “too hard” or “too expensive” bracket. Until now. There is now a belief among security vendors that we cannot do everything with just one vendor. Sharing is essential to defending our environments and defeating our adversaries.
A cybersharing option to consider
Sharing can be difficult and time-consuming. Just getting the connection to share the information may require writing to a proprietary API, which means lots of maintenance and manual efforts to add new connections. And once you have the connection, the information flow is daunting. Imagine a world where you simply share within your environment without the need to write to proprietary APIs or write with prescribed data structures.
Enter Data Exchange Layer (DXL). DXL is an established and proven communication layer that lets security functions and tools share information and collaborate based on a messaging topic. It’s like real-time tweets, only in this context the “tweet” would be a piece of security information and the “followers” would be your security products.
Over 4,000 organizations are participating in OpenDXL, the open source initiative using DXL to interconnect security functions to coordinate defenses. This interconnection can be one-to-many or one-to-one. It may be a simple exchange of specific threat intelligence, or threat insight with a recommended response. We feel open sourcing this framework is key to information sharing: no ties to a vendor, no lock-in, and no restrictions on who or what products can integrate with DXL.
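The endpoint-to-NAC workflow from the cybersharing basics section (receive an event, ask a question, take action, publish an event) and the topic-based "tweets and followers" model described above can be shown end to end in one small simulation. The code below is an added example and is not the OpenDXL client library or any code from the project: the `Fabric` broker, the topic names, the endpoint inventory and the compliance thresholds are all constructed assumptions. It goes slightly beyond the text by handling the case where no endpoint product answers the question, which the orchestrator treats as non-compliant (fail closed) rather than silently allowing the device.

```python
"""Constructed, in-process simulation of a topic-based security message fabric.

Added example, not the OpenDXL client: the Fabric class, topic names,
endpoint inventory and policy thresholds are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed topic names (not real DXL topics).
TOPIC_CONNECTED = "/example/endpoint/connected"    # NAC announces a new device
TOPIC_STATUS = "/example/endpoint/config/status"   # endpoint product answers here
TOPIC_DECISION = "/example/nac/access/decision"    # orchestrator publishes here

# Constructed endpoint inventory that the endpoint "product" answers from.
ENDPOINT_INVENTORY = {
    "ws-finance-01": {"av_signatures_age_days": 1, "disk_encrypted": True, "firewall_enabled": True},
    "ws-lab-07": {"av_signatures_age_days": 14, "disk_encrypted": False, "firewall_enabled": True},
}


@dataclass
class Message:
    topic: str
    payload: dict


class Fabric:
    """Minimal broker modelling the four capabilities: receive an event
    (subscribe), ask a question (request), take action (the callback body)
    and publish an event (publish)."""

    def __init__(self) -> None:
        self._subscribers: Dict[str, List[Callable[[Message], None]]] = {}
        self._services: Dict[str, Callable[[Message], Optional[dict]]] = {}

    def subscribe(self, topic: str, callback: Callable[[Message], None]) -> None:
        self._subscribers.setdefault(topic, []).append(callback)

    def publish(self, topic: str, payload: dict) -> None:
        for callback in self._subscribers.get(topic, []):
            callback(Message(topic, payload))

    def register_service(self, topic: str, handler: Callable[[Message], Optional[dict]]) -> None:
        self._services[topic] = handler

    def request(self, topic: str, payload: dict) -> Optional[dict]:
        handler = self._services.get(topic)
        return None if handler is None else handler(Message(topic, payload))


def evaluate_policy(status: dict) -> List[str]:
    """Return the list of compliance failures; an empty list means compliant."""
    reasons = []
    if status.get("av_signatures_age_days", 999) > 7:
        reasons.append("stale AV signatures")
    if not status.get("disk_encrypted", False):
        reasons.append("disk not encrypted")
    if not status.get("firewall_enabled", False):
        reasons.append("host firewall disabled")
    return reasons


def build_fabric():
    fabric = Fabric()
    decisions: Dict[str, dict] = {}   # what the NAC "product" recorded

    # Endpoint product: answers configuration questions from its inventory.
    def endpoint_status_service(msg: Message) -> Optional[dict]:
        host = msg.payload["host"]
        config = ENDPOINT_INVENTORY.get(host)
        return None if config is None else {"host": host, **config}

    # NAC product: receives access decisions and enforces them (recorded here).
    def nac_on_decision(msg: Message) -> None:
        decisions[msg.payload["host"]] = msg.payload

    # Orchestration: receive event -> ask question -> decide -> publish event.
    def on_endpoint_connected(msg: Message) -> None:
        host = msg.payload["host"]
        status = fabric.request(TOPIC_STATUS, {"host": host})
        if status is None:
            reasons = ["no configuration status available"]   # fail closed
        else:
            reasons = evaluate_policy(status)
        action = "block" if reasons else "allow"
        fabric.publish(TOPIC_DECISION, {"host": host, "action": action, "reasons": reasons})

    fabric.register_service(TOPIC_STATUS, endpoint_status_service)
    fabric.subscribe(TOPIC_DECISION, nac_on_decision)
    fabric.subscribe(TOPIC_CONNECTED, on_endpoint_connected)
    return fabric, decisions


def run_demo() -> Dict[str, dict]:
    """Simulate three devices connecting and return the NAC's recorded decisions."""
    fabric, decisions = build_fabric()
    for host in ("ws-finance-01", "ws-lab-07", "unknown-device"):
        fabric.publish(TOPIC_CONNECTED, {"host": host})
    return decisions


if __name__ == "__main__":
    for host, decision in run_demo().items():
        print(host, decision["action"], decision["reasons"])
```

The point of the separation is that neither product knows about the other: the endpoint product only answers questions on its topic, the NAC only acts on decisions published to its topic, and the orchestration logic is the only place the policy lives. Swapping either product for another vendor's means re-pointing a topic, not rewriting an API integration.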
Everything you need to get started is on OpenDXL.com—from the components, to pre-built development environments in Docker containers, to documentation and pre-built integrations (including in many cases the source code). Get started and elevate your security program today.
Taking cybersharing to new heights
It’s time to join the DXL challenge—the first cybersharing contest of its kind. We’re introducing a recognition program, DXL Super Stars, to share these critical DXL integrations that improve security efficiency and efficacy. Join the cybersharers and win cash! Don’t delay—submissions must be in by late January.