From Silos to Synergy: Transforming Threat Intelligence Sharing in 2025


As we look ahead to the New Year and think about what we are going to prioritize from a security and threat intelligence perspective, it struck me that it is the same problem of old with which we are challenged: collaborating and communicating more effectively to share vital intelligence in the face of ever-growing threats and adversaries.

Growing collaboration across government and industry partners

On a macro level we are certainly seeing more collaboration efforts within the intelligence community. I recently saw an article about U.S. intelligence agencies working toward closer collaboration with government and industry partners. The Office of the Director of National Intelligence (ODNI) has established an Office of Partnership Engagement designed to foster closer industry collaboration and provide ODNI with access to commercial insights about AI, cybersecurity and space, among other areas.

Additionally, other agencies like the National Security Agency (NSA) have established information exchange programs that help the government and industry get on the same page about cyber threats. NSA’s Cybersecurity Collaboration Center authorizes the government and the private sector to share information about cyber criminals and nation-state hackers. 

However, I would argue that for intelligence sharing to work well at the macro level it also needs to happen at the micro level. It is important that we break down silos between teams such as SIEM teams, vulnerability management teams, incident response (IR) teams and cyber threat intelligence (CTI) teams, because there is often a lack of data sharing across these silos. This can be down to organizational dynamics or the fact that there isn’t always an automated way to get a bidirectional flow of information, and this is one area that a threat intelligence platform can really help to address.

Put simply, organizations must break down the silos between ALL teams involved in security. This is not just about understanding the organization's cyber hygiene; it is also about understanding the layers that an attacker would have to get through to exploit and conduct potentially nefarious activities within the business. Once this insight is gained, teams can work through requirements and align the CTI program for specific stakeholders. This means that both offense and defense teams are working together, mapping out the attack path and gaining a better understanding of defense. Doing this will provide a better understanding of offense as teams scout to look at what could be effective, going to the next layer to consider what might be vulnerable and whether they have mitigating controls in place to provide any additional prevention.

One central source of truth

This also means having one central place for sharing, which avoids the knowledge leakage that often happens. In the past, teams working on-site together would document their work on a whiteboard. Now, with the advent of remote working, there are fewer opportunities to share in person, and a plethora of communication channels that lead to knowledge fragmentation as different people use different tools such as Slack or other messaging platforms, or just share intelligence one-on-one. This means that knowledge is not being captured in a single source of truth or via a system of record. It is important to implement this single system of record in order for corporate knowledge to be retained and built on, rather than letting it trickle out the edges of the business as team members move on and communications channel archives get deleted.


Having the ability to document and share threat intelligence is also important to meet growing regulations and to ensure compliance and operational resilience. EU regulations such as DORA and NIS2 are now mandating that intelligence on threats and breaches is shared with national and international cybersecurity agencies. But it is also important to share with industry partners and other communities at the macro level, especially as nationalism seems to be becoming more prevalent in countries around the world. Of course, companies must maintain sovereignty over their data, ensuring it is owned, controlled and housed within a private instance that can operate with autonomy and confidentiality. At the same time, however, they require a centralized platform that allows for controlled access to this intelligence by external parties such as federated operations, dealer networks and so on. This ensures collaboration but does not compromise security.

Additionally, the complexity of cybersecurity demands support for diverse models, from machine-to-machine, to exchanges accommodating various languages and formats, to the distribution of human-readable data. Access to user-centric dashboards, comprehensive reports and sophisticated tools is also crucial to enable actionable intelligence.

A platform that caters for diverse requirements

When we talk about sharing in this way, whether micro or macro, any platform must also cater for the varying levels of maturity of different teams, always ensuring usability and accessibility regardless of expertise. It must also seamlessly integrate with different infrastructures and architectures, enabling a versatile and inclusive approach to threat intelligence sharing across the cybersecurity ecosystem. For larger organizations with subsidiaries, it needs to support autonomous operations across different business units or geographical locations. Additionally, it should provide and maintain strict data segregation so that organizations working with several partners or server providers can manage threat intelligence in a tailored way. But it should also be available for Information Sharing and Intelligence Centers (ISACs) to utilize and leverage to distribute intelligence across their network, enhancing collective defense.

Our cybersecurity automation research shows that while we are sharing threat intelligence, there is a way to go. Although ninety-nine percent of cybersecurity professionals say they share cyber threat intelligence through at least one channel, 54% share cyber threat intelligence with their direct partners and suppliers and 48% share with others in their industry through official threat sharing communities. My number one wish for the year ahead is that we continue to increase this collaboration with more sharing and more of a focus on collaboration in the coming years.
