Microsoft and the Age of Collaboration: Now, We Stand
Thank you, Microsoft. When teaching about computer security, I’ve often quipped, “There is ‘Infosec,’ ‘Comsec’ and ‘Jobsec.’” Thanks to the ubiquitous Windows platform, fraught with security holes that were found on what felt like a weekly basis. Patch Tuesday was “celebrated” almost as much as Friday nights (not really).
But Microsoft has taken security seriously over the last decade and has vastly improved the safety and security of its core OS product and its cloud offerings. Perhaps more importantly, the company has led a joint effort with other security companies to share threat intelligence and to vastly improve the sorry state of “breach-a-day” security practices. The Cybersecurity Tech Accord that was announced at RSA 2018 was a long time in coming. Aesop, the ancient Greek, is credited with the age-old saying, with countless variations, “United we stand, divided we fall.” Now, we stand. Bad news for the bad guys, finally.
What is the Collaborative Agreement About?
Microsoft announced a cooperative agreement between a number of security companies and global enterprises, many of them direct competitors with one another, to share the proprietary threat intelligence each contributes through their products. The agreement makes security sense, but also incredible economic sense for the customers they each aim to protect: all of us.
The concept and value of sharing cross-domain intelligence about security threats has been understood for a very long time as a valuable collaborative security tool. But there was no easy way to accomplish the goal without direct government encouragement. For example, the Information Sharing and Analysis Centers (ISACS) were established to provide improved critical infrastructure security across major sectors of the economy. Although in operation for many years, the success of these ISACs is hard to measure. The intent is admirable, but cyberattacks have not abated for the many years they have been in operation. Will this change with the new Tech Accord? Yes, it will. And there is an existence proof.
For many years, a threat-sharing infrastructure has existed for the attacker community; it’s called the internet. They have shared their ware, and they have had every opportunity to learn from each other by inspecting attack vectors launched in the wild. It is obvious they have extracted tremendous value from sharing attack information with each other. It is now time for defenders to enjoy the same capability and advantage.
Sharing of Threat Information is Not Easy
A number of products and services now exist that provide sharing of known threats, IP addresses, malicious URLs, malcode samples, etc. But these are shared among customers of a particular vendor—with a fee for their feeds, of course. The new tech accord opens the gates to freely sharing and enhancing everyone’s security.
But I do have a cautious word about collaborative security systems. Depending upon what information is shared, care must be taken to avoid inadvertently sharing confidential information. A large “sensor net” of the sort the sharing represents could easily make an error and share the wrong information. Years ago, we developed a project in my IDS lab at Columbia University called the Worminator. It was a system that focused on safe, privacy-aware sharing of security information by exchanging one-way data structures (Bloom filters) to communicate raw packet content for suspect malcode. The technique is effective and efficient, and greatly reduces the chance for error.
Perhaps a larger concern in a global-scale collaborative security system is trust. You don’t want attackers to access the shared information, since they can profitably use it to test their own evasion strategies and tactics. A great deal of care must be taken to ensure trusted sharers limit exposure to unknown threat actors inside their own companies who can corrupt the shared information.
As threats continue to mount, such a sharing infrastructure obviously must be designed to scale massively, without overwhelming each consumer of the threat intel. Globally protecting a trillion connected devices isn’t easy. But one must not lose site of the need to continue developing new threat detection capabilities. One opportunity to enrich current threat intel is “beacon” technology. I have been writing recently about the value of beacons used in either a deception-in-depth strategy ore in an active defensive posture for large enterprises. Leakage of beacons from a large enterprise has garnered, and will continue to garner, additional valuable knowledge about attackers, especially their drop-points on the dark web. Beacons might substantially enhance shared threat intel by homing in on clear areas of malicious activity. Hence, the sharing infrastructure must be extensible and managed to permit new capabilities of value to all participants.
The House is No Longer Divided
Sharing of deep threat intelligence on attackers, and wide spread unfettered access to this information, will surely improve the state of cybersecurity. It will break the asymmetry of cybersecurity enjoyed for far too long by attackers. Thank you, Microsoft and all the signers of the collaborative sharing of security information. We all shall benefit.